0

Now I may have missed it, but I was reading up on common Windows issues and "Windows Unquoted Search Path or Element can allow local privilege escalation" keeps appearing.

I am amazed that this is still a possible issue; TechNet and other sites are full of custom-built scripts to attempt a fix (most disclaim only partial success).

Why has MS not enforced a rule/fix for this? Or have I gone search blind and they did?

user001

1 Answer

3

Why has MS not enforced a rule/fix for this?

Because it would break existing software. Microsoft published an API where both paths would be searched. Developers implemented software knowing that. To change it would break any software searching in an unquoted directory with a space in the name. "C:\Program Files" means at the very least this is going to be a huge number of services.

Microsoft have to make a risk analysis and here they must have decided breaking legacy software was higher cost than the risk of unquoted search paths.

Hector
  • 1
    "..here they must have decided breaking legacy software was higher cost than the risk of unquoted search paths." - Which is true of most commercial entities. Money and keeping the majority of customers happy often win – ISMSDEV Nov 13 '17 at 12:37
  • Seems fair enough. Any official statements or industry journals would solidify it. – user001 Nov 13 '17 at 13:02
  • @user001 - This is educated opinion. Fully sourced research isn't really the purpose of StackExchange. Upvotes/Downvotes and reputation are the primary trust mechanisms. AFAIK Microsoft have not issued a statement on this. Why would they? It's not a bug - it works as designed. If you view it as a security flaw you should request the software vendor for the code in question to quote their paths. – Hector Nov 13 '17 at 13:20
  • Yet I have seen (admittedly not in this room) many examples of highly repp'd people asked for sources and quotes or something more concrete, especially around opinion based answers. This place may work differently – user001 Nov 13 '17 at 13:53
  • @user001 - it depends on the context. I.e. do quotes make sense in the context of the answer, how disputable is the answer and how easy are quotes to source. Some of my own answers are 50% quotes from standards papers. But usually when the person asking asks for quotes with no dispute of the answer it suggests they need them (coursework, employer policy etc.) rather than it actually adding anything of value. – Hector Nov 13 '17 at 14:01
  • Or is a cynical git, who takes little on face value. Honestly it's 'cause I don't frequent here so don't know you or your skill set (and was being polite and not being so blatant about it lol) – user001 Nov 13 '17 at 14:47
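
The search behaviour the answer refers to, as an added example that is not part of the original question, answer or comments: a small audit that takes service command lines and lists the file names Windows would try before the intended binary when the path is unquoted, following the documented CreateProcess parsing of a command line given without an application name. The service names and paths are constructed sample data, and stopping at the first candidate that ends in `.exe` is an assumption made so the check can run offline.

```python
import ntpath

def candidate_executables(image_path):
    """File names tried, in order, for a service command line.

    A quoted path has exactly one interpretation. An unquoted path is
    split at each space, and ".exe" is appended to any prefix that has
    no extension.
    """
    cmd = image_path.strip()
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return [cmd[1:end] if end != -1 else cmd[1:]]
    tokens = cmd.split(" ")
    candidates = []
    for i, token in enumerate(tokens, start=1):
        if not token:          # run of consecutive spaces
            continue
        prefix = " ".join(tokens[:i])
        if ntpath.splitext(prefix)[1]:
            candidates.append(prefix)
            # Assumption: the first prefix ending in .exe is the real binary.
            if prefix.lower().endswith(".exe"):
                break
        else:
            candidates.append(prefix + ".exe")
    return candidates

def audit(services):
    """Map each ambiguous service to the names tried before its real binary."""
    findings = {}
    for name, image_path in services.items():
        tried = candidate_executables(image_path)
        if len(tried) > 1:
            findings[name] = tried[:-1]
    return findings

# Constructed sample data (not taken from a real system).
SAMPLE_SERVICES = {
    "AcmeUpdater": r"C:\Program Files\Acme Tools\svc.exe -k run",
    "AcmeQuoted": r'"C:\Program Files\Acme Tools\svc.exe" -k run',
    "NoSpaces": r"C:\Windows\System32\svchost.exe -k netsvcs",
}

if __name__ == "__main__":
    for svc, earlier in audit(SAMPLE_SERVICES).items():
        print(svc, "is unquoted; names tried first:", earlier)
```

Each flagged service is one whose vendor should quote the path, as the answer suggests; until then, the listed names should not exist and their parent directories should not be writable by non-administrators.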