Tuesday, October 02, 2012 8:08 AM
Hi all,
I have tested my installer with WACK and the test fails because of changes to ACLs. My software doesn't perform any change on ACLs, but it writes some data and DLLs in \Users\Public\Documents\<mySoftware>. The Interactive and Batch principals have permissions on \Users\Public and "get access" to these files (by inheritance, I suppose), and Attack Surface Analyzer thinks that something insecure has happened. If during installation you change the documents destination folder, the test succeeds.
Could this be considered incorrect behaviour of Attack Surface Analyzer? Is there a way to avoid this?
Monday, October 08, 2012 7:02 AM
Monday, October 08, 2012 11:10 PM
You landed in the correct forum (thanks Rob & Bob). ASA team has been notified.
Tuesday, October 09, 2012 7:06 AM
Ok, perfect. Thanks Rob and Bob, next time I will do better :)
Thursday, October 11, 2012 7:42 PM
Placing DLLs or executables in public folders like \users\public raises a warning. Consider using %Program Files%. Also, I recommend taking a look at the following MSDN links:
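Added example, not part of any post in this thread: a PowerShell check that lists DLLs and executables under a folder whose ACL grants write-type rights to broad principals, and shows whether each entry is inherited, which is the condition the warning above is about. The default root (`%PUBLIC%\Documents`), the list of principals and the choice of rights are assumptions made for illustration.

```powershell
# Added example: find binaries that broad principals are allowed to modify.
# Assumption: the default root is the Public Documents folder from the thread.
param([string]$Root = (Join-Path $env:PUBLIC 'Documents'))

# Well-known SIDs, so the check does not depend on the OS display language.
$broad = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-3'      = 'BATCH'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

# Rights that let a principal replace or alter a binary on disk.
$writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, ChangePermissions, TakeOwnership'
$sidType   = [System.Security.Principal.SecurityIdentifier]

Get-ChildItem -Path $Root -Recurse -File -Include *.dll, *.exe -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Explicit and inherited ACEs, with identities returned as SIDs.
        (Get-Acl -LiteralPath $file.FullName).GetAccessRules($true, $true, $sidType) |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $broad.ContainsKey($_.IdentityReference.Value) -and
                [int]($_.FileSystemRights -band $writeMask) -ne 0
            } |
            ForEach-Object {
                [pscustomobject]@{
                    File      = $file.FullName
                    Principal = $broad[$_.IdentityReference.Value]
                    Rights    = $_.FileSystemRights
                    Inherited = $_.IsInherited   # True = came from a parent folder
                }
            }
    } | Format-Table -AutoSize
```

Running it with `-Root` set to the application's folder under Program Files gives a side-by-side comparison of the two install locations.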
Friday, October 12, 2012 7:44 AM
Our users can create DLLs using our software and Visual Basic Editor; these DLLs are used to perform important tasks associated with our software. VBA files and DLLs are placed in the user documents folder. In “per-machine” installations, machine users share these DLLs, so they are placed in \Users\Public\Documents. It is important for our clients to share this data between machine users. During installation we provide some samples (VBA files and DLLs) that are also placed in \Users\Public\Documents.
When we try to pass WACK, all is OK for per-user installation, but it fails for per-machine installation due to changes to ACLs performed by the Interactive and Batch system principals that are out of our control; we write these files to \Users\Public\Documents and the OS itself changes the ACLs.
Of course we could design another solution for sharing, but we think that we don't have a security fault, and that WACK could be passed.
Thank you and best regards,