Windows security best practices test failed in Windows ACK test on Win8.

Question

  • Hi,

    I'm working on the Windows ACK test on Win8 for my app, but I encountered a fail case in the Windows security best practices test. The following is part of the description from the report.

        <REQUIREMENT NUMBER="13" TITLE="Windows security best practices test" RATIONALE="An application should not change the default Windows security settings.">
          <TEST INDEX="32" NAME="Attack surface analyzer" DESCRIPTION="Analysis of windows securable objects and windows platform security settings." EXECUTIONTIME="00h:01m:30s.84ms">
            <RESULT><![CDATA[FAIL]]></RESULT>
            <MESSAGES>
              <MESSAGE TEXT="&#xD;&#xA;            Weak ACL on C:\Program Files (x86)\xxx\liveupdate.exe allows tampering by multiple non-administrator accounts.&#xD;&#xA;          " />
              <MESSAGE TEXT="File: C:\Program Files (x86)\xxx\liveupdate.exe&#xA;Writable by: &#xA;World&#xA;Rights: WRITE_OWNER, WRITE_DAC, FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA, FILE_APPEND_DATA, FILE_WRITE_DATA&#xA;" />
            </MESSAGES>
          </TEST>
        </REQUIREMENT>

    Can someone tell me what "Weak ACL on C:\Program Files (x86)\xxx\liveupdate.exe allows tampering by multiple non-administrator accounts." means, and how I can fix this issue?

    Friday, June 29, 2012 2:16 AM

Answers

  • If you look at the message text it says that the liveupdate.exe file is writable by the world:

    <MESSAGE TEXT="File: C:\Program Files (x86)\xxx\liveupdate.exe&#xA;Writable by: &#xA;World&#xA;Rights: WRITE_OWNER, WRITE_DAC, FILE_WRITE_ATTRIBUTES, FILE_WRITE_EA, FILE_APPEND_DATA, FILE_WRITE_DATA&#xA;" />
    This means that anybody could overwrite it and replace it with their own Trojan horse. To fix this, modify your installer so that it doesn't set unsafe security settings for the app. Leaving the security untouched and inheriting the default security from Program Files is probably the best way.

    --Rob

    • Marked as answer by alexforgoal Friday, June 29, 2012 9:32 AM
    Friday, June 29, 2012 3:00 AM
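As an added example (not part of the thread or of the ACK tool), the PowerShell below does what the answer describes in two steps: it lists which broad, non-administrator principals hold write-class rights on the file (the rights named in the report map to WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, ChangePermissions and TakeOwnership), and it strips the explicit ACEs so the file falls back to the inherited Program Files defaults. The file path is taken from the report and the SID list is an assumption about which principals the checker treats as "World"/non-administrator.

```powershell
# Added example, not from the original thread. Audit a file for write access
# granted to broad non-administrator principals, then reset it to inherit the
# default Program Files ACL (what the installer should have left alone).

# Assumed set of "broad" principals; the ACK report reported "World" (Everyone).
$BroadSids = @(
    'S-1-1-0',       # Everyone ("World")
    'S-1-5-11',      # NT AUTHORITY\Authenticated Users
    'S-1-5-32-545',  # BUILTIN\Users
    'S-1-5-4'        # NT AUTHORITY\INTERACTIVE
)

# Rights that let a caller alter the binary or its security descriptor.
# FILE_WRITE_DATA=WriteData, FILE_APPEND_DATA=AppendData, FILE_WRITE_EA=WriteExtendedAttributes,
# FILE_WRITE_ATTRIBUTES=WriteAttributes, WRITE_DAC=ChangePermissions, WRITE_OWNER=TakeOwnership
$WriteMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, WriteExtendedAttributes, WriteAttributes, Delete, ChangePermissions, TakeOwnership'

function Get-WeakAce {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        # Compare by SID so the check is independent of the display language.
        try   { $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value }
        catch { $sid = $ace.IdentityReference.Value }
        if (($BroadSids -contains $sid) -and (($ace.FileSystemRights -band $WriteMask) -ne 0)) {
            [pscustomobject]@{
                Identity   = $ace.IdentityReference.Value
                WriteRight = $ace.FileSystemRights -band $WriteMask
                Inherited  = $ace.IsInherited   # $false means the installer set it explicitly
            }
        }
    }
}

function Repair-InheritedAcl {
    param([Parameter(Mandatory)][string]$Path)
    $acl = Get-Acl -LiteralPath $Path
    # Turn inheritance from the parent directory back on ...
    $acl.SetAccessRuleProtection($false, $false)
    # ... and drop every explicit ACE so only the inherited defaults remain
    # (Users: read & execute; Administrators and SYSTEM: full control).
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

$Path = 'C:\Program Files (x86)\xxx\liveupdate.exe'   # path from the report; adjust for your app
Get-WeakAce -Path $Path | Format-Table -AutoSize
# Repair-InheritedAcl -Path $Path   # run from an elevated prompt once the findings are confirmed
```

Run the audit again after the installer change (or after the repair) and the report's `Writable by: World` entry should no longer be reproducible; the equivalent one-liner for the reset is `icacls "<path>" /reset`.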

All replies

  • Thanks, I updated my installer, and it works.
    Friday, June 29, 2012 9:33 AM