eWeek Microsoft Watch
September 11, 2007 5:57 PM

What's in Your Registry?

One frequent TV commercial asks, "What's in your wallet?" I ask: What's in your computer that could expose sensitive data? Last week, I searched my Windows Vista registry and turned up some disturbing stuff.

I found some surprising personal information there, such as name, address and phone number; online account user names; software registration codes; and information identifying some online accounts. I wasn't looking for any of this information. My search had initially been for something else. But the discovery of this information greatly disturbed me.

To be absolutely clear, none of this information was put there by Windows Vista. Third-party software or services were the culprits.

Andrew Jaquith, Yankee Group program manager for Security Research, said that the Windows registry makes "application developers' lives easier. It provides a centralized API for reading and writing configuration settings. Instead of worrying about lots of parsing and modifying .INI files scattered all over the hard disk, all you'd need to do is make a few Win32 API calls, and Windows takes care of managing all of that information for you."

Jaquith warned that too many third-party developers treat the "registry like a personal dumping ground, stashing things like product keys, sensitive personal information and other things the ISVs think they need. Like most dumping grounds, the registry tends to become overgrown and a little ripe over time."

My Vista registry search uncovered my name, address and phone number, which were associated with online registration for photography software from a well-known software company and longtime Microsoft partner. The online account information chilled me. From the information contained in the registry about the accounts, someone could have gotten at least one password with some thoughtful social engineering. Could my, or your, privacy be compromised by such a registry entry?

Absolutely, Jaquith warned: "Because [the registry] centralizes application configuration information and user preferences, it also becomes a natural target for malicious parties who want to mine the registry for information, install 'run keys' that execute spyware when the computer starts up and the like."
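The two things Jaquith describes, mining the registry for stored personal data and planting autostart "run keys", can both be checked for from the same shell session. The script below is an added example written for this page, not code from the article or from any vendor it mentions: it walks the current user's Software hive, flags string values whose data matches a few patterns (e-mail address, phone number, the 5x5 product-key shape, and a placeholder name), and lists the classic Run/RunOnce autostart locations. The patterns, the name "Jane Example" and the vendor path in the removal comment are constructed for the example; substitute your own details before running it.

```powershell
# Added example, not from the article: audit the current user's registry hive for
# value data that looks like personal information, and list the autostart Run keys
# that spyware abuses. Add 'HKLM:\Software' to -Roots (from an elevated shell) to
# cover machine-wide settings too. A recursive walk of HKCU:\Software takes a while.

$patterns = @{
    'email'       = '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}'
    'phone'       = '\b\d{3}[-. ]\d{3}[-. ]\d{4}\b'
    'product-key' = '\b([A-Z0-9]{5}-){4}[A-Z0-9]{5}\b'   # common 5x5 product-key shape
    'my-name'     = 'Jane Example'                        # hypothetical; put your own name/address here
}

function Find-RegistryPersonalData {
    param(
        [string[]]$Roots = @('HKCU:\Software'),
        [hashtable]$Patterns = $patterns
    )
    $textKinds = @('String', 'ExpandString', 'MultiString')
    foreach ($root in $Roots) {
        # Some keys deny read access even to the hive owner; skip those quietly.
        foreach ($key in (Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue)) {
            foreach ($name in $key.GetValueNames()) {
                if ("$($key.GetValueKind($name))" -notin $textKinds) { continue }
                # Read without expanding %VARS% so we see exactly what is stored on disk.
                $raw  = $key.GetValue($name, $null, [Microsoft.Win32.RegistryValueOptions]::DoNotExpandEnvironmentNames)
                $data = [string]::Join("`n", [string[]]$raw)   # MultiString becomes one searchable string
                foreach ($p in $Patterns.GetEnumerator()) {
                    if ($data -match $p.Value) {
                        [pscustomobject]@{
                            Pattern = $p.Key
                            Key     = $key.Name
                            Value   = $name
                            Data    = $data
                        }
                    }
                }
            }
        }
    }
}

function Get-AutostartEntries {
    # Anything listed here is executed at logon (HKCU) or for every user (HKLM).
    $runKeys = @(
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\Software\Wow6432Node\Microsoft\Windows\CurrentVersion\Run'   # 32-bit apps on 64-bit Windows
    )
    foreach ($path in $runKeys) {
        if (-not (Test-Path $path)) { continue }
        $key = Get-Item -Path $path
        foreach ($name in $key.GetValueNames()) {
            [pscustomobject]@{ Key = $path; Name = $name; Command = $key.GetValue($name) }
        }
    }
}

Find-RegistryPersonalData | Format-Table Pattern, Key, Value -AutoSize
Get-AutostartEntries      | Format-Table -AutoSize

# Once you have decided a value has no business being there, remove it. Be aware that
# deleting a vendor's registration data may break that application's licence check.
# Hypothetical path and value name:
# Remove-ItemProperty -Path 'HKCU:\Software\SomeVendor\SomeApp' -Name 'SerialNumber'
```

Review the autostart list by hand: a Run entry pointing into a temp directory or a user-writable path with a bland name is the classic spyware persistence Jaquith refers to, whereas entries for known software you installed are expected.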

Alex Eckelberry, president of Sunbelt Software, also warned of possible registry mining, even though Microsoft made efforts to harden Vista.

"Probably the biggest issue with the registry is the Protected Storage Area," Eckelberry said. "I've personally seen data in keylogger files that are directly from this area—and since it stores all the form data from [Internet Explorer], it can be quite compromising. Users can turn off IE from storing this data but many people don't even realize it's stored in this manner."

What I found in my Vista registry raises questions about good security and privacy practice, and about where software developers should store sensitive data. My expectation had been that applications would encrypt registration information and product serial numbers and keep them somewhere separate, rather than leave them in plain sight in the registry.

"Good developers will encrypt this data if it's sensitive such as user names and passwords," Eckelberry said.

The problem: software or services from big-name companies left revealing information in my registry.

"The registry is a relic of a bygone era," Jaquith said. "I suspect that Microsoft knows this, and indeed in Vista certain aspects of the registry are 'virtualized.' User-specific registry calls now redirect the physical read-write operations to files that reside in user directories, although from the developer perspective the API calls are basically the same." Even with Vista, the registry is "still a dumping ground for who-knows-what."

Microsoft does provide tools for this: Windows CryptoAPI, DPAPI (Data Protection API, exposed as the CryptProtectData and CryptUnprotectData calls) and its .NET wrapper, the ProtectedData class. But these tools are little good if developers don't use them.
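What using DPAPI actually looks like, for the case Eckelberry and the paragraph above both raise (a vendor that needs to keep a serial number or account identifier in the registry), is shown in the following added example. It is written for this page and is not the article's code or any vendor's: a secret is encrypted with the .NET ProtectedData wrapper around DPAPI and written as a REG_BINARY value, then read back and decrypted. The vendor key path, value name, entropy string and serial number are all made up. One caveat a developer should understand before reaching for this: CurrentUser scope ties the blob to the Windows account's DPAPI master key, so another account, or someone reading a copied NTUSER.DAT offline, gets nothing usable, but any code already running as that user (a keylogger in the session, for instance) can call Unprotect just as the application does.

```powershell
# Added example, not from the article: keep a registration secret under HKCU as a
# DPAPI-protected REG_BINARY blob instead of a plaintext REG_SZ. Path and names are
# hypothetical; the serial number is a constructed value.
Add-Type -AssemblyName System.Security   # ProtectedData lives in System.Security.dll on Windows PowerShell

$keyPath   = 'HKCU:\Software\ExampleVendor\ExamplePhotoApp'   # hypothetical vendor key
$valueName = 'LicenseBlob'
# Optional entropy: an application-specific salt. It is not a secret (it ships in the
# binary), but it stops other DPAPI users in the same account from decrypting this blob by accident.
$entropy   = [System.Text.Encoding]::UTF8.GetBytes('ExamplePhotoApp/v1')
$scope     = [System.Security.Cryptography.DataProtectionScope]::CurrentUser

function Protect-RegistrySecret {
    param([string]$Path, [string]$Name, [string]$Secret)
    $plain = [System.Text.Encoding]::UTF8.GetBytes($Secret)
    # CurrentUser scope: decryptable only with this Windows account's DPAPI master key
    $blob  = [System.Security.Cryptography.ProtectedData]::Protect($plain, $entropy, $scope)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    Set-ItemProperty -Path $Path -Name $Name -Value $blob -Type Binary
    [Array]::Clear($plain, 0, $plain.Length)   # do not leave plaintext bytes lying around
}

function Unprotect-RegistrySecret {
    param([string]$Path, [string]$Name)
    $blob  = (Get-ItemProperty -Path $Path -Name $Name).$Name   # comes back as byte[]
    $plain = [System.Security.Cryptography.ProtectedData]::Unprotect($blob, $entropy, $scope)
    return [System.Text.Encoding]::UTF8.GetString($plain)
}

Protect-RegistrySecret -Path $keyPath -Name $valueName -Secret 'ABCDE-12345-FGHIJ-67890'   # constructed serial

# What lands in the hive is an opaque DPAPI blob, not the serial number:
$stored = (Get-ItemProperty -Path $keyPath -Name $valueName).$valueName
[BitConverter]::ToString($stored)

# The same account gets the plaintext back; a different account, or an offline copy
# of NTUSER.DAT, cannot decrypt it without this user's master key.
Unprotect-RegistrySecret -Path $keyPath -Name $valueName
```

The same ProtectedData.Protect call, in C# or VB.NET, is all a vendor would need to add to an installer or registration routine; the registry value type simply changes from REG_SZ to REG_BINARY.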

"Unless and until third-party developers stop doing dumb things, we're going to see more and more registry issues pop up," Jaquith emphasized.

Comments (20)

Swashbuckler :

If the applications applied appropriate security to the registry keys/values then it's not a problem. Of course, the likelihood that they did so is pretty small, but it's not a matter of philosophy, but implementation.

Ted :

Having enjoyed Microsoft Watch for quite a long time in the past, I'm giving up on it. It's just a bitch and whine location for Joe Wilcox now. Who pays his salary? Is it Google or Apple?

I enjoyed seeing actual news about Microsoft, not "how Microsoft messed up according to some guy named Joe." By eWeek.

chips :

What can you say about an operating system that lets any 3rd party software make system changes (configuration changes by way of the reg) and even change OS system files out.

Then theres Internet Exploder, worst piece of software MS ever unloaded on the public.

Which brings us to:

Firefox: We caught Microsoft asleep at the wheel

http://www.pcpro.co.uk/news/124630/firefox-we-caught-microsoft-asleep-at-the-wheel.html

paul :

So let me see if I'm following this Joe. You have no problem getting into exhaustive detail every day about anything MS related that bothers you. But here you're unprepared to even name the "Third-party software or services" that were supposedly your problem, and still bury it in so much MS Registry verbiage that it comes off as a MS shortcoming? LOL.

repugnant :

A Rendezvous With Microsoft's Deep Throat
Meet mystery blogger Mini-Microsoft, an employee who runs a virtual watercooler for his corporate colleagues, also anonymous colleagues

http://www.businessweek.com/magazine/content/05_39/b3952009.htm

n0ne_n0ne :

"Vista pirates safe from darkness, for now
Piracy cat and mouse continues"

"Microsoft has denied it has switched on an anti-piracy measure in Windows Vista that would result in a "black screen of darkness" for unlicensed OEM copies of the operating system but the software giant did not rule out turning it on in the future."

"According to a leaked e-mail from a local Microsoft OEM partner, the strict Vista anti-piracy measure, known internally as "Reduced Functionality" would be enabled this week leaving pirated copies without a start menu, task bar, desktop, and only one hour of Internet browsing before the screen turned black."

http://tinyurl.com/23kruc

n0ne_n0ne :

Who needs "black screen of darkness" When you can have ... for free?

"Now that I have used Compiz Fusion extensively, going back to a regular 2D desktop is just something I'm not willing to do. Nice job Compiz Fusion."

http://tinyurl.com/2kx37u

Joe :

Ted wrote: "Having enjoyed Microsoft Watch for quite a long time in the past, I'm giving up on it...I enjoyed seeing actual news about Microsoft, not 'how Microsoft messed up.'"

Hi, Ted,

I'm sorry to hear you feel that way. Suggestion: Take another look around Microsoft Watch. The registry story isn't negative to Microsoft. It raises concerns about bad third-party developer practices with respect to the Windows registry.

As for the news stories, you can use comments as a pseudo measure of page views. The straight news stories and even those more positive about Microsoft are the most ignored by readers. Few comments and lower page views. Yesterday's BizTalk story is a good example.

That said, there is no agenda here. What you don't see is the stuff that doesn't get put into stories. Example is this quote from an analyst: "I think the registry was (and is) a bad idea." The story wasn't meant to indict Microsoft, but raise concerns about how developers misuse the registry, creating privacy and security risks for Microsoft. I decided that quote didn't fit.

You might take the registry story as negative, but I see it as positive. Many, perhaps most, Windows security problems are caused by non-Microsoft software. But who gets the blame? Microsoft. It's better to raise awareness that could help solve the problem.

Joe

uhura :

Ted, you're right about Joe. One day he explicitly calls microsoft out for FUD... and the next day we see him author a line like this:

--
which were associated with online registration for photography software from a well-known software company and longtime Microsoft partner.
--

The way he protects the guilty party, yet calls out Microsoft is obviously absurd, and shows intent (agenda) on Joe's part.

Ben Myers :

Of course, it does not help much that Microsoft's rules for management of the registry by applications software are complicated and well-nigh inscrutable. So software developers take shortcuts, break the rules and put unencrypted insecure data in the registry for their own convenience. Please, let's not have Microsoft play the blame game and absolve itself of responsibility once again... Ben

I don't believe there is an agenda there. But I do believe you are overreacting to what you found.

The information you found doesn't sound that disconcerting -- your name, address and phone number can already be found in the phone book. Serial numbers for software? Anyone who doesn't want to buy it has simply reverse engineered and made a serial number up themselves. Usernames and identifiable information? A quick search on one's favourite social networking site will bring that up. Is someone with malicious intents really going to bother going through the effort of coercing you to run unreliable code when this information is already publicly available?

And that is the real issue here, running dodgy code on your machine. As soon as you run a malicious application in your profile it has access to everything in your user profile. Nearly useless details in your registry aren't that interesting to someone; what are interesting are your e-mail, your documents, and especially your passwords. Although really just making your PC join a botnet or installing spyware with popups every two minutes is most likely the most probable scenario.

Since your purpose for creating this article seems to be to educate people and promote good practices, I also need to point out some issues with some of the various statements. At one point you have someone quoting the so-called problem with the Protected Storage area and then a few paragraphs later you are recommending the CryptoAPI. The Protected Storage area is protected using the CryptoAPI which is exactly why it can be decoded. Other things like saved .rdp files for Remote Desktop Connection sessions or the Credential Manager within Windows are also saved and can be decoded in the same way.

If you need to execute an application someone sent you or you don't think is trustworthy, simply run it in a Virtual Machine, which will exist separate from your profile and your data. Microsoft Virtual PC is a free Microsoft download, and if you do not have a spare unused Windows license sitting around, you can grab a VPC image of Windows XP for free from the Microsoft Download Center.

Joe :

Uhura wrote: "The way he protects the guilty party, yet calls out Microsoft is obviously absurd, and shows intent (agenda) on Joe's part."

What an interesting interpretation, Uhura. I kept the name back for Microsoft's benefit, seeing as how it's a big partner. I did disclose the name to security researchers and will discuss the problem with the developer and Microsoft. Tell you what, I'll ask Microsoft. If the Windows folks say, "Go for it. Reveal the name," then I will. But they won't say that, because Microsoft doesn't want to scare away buyers of Windows software. But they will want to fix the problem.

Joe

will :

If you don't plan on running any malware, trojans and the like, or letting someone steal your computer, I don't see how storing your name, address and phone number in your registry is much of a concern.

uhura :

Joe, I don't follow your logic AT ALL. Why protect the guilty partner? You say you left the name out for MSFT's benefit. Since when did you do MSFT any favors? Spill the beans. Why wouldn't you?

Kerry Batt :

With all said, how do I access this information and safely remove what I consider proprietary?

Ted :

Joe said: "you can use comments as a pseudo measure of page views"

Page views are a very good measure of page views. I would say that comments are a measure of disagreement and controversy. If I read news, I probably have no comment. If I read an editorial that's reasonably written, even if I disagree with it, I probably have no comment. If, however, I read an editorial that is provocative whether intentionally or not, I'll probably comment.

I only came back to this page to see if my comment was still around. I'm pleased to see that it was. I doubt I'll be back to read more, but I may stop by in a few months.

Chuck :

LOL, at a rough estimate, 60% of the posters are MS shills and employees.

Do you guys have a quota to meet?

uhura :

chuck off!

golfilla :

Rather than defending yourself against habitual attackers, it would be more useful to respond to Kerry Batt. Please tell us, or direct us to a source that will tell us, how to access and remove unwanted information from the registry.

The other alternative would be to point out that the Unix/BSD/Linux family do not have this vulnerability, since they do not have registries. Of course, in that sense, the Windows registry vulnerability is a "negative" for Microsoft.

Microsoft Watch, Ziff Davis Enterprise