Last week, Secunia published an advisory on a new vulnerabilities found in Windows. An exploit can take advantage of a weakness in Regedit, allowing a hacker to put a long string in the registry to hide a command. advisory picked it up on Friday.

From Secunia: “The weakness is caused due to an error in the Registry Editor Utility (regedt32.exe) when handling long string names. This can be exploited to hide strings in a registry key by creating a string with a long name, which causes this string and any subsequently created strings in the key to be hidden. Successful exploitation e.g. makes it possible for malware to hide strings in the “Run” registry key. However, these hidden strings created after the string with the overly long name will still be executed when the user logs in.”

However, someone actually has to get in to your system to implant this registry key.   So it’s not a “run for the hills” type scenario, despite breathless reports to the contrary. But it is something to take note of.

Two SANs bulletins, here and here. “An overly long registry entry can be added, but won’t be shown by regedit and regedt32. Even better, all registry entries that get added afterward under the same key, even if not overly long, will be hidden as well…This allows to add hidden entries under the famous HKLM\Software\MS\Windows\CV\Run. Entries that you can’t see with regedit, but that will just as faithfully get run at startup. ” This can happen right now on fully patched systems.

In other words, a hacker can implant a long string into the Run section of the Registry. Regedit can’t actually “see” it. When you re-start your computer, it will happily run.

This vulnerability has been confirmed on fully patched Windows 2000 and XP systems. Other systems may be at risk.

Here is what you can do right now. Run this tool from SANS which will tell you what extra long entries you have in the registry. It looks for values in excess of 254 characters. (Another option is to open up a command prompt (Start/Run/Cmd) and type “reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run”, but I wouldn’t bother with that).

And wait for the patches to come forth from various vendors.

Alex Eckelberry
(Tip o’ the hat to Eric Howes)