A
AMADHA
When a program tries to access the address book (XP sp2, Outlook 2002 sp3) a
warning message pops up indicating that a program is trying to access my
address book. It would be nice to know what program it was that was doing so.
I realize that this is hard to do in a multitasking system, however I
believe that a simple change to the call mechanism of the address book and
small patch to the OS could accomplish this (this would be a big change to
the dev community, but hey this is a major hole). Add a requirement to attach
the PID id of the requestor (made available by a request - what am I?) to any
request for access to the address book. While in the OS, the change would
impact the Windows Task Manager function by adding the start-up directory to
the secondary mouse-click display options for an "Image Name" on the
processes screen of 'taskman'.
These two 'small' changes will provide users the ability to determine if
running processes ought to be (or at least which program would be impacted by
a kill process command) and would permit the error message to display a
reverse look-up of the PID to list the directory and image name of the
requestor.
A more involved fix would be to change the interprocess communication to use
the active PID as the communication primary ID, forcing malware to intercept
and pass on PID identified communications. This could be foiled by adding to
the internal security system an application registration process (internal to
OS) that 'registers' runable files by directory on install (clearly notifying
on changes to registered apps) that on application startup validates the
assigned PID-Image name/start directory with the registry and compares it to
other running apps and prevents access to mismatches or duplicate running
apps with different exe characteristics(the malware would have to overwrite
the actual application exe and fudge the registratioy entries). A further
enhancement is to include the internal application GUID into this process.
Just my opinion.
warning message pops up indicating that a program is trying to access my
address book. It would be nice to know what program it was that was doing so.
I realize that this is hard to do in a multitasking system, however I
believe that a simple change to the call mechanism of the address book and
small patch to the OS could accomplish this (this would be a big change to
the dev community, but hey this is a major hole). Add a requirement to attach
the PID id of the requestor (made available by a request - what am I?) to any
request for access to the address book. While in the OS, the change would
impact the Windows Task Manager function by adding the start-up directory to
the secondary mouse-click display options for an "Image Name" on the
processes screen of 'taskman'.
These two 'small' changes will provide users the ability to determine if
running processes ought to be (or at least which program would be impacted by
a kill process command) and would permit the error message to display a
reverse look-up of the PID to list the directory and image name of the
requestor.
A more involved fix would be to change the interprocess communication to use
the active PID as the communication primary ID, forcing malware to intercept
and pass on PID identified communications. This could be foiled by adding to
the internal security system an application registration process (internal to
OS) that 'registers' runable files by directory on install (clearly notifying
on changes to registered apps) that on application startup validates the
assigned PID-Image name/start directory with the registry and compares it to
other running apps and prevents access to mismatches or duplicate running
apps with different exe characteristics(the malware would have to overwrite
the actual application exe and fudge the registratioy entries). A further
enhancement is to include the internal application GUID into this process.
Just my opinion.