Could an infection be delivered via a live tile in windows 8/8.1?



#1 rp88

Posted 13 August 2015 - 01:04 PM

Only a few days ago I realised that both my computers (windows 8.1) had live tiles enabled in the metro interface, and that they had been downloading things for them (various new pictures to be displayed on the tiles, and also adverts for apps available in windows' store). I disabled the live tiles (there was only one, the windows store) on both machines as soon as I realised this. So they won't be wasting any more of my bandwidth downloading png pictures of apps I don't care about.


This however got me thinking: If the windows store shows adverts, and these adverts are shown (at least in some sense) through the live tiles, then could these tiles end up distributing viruses? As far as I could tell the only things being downloaded (and wasting a small amount of my bandwidth) were png images, but part of me wonders if flash animations (with hidden exploits) or exe files could be downloaded and run like this? Has this ever happened yet? I have no particular cause to think it has happened to me but the fact that these tiles exist like this and do what they do makes me think it could happen some day? If it could then that would be a huge problem waiting to happen, viruses delivered through a running function on a computer that most people would never even think to look at.

Would it be possible? Has it ever happened yet? The same concern would probably affect windows 10 as well, because it too has live tiles.
Thanks

Edited by rp88, 13 August 2015 - 01:04 PM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB



#2 Slurppa

Posted 13 August 2015 - 03:50 PM

Tile images are usually hosted by programs, so in order to get a malicious one you would be required to install one of those. You can still create one of your own and, for example, poll data from a website. It usually involves downloading an image and a small config file. In this case the host is IE.

 

Technically it could be possible to send some malformed config which then uses some vulnerability within the system itself in order to inject malicious code. It would still require you or some other program on your computer to create a new live tile. I don't think it would be a very usable case since you already have access to the system at that point.

 

I don't think it's going to be any less secure than just surfing the web. Microsoft controls the Windows Store so there shouldn't be any problem with malicious data being sent over their channels.

If there were some major security issues with this I think they would have been noticed at this point. But this is majorly just speculation on my part.

 

@EDIT

 

So as Didier Stevens pointed out, live tile hosts (Apps) are run inside a sandbox environment. Most malicious activity would require escaping that sandbox or using some other exploit. As with regular programs, user discretion is still advised when installing apps.


Edited by Slurppa, 13 August 2015 - 10:50 PM.

Member of the Bleeping Computer A.I.I. early response team!


#3 Didier Stevens

Posted 13 August 2015 - 05:00 PM

Windows 8 Live Tiles are Apps. Apps are not like normal programs (PE files). Apps run in a sandbox and are restricted in their interaction with the resources managed by the OS.


Didier Stevens
http://blog.DidierStevens.com
http://DidierStevensLabs.com

SANS ISC Handler
Microsoft MVP 2011-2016 Consumer Security, Windows Insider MVP 2016-2018

 

If you send me messages, per Bleeping Computer's Forum policy, I will not engage in a conversation, but try to answer your question in the relevant forum post. If you don't want this, don't send me messages.

 

Stevens' law: "As an online security discussion grows longer, the probability of a reference to BadUSB approaches 1.0"


#4 Slurppa

Posted 13 August 2015 - 10:12 PM

Windows 8 Live Tiles are Apps. Apps are not like normal programs (PE files). Apps run in a sandbox and are restricted in their interaction with the resources managed by the OS.

 

You are right. I should have done better research. Thanks for pointing this out. I will modify my first answer accordingly.




#5 Nikhil_CV

Posted 13 August 2015 - 10:33 PM

Plus, like apple and google stores, Windows apps hosted in store have security checks in place, so the chance of getting infected is less likely.

If MSFT thinks of allowing ads and pushing them to end users via tile, that's another story.
(still there are lot of ways to get infected, like other Windows versions)
Regards : CV
There is no ONE TOUCH key to security!
Be alert and vigilant....!
Always have a Backup Plan!!! Because human idiotism doesn't have a cure! Stop highlighting!
Questions are to be asked, it helps you, me and others. Knowledge is power, only when its shared to others. signature contents © cv and Someone.......

#6 rp88

Posted 14 August 2015 - 08:03 AM

Ok, thanks for the clarification, so the key points are, If I understood you correctly:


1. apps and live tiles have some of the powers a regular program has (they can write and read certain files, like the images they are responsible for downloading*) but they are also sandboxed so can't do anything like as much as real programs can?

2. a deliberately malicious app could make some forms of malicious download, but this download might not be able to run itself due to the sandboxing?

3. bundled apps on a new computer and default microsoft apps (things like the app for the store itself) could perhaps deliver infections, but only if the infection first got past vetting by microsoft, and then was downloaded as content by the app (in the same way that the app downloads images and such), and then managed to execute, and then managed to escape the sandbox?

4. microsoft doesn't yet do advertising through the live tiles (the store live tile, the weather live tile, the financial news live tile, the maps live tile...) in the same way that adverts on the normal internet are run. Instead the only adverts here are ones which microsoft themselves have made, and which advertise store apps (I know I have seen at least one instance of this before I disabled the live function on the store tile), but if they started showing third party adverts, then it would open up the risks described in point 3, but only if a malicious third party advert could get past all those obstacles.

5. I couldn't work this out, but are you saying that the live tiles can be equally vulnerable as IE can? Are you saying that a live tile (the store tile, the news tile, the weather tile...) is like a constant connection via IE to a particular website? or are you saying this is not the case? Because if live tiles ARE equivalent to adverts being shown through IE, then they would surely be guaranteed to infect users, given how vulnerable IE is and how many adverts are malicious.


* to see what images I am talking about search your C:\ drive (through the file explorer, not the search function in the top right corner of the screen) for files with a date modified of today, then look at all the images amongst them, some of those images are clearly backgrounds for adverts in the ms app store. The images will be of things like x-box games, and also title covers of films, and other things like that, title covers of games drawn in cartoon computer graphic style... that sort of stuff, you'll know them when you see them. This will occur on computers where the only live tile is the store, on computers with more live tiles more things might be found. These images will probably only be found if you have live tiles enabled. When searching "show hidden files and folders" might need to be enabled, "show protected operating system files" does not need to be enabled. This happens for windows 8.1 users, it may or may not occur for windows 8 users.

Edited by rp88, 14 August 2015 - 08:03 AM.


#7 Slurppa

Posted 15 August 2015 - 06:34 AM

Sorry for the delay. I had to do some research regarding this. Apps are pretty new concept for me.

 

1. True. For example apps have very limited access to system storage and can usually only access their own package folder without asking permission from the user.

 

 

2. Yes, apps can download files but are not allowed to execute them the same way regular programs are. You can launch another app within your app but that's pretty much it.

 

3. Not sure if I understood your question correctly, but I think answer lies in previous one(2). Without escaping their sandbox there isn't much apps can do without asking for your permission.

 

4. If you mean those adverts that Microsoft Store app shows, then I doubt that Microsoft would show third-party content on it. At least not verified one. And it would still require some yet-to-be-discovered exploit since the content is usually just parsed from a regular text file (html, xaml..).

 

5. I was referring to the IE feature that allows you to create your own live tiles out of sites. Here is a tutorial about it:

http://www.hanselman.com/blog/MakeAWindows81PinnedLiveTileForYOURWebsiteInMinutes.aspx

This usually involves reading xml file from the site and as far as I know no javascript or anything like that is executed.

This type of live tile is hosted by IE and is sandboxed as well. I cannot say whether normal IE security bugs are in effect here but then again it's the user's choice what sites to visit.

 

There may be errors in my statements, if so please give me feedback.


Member of the Bleeping Computer A.I.I. early response team!
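An added example, not part of the thread: the XML file a site publishes for an IE pinned live tile is declarative, and a defender can list exactly what it asks Windows to fetch. The element names follow Microsoft's browserconfig.xml format for pinned sites; the sample document, the host names and the function name `audit_browserconfig` are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from urllib.parse import urljoin, urlsplit

# Constructed sample of a pinned-site tile config (not taken from any real site).
SAMPLE_BROWSERCONFIG = """<?xml version="1.0" encoding="utf-8"?>
<browserconfig>
  <msapplication>
    <tile>
      <square150x150logo src="/img/tile-150.png"/>
      <wide310x150logo src="http://cdn.example.net/tile-wide.png"/>
      <TileColor>#2b5797</TileColor>
    </tile>
    <notification>
      <polling-uri src="/tiles/feed1.xml"/>
      <polling-uri2 src="https://feeds.example.org/feed2.xml"/>
      <frequency>30</frequency>
      <cycle>1</cycle>
    </notification>
  </msapplication>
</browserconfig>
"""


def audit_browserconfig(xml_text, site_url):
    """List every URL the tile config references and flag risky ones.

    Returns (refs, findings, frequency) where refs is a list of
    (kind, element, absolute_url) tuples in document order.
    """
    # A tile config has no reason to carry a DTD; refuse it so no
    # entity declarations are ever handed to the XML parser.
    if "<!DOCTYPE" in xml_text or "<!ENTITY" in xml_text:
        raise ValueError("DTD or entity declaration in tile config")

    root = ET.fromstring(xml_text)
    site = urlsplit(site_url)
    refs, findings = [], []

    for elem in root.iter():
        src = elem.get("src")
        if src is None:
            continue  # TileColor, frequency, cycle carry no URL
        url = urljoin(site_url, src)  # relative paths resolve against the site
        parts = urlsplit(url)
        kind = "poll" if elem.tag.startswith("polling-uri") else "image"
        refs.append((kind, elem.tag, url))
        if parts.scheme != "https":
            findings.append(
                f"{elem.tag}: fetched over {parts.scheme}, "
                "content can be altered in transit")
        if parts.netloc != site.netloc:
            findings.append(
                f"{elem.tag}: served by {parts.netloc}, not the pinned site")

    # Polling interval in minutes, as text; None when the site sets none.
    frequency = root.findtext(".//notification/frequency")
    return refs, findings, frequency


if __name__ == "__main__":
    refs, findings, freq = audit_browserconfig(
        SAMPLE_BROWSERCONFIG, "https://www.example.com/")
    for kind, tag, url in refs:
        print(f"{kind:5} {tag:20} {url}")
    print("poll every", freq, "minutes")
    for line in findings:
        print("FLAG:", line)
```

Everything the file can express is an image reference, a colour, or a polling URL with an interval; the audit shows which hosts the tile will contact and whether any fetch is unencrypted or off-site.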


#8 rp88

Posted 15 August 2015 - 09:32 AM

"...can usually only access their own package folder..."
that is indeed where the downloaded images are turning up.

Regarding point 5, so you are saying that a website owner can produce a live tile of their site, but it would be up to users whether they wanted to "install" this live tile and get themselves a live tile feed of the website in question? Or that a user can use some built-in windows store app to make live tiles of any URL they choose? Or are you saying that any site you visit could decide to make itself appear as a live tile?




ALSO:

I said I disabled the live tile for the "windows store", the green tile with a logo of a stylised shopping bag, I did indeed do this on both my computers, yet even at dates and times after the disabling the download of these png images continues. They all turn up in a particular folder C:\Users\[my name]\AppData\Local\Packages\WinStore_[string of text removed as it might be a unique identifying number]\LocalState\LiveTile .

Currently this folder has 7 png images in it, with very random alphanumeric names:

one of them shows the netflix logo,
one of them shows a cartoon star wars logo,
one shows a halo game series logo under a tiny green x-box logo,
one shows a stylised waveform (11 bars with the 6th coloured orange),
one shows an 8 slanted at 45 degrees clockwise,
one shows white text on a blue background saying "rdio",
and one shows the funny curly "o" at the end of the word in the "rdio" image.

None shows anything I have ever used or intend to use.

Also there are loads of files somehow related to the windows app store with a kind of "double s crossed with an oval and a dollar sign" character in them.

These seem to update daily at the time I connect to the internet, even though I disabled the one live tile I had and never use any apps.

Edited by rp88, 15 August 2015 - 09:32 AM.

Back on this site, for a while anyway, been so busy the last year.

My systems:2 laptops, intel i3 processors, windows 8.1 installed on the hard-drive and linux mint 17.3 MATE installed to USB
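An added example, not part of the thread: a check for the concern raised in the first post, that something other than an image might arrive in the tile cache under a .png name. It reads the leading bytes of each file in a folder and compares them with known file signatures; the sample files and the function names are constructed for illustration, and the rule that every file in this folder should be a PNG is an assumption taken from the description above.

```python
import os
import tempfile
from datetime import datetime

PNG_MAGIC = b"\x89PNG\r\n\x1a\n"          # fixed 8-byte PNG signature
SIGNATURES = [
    (PNG_MAGIC, "png"),
    (b"MZ", "pe-executable"),              # header of .exe and .dll files
    (b"PK\x03\x04", "zip-container"),
    (b"FWS", "flash"), (b"CWS", "flash"), (b"ZWS", "flash"),
]


def sniff(path):
    """Classify a file by its first bytes, ignoring its name."""
    with open(path, "rb") as fh:
        head = fh.read(8)
    for magic, label in SIGNATURES:
        if head.startswith(magic):
            return label
    return "unknown"


def audit_tile_cache(folder):
    """Return one row per file: name, real type, mtime, and a flag.

    Assumption: the folder is a live tile image cache, so any file
    whose content is not PNG is flagged for a closer look.
    """
    with os.scandir(folder) as it:
        entries = sorted((e for e in it if e.is_file()), key=lambda e: e.name)
    rows = []
    for entry in entries:
        actual = sniff(entry.path)
        rows.append({
            "name": entry.name,
            "actual": actual,
            "modified": datetime.fromtimestamp(entry.stat().st_mtime),
            "flagged": actual != "png",
        })
    return rows


def build_constructed_sample(folder):
    """Write three constructed files: one real PNG header, two impostors."""
    samples = {
        "a1b2c3.png": PNG_MAGIC + b"\x00" * 16,
        "d4e5f6.png": b"MZ\x90\x00" + b"\x00" * 16,
        "g7h8i9.png": b"CWS\x0a" + b"\x00" * 16,
    }
    for name, data in samples.items():
        with open(os.path.join(folder, name), "wb") as fh:
            fh.write(data)


if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as demo:
        build_constructed_sample(demo)
        for row in audit_tile_cache(demo):
            mark = "FLAG" if row["flagged"] else "ok"
            print(f'{mark:4} {row["name"]:12} {row["actual"]:14} '
                  f'{row["modified"]:%Y-%m-%d %H:%M}')
```

Pointing `audit_tile_cache` at the LiveTile folder named in the post also gives the modification times, which is the detail needed to tell whether the cache keeps refreshing after the tile is switched off.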

#9 Slurppa

Posted 15 August 2015 - 10:18 AM

"...can usually only access their own package folder..."
that is indeed where the downloaded images are turning up.

Regarding point 5, so you are saying that a website owner can produce a live tile of their site, but it would be up to users whether they wanted to "install" this live tile and get themselves a live tile feed of the website in question? Or that a user can use some built-in windows store app to make live tiles of any URL they choose? Or are you saying that any site you visit could decide to make itself appear as a live tile?
 

 

Website owner produces live tile support for their website. Then you can create live tile yourself using Internet Explorer. There is no way for website to force you to create live tile.

 

 

I said I disabled the live tile for the "windows store", the green tile with a logo of a stylised shopping bag, I did indeed do this on both my computers, yet even at dates and times after the disabling the download of these png images continues. They all turn up in a particular folder C:\Users\[my name]\AppData\Local\Packages\WinStore_[string of text removed as it might be a unique identifying number]\LocalState\LiveTile .

Currently this folder has 7 png images in it, with very random alphanumeric names:

one of them shows the netflix logo,
one of them shows a cartoon star wars logo,
one shows a halo game series logo under a tiny green x-box logo,
one shows a stylised waveform (11 bars with the 6th coloured orange),
one shows an 8 slanted at 45 degrees clockwise,
one shows white text on a blue background saying "rdio",
and one shows the funny curly "o" at the end of the word in the "rdio" image.

None shows anything I have ever used or intend to use.

Also there are loads of files somehow related to the windows app store with a kind of "double s crossed with an oval and a dollar sign" character in them.

These seem to update daily at the time I connect to the internet, even though I disabled the one live tile I had and never use any apps.

 

Were those images there before you disabled live tile for the store app?

Those images are used by Microsoft Store app for advertisement of the given software.

The files you described are cache files of the Store app. The name of the weird symbol is surface integral. I don't know why they use that but it's normal behaviour.


Edited by Slurppa, 15 August 2015 - 10:21 AM.



#10 rp88

Posted 17 August 2015 - 01:48 PM

Older versions of those images were there before I disabled the live tile, but they have updated themselves since, the dates created and modified are more recent than the time I turned off the live tile. Very creepy, and a bit concerning for security, how they keep updating even with the live tile disabled.

Correction, with the live tile still disabled those images have changed again now, now there are four in the folder, they show:

1.a green furry ball with eyes and a moustache
2.a screaming ogre under an xbox logo
3.a white F with a curled serif to the left of the top of the F, on a dark circle with vertical coloured stripes behind
4.a cartoon of a brown leather wallet

Their date created/modified was 21:24 yesterday, approximately the time yesterday at which I first connected to the internet.



Ah yes, the surface integral, I recognise it from mathematics now you say that. Nice to know a computer font character actually exists for this symbol. Given how regularly I see the character in equations ( I do a lot of calculations which involve that sort of mathematics ) I feel a fool for not recognising what it was.

Edited by rp88, 17 August 2015 - 01:54 PM.


#11 Slurppa

Posted 19 August 2015 - 02:57 PM

I think Windows Store app downloads those images on startup or when first time connected to internet. However, it doesn't seem to update them after that. As far as security goes, I don't think it offers any more attack surface than, for example, windows update.




#12 rp88

Posted 16 December 2015 - 04:43 PM

On the subject of these weird image downloads, images being downloaded which are in some way connected with the windows store, I think I might have found a "fix". Time (the next few days to monitor if those images continue to update once daily or if they stay forever as they currently are) will tell if the "fix" is effective. Let me explain:

Today I saw something creepy, the windows store tile was visible on the "start screen" just as I logged out, it showed I had 7 "messages" within it. No doubt these messages are related to windows 10 (see my post at http://www.bleepingcomputer.com/forums/t/599598/is-the-windows-store-tile-in-81-now-giving-messages-about-win10/ ) so I decided that the windows store had to stop doing anything on my machine as of that moment. I found a way to disable the windows store service and I unpinned the tile from that start screen so it now only gets listed on that "apps list" page that the down arrow on the start screen can take you to. Disabling the windows store service (WSService) was not easy, it can't be done from within "open services" (accessed from the "services" tab of task manager), I had to go into regedit and change, VERY CAREFULLY one AND ONLY ONE thing. There is a key within the registry for this service and there is a place where a value can be given to its startup type (I will describe this process in greater detail if the next few days prove what I've done has worked), by changing this value it can be disabled entirely. The process involved changing a value in the registry, which we all know to be highly risky, so it is not something which anyone without system images made should EVER dare to do, but if the next few days prove me right it looks like it might have worked to prevent these weird images being downloaded daily (and if it has worked I'll describe EXACTLY how I did it). Naturally doing this isn't something which users of store apps should consider, and it may cause some problems* (the next few days will let me know if it has so I can undo it if it's a problematic change) with other features on the system, but for now everything is working fine.

* I tested windows update, this still works fine to check for updates with the store service disabled so that's one thing which doesn't suffer problems when doing this. But it'll be a few days of use before I can see if other things have suffered problems due to this disabling.

I am NOT recommending anyone else do this until I've seen whether there are any problematic side-effects, but in a few days I should know. And I would NEVER recommend anyone do anything LIKE this unless they have system images about in case of severe problems.

Note: this post is not related to the discussion of whether live tiles could present any kind of security risk (the discussion occurring in the very first few posts of this thread), rather it is simply discussing whether they can be fully disabled in such a way that one does not get daily downloads of random images (which is what was discussed in the rest of this thread) related to the windows store.

Edited by rp88, 16 December 2015 - 05:02 PM.


#13 rp88

Posted 17 December 2015 - 12:48 PM

Looks like disabling that service has stopped those png images downloading, certainly they haven't downloaded today and in the past they've arrived on a daily basis. Will post more in a day or two to report whether this effect has lasted over the next few days.

#14 rp88

Posted 19 December 2015 - 12:45 PM

It doesn't work. Those random png images are still being refreshed every day or so despite the store service being disabled. Is it worth keeping the store service disabled or better putting it back to how it was before? Would leaving this service disabled offer any advantage at all for stopping attempts to "upgrade" me to windows 10* or will whether this service is enabled or disabled have no effect at all on that sort of thing?

Thanks

*I have of course already taken all the main steps such as avoiding certain KB updates and having updates on "check automatically but ask me whether I want to download", just wondering if having the store service disabled might also be helpful or if it's pointless?

Edited by rp88, 19 December 2015 - 12:46 PM.




