Some portable internet browsers are granted as trusted installers [M1368]

1. The full product and its version:
CIS 8.0.0.4314 beta

2. Your Operating System (32 or 64 bit) and Service Pack revision, and if using a virtual machine, which one:
Win7x86SP1 (VMware), UAC is enabled

3. List all the configuration changes you did. Are you using Default configuration? If no, what's the difference?:
Configuration: Proactive Security
No changes

Antivirus:
Stateful
“Do not show antivirus alerts”: disabled

HIPS:
Safe Mode
“Create rules for safe applications”: disabled

Auto-Sandbox: Enabled
Firewall: Safe Mode

4. Did you install over a previous version without uninstalling first, or import a previous configuration file?:
No

5. Other Security, Sandboxing or Utility Software Installed:
No

6. Step by step description to reproduce the issue. Or if you cannot reproduce it, what you actually did before it happened, step by step:

1: Download and install some portable browser:

2: Run it and notice that its launcher has rating “Installer or Update”

3: Download any executable file and run it directly by the browser

4: Take notice: unrecognized program is running without restrictions

7. What actually happened when you carried out these steps:
The “Installer or Update” privileges were applied to the internet browser

8. What you expected to see or happen when you carried out these steps, and why (if not obvious):
Applications such as PortableApps should not be granted as installers

And in general no application should be granted as installer when it doesn’t require administrator privileges to run (!)

9. Any other information:
It would be useful to have an option for suppressing installer privileges. It is described in the wishlist.

In CIS 7, users had a method to disable these privileges in case they were undesirable. In the version “CIS 8.0.0.4314 beta” that method doesn’t work. This problem was described formerly.


Yeah, Comodo has plenty of bugs with portable browsers :'( :'( :'( :'( :'( :'(

Do you know any other problems with portable browsers?

Dear kibinimatik

Yes I see the problem.

Let me think this through a bit and get back to you later.

I think what may be happening is that because the launcher is a trusted file and needs to run other files it is being granted installer updater privs.

Meanwhile could you please post your active process list or Killswitch display while a portable browser, launched from a launcher, is running an unrecognised file?

Just to check if this is happening after a post browser installation reboot? Please check if you can. (I realize this is a portable app, but maybe the launcher is doing something special on first run)

Many thanks

Mouse

Actually I think you have supplied enough information to move to format verified, thanks.

But what I have requested would be useful confirmation of my understanding if you can manage it

Kind regards

Mouse

This vulnerability has appeared with the version 8.0.0.4337 too.

This bug opens the door to bypass Comodo’s HIPS, Auto-Sandbox and Antivirus together.
I have attached an example in which the launcher of FirefoxPortable is used to run an unrecognized program with trusted installer’s privileges.


Hello,

The devs have not marked this as Fixed in the tracker. However, sometimes bugs are fixed by the release of new versions, but not marked as Fixed in the tracker.

If you are able please check with the newest version (CIS version 8.1.0.4426) and let me know if this is fixed on your computer with that version.

Thank you.

It is not fixed.
With 8.2.0.4474 BETA too.


Thanks for letting me know. I have updated the tracker.

This also applies to the browser Opera 29: https://forums.comodo.com/news-announcements-feedback-cis/epic-fail-opera-has-trusted-intallers-privieges-t110946.0.html

Hi kibinimatik,

Please check with version <8.2.0.4674>.

Thank you.

This has been fixed, but only partially.
In the version CIS 8.2.0.4674 any files named “OperaPortable.exe”, “FirefoxPortable.exe”, “GoogleChromePortable.exe” are not taken for installers (when they are smaller than 40 MB). So these portable browsers can be used safely.

But:

  1. When the launcher of a portable browser is renamed by the user, it gets installer privileges.

  2. Hackers can use renamed launchers of portable browsers to bypass CIS.

  3. Some other portable applications are taken for installers, e.g. FreeCommander XE Portable.
    Such applications are dangerous to CIS.
    Any file created by them gets trusted. Any file started by them runs without restrictions.

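The partial fix reported in the post above, as an added example that is not part of the original thread and is not Comodo's code: a small model of an exemption keyed on file name and size, next to one keyed on content hash, showing why only the latter gives the same verdict after a rename. The `heuristic_hit` flag, the hash-based rule, the file contents, sizes and the names `renamed_launcher.exe` and `SomePortableApp.exe` are assumptions constructed for illustration.

```python
import hashlib
from dataclasses import dataclass

SIZE_LIMIT = 40 * 1024 * 1024  # 40 MB threshold reported in the post
EXEMPT_NAMES = {"operaportable.exe", "firefoxportable.exe", "googlechromeportable.exe"}

@dataclass(frozen=True)
class FileInfo:
    name: str
    content: bytes  # short constructed stand-in for the file's bytes
    size: int       # constructed on-disk size in bytes

def sha256(f: FileInfo) -> str:
    return hashlib.sha256(f.content).hexdigest()

def installer_by_name(f: FileInfo, heuristic_hit: bool = True) -> bool:
    """Model of the reported behaviour: exemption keyed on file name and size."""
    if f.name.lower() in EXEMPT_NAMES and f.size < SIZE_LIMIT:
        return False
    return heuristic_hit

def installer_by_hash(f: FileInfo, exempt: set, heuristic_hit: bool = True) -> bool:
    """Alternative (assumption): exemption keyed on content hash, rename-proof."""
    if sha256(f) in exempt:
        return False
    return heuristic_hit

def name_dependent(files, exempt):
    """Names whose verdict depends only on what the file is called."""
    return [f.name for f in files
            if installer_by_name(f) != installer_by_hash(f, exempt)]

# Constructed sample data: same bytes under two names, plus an unlisted portable app.
launcher = FileInfo("FirefoxPortable.exe", b"constructed-launcher-bytes", 200_000)
renamed = FileInfo("renamed_launcher.exe", launcher.content, launcher.size)
unlisted = FileInfo("SomePortableApp.exe", b"constructed-other-bytes", 300_000)
EXEMPT_HASHES = {sha256(launcher)}

if __name__ == "__main__":
    for f in (launcher, renamed, unlisted):
        print(f.name, installer_by_name(f), installer_by_hash(f, EXEMPT_HASHES))
    print("verdict depends on name:",
          name_dependent([launcher, renamed, unlisted], EXEMPT_HASHES))
```

Neither exemption list covers the unlisted application, which matches point 3 of the post: a list of exceptions leaves the underlying installer classification unchanged for everything not on it.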

Can confirm on 8.2.0.4703: renaming the portable browser launchers does grant them Trusted/Installer rights, and FreeCommander Portable executed as is will also have Trusted/Installer rights.


I’ve updated tracker data.
Thank you.

It is fixed in the “leaked” CIS 9.0.0.4725. Many thanks to developers!

But… before the final release it is premature to celebrate.

In that case, I will move this one to “Resolved” section.
Thank you.