Tag Archives: Microsoft

How to remove Flash from Windows 10

by

As many of you have discovered by now, Microsoft surreptitiously added the Flash player in an update well after the upgrade to Windows 10. It isn’t possible to remove it using the standalone uninstaller from Adobe as in previous versions as this is now baked into Edge, Microsoft’s new browser… almost.

It is possible, to remove the plugin, but it requires a fair bit of manual labor to do so. First, go to Edge and select options (the . . . ) and follow the steps to make sure the Flash is turned off.

edgsettings

Edge > Options > Settings

Scroll down and click on

Scroll down and click on “View advanced settings”

Make sure Flash is turned off.

Make sure Flash is turned off.

Now the fun part

Microsoft has set ownership permissions for all the files we need to delete so that none of them can be removed without changing them first. The files we need to delete are located in the following places :

  • C:\Windows\System32\Macromed\Flash
  • C:\Windows\SysWOW64\Macromed\Flash

In each of these directories, you should see these files :

  • activex.vch
  • Flash.ocx
  • FlashUtil_ActiveX.dll
  • FlashUtil_ActiveX.exe

You may also see FlashInstall.log. Trying to delete these will give you a permission denied error. To change that, follow these steps. Be advised that you’ll have to follow these steps for each of those files individually as Microsoft has made it very difficult to collectively apply the same permissions by inheritance.

Right click > Properties > Select the

Right click > Properties > Select the “Security” tab. Click “Advanced”.

Note on top how the current owner is

Note on top how the current owner is “TrustedInstaller” (the biggest oxymoron in software if there ever was one).
Click on “change” to take ownership.

You'll be presented with the familiar user selection box. Click

You’ll be presented with the familiar user selection box.
Click “Advanced”.

flash4

…and “Find Now”.

Select your username and click

Select your username and click “OK”

...and then

…and then “OK” again on the user box.

You’re now the owner of the file to delete, but that’s not enough. You need to change the principal access.

Select the

Select the “Auditing” tab and click “Add”.

Click

Click “Select a principal”. We’ll have to do the same user selection song and dance we did before (“Advanced”, “Find Now” etc…)

But now we can check

But now we can check “Full control”.

Once you've done this, click

Once you’ve done this, click “OK” and then back at the “Auditing” tab…

...click

…click “Apply”.

You'll see a security dialog saying you'll need to close and reopen the security properties. That's fine (it's the least of our worries at this point). Click

You’ll see a security dialog saying you’ll need to close and reopen the security properties. That’s fine (it’s the least of our worries at this point). Click “OK” on the dialog and back at the “Auditing” tab and move on.

Close all the dialogs. Right click on the file again and select

Close all the dialogs. Right click on the file again and select “Properties” and select the “Security” tab as before. Click on “Edit” and you’ll see this.

Now you should be able change the permissions by selecting your username and checking

Now you should be able change the permissions by selecting your username and checking “Full control”

You’ll get a warning dialog. Just click “OK” on it and click on “OK” on the permissions box too. You can now delete that file.

Whew!

Cleaning the control panel

You’ll still see the FlashPlayer utilty in the control panel so to remove that, go to C:\Windows\SysWOW64 and delete:

  • FlashPlayerApp.exe
  • FlashPlayerCPLApp.cpl

Keep in mind, however, that there’s nothing preventing Microsoft from installing Flash on your system again. You don’t own proprietary software. Yes it’s your computer and you may pay for it (well, Windows 7, since this is a free upgrade), but you don’t own it if you can’t control what’s on your system how it gets there. Further, Windows 10 is as close to Software as a Service as you’ll get while still having something installed. It’s the most invasive in terms of your privacy as well, but there are mitigations you can take.

For your next operating system, may I suggest Linux Mint?

Why I cancelled my teched talks

by

Microsoft. Winning fans at every opportunity.

Greg Young's Blog

This was written the morning of my session at TechEd and has been sitting for a while. I wanted to give some time to see if Microsoft would have some kind of follow up.

A bit jetlagged now. Why? I flew from Bali into New Orleans to speakĀ at TechEd, yeah thatā€™s about two days of travel and 15 hours ofĀ jetlag. It was awesome waking up at midnight my first night here (at least in New Orleans you know you can get a good breakfast at 0200).

This morning I managed to get out of bed to go do my talk at TechEd.Ā Upon arrival at the venue we went to registration for speakers. I gotĀ my badge. I asked how we should handle my wife coming with me for theĀ hour duration of my talk (she wanted to take pictures). I was told they canā€™t handle it and we needĀ to go to theā€¦

View original post 995 more words

Stop WebMatrix from opening every folder on double-click

by

Just when you thought in 2012, Microsoft, out of the kindess of their heart (or byĀ finally listening to the public they’ve been shafting for years) wouldn’t do something completely asinine with their software…

If you’ve installed Microsoft WebMatrix lately, you may have noticed that it has the ability to open a folder as a website by right clicking and selecting “Open as a Web Site with Microsoft WebMatrix”. The problem is that now it opens every singleĀ folder just by double clicking on.

Fire up RegEdit and navigate to :
\HKEY_CLASSES_ROOT\Directory\shell

Find a key called “OpenAsAWebsite”. You’ll find a subkey called “command”. Copy the default value of theĀ key and deleteĀ it andĀ its parent “OpenAsAWebSite”.

Now navigate to:
\HKEY_CLASSES_ROOT\Folder\shell\ContextMenuHandlers

Add a new key hereĀ called “OpenAsAWebSite” (like the one above) and give this a default value of “Open as a Web Site with Microsoft WebMatrix”. Then create a “command” key under it,Ā just like you saw before, and change its default value by pasting what you copied from before. Or if you forgot to copy it, changeĀ to the install directory of WebMatrixĀ if necessary and paste the followingĀ :

C:\Program Files (x86)\Microsoft WebMatrix\WebMatrix.exe #ExecuteCommand# SiteFromFolder %L

Now you should still be able to use the Open as Web Site feature in WM, but not have it happen by defaultĀ when you try to openĀ every bloody folder.

Note to Microsoft:
I know you’ll ignore this, but stop being stupid!

Microsoft has a different definition for “Open Source”

by

The Microsoft Web Protection Library, commonly referred to as AntiXss (the previous class name) has had a bit of a vulnerability. Now we all know that vulnerability and Microsoft usually go together like chicken and eggs, but you see what makes this different is that it’s an apparent earnest effort at an Open Source project. Unfortunately, the newest iteration of this project, 4.2 breaks everything. This isn’t unusual by itselfĀ either as that too is a Microsoft staple and indeed other projects have faced similar issues with “fixes”. What is unusual is that MS has reinterpreted the meaning of Open Source and removed all previous binaries to the library that actually worked, even with the vulnerabilityĀ (thereby making it non-Open), and the sources for the 4.2 “fixes” are still unavailable.

Now I’ve read theĀ FAQĀ for Open Source, but I couldn’t find single instance where this behavior would fit under the term. I scanned through the FAQ again, and found a behavior similar to what MS is actually doing and came across the following :

What if I do not want to distribute my program in source code form? Or what if I don’t want to distribute it in either source or binary form?

If you don’t distribute source code, then what you are distributing cannot meaningfully be called “Open Source”. And if you don’t distribute at all, then by definition you’re not distributing source code, so you’re not distributing anything Open Source.

Interesting…

What’s more, “Barry” the coordinator of the project on CodePlex has stated the following when another user wanted the sources listed :

The source branch for 4.0, release, is available – the dates don’t ever match due to the way we publish.

The source for 4.2 is not available – it takes a bit of cleaning before publication (we usually have a 1-2 week gap), and as we’re working on getting the sanitizer functional again for 4.3 taking the time to publish the 4.2 code would remove effort from tracking down what is going on.

That’s not quite what it means to be Open Source, Barry.

But earlier on the same thread he had said :

It’s company policy I’m afraid. The source will remain though, so if you desperately wanted you could download and compile your own versions of older releases.

Notice it wasn’t project policy or community policy. But it was company policy; meaning Microsoft has a different definition of the term Open Source.

So AntiXss is no longer an Open Source project.

AntiXss 4.2 Breaks everything

by

This is one of those situations where none of your available options are good and your least harmful alternative is to shoot yourself in the foot at a slightly odd angle so as to only lose the little toe and not the big one.

All of this happened when Microsoft revealed January that their AntiXss library, now known as the Microsoft Web Protection Library (never seen a more ironic combination of words), had a vulnerabilityĀ and like all obedient drones, we must update immediately to avoid shooting ourselves in our big toe. The problem is that updating will cause you to loose your little toe.

You see, the new library BREAKS EVERYTHING and eats your children.

Update 11/14/2013:
A new HTML sanitizer is now available for PHP.

I WILL EAT ALL YOUR TAGS!!!

I think the problem is best described by someone who left a comment at the project discussion board.

I was using an old version of Anti-XSS with a rich text editor (CkEditor). It was working very great. But when upgrading to latest version, I discovered the new sanitized is way too much aggressive and is removing almost everything “rich” in the rich editor, specially colors, backgrounds, font size, etc… It’s a disaster for my CMS!

Is there any migration path I can use to keep some of the features of the rich text editor and having at least minimal XSS protection ?

Lovely eh?

Here’s the response from the coordinator.

CSS will always be stripped now – it’s too dangerous, but in other cases it is being too greedy, dropping hrefs from a tags for example. That is being looked at.

I know this may be a strange idea to comprehend for the good folks who developed the library, but you see in the civilized world, many people tend to use WYSIWYG in their projects so as to not burden their users with tags. These days more people are familiar with rudimentary HTML, but when you just want to quickly make a post, comment or otherwise share something, it’s nice to know there’s an editor that can accommodate rich formatting. This is especially true on a mobile device, where switching from text to special characters for tags is still annoying.

Those WYSIWYGs invariably use CSSĀ and inline styles to accomplish this rich formatting, thereby making your assertion ridiculous and this library now completely impractical.

A very quick test on the 4.2 Sanitizer shows that it totally removes strong tags, h1 tags, section tags and as mentioned above strips href attributes from anchor tags. At this rate the output will soon be string.Empty. I hope that the next version will allow basic markup tags and restore the href to anchors.

So in other words, AntiXss is now like an antidepressant. You’ll feel a lot better after taking it, but you may end up killing yourself.

And that’s not all…

I would have kept my mouth shut about this even though I’ve had my doubts about depending on the library over something DIY, but since I work with a bunch of copycat monkeys, I have to use whatever everyone else deems worthy of being included in a project (common sense be damned). I thought, surely there would at least be the older versions available, but no

It’s company policy I’m afraid. The source will remain though, so if you desperately wanted you could download and compile your own versions of older releases.

Of course, I lost my temper at that. Since I’m forced to use this library and one of the devs went ahead and upgraded without backing up the old version or finding out exactly how the vulnerability would affect us. I now had to go treasure hunting across three computers to find 4.0 after just getting home.

AntiXss 4.2 is stupid and so is Microsoft.

Here’s my current workaround until MS comes up with a usable alternative. I’m also using the HtmlAgilityPack which at the moment hasn’t contracted rabies, thankfully, and the 4.0 library.

using System;
using System.Collections.Generic;
using System.Linq;
using System.Text;
using HtmlAgilityPack;

namespace Arcturus.Helpers
{
	/// <summary>
	/// This is an HTML cleanup utility combining the benefits of the
	/// HtmlAgilityPack to parse raw HTML and the AntiXss library
	/// to remove potentially dangerous user input.
	///
	/// Additionally it uses a list created by Robert Beal to limit
	/// the number of allowed tags and attributes to a sensible level
	/// </summary>
	public sealed class HtmlUtility
	{
		private static volatile HtmlUtility _instance;
		private static object _root = new object();

		private HtmlUtility() { }

		public static HtmlUtility Instance
		{
			get
			{
				if (_instance == null)
					lock (_root)
						if (_instance == null)
							_instance = new HtmlUtility();

				return _instance;
			}
		}

		// Original list courtesy of Robert Beal :
		// http://www.robertbeal.com/

		private static readonly Dictionary<string, string[]> ValidHtmlTags =
			new Dictionary<string, string[]>
        {
            {"p", new string[]          {"style", "class", "align"}},
            {"div", new string[]        {"style", "class", "align"}},
            {"span", new string[]       {"style", "class"}},
            {"br", new string[]         {"style", "class"}},
            {"hr", new string[]         {"style", "class"}},
            {"label", new string[]      {"style", "class"}},

            {"h1", new string[]         {"style", "class"}},
            {"h2", new string[]         {"style", "class"}},
            {"h3", new string[]         {"style", "class"}},
            {"h4", new string[]         {"style", "class"}},
            {"h5", new string[]         {"style", "class"}},
            {"h6", new string[]         {"style", "class"}},

            {"font", new string[]       {"style", "class",
				"color", "face", "size"}},
            {"strong", new string[]     {"style", "class"}},
            {"b", new string[]          {"style", "class"}},
            {"em", new string[]         {"style", "class"}},
            {"i", new string[]          {"style", "class"}},
            {"u", new string[]          {"style", "class"}},
            {"strike", new string[]     {"style", "class"}},
            {"ol", new string[]         {"style", "class"}},
            {"ul", new string[]         {"style", "class"}},
            {"li", new string[]         {"style", "class"}},
            {"blockquote", new string[] {"style", "class"}},
            {"code", new string[]       {"style", "class"}},
			{"pre", new string[]       {"style", "class"}},

            {"a", new string[]          {"style", "class", "href", "title"}},
            {"img", new string[]        {"style", "class", "src", "height",
				"width", "alt", "title", "hspace", "vspace", "border"}},

            {"table", new string[]      {"style", "class"}},
            {"thead", new string[]      {"style", "class"}},
            {"tbody", new string[]      {"style", "class"}},
            {"tfoot", new string[]      {"style", "class"}},
            {"th", new string[]         {"style", "class", "scope"}},
            {"tr", new string[]         {"style", "class"}},
            {"td", new string[]         {"style", "class", "colspan"}},

            {"q", new string[]          {"style", "class", "cite"}},
            {"cite", new string[]       {"style", "class"}},
            {"abbr", new string[]       {"style", "class"}},
            {"acronym", new string[]    {"style", "class"}},
            {"del", new string[]        {"style", "class"}},
            {"ins", new string[]        {"style", "class"}}
        };

		/// <summary>
		/// Takes raw HTML input and cleans against a whitelist
		/// </summary>
		/// <param name="source">Html source</param>
		/// <returns>Clean output</returns>
		public string SanitizeHtml(string source)
		{
			HtmlDocument html = GetHtml(source);
			if (html == null) return String.Empty;

			// All the nodes
			HtmlNode allNodes = html.DocumentNode;

			// Select whitelist tag names
			string[] whitelist = (from kv in ValidHtmlTags
								  select kv.Key).ToArray();

			// Scrub tags not in whitelist
			CleanNodes(allNodes, whitelist);

			// Filter the attributes of the remaining
			foreach (KeyValuePair<string, string[]> tag in ValidHtmlTags)
			{
				IEnumerable<HtmlNode> nodes = (from n in allNodes.DescendantsAndSelf()
											   where n.Name == tag.Key
											   select n);

				// No nodes? Skip.
				if (nodes == null) continue;

				foreach (var n in nodes)
				{
					// No attributes? Skip.
					if (!n.HasAttributes) continue;

					// Get all the allowed attributes for this tag
					HtmlAttribute[] attr = n.Attributes.ToArray();
					foreach (HtmlAttribute a in attr)
					{
						if (!tag.Value.Contains(a.Name))
						{
							a.Remove(); // Attribute wasn't in the whitelist
						}
						else
						{
							// *** New workaround. This wasn't necessary with the old library
							if (a.Name == "href" || a.Name == "src") {
								a.Value = (!string.IsNullOrEmpty(a.Value))? a.Value.Replace("\r", "").Replace("\n", "") : "";
								a.Value =
									(!string.IsNullOrEmpty(a.Value) &&
									(a.Value.IndexOf("javascript") < 10 || a.Value.IndexOf("eval") < 10)) ?
									a.Value.Replace("javascript", "").Replace("eval", "") : a.Value;
							}
							else if (a.Name == "class" || a.Name == "style")
							{
								a.Value =
									Microsoft.Security.Application.Encoder.CssEncode(a.Value);
							}
							else
							{
								a.Value =
									Microsoft.Security.Application.Encoder.HtmlAttributeEncode(a.Value);
							}
						}
					}
				}
			}

			// *** New workaround (DO NOTHING HAHAHA! Fingers crossed)
			return allNodes.InnerHtml;

			// *** Original code below

			/*
			// Anything we missed will get stripped out
			return
				Microsoft.Security.Application.Sanitizer.GetSafeHtmlFragment(allNodes.InnerHtml);
			 */
		}

		/// <summary>
		/// Takes a raw source and removes all HTML tags
		/// </summary>
		/// <param name="source"></param>
		/// <returns></returns>
		public string StripHtml(string source)
		{
			source = SanitizeHtml(source);

			// No need to continue if we have no clean Html
			if (String.IsNullOrEmpty(source))
				return String.Empty;

			HtmlDocument html = GetHtml(source);
			StringBuilder result = new StringBuilder();

			// For each node, extract only the innerText
			foreach (HtmlNode node in html.DocumentNode.ChildNodes)
				result.Append(node.InnerText);

			return result.ToString();
		}

		/// <summary>
		/// Recursively delete nodes not in the whitelist
		/// </summary>
		private static void CleanNodes(HtmlNode node, string[] whitelist)
		{
			if (node.NodeType == HtmlNodeType.Element)
			{
				if (!whitelist.Contains(node.Name))
				{
					node.ParentNode.RemoveChild(node);
					return; // We're done
				}
			}

			if (node.HasChildNodes)
				CleanChildren(node, whitelist);
		}

		/// <summary>
		/// Apply CleanNodes to each of the child nodes
		/// </summary>
		private static void CleanChildren(HtmlNode parent, string[] whitelist)
		{
			for (int i = parent.ChildNodes.Count - 1; i >= 0; i--)
				CleanNodes(parent.ChildNodes[i], whitelist);
		}

		/// <summary>
		/// Helper function that returns an HTML document from text
		/// </summary>
		private static HtmlDocument GetHtml(string source)
		{
			HtmlDocument html = new HtmlDocument();
			html.OptionFixNestedTags = true;
			html.OptionAutoCloseOnEnd = true;
			html.OptionDefaultStreamEncoding = Encoding.UTF8;

			html.LoadHtml(source);

			// Encode any code blocks independently so they won't
			// be stripped out completely when we do a final cleanup
			foreach (var n in html.DocumentNode.DescendantNodesAndSelf())
			{
				if (n.Name == "code") {
					//** Code tag attribute vulnerability fix 28-9-12 (thanks to Natd)
					HtmlAttribute[] attr = n.Attributes.ToArray();
					foreach (HtmlAttribute a in attr) {
						if (a.Name != "style" && a.Name != "class")  { a.Remove(); }
					} //** End fix
					n.InnerHtml =
						Microsoft.Security.Application.Encoder.HtmlEncode(n.InnerHtml);
				}
			}

			return html;
		}
	}
}

This is a singleton class, so you need to call Instance to initiate.

E.G.

HtmlUtility util = HtmlUtility.Instance;

7:40AM… Bedtime!

Update : September 28.

Natd discovered a vulnerability in this code that allowed onclick attributes to be added to the code tag itself. Fixed.