The registry is not an API

Disclaimer: I love the [Windows] registry.

But folks correctly point out that the registry is not an API. It fails to provide reliable semantics and is void of any kind of regulation, guidance and mostly governed by a set of traditional, unwritten rules established by Microsoft’s example and legacy and weakly enforced by tools such as Active Directory Group Policies.

There’s no point discussing why .config files or other decentralized, hierarchical, semi-structured configuration storages are usually no less a PITA and a “real” API, like WBEM (i.e. WMI) is used or understood by nobody.

 

Whatever.

 

Today brings a fine example:

PDF "/Launch" Social Engineering Attack

Suppose Acrobat [Reader] did not expose these registry keys.

Suppose the setting was in AcroRd32.exe.config or ~/.acroRd32 or who knows where, maybe C:UsersTheUserAppDataLocalAdobeReaderTrustManager.settings.

Or, suppose there was command line, e.g. like “adobeconfig –user –acrobatReader –trustManager –allowOpenFile false”.

To fix this security problem on a couple hundred of desktop machines and, possibly, servers, what would you do?

Advertisements
This entry was posted in Computers and Internet. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s