What are Embedded MSI files?
Recently, our threat team posted about a Windows feature that, when abused, can lead to unauthorized code execution that bypasses code signing checks. The technique appends a malicious JAR file to an MSI file.
To read more about what our threat team found, please see this UeX post.
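As an added illustration, not part of the Rapid Config or any Carbon Black code, the following Python check flags an MSI whose bytes also parse as a ZIP/JAR archive, which is the pattern described above: the file still begins with a valid installer header, but a ZIP central directory is reachable from its tail. The sample files it inspects are constructed in-memory stubs, not real installers.

```python
import io
import zipfile

# MSI packages are OLE Compound File Binary (CFB) containers; this is the CFB magic.
CFB_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"


def inspect_msi_bytes(data: bytes) -> dict:
    """Return a verdict dict for an in-memory file.

    A clean MSI is only a CFB container. If the same bytes also parse as a ZIP
    archive (an End Of Central Directory record is found at the tail and the
    central directory resolves), data has been appended after the installer.
    A META-INF/MANIFEST.MF entry marks the appended archive as a JAR.
    """
    verdict = {
        "is_msi": data.startswith(CFB_MAGIC),
        "trailing_zip": False,
        "is_jar": False,
        "entries": [],
    }
    if not verdict["is_msi"]:
        return verdict
    buf = io.BytesIO(data)
    # zipfile tolerates arbitrary leading bytes (as self-extractors rely on),
    # so it will happily read an archive glued onto the end of an MSI.
    if zipfile.is_zipfile(buf):
        with zipfile.ZipFile(buf) as zf:
            names = zf.namelist()
        verdict["trailing_zip"] = True
        verdict["entries"] = names
        verdict["is_jar"] = "META-INF/MANIFEST.MF" in names
    return verdict


def make_sample_msi(append_jar: bool) -> bytes:
    """Constructed sample: a CFB header padded to one 512-byte sector,
    optionally followed by a tiny benign JAR. Not a real installer."""
    msi = CFB_MAGIC + b"\x00" * (512 - len(CFB_MAGIC))
    if not append_jar:
        return msi
    jar = io.BytesIO()
    with zipfile.ZipFile(jar, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
        zf.writestr("README.txt", "constructed sample entry\n")
    return msi + jar.getvalue()


if __name__ == "__main__":
    for appended in (False, True):
        print(appended, inspect_msi_bytes(make_sample_msi(appended)))
```

Running the same function over real MSI files on disk (reading them as bytes) gives a file-level cross-check of what the Rapid Config reports at execution time.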
How can CB Protection help?
The Windows Installer Embedded File Protection Rapid Config focuses on blocking or reporting JAR files that are appended to MSI files and other related Microsoft installer formats.
Requirements: the java.exe script rule must be enabled, and the CB Protection Server must be version 8.0 Patch 7 or later.
If you are running a version of CB Protection Server 8.0 prior to 8.0 Patch 7, you can import a rule that provides this coverage by following the instructions in this link. Versions prior to 8.x are not supported.
If your environment prevents you from receiving this Rapid Config via the CDC, please contact support for manual installation instructions.
Rapid Config details
The Windows Installer Embedded File Protection Rapid Config has three parameters that can be configured.
The first parameter lets you Report or Block the execution of JAR files identified as installers. It is unusual for CB Protection to identify a JAR file as an installer, so this classification is itself worth investigating.
As with all Rapid Configs, we recommend setting each section to Report before setting it to Block, so you can confirm that legitimate behavior will not be impacted.
The second parameter lets you choose the notifier displayed when this Rapid Config blocks a file. It is only visible once Block has been selected, so it is hidden by default.
The final parameter lets you add exceptions to the list. For example, if a JAR file named foo.jar is tagged as an installer and you still want to be able to execute it, you can specify it here.
We have more work forthcoming around this bypass vector, and we welcome feedback via Productsecurity@carbonblack.com.