Forum Thread: Perils of a 32-bit scanner on a 64-bit system

You are currently viewing a forum thread in the Secunia Community Forum. Please note that opinions expressed here are not of Secunia but solely reflect those of the user who wrote it.

This thread was submitted in the following forum:
PSI

This thread has been marked as locked.
tovodeverett Perils of a 32-bit scanner on a 64-bit system
Member 31st Dec, 2009 07:41
Ranking: 0
Posts: 5
User Since: 1st Jan, 2009
System Score: N/A
Location: N/A
Last edited on 31st Dec, 2009 07:43

AFAIK, PSI is only available as a 32-bit program. When installed on a 64-bit system (Windows 7 in my case), it sees 32-bit installs to "system32" twice. I say "system32" because it gets a little confusing. 64-bit programs see C:\Windows\system32 and install their DLLs and OCXes there. 32-bit programs get access to C:\Windows\system32 transparently redirected to C:\Windows\SysWow64 and install their DLLs and OCXes there.

A 64-bit scanner would see C:\WINDOWS\system32 as C:\WINDOWS\system32 and C:\WINDOWS\SysWow64 as C:\WINDOWS\SysWow64. A 32-bit scanner sees C:\WINDOWS\SysWow64 as C:\WINDOWS\system32 and as C:\WINDOWS\SysWow64, but can't see the real C:\WINDOWS\system32 at all (which has 64-bit DLLs and OCXes in it)!

Thus, a 32-bit scanner on a 64-bit system sees all files in C:\WINDOWS\SysWow64 twice, but can't scan the 64-bit files that are really in C:\WINDOWS\system32.

See http://blogs.msdn.com/craigmcmurtry/archive/2004/1... for a good overview.

Finally, to demonstrate (assuming you have 32-bit Flash installed), open a Command Prompt and note the following:

C:\>dir C:\WINDOWS\System32\Macromed\Flash\*.ocx
The system cannot find the path specified.

C:\>dir C:\WINDOWS\SysWow64\Macromed\Flash\*.ocx
Volume in drive C has no label.
Volume Serial Number is 268D-BDFD

Directory of C:\WINDOWS\SysWow64\Macromed\Flash

10/27/2009 06:31 PM 3,982,240 Flash10d.ocx
1 File(s) 3,982,240 bytes
0 Dir(s) 104,053,833,728 bytes free

Now run C:\WINDOWS\SysWow64\cmd.exe from that Command Prompt (this starts a 32-bit cmd.exe process as a child process of the 64-bit cmd.exe - you can see this in Task Manager) and execute the same commands.

C:\>dir C:\WINDOWS\System32\Macromed\Flash\*.ocx
Volume in drive C has no label.
Volume Serial Number is 268D-BDFD

Directory of C:\WINDOWS\System32\Macromed\Flash

10/27/2009 06:31 PM 3,982,240 Flash10d.ocx
1 File(s) 3,982,240 bytes
0 Dir(s) 104,053,833,728 bytes free

C:\>dir C:\WINDOWS\SysWow64\Macromed\Flash\*.ocx
Volume in drive C has no label.
Volume Serial Number is 268D-BDFD

Directory of C:\WINDOWS\SysWow64\Macromed\Flash

10/27/2009 06:31 PM 3,982,240 Flash10d.ocx
1 File(s) 3,982,240 bytes
0 Dir(s) 104,053,833,728 bytes free

In a nutshell, 64-bit programs see the file system as it really is. 32-bit programs have the 64-bit directories hidden from them and see the 32-bit code in two locations. To be continued . . .

tovodeverett RE: Perils of a 32-bit scanner on a 64-bit system
Member 31st Dec, 2009 07:47
Score: 0
Posts: 5
User Since: 1st Jan 2009
System Score: N/A
Location: N/A
Which means that even if Secunia had 64-bit programs in their vulnerability database, the 32-bit scanner couldn't scan for those files because it can't see them - they're effectively masked by the redirection to SysWow64.

The good news is that the majority of the vulnerabilities that people are worried about are in browser plugins, and the vast majority of users on 64-bit OSes still use a 32-bit browser with 32-bit plugins because some key plugins (namely Flash - 64-bit support is expected in 10.1) don't come in 64-bit variants yet. But once 64-bit plugins do start to be released and users start installing them, PSI will be blind to those 64-bit plugins until there's a 64-bit PSI.
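The redirection described in the two posts above can be modelled in a few lines; this is an added example, not part of the original thread and not Secunia's code. It shows a 32-bit scan reporting the same file twice while missing the 64-bit directory, and how a scanner can correct that by deduplicating on the real path and reaching the real System32 through the Sysnative alias. Assumptions: the Sysnative alias is a Windows feature the thread does not mention, Flash64_example.ocx is a hypothetical file, and the inventory is constructed.

```python
import ntpath

# Constructed on-disk inventory of a 64-bit Windows system. Flash10d.ocx is the
# file from the thread; Flash64_example.ocx is a hypothetical 64-bit plugin.
DISK = [
    r"C:\Windows\SysWOW64\Macromed\Flash\Flash10d.ocx",
    r"C:\Windows\System32\Macromed\Flash\Flash64_example.ocx",
]

def real_path(path, process_bits):
    """Map a path as opened by a process to the location it really reaches."""
    # Simplified: ignores the System32 subdirectories exempt from redirection.
    parts = ntpath.normpath(path).split("\\")
    under_windir = [p.lower() for p in parts[:2]] == ["c:", "windows"]
    if process_bits == 32 and under_windir and len(parts) >= 3:
        alias = parts[2].lower()
        if alias == "system32":      # silently redirected for 32-bit code
            parts[2] = "SysWOW64"
        elif alias == "sysnative":   # alias to the real System32, 32-bit only
            parts[2] = "System32"
    return "\\".join(parts)

def scan(roots, process_bits):
    """Return (path_as_seen, real_path_on_disk) for each file visible under roots."""
    hits = []
    for root in roots:
        real_root = real_path(root, process_bits).lower() + "\\"
        for disk_path in DISK:
            if disk_path.lower().startswith(real_root):
                seen = ntpath.normpath(root) + "\\" + disk_path[len(real_root):]
                hits.append((seen, disk_path))
    return hits

def unique_files(hits):
    """Collapse hits that are the same file reached through two names."""
    return sorted({real.lower() for _, real in hits})

NAIVE_ROOTS = [r"C:\Windows\System32", r"C:\Windows\SysWOW64"]
FIXED_ROOTS = [r"C:\Windows\Sysnative", r"C:\Windows\SysWOW64"]

if __name__ == "__main__":
    for label, roots, bits in [("32-bit, naive roots", NAIVE_ROOTS, 32),
                               ("64-bit, naive roots", NAIVE_ROOTS, 64),
                               ("32-bit, Sysnative", FIXED_ROOTS, 32)]:
        hits = scan(roots, bits)
        print(f"{label}: {len(hits)} hits, {len(unique_files(hits))} distinct files")
        for seen, real in hits:
            print(f"  {seen}  ->  {real}")
```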
This user no longer exists RE: Perils of a 32-bit scanner on a 64-bit system
Member 31st Dec, 2009 13:45
That's interesting as I am running Windows 7 64-bit.
PalominoGirl RE: Perils of a 32-bit scanner on a 64-bit system
Member 31st Dec, 2009 18:18
Score: 0
Posts: 1
User Since: 21st Feb 2009
System Score: N/A
Location: N/A
Could this possibly be why I keep getting the message that Firefox is insecure despite repeated attempts at fixing it? It's about to make me crazy.
This user no longer exists RE: Perils of a 32-bit scanner on a 64-bit system
Member 31st Dec, 2009 20:18
PalominoGirl, please enable ADVANCED mode, then click on Insecure, then look in Insecure Programs for the location of the detected program.