PuTTY semi-bug win-process-acl-finesse

Home | FAQ | Feedback | Licence | Updates | Mirrors | Keys | Links | Team
Download: Stable · Snapshot | Docs | Privacy | Changes | Wishlist

In PuTTY 0.67 on Windows, we restricted the process ACL with SetSecurityInfo() in an attempt to defend against malicious other processes (such as PuttyRider) injecting code, reading sensitive data, etc. (In 0.67 this only applied to PuTTY and PuTTYtel; in snapshots after 0.67, from 2016-04-03, we also did this for PSFTP, PSCP, Plink, PuTTYgen, and Pageant.)

Perhaps unsurprisingly, this broke some interactions with other software. Here are some things that stopped working with 0.67 which are known or suspected to have been broken by this change:

• Screen readers and similar software. In 0.67, unable to read system menu or PuTTY settings category tree view contents.
  • Windows Narrator. In the snapshots, we've allowed PROCESS_QUERY_INFORMATION, which is relatively harmless and allows Narrator to work.
  • NVDA. To work fully, this injects a DLL into PuTTY's memory space (IAccessible2Proxy.dll), so there's probably nothing we can do to fix this that won't also allow the likes of PuttyRider back in.
• Sharing PuTTY windows (read-only) with Microsoft Lync / Skype for Windows. (Sharing the entire screen still works, apparently.) Needs PROCESS_QUERY_INFORMATION | PROCESS_VM_READ, apparently; we don't have the latter.
• Trouble using Git with Plink as a transport (e.g., 1, 2). Our rights setting implicitly turns off anything we haven't considered, including the ability to wait for our return status; apparently adding SYNCHRONIZE back in fixes this. We have not yet done this.
• Tools like AquaSnap or ac'tivaid used for arranging windows can't change the PuTTY window's size and position any more.
• Software installed in corporate environments such as 'data loss prevention' software (which watches clipboard operations and the like) has been reportedly disrupted by this change. Since such software is functionally indistinguishable from malware, this isn't surprising.
• (Of course, debuggers can't attach, but if you're debugging you could probably have recompiled PuTTY with the UNPROTECT option.)

It might be possible to tone down our restrictive permissions to allow harmless interactions with legitimate software. We've done this a little bit since 0.67, although there's probably scope for more.

However, since it turns out that some screen-reading software (NVDA at least) has behaviour indistinguishable from malware, that approach won't be sufficient.

Update, 2017-01: we have turned off these ACL restrictions by default, so out of the box, all the things that were broken by this in 0.67 should be working again. A new command-line option -restrict-acl lets you get something like the 0.67 behaviour if you don't find it more trouble than it's worth.