cquirke (MVP Windows shell/user) wrote:
> Ugly, yes... but it's the way it was done in XP -- an ADS was
> constructed containing the metadata. So now we have all these streams
> containing metadata which Vista can't even access.
Vista can access ADS; whether it was written to do so is another
thing. There are very good reasons to leave ADS alone.
The nice thing about it using ADS is that it worked silently via Samba
-- it would just create a file on the other end with the colon and the
stream name. Nice and easy to back up.
ADS are a death-trap, because:
- the UI doesn't show them, so you have no control over them
- they can be automated as easily as via a batch file
- MS will happily run code hidden in them, by design
- code in an ADS takes the file name of the host file
- so Ctrl+Alt+Del lists only the host file, not the ADS
- so firewalls checking only the host file, let ADS pass through
- most off-NTFS transfers strip the ADS, so...
- ...submitting ADS samples to av vendors is difficult
MS could have prevented code from running from an ADS, or filtered ADS
input to ensure only text was permitted, or provided a UI for ADS, or
done all of these risk-aware, clueful things. They did none of them.
Who needs a rootkit, when content within ADS is invisible, by design?
The cure for ADS is FATxx ;-)
--
Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
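An added example, not part of the thread or either poster's own material: the post's list of reasons (no UI, host file name only, content invisible) is exactly what makes an ADS inventory worth scripting. The PowerShell below walks a directory tree, lists every named stream on every file, reads the first two bytes of each to spot a PE image ("MZ"), and demonstrates on a scratch file that the host file's reported size does not change when a stream is added. It assumes an NTFS volume and Windows PowerShell 3.0 or later (or PowerShell 7); the function name Get-AdsReport, the scratch file and the planted stream are the editor's own choices.

```powershell
# Added example, not from the original thread: enumerate alternate data streams
# (ADS) that Explorer does not show, and flag any that carry a PE image.
# Assumes an NTFS volume and Windows PowerShell 3.0+ or PowerShell 7.
# Function and variable names here are the editor's own choices.

function Get-AdsReport {
    param([Parameter(Mandatory)][string]$Root)

    # Get-Content needs -AsByteStream on PowerShell 6+, -Encoding Byte before that.
    $byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } }
                else { @{ Encoding = 'Byte' } }

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # Every file has the unnamed ':$DATA' stream; any other stream is an ADS.
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $_.Stream -ne ':$DATA' } |
        ForEach-Object {
            $magic = ''
            try {
                # Read the first two bytes; 'MZ' means an executable image is hidden here.
                $head = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -TotalCount 2 -ErrorAction Stop @byteArgs
                if ($head.Count -eq 2) { $magic = [System.Text.Encoding]::ASCII.GetString([byte[]]$head) }
            } catch { }
            [pscustomobject]@{
                # The stream is addressed as <host file>:<stream name>, which is exactly
                # what Task Manager and file-name-based filters collapse back to the host name.
                Path    = "$($file.FullName):$($_.Stream)"
                Bytes   = $_.Length
                # Zone.Identifier is the Mark-of-the-Web stream browsers add to downloads;
                # it is expected noise, everything else deserves a look.
                Known   = ($_.Stream -eq 'Zone.Identifier')
                LooksPE = ($magic -eq 'MZ')
            }
        }
    }
}

# Demo: plant a stream on a scratch file, show that the host file's size is unchanged,
# then let the report find it. Uses a temporary directory so nothing else is touched.
$scratch = Join-Path ([System.IO.Path]::GetTempPath()) ('ads-demo-' + [guid]::NewGuid())
New-Item -ItemType Directory -Path $scratch | Out-Null
$hostFile = Join-Path $scratch 'innocent.txt'
Set-Content -LiteralPath $hostFile -Value 'nothing to see here'
$before = (Get-Item -LiteralPath $hostFile).Length
# Constructed payload: an 'MZ' header followed by filler, standing in for a hidden executable.
Set-Content -LiteralPath $hostFile -Stream 'hidden' -Value ('MZ' + ('A' * 200))
$after = (Get-Item -LiteralPath $hostFile).Length
"Host file length before/after adding the stream: $before / $after"

Get-AdsReport -Root $scratch | Format-Table -AutoSize
Remove-Item -LiteralPath $scratch -Recurse -Force
```

The "before/after" line comes out identical because `Length` only reports the unnamed stream, which is the number Explorer and `dir` show by default. On Vista and later `dir /r` in cmd.exe will also list named streams, but nothing reads their contents for you; the two-byte check above is the cheapest triage, and anything flagged LooksPE should be copied out with the stream name intact (for example to a zip or another NTFS volume) before submission, since a plain copy across FAT or most network shares drops the stream, as the post says.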