Changelog of 14.4.0 vs security

2 posters

Go down

Changelog of 14.4.0 vs security Empty Changelog of 14.4.0 vs security

Post by krzysiu Thu Aug 30, 2018 4:30 am

Hey! There's serious mistake in this changelog:

"This functionality requires youtube-dl.exe which you need to download yourself. Place that file in your Windows folder (usually c:\Windows) to make it available for use by MPC-HC."

That's not true. Youtube-dl can't be in this directory for security reasons. Windows directory is not for placing "random" files. It's a protected directory and it has very special permissions - it's even not owned by system, but by a special, secure subsystem. If you want to put there something, you need admin account (or turn off Windows safety systems) which is already unsecure for 3rd party application. Putting file there means it will get permissions from higher instance in FS, which is also insecure. Heuristics of AV tools might give false positive - downloader which connects to the internet and resides in the system directory...

I'm not saying youtube-dl is malicious but as every app it had security bugs and it will have in future. Don't risk user's security, don't teach them amateur ways from 90's. I remember it very well - back then people didn't care about security and they didn't bother to explain how to make file accessible, so they've been saying "eh, just put it there", as it was always in PATH variable. But these were 90's. 1) you don't need to provide directory name, which is just a guess - %VAR% resolves everywhere, either win GUI, win text mode or 3rd party tool 2) The proper way and the proper place is %COMMONPROGRAMFILES%, which resolves in default installations to C:\Program Files\Common Files - this is the proper place for putting common libraries and applications, as name suggests.

Posts : 2
Join date : 2016-06-27
Location : Katowice, Poland

Back to top Go down

Changelog of 14.4.0 vs security Empty Re: Changelog of 14.4.0 vs security

Post by Admin Thu Aug 30, 2018 1:10 pm

The write permissions of a folder are unrelated to the execution privileges with which the application will run. On any modern version of Windows it will execute with reduced privileges, even if you are logged in as Admin. It doesn't matter in which folder you put it.

The only requirement for using it with MPC-HC is that it is somewhere in %PATH% or in the MPC-HC folder itself. Folders which also all require Admin access to write to.


Posts : 7458
Join date : 2011-06-17

Back to top Go down

Back to top

Permissions in this forum:
You cannot reply to topics in this forum