[R] registry vulnerabilities in R

Duncan Murdoch murdoch.duncan at gmail.com
Wed May 9 20:17:38 CEST 2012


On 09/05/2012 2:04 PM, Gabor Grothendieck wrote:
> On Wed, May 9, 2012 at 12:46 PM, Paul Martin<pamartin at alum.mit.edu>  wrote:
> >  I don't have much new to add, but I want to make some clarifying comments:
> >
> >  First, there are clearly workarounds available. I am using one now. R is
> >  installed on a personal laptop which I bring to work every day. I take
> >  extreme care with the nature of the files I move back and forth, and none of
> >  this is classified. This is common practice here. Yes, it would be nice if I
> >  could get R onto my desktop machine at work. It would save me burning CDs to
> >  move plots back and forth. But it's not the end of the world. My ability to
> >  get work done is not the issue here.
> >
> >  The issue is the following: Is there anything here which is of concern to the
> >  R community? I suspect the answer is no, but cannot say anything for sure at
> >  this point.
> >
> >  The registry analysis tool looks like it is custom software developed by the
> >  Air Force. I can't get any specific information beyond that. That is
> >  unfortunate, since it would be nice if the tests could be duplicated and
> >  confirmed.
> >
> >  We will get separate tests on R without RStudio.
> >
> >  The registry analysis reports results in two sections: Registry entries
> >  added and registry entries modified. There were no vulnerabilities found in
> >  the "entries modified" section. All of the vulnerabilities are listed under
> >  "entries added".
> >
>
> During the installation process it's only the installer that sets any
> registry values, not R itself.
>
> Using the standard installer that comes with R it asks you whether you
> want to save version numbers in the registry and whether you want to
> create an association for RData files.  If you uncheck those then the
> installation does not set any registry values.

That's correct.  And with a small change to the installer script, even 
that can be suppressed.  (For anyone interested:  you need 
"Uninstallable=no" near the top of the Inno Setup script; if using the 
regular build, that's in the file RHOME/src/gnuwin32/installer/header1.iss.)

Duncan Murdoch
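
An added example, not part of the original thread and not the registry analysis tool it mentions: one way to reproduce an "entries added" / "entries modified" report is to diff two `reg export` snapshots taken before and after running the installer. The key and value names below are constructed placeholders, and the function names are this example's own.

```python
import re

def parse_reg(text):
    """Parse `reg export` text into {(key, value_name): raw_data}.
    Real exports are UTF-16; decode them when reading the file."""
    # Long hex values wrap with a trailing backslash; rejoin them first.
    text = re.sub(r"\\\r?\n\s*", "", text)
    entries, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            entries[(key, None)] = None          # record the key itself
            continue
        m = re.match(r'(@|"(?:[^"\\]|\\.)*")=(.*)$', line)
        if m and key is not None:
            name = "(Default)" if m.group(1) == "@" else m.group(1)[1:-1]
            entries[(key, name)] = m.group(2)
    return entries

def diff_snapshots(before, after):
    """Return (added, modified) entries, the two sections of the report."""
    b, a = parse_reg(before), parse_reg(after)
    order = lambda k: (k[0], k[1] or "")
    added = sorted((k for k in a if k not in b), key=order)
    modified = sorted((k for k in a if k in b and a[k] != b[k]), key=order)
    return added, modified

# Constructed snapshots; the key and value names are placeholders.
BEFORE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor]
"Edition"="1"
"""
AFTER = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor]
"Edition"="2"

[HKEY_LOCAL_MACHINE\SOFTWARE\ExampleVendor\ExampleApp]
"InstallPath"="C:\\ExampleApp"
"Blob"=hex:01,02,\
  03,04
"""

if __name__ == "__main__":
    added, modified = diff_snapshots(BEFORE, AFTER)
    for title, rows in (("Entries added", added), ("Entries modified", modified)):
        print(title)
        for key, name in rows:
            print("  " + key + ("" if name is None else " -> " + name))
```

Taking the two snapshots once with the installer's registry options checked and once with them unchecked shows directly which added entries those options account for.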


