#1
!Testing for the latest vulnerabilities...
[From another Newsgroup]
Three new Windows security holes come at a bad time
By Angela Gunn, USATODAY.com

Three new vulnerabilities have been discovered in Microsoft's Windows operating system, leaving computers running that OS open to possible hacker attacks - including PCs running the recently released XP SP2 (Service Pack 2). The vulnerabilities were published on various online security newsgroups and confirmed by antivirus firm Symantec. The discoveries raise particular concern since, with the holidays underway, interested worm-writers may have a significant head start on security professionals hoping to plug the hole.

I tested the one that applies to XP SP2 using the proof of concept test at:
http://freehost07.websamba.com/greyhats/sp2rc.htm
and here are my results:

XP pops up with: "Your security settings do not allow websites to use Active X controls installed on your computer. This page may not display correctly. Click here for more options."

That's with IE listing the proof of concept website in the Internet zone of IE security zones. In that customised zone I have:

ActiveX controls and plugins
  Automatic prompting for ActiveX controls: Disabled
  Binary and script behaviours: Administrator approved
  Download of signed ActiveX controls: Prompt
  Download of unsigned ActiveX controls: Disable
  Initialise and script ActiveX controls not marked as safe: Disable
  Run ActiveX controls and plugins: Administrator approved
  Script ActiveX controls marked as safe for scripting: Enable
Active scripting: Enable
Allow paste operations by script: Disable
Scripting of Java applets: Enable

However, if I put the website in the trusted zone, the web page pops up the htm help window and attempts to load an .hta file in the documents and settings/all users/start menu/start directory that GRR (greyware registry rearguard) blocks unless (and until) I allow the change to that directory. IOW the exploit works with SP2 installed; just not automatically on my systems, because of GRR.
GRR's log file entry:

Sat Dec 25 2004 17:52:16 WARNING: A entry has been added to a startup directory. This change was rejected by the foreground user.
====================================
There are several startup directories on your disk. How many, and which ones are used when you log on, depends on how your machine is configured and how you logged on.
This addition was found in C:\Documents and Settings\All Users\Start Menu\Programs\Startup\
--Original Settings-----------------
desktop.ini
EPSON Status Monitor 3 Environment Check 2.lnk
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
--New Settings----------------------
desktop.ini
EPSON Status Monitor 3 Environment Check 2.lnk
=== Microsoft Office.hta ===
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
====================================

So it would seem (the proof of concept test anyway) requires 'user interaction' to have the webpage with the exploit code placed in the trusted sites IE security zone for the (proof of concept) exploit to work. As far as I'm aware websites cannot be automatically added to the trusted sites zone without user approval, so it's not a completely automated exploit. As far as OE is concerned, SP2 automatically puts OE in the restricted IE zone by default, which should prevent the exploit as well for the average user who receives any html emails.

I emailed the results to the webmaster hosting the proof of concept test and their reply implied I must be running some 'extra' security options in the Internet security zone that stops it being a totally automatic exploit. (I thought I was pretty clear about my settings in that zone.)

One other thing I have done since reading about this exploit is remove from the .hta file extension any commands such as open, read, etc. This means any time anything tries to open or run an .hta file XP will (should) pop up a window saying it has no idea what program is needed to run .hta files.
".hta files run applications from HTML documents. Note: This file type can become infected and should be carefully scanned if someone sends you a file with this extension."
http://filext.com/detaillist.php?extdetail=HTA

To do this:
1. Start Windows Explorer.
2. Select Tools > Folder Options > File Types.
3. Scroll down to the .hta file extension and click Advanced.
4. Remove all commands from the action window. You might want to make a note of what each command does in case you need to set them up again (in case disabling .hta file types breaks something; it hasn't on my system so far, see below).
5. Tick "Confirm open after download" (this should warn you if some program or script reactivates the .hta file extension 'silently' by confirming any .hta file should be opened).
6. Tick "Always show extension". This will help you find .hta files in Windows Explorer.
7. Click OK. Click Close.

As I understand it the .hta file extension is rarely used by any programs, so it shouldn't cause any problems disabling its open, read, or run 'abilities.'

BTW here's a handy website to find out all about file extensions: http://filext.com/index.php

Is there anything else I can test for, or have I missed anything?

--
Replace the obvious with paradise.net to email me
Found Images http://homepages.paradise.net.nz/~mlvburke
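A shell audit of the two changes Max describes above (the hardened Internet-zone ActiveX/scripting settings and the emptied .hta "open" command), written as an added example for this thread rather than anything posted in it. It assumes per-user zone settings under HKCU (an HKLM-only policy would override them), uses the zone action IDs and value meanings documented in Microsoft KB 182569, takes Max's reported values as the baseline, and only reports, it changes nothing.

```powershell
# Added audit script; not from the thread. Reports only, changes nothing.
# Assumptions: per-user zone settings live under HKCU (an HKLM-only policy would
# override them); action IDs and value meanings follow Microsoft KB 182569.
$zoneKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3'  # 3 = Internet zone

# Action ID -> (setting name, value Max reported). 0=Enable 1=Prompt 3=Disable 65536=Administrator approved
$baseline = @{
    '2201' = @('Automatic prompting for ActiveX controls',               3)
    '2000' = @('Binary and script behaviours',                           65536)
    '1001' = @('Download signed ActiveX controls',                       1)
    '1004' = @('Download unsigned ActiveX controls',                     3)
    '1201' = @('Initialise and script ActiveX controls not marked safe', 3)
    '1200' = @('Run ActiveX controls and plugins',                       65536)
    '1405' = @('Script ActiveX controls marked as safe for scripting',   0)
    '1400' = @('Active scripting',                                       0)
    '1407' = @('Allow paste operations via script',                      3)
    '1402' = @('Scripting of Java applets',                              0)
}
$meaning = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable'; 65536 = 'Administrator approved' }

function Test-InternetZone {
    # One line per action: MATCH when the stored DWORD equals the baseline, DIFF otherwise.
    $props = Get-ItemProperty -Path $zoneKey -ErrorAction SilentlyContinue
    foreach ($id in ($baseline.Keys | Sort-Object)) {
        $name, $want = $baseline[$id]
        $have = $props.$id
        if ($null -eq $have) { $state = 'not set (IE default applies)' }
        elseif ($meaning.ContainsKey([int]$have)) { $state = $meaning[[int]$have] }
        else { $state = "unknown ($have)" }
        $flag = if ($have -eq $want) { 'MATCH' } else { 'DIFF ' }
        '{0} {1,-4} {2,-58} {3}' -f $flag, $id, $name, $state
    }
}

function Test-HtaHandler {
    # Explorer's "remove all commands" step leaves htafile\shell\open without a command;
    # normally it points at mshta.exe, which is what the dropped Microsoft Office.hta would run under.
    $open = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\htafile\shell\open\command' -ErrorAction SilentlyContinue
    if ($open -and $open.'(default)') { "HTA open command still present: $($open.'(default)')" }
    else { 'HTA open command absent: .hta files will not launch via the shell association' }
}

Test-InternetZone
Test-HtaHandler
```

A DIFF line is not automatically weaker than the baseline (Disable where Max has Prompt is stricter); read the reported state rather than the flag alone.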
#2
!Testing for the latest vulnerabilities...
"Max Burke" wrote in message ...
> [...]
> IOW the exploit works with SP2 installed; just not automatically on my systems, because of GRR.
>
> Is there anything else I can test for, or have I missed anything?

You seem to have customized the settings for the Internet zone, which is what protected you. Using the default Internet Zone settings, this does work without any user intervention.
#3
!Testing for the latest vulnerabilities...
Colin Nash [MVP] wrote:
> Max Burke wrote in message
>> IOW the exploit works with SP2 installed; just not automatically on my systems, because of GRR.
>>
>> Is there anything else I can test for, or have I missed anything?
>
> You seem to have customized the settings for the Internet zone, which is what protected you.

That's what I thought.

> Using the default Internet Zone settings, this does work without any user intervention.

But it is easily prevented by users altering a few security settings in IE (on XP SP2).

--
Replace the obvious with paradise.net to email me
Found Images http://homepages.paradise.net.nz/~mlvburke
#4
!Testing for the latest vulnerabilities...
"Max Burke" wrote in message ...
> But it is easily prevented by users altering a few security settings in IE (on XP SP2).

Agreed... but the vulnerability needs to be fixed because most users won't bother playing with the settings. Also, those restrictive settings do interfere with a lot of legitimate sites, which is why they are not turned on by default in SP2 (Microsoft did a lot of testing on this stuff). So it's a balance between security and making sure that the web browser doesn't bug you with annoying warning popups every 10 seconds (the average user will either look for a way to turn off these warnings, or start blindly clicking 'yes').

Perhaps Microsoft needs to redesign the whole security model that IE uses... Longhorn should bring some big updates to IE. But for now, all they can do is patch these individual problems as quickly as possible.