A Windows XP help forum. PCbanter


!Testing for the latest vulnerabilities...



 
 
  #1  
Old December 28th 04, 03:58 AM
Max Burke
external usenet poster
 
Posts: n/a
Default !Testing for the latest vulnerabilities...

[From another Newsgroup]

Three new Windows security holes come at a bad time
By Angela Gunn, USATODAY.com
Three new vulnerabilities have been discovered in Microsoft's Windows
operating system, leaving computers running that OS open to possible
hacker attacks - including PCs running the recently released XP SP2
(Service Pack 2).
The vulnerabilities were published on various online security
newsgroups and confirmed by antivirus firm Symantec. The discoveries
raise particular concern since, with the holidays underway,
interested worm-writers may have a significant head start on security
professionals hoping to plug the hole.


I tested the one that applies to XP SP2 using the proof of concept test at:
http://freehost07.websamba.com/greyhats/sp2rc.htm and here are my results:

XP pops up with:

"Your security settings do not allow websites to use Active X controls
installed on your computer. This page may not display correctly. Click here
for more options."
That's with IE listing the proof of concept website in the Internet zone of
IE security zones.

In that customised zone I have:

ActiveX controls and plugins
Automatic prompting for ActiveX controls disabled.

Binary and script behaviours
Administrator approved

Download of signed ActiveX controls
Prompt

Download of unsigned ActiveX controls
Disable

Initialise and script ActiveX controls not marked as safe
Disable

Run ActiveX controls and plugins
Administrator approved

Script ActiveX controls marked as safe for scripting
Enable

Active scripting
Enable

Allow paste operations by script
Disable

Scripting of Java applets
Enable

However if I put the website in the trusted zone, the web page pops up the
htm help window and attempts to load an .hta file in the documents and
settings/all users/start menu/start directory that GRR (greyware registry
rearguard) blocks unless (and until) I allow the change to that directory.

IOW the exploit works with SP2 installed; just not automatically on my
systems, because of GRR.

GRR's log file entry:

Sat Dec 25 2004 17:52:16 WARNING: A entry has been added to a startup
directory.
This change was rejected by the foreground user.
====================================
There are several startup directories on your disk. How many, and which
ones are used when you log on, depends on how your machine is configured and
how you logged on. This addition was found in C:\Documents and Settings\All
Users\Start Menu\Programs\Startup\

--Original Settings-----------------
desktop.ini
EPSON Status Monitor 3 Environment Check 2.lnk
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk

--New Settings----------------------
desktop.ini
EPSON Status Monitor 3 Environment Check 2.lnk

=== Microsoft Office.hta ===

Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
====================================

So it would seem (the proof of concept test anyway) requires 'user
interaction' to have the webpage with the exploit code placed in the trusted
sites IE security zone for the (proof of concept) exploit to work.
As far as I'm aware websites cannot be automatically added to the trusted
sites zone without user approval, so it's not a completely automated
exploit.

As far as OE is concerned, SP2 automatically puts OE in the restricted IE
zone by default which should prevent the exploit as well for the average
user who receives any html emails.

I emailed the results to the webmaster hosting the proof of concept test and
their reply implied I must be running some 'extra' security options in the
Internet security zone that stops it being a totally automatic exploit. (I
thought I was pretty clear about my settings in that zone)

One other thing I have done since reading about this exploit is remove from
the .hta file extension any commands such as open, read, etc....
This means anytime anything tries to open or run an .hta file XP will
(should) pop up a window saying it has no idea what program is needed to run
.hta files.

.hta files run applications from HTML documents.
Note: This file type can become infected and should be carefully scanned if
someone sends you a file with this extension.
http://filext.com/detaillist.php?extdetail=HTA

To do this start Windows Explorer

Select:

Tools

Folder Options

File Types

Scroll down to the .hta file extension

click Advanced

remove all commands from the action window. You might want to make a note of
what each command does in case you need to set them up again (in case disabling
.hta file types breaks something, it hasn't on my system so far, see below)

tick confirm after open (this should warn you if some program or script
reactivates the .hta file extension 'silently' by confirming any .hta file
should be opened)

tick always show extension. This will help you find .hta files in Windows
Explorer.

Click OK.
Click Close.

As I understand it the .hta file extension is rarely used by any programs so
it shouldn't cause any problems disabling its open, read, or run
'abilities.'

BTW here's a handy website to find out all about file extensions.
http://filext.com/index.php

Is there anything else I can test for, or have I missed anything?

--

Replace the obvious with paradise.net to email me
Found Images
http://homepages.paradise.net.nz/~mlvburke
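
The GRR entry in post #1 records the detection that stopped the proof of concept: a new file in the All Users Startup folder. As an added example (not part of the thread and not GRR's code), this Python code parses that entry's before/after listing and flags what was added; the extension list and the `mimics_existing` heuristic are assumptions made here.

```python
from pathlib import PureWindowsPath

# Assumption: file types treated as directly runnable when placed in a Startup folder.
RISKY_EXT = {".hta", ".exe", ".com", ".bat", ".cmd", ".scr", ".pif", ".vbs", ".js"}

# Before/after listing copied from the GRR log entry in post #1.
LOG_ENTRY = """\
--Original Settings-----------------
desktop.ini
EPSON Status Monitor 3 Environment Check 2.lnk
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk

--New Settings----------------------
desktop.ini
EPSON Status Monitor 3 Environment Check 2.lnk

=== Microsoft Office.hta ===

Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
====================================
"""

def parse_entry(text):
    """Split a GRR-style entry into its 'original' and 'new' file listings."""
    sections = {"original": [], "new": []}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("--Original Settings"):
            current = "original"
        elif line.startswith("--New Settings"):
            current = "new"
        elif line and set(line) == {"="}:
            current = None                      # closing rule of the entry
        elif line and current:
            sections[current].append(line.strip("= "))  # drop the '=== name ===' highlight
    return sections

def added_startup_items(text):
    """Return files present only in the new listing, with two triage flags."""
    s = parse_entry(text)
    before = {n.lower() for n in s["original"]}
    stems = {PureWindowsPath(n).stem.lower() for n in s["original"]}
    return [{"name": n,
             "risky_type": PureWindowsPath(n).suffix.lower() in RISKY_EXT,
             # same base name as an existing shortcut, different extension
             "mimics_existing": PureWindowsPath(n).stem.lower() in stems}
            for n in s["new"] if n.lower() not in before]
```

On the logged entry this reports `Microsoft Office.hta` with both flags set: the added file reuses the base name of the existing `Microsoft Office.lnk` shortcut.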

  #2  
Old December 28th 04, 04:16 AM
Colin Nash [MVP]
external usenet poster
 
Posts: n/a
Default !Testing for the latest vulnerabilities...


"Max Burke" wrote in message
...
> [From another Newsgroup]
>
> Three new Windows security holes come at a bad time
> By Angela Gunn, USATODAY.com
> Three new vulnerabilities have been discovered in Microsoft's Windows
> operating system, leaving computers running that OS open to possible
> hacker attacks - including PCs running the recently released XP SP2
> (Service Pack 2).
> The vulnerabilities were published on various online security
> newsgroups and confirmed by antivirus firm Symantec. The discoveries
> raise particular concern since, with the holidays underway,
> interested worm-writers may have a significant head start on security
> professionals hoping to plug the hole.
>
> I tested the one that applies to XP SP2 using the proof of concept test
> at: http://freehost07.websamba.com/greyhats/sp2rc.htm and here are my
> results:
>
> XP pops up with:
>
> "Your security settings do not allow websites to use Active X controls
> installed on your computer. This page may not display correctly. Click
> here for more options."
> That's with IE listing the proof of concept website in the Internet zone
> of IE security zones.
>
> In that customised zone I have:
>
> ActiveX controls and plugins
> Automatic prompting for ActiveX controls disabled.
>
> Binary and script behaviours
> Administrator approved
>
> Download of signed ActiveX controls
> Prompt
>
> Download of unsigned ActiveX controls
> Disable
>
> Initialise and script ActiveX controls not marked as safe
> Disable
>
> Run ActiveX controls and plugins
> Administrator approved
>
> Script ActiveX controls marked as safe for scripting
> Enable
>
> Active scripting
> Enable
>
> Allow paste operations by script
> Disable
>
> Scripting of Java applets
> Enable
>
> However if I put the website in the trusted zone, the web page pops up the
> htm help window and attempts to load an .hta file in the documents and
> settings/all users/start menu/start directory that GRR (greyware registry
> rearguard) blocks unless (and until) I allow the change to that directory.
>
> IOW the exploit works with SP2 installed; Just not automatically on my
> systems, because of GRR.
>
> Is there anything else I can test for, or have I missed anything?
>
> --



You seem to have customized the settings for the Internet zone, which is
what protected you. Using the default Internet Zone settings, this does
work without any user intervention.
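
Which settings made the difference comes down to the Internet zone (zone 3) values in the registry. As an added example (not from the thread), this Python code compares zone 3 URL action values with the settings listed in post #1; the mapping of dialog labels to action numbers and values follows Microsoft's documented zone settings, and `SAMPLE` is a constructed set of values, not the SP2 defaults.

```python
import sys

ZONE3_KEY = r"Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3"
VALUE_NAMES = {0: "Enable", 1: "Prompt", 3: "Disable", 0x10000: "Administrator approved"}

# URL action -> (label as written in post #1, value chosen in post #1)
POSTED_PROFILE = {
    "2201": ("Automatic prompting for ActiveX controls", 3),
    "2000": ("Binary and script behaviours", 0x10000),
    "1001": ("Download of signed ActiveX controls", 1),
    "1004": ("Download of unsigned ActiveX controls", 3),
    "1201": ("Initialise and script ActiveX controls not marked as safe", 3),
    "1200": ("Run ActiveX controls and plugins", 0x10000),
    "1405": ("Script ActiveX controls marked as safe for scripting", 0),
    "1400": ("Active scripting", 0),
    "1407": ("Allow paste operations by script", 3),
    "1402": ("Scripting of Java applets", 0),
}

# Constructed sample values for illustration only.
SAMPLE = {"2000": 0, "1001": 1, "1004": 3, "1201": 3, "1200": 0,
          "1405": 0, "1400": 0, "1407": 0, "1402": 0}

def audit_zone(values):
    """Return (action, label, posted, actual) for every setting that differs."""
    findings = []
    for action, (label, want) in POSTED_PROFILE.items():
        have = values.get(action)
        if have != want:
            actual = VALUE_NAMES.get(have, "not set" if have is None else hex(have))
            findings.append((action, label, VALUE_NAMES[want], actual))
    return findings

def read_live_zone():
    """Read the current user's zone 3 values (Windows only)."""
    import winreg
    values = {}
    with winreg.OpenKey(winreg.HKEY_CURRENT_USER, ZONE3_KEY) as key:
        for action in POSTED_PROFILE:
            try:
                values[action], _ = winreg.QueryValueEx(key, action)
            except FileNotFoundError:
                pass  # value absent; reported as "not set"
    return values

if __name__ == "__main__":
    current = read_live_zone() if sys.platform == "win32" else SAMPLE
    for action, label, posted, actual in audit_zone(current):
        print(f"{action}  {label}: posted={posted}, actual={actual}")
```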



  #3  
Old December 28th 04, 04:43 AM
Max Burke
external usenet poster
 
Posts: n/a
Default !Testing for the latest vulnerabilities...

Colin Nash [MVP] wrote:

> Max Burke wrote in message
>> IOW the exploit works with SP2 installed; Just not automatically on
>> my systems, because of GRR.
>> Is there anything else I can test for, or have I missed anything?

> You seem to have customized the settings for the Internet zone, which
> is what protected you.

That's what I thought.

> Using the default Internet Zone settings,
> this does work without any user intervention.

But is easily prevented by users altering a few security settings in IE. (on
XP SP2)

--

Replace the obvious with paradise.net to email me
Found Images
http://homepages.paradise.net.nz/~mlvburke

  #4  
Old December 28th 04, 04:58 AM
Colin Nash [MVP]
external usenet poster
 
Posts: n/a
Default !Testing for the latest vulnerabilities...


"Max Burke" wrote in message
...
> But is easily prevented by users altering a few security settings in IE.
> (on XP SP2)
>
> --


Agreed... but the vulnerability needs to be fixed because most users won't
bother playing with the settings. Also, those restrictive settings do
interfere with a lot of legitimate sites, which is why they are not turned
on by default in SP2 (Microsoft did a lot of testing on this stuff.) So it's
a balance between security and making sure that the web browser doesn't bug
you with annoying warning popups every 10 seconds (the average user will
either look for a way to turn off these warnings, or start blindly clicking
'yes'.)

Perhaps Microsoft needs to redesign the whole security model that IE uses...
Longhorn should bring some big updates to IE. But for now, all they can do
is patch these individual problems as quickly as possible.


 



