Archived from groups: microsoft.public.windowsxp.security_admin
[From another Newsgroup]
> Three new Windows security holes come at a bad time
> By Angela Gunn, USATODAY.com
> Three new vulnerabilities have been discovered in Microsoft's Windows
> operating system, leaving computers running that OS open to possible
> hacker attacks - including PCs running the recently released XP SP2
> (Service Pack 2).
> The vulnerabilities were published on various online security
> newsgroups and confirmed by antivirus firm Symantec. The discoveries
> raise particular concern since, with the holidays underway,
> interested worm-writers may have a significant head start on security
> professionals hoping to plug the hole.
I tested the one that applies to XP SP2 using the proof of concept test at:
http://freehost07.websamba.com/greyhats/sp2rc.htm and here are my results:
XP pops up with:
"Your security settings do not allow websites to use Active X controls
installed on your computer. This page may not display correctly. Click here
for more options."
That's with IE listing the proof of concept website in the Internet zone of
IE security zones.
In that customised zone I have:
ActiveX controls and plugins:
Automatic prompting for ActiveX controls: Disable
Binary and script behaviours: Administrator approved
Download of signed ActiveX controls: Prompt
Download of unsigned ActiveX controls: Disable
Initialise and script ActiveX controls not marked as safe: Disable
Run ActiveX controls and plugins: Administrator approved
Script ActiveX controls marked as safe for scripting: Enable
Active scripting: Enable
Allow paste operations by script: Disable
Scripting of Java applets: Enable
However, if I put the website in the trusted zone, the web page pops up the
HTML Help window and attempts to load an .hta file in the Documents and
Settings\All Users\Start Menu\Startup directory, which GRR (Greyware Registry
Rearguard) blocks unless (and until) I allow the change to that directory.
IOW the exploit works with SP2 installed; just not automatically on my
systems, because of GRR.
GRR's log file entry:
Sat Dec 25 2004 17:52:16 WARNING: A entry has been added to a startup
directory.
This change was rejected by the foreground user.
====================================
There are several startup directories on your disk. How many, and which
ones are used when you log on, depends on how your machine is configured and
how you logged on. This addition was found in C:\Documents and Settings\All
Users\Start Menu\Programs\Startup\
--Original Settings-----------------
desktop.ini
EPSON Status Monitor 3 Environment Check 2.lnk
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
--New Settings----------------------
desktop.ini
EPSON Status Monitor 3 Environment Check 2.lnk
===> Microsoft Office.hta <===
Microsoft Office.lnk
Microsoft Works Calendar Reminders.lnk
====================================
So it would seem the proof of concept test (at least) requires 'user
interaction', namely having the webpage with the exploit code placed in the
trusted sites IE security zone, for the (proof of concept) exploit to work.
As far as I'm aware websites cannot be automatically added to the trusted
sites zone without user approval, so it's not a completely automated
exploit.
As far as OE is concerned, SP2 automatically puts OE in the restricted IE
zone by default, which should prevent the exploit as well for the average
user who receives any HTML emails.
I emailed the results to the webmaster hosting the proof of concept test and
their reply implied I must be running some 'extra' security options in the
Internet security zone that stop it being a totally automatic exploit. (I
thought I was pretty clear about my settings in that zone.)
One other thing I have done since reading about this exploit is remove from
the .hta file extension any commands such as open, read, etc.
This means any time anything tries to open or run an .hta file, XP will
(should) pop up a window saying it has no idea what program is needed to run
.hta files.
.hta files run applications from HTML documents.
Note: This file type can become infected and should be carefully scanned if
someone sends you a file with this extension.
http://filext.com/detaillist.php?extdetail=HTA
To do this, start Windows Explorer and select:
Tools
Folder Options
File Types
Scroll down to the .hta file extension and click Advanced.
Remove all commands from the Actions window. You might want to make a note of
what each command does in case you need to set them up again (in case disabling
.hta file types breaks something; it hasn't on my system so far, see below).
Tick "Confirm open after download" (this should warn you if some program or
script 'silently' reactivates the .hta file extension by confirming any .hta
file should be opened).
Tick "Always show extension". This will help you find .hta files in Windows
Explorer.
Click OK.
Click Close.
As I understand it the .hta file extension is rarely used by any programs, so
it shouldn't cause any problems disabling its open, read, or run
'abilities.'
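A read-only audit script, added here as an example and not part of the original post, that checks the three things the post leans on: whether the .hta association still has any shell commands (the Explorer steps above edit HKCR\.hta and its ProgID's shell\<verb>\command keys), which domains sit in the Trusted sites zone (IE's ZoneMap stores zone 2 = Trusted sites per domain), and whether any .hta file has appeared in a Startup folder as the GRR alert reported. Registry paths and the CommonStartup/Startup special folders are standard Windows locations; nothing is modified.

```powershell
# Added example (not the poster's code): audit, never change, the settings discussed above.

function Get-HtaAssociation {
    # HKCR\.hta's default value names the ProgID (normally "htafile"); each verb lives
    # under <ProgID>\shell\<verb>\command. The post's hardening deletes those commands,
    # so an empty Commands list means the hardening is in place.
    $ext = Get-ItemProperty -Path 'Registry::HKEY_CLASSES_ROOT\.hta' -ErrorAction SilentlyContinue
    $progId = if ($ext) { $ext.'(default)' } else { $null }
    $cmds = @()
    if ($progId) {
        Get-ChildItem -Path "Registry::HKEY_CLASSES_ROOT\$progId\shell" -ErrorAction SilentlyContinue |
            ForEach-Object {
                $c = Get-ItemProperty -Path "$($_.PSPath)\command" -ErrorAction SilentlyContinue
                if ($c) { $cmds += [pscustomobject]@{ Verb = $_.PSChildName; Command = $c.'(default)' } }
            }
    }
    [pscustomobject]@{ ProgId = $progId; Commands = $cmds; Hardened = ($cmds.Count -eq 0) }
}

function Get-TrustedSiteDomains {
    # ZoneMap\Domains\<domain>[\<host>] holds one DWORD per scheme (http, https, *);
    # the value is the zone number, and 2 is "Trusted sites".
    $root = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
    Get-ChildItem -Path $root -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $key   = $_
        $parts = ($key.PSPath -replace '^.*\\Domains\\', '') -split '\\'
        [array]::Reverse($parts)                       # host\domain -> host.domain
        $fqdn  = $parts -join '.'
        foreach ($p in (Get-ItemProperty -Path $key.PSPath).PSObject.Properties) {
            if ($p.Name -in 'http', 'https', '*' -and $p.Value -eq 2) { "$($p.Name)://$fqdn" }
        }
    }
}

function Get-StartupHtaFiles {
    # The GRR alert in the post fired on "Microsoft Office.hta" dropped into the
    # All Users Startup folder; check both the common and the per-user folder.
    $dirs = @([Environment]::GetFolderPath('CommonStartup'), [Environment]::GetFolderPath('Startup'))
    Get-ChildItem -Path $dirs -Filter '*.hta' -File -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty FullName
}

$assoc = Get-HtaAssociation
"HTA ProgID : $($assoc.ProgId)   hardened (no shell commands): $($assoc.Hardened)"
$assoc.Commands | ForEach-Object { "  verb $($_.Verb) -> $($_.Command)" }
"Trusted sites:";   Get-TrustedSiteDomains | ForEach-Object { "  $_" }
"Startup .hta:";    Get-StartupHtaFiles     | ForEach-Object { "  $_" }
```

Run it once after applying the Explorer steps and keep the output; a later run that shows a shell command back on the .hta ProgID or a new .hta in a Startup folder is exactly the change the post's "confirm open" tick and GRR are meant to surface.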
BTW, here's a handy website to find out all about file extensions:
http://filext.com/index.php
Is there anything else I can test for, or have I missed anything?
--
mlvburke@xxxxxxxx.nz
Replace the obvious with paradise.net to email me
Found Images
http://homepages.paradise.net.nz/~mlvburke