[35579] in bugtraq
Registry Fix For Variant of Scob
daemon@ATHENA.MIT.EDU (Drew Copley)
Sat Jul 3 12:05:54 2004
Content-class: urn:content-classes:message
MIME-Version: 1.0
Content-Type: text/plain;
charset="us-ascii"
Date: Fri, 2 Jul 2004 14:32:56 -0700
Message-ID: <FCAD9F541A8E8A44881527A6792F892C293E9C@owa.eeye.com>
From: "Drew Copley" <dcopley@eEye.com>
To: "Windows NTBugtraq Mailing List" <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
<bugtraq@securityfocus.com>
Content-Transfer-Encoding: 8bit
About the same time Jelmer found the adodb bug, http-equiv
found a similiar issue with the object "Shell.Application".
This issue has also been unfixed for the past ten months.
Unfortunately, Microsoft has not taken the "hint" and not
fixed this issue either.
Jelmer has noted this and made a proof of concept exploit
page here:
http://62.131.86.111/security/idiots/malware2k/installer.htm
The below registry file will protect you from this exploit
by kill biting "Shell.Application" variant.
<------------------------------------------->
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{13709620-C279-11CE-A49E-444553540000}]
"Compatibility Flags"=dword:00000400
<-------------------------------------------->
I will be updating our free fix download here:
http://www.eeye.com/html/research/alerts/AL20040610.html
This will break some hta scripts that might be used
for management. It may cause some incompatibility issues
with some programs.
Shell.Application is commonly used by administrators
for administration of systems via Visual basic script
or WSH. It may have other uses. It is kind of Microsoft's
answer to shell script -- though not as happy as batch.
