[35615] in bugtraq


RE: Registry Fix For Variant of Scob

daemon@ATHENA.MIT.EDU (Drew Copley)
Tue Jul 6 19:22:29 2004

Date: Tue, 6 Jul 2004 11:06:02 -0700
Message-ID: <FCAD9F541A8E8A44881527A6792F892C29429A@owa.eeye.com>
From: "Drew Copley" <dcopley@eEye.com>
To: "Thor Larholm" <thor@pivx.com>,
        "Windows NTBugtraq Mailing List" <NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM>,
        <bugtraq@securityfocus.com>

> -----Original Message-----
> From: Thor Larholm 
> Sent: Saturday, July 03, 2004 3:47 PM
> To: 'Drew Copley'; 'Windows NTBugtraq Mailing List';
> 'bugtraq@securityfocus.com'
> Subject: RE: Registry Fix For Variant of Scob
> 
> 
> Setting the kill bit on the "Shell.Application" ActiveX object, or any
> other ActiveX, is a system wide configuration change. This is also the
> reason for the incompatibility issues you are mentioning, but there is
> no reason to kill the bird to secure the nest.
> 
> The problem here is not the ADODB.Stream or Shell.Application objects,
> the problem is the insecure My Computer zone in Internet Explorer. Your
> registry fix will have adverse functionality regressions on any Windows
> administrator that uses WSH when there is no reason for this.

<snip>

I noted this in my paper.

I noted in a reply to a post that hardening the Local Zone can
also cause problems. A lot of applications use this zone.

The reason killbitting was considered a "workaround" was because
it was always a "workaround" until Microsoft fixed the issue.

My viewpoint is the ActiveX is flawed. The development of it
and the QA of it. So, it should be removed, because of the
security issue... until Microsoft fixes the issue and retests
the ActiveX for further variants.

"My Computer Zone", ultimately, should be hardened, but without
removing functionality, in my opinion. What I have been asking
from Microsoft - and expect to get - is that they add it to
the security interface.

And further, that they make their security interface easy to
use. As it stands it has almost no help, and the definitions
are completely unwieldy. It is absurd. They do the Xbox well,
why can't they do this well?

So, let's add that suggestion there, too.

Because it is sorely needed. 
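
Added example, not part of the original post or of either author's fix: a read-only PowerShell audit of the two settings the thread weighs against each other, the machine-wide kill bit and the ActiveX policy of the My Computer zone (zone 0). The function names are hypothetical, and the registry locations used (the "ActiveX Compatibility" key with "Compatibility Flags" 0x400, and URL action 1200 under Zones\0) are the standard Internet Explorer locations, not values quoted in the thread.

```powershell
# Read-only audit: nothing in the registry is modified.
$KillBit = 0x400   # bit in "Compatibility Flags" that stops IE from instantiating a control
$CompatRoots = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # Separate view used by 32-bit IE on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([Parameter(Mandatory)][string]$ProgId)
    # Resolve the ProgID to its CLSID from the local class registration.
    $clsidKey = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    $clsid = (Get-ItemProperty -LiteralPath $clsidKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $clsid) {
        return [pscustomobject]@{ ProgId = $ProgId; Clsid = $null; Root = $null; Flags = $null; Killed = $false }
    }
    foreach ($root in $CompatRoots) {
        $key   = Join-Path $root $clsid
        $flags = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'Compatibility Flags'
        # A missing key or value means no kill bit in that registry view.
        [pscustomobject]@{
            ProgId = $ProgId
            Clsid  = $clsid
            Root   = $root
            Flags  = $flags
            Killed = [bool]($flags -band $KillBit)
        }
    }
}

function Get-LocalZoneActiveXPolicy {
    # URL action 1200 = "Run ActiveX controls and plug-ins"
    $names = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }
    foreach ($hive in 'HKLM:', 'HKCU:') {
        $key = "$hive\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"
        $v   = (Get-ItemProperty -LiteralPath $key -ErrorAction SilentlyContinue).'1200'
        $setting = 'not set'
        if ($null -ne $v) {
            $setting = $names[[int]$v]
            if (-not $setting) { $setting = 'other (0x{0:X})' -f $v }
        }
        [pscustomobject]@{ Key = $key; Action1200 = $setting }
    }
}

# The two objects named in the thread, then the zone policy.
'Shell.Application', 'ADODB.Stream' | ForEach-Object { Get-KillBitState -ProgId $_ } | Format-Table -AutoSize
Get-LocalZoneActiveXPolicy | Format-Table -AutoSize
```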


