[15521] in bugtraq
Re: Force Feeding
daemon@ATHENA.MIT.EDU (David LeBlanc)
Wed Jun 28 16:34:30 2000
Mime-Version: 1.0
Content-Type: text/plain; charset="us-ascii"
Message-Id: <3.0.5.32.20000628100643.034bd640@pop.mindspring.com>
Date: Wed, 28 Jun 2000 10:06:43 -0700
Reply-To: David LeBlanc <dleblanc@MINDSPRING.COM>
From: David LeBlanc <dleblanc@MINDSPRING.COM>
X-To: Philip Stoev <philip@einet.bg>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <002e01bfe11a$e54e3390$0100a8c0@ntserver1>
At 07:06 PM 6/28/00 +0300, Philip Stoev wrote:
>From: "David LeBlanc" <dleblanc@MINDSPRING.COM>
>> One work-around for this that I have long advocated is making the
>> temporary internet folders and the temp folders non-executable.
>
>This is really a beautiful solution, however, as far as my testing shows, it
>breaks Microsoft Office 2000 Premium Setup (the moment when you are prompted
>to enter the serial number, and possibly at other places also), and possibly
>other installers depending on Microsoft Installer technology as well. Or, I
>may have made the folder non-executable, but my ACLs were somewhat
>wrong.

Several others have pointed out the same thing. The temp internet folders
aren't a problem - these really only need to be read-write. In terms of
installing software, using an account other than your normal account to
accomplish that would be the way to go (RunAs under Win2k helps). Or
considering that I don't install software every day, but I do surf the net,
etc. every day, I could script removal and replacement of the 'X' bit, so
set it back, do my install, then reset the permissions.

I understand that this isn't workable for the average end-user, but for
those of us who are a little more adept and security-conscious I think it
might help.

David LeBlanc
dleblanc@mindspring.com
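
The scripted removal and replacement of the 'X' bit described in the message above could look like the following on a current Windows system. This is an added example, not part of the original post: it uses PowerShell and `icacls` (neither is named in the message), and the parameter names and the default of `$env:TEMP` are assumptions.

```powershell
# Added example: toggle a deny-execute ACE for the current user on temp folders.
# Parameter names and default path are assumptions, not from the original message.
param(
    [Parameter(Mandatory)]
    [ValidateSet('Lock', 'Unlock', 'Show')]
    [string]$Mode,

    [string[]]$Path = @($env:TEMP)
)

# Work with the SID rather than the account name; icacls accepts a SID
# when it is prefixed with '*'.
$sid = [System.Security.Principal.WindowsIdentity]::GetCurrent().User.Value

foreach ($p in $Path) {
    if (-not (Test-Path -LiteralPath $p -PathType Container)) {
        Write-Warning "Skipping '$p': not a directory"
        continue
    }

    switch ($Mode) {
        'Lock' {
            # (OI)(IO): the ACE is inherited by files and does not apply to the
            # folder itself, so the folder can still be traversed. X = execute.
            # Files that have inheritance disabled are not affected.
            icacls $p /deny "*${sid}:(OI)(IO)(X)" | Out-Null
        }
        'Unlock' {
            # /remove:d drops every deny ACE for this SID on the folder,
            # including any that were set outside this script.
            icacls $p /remove:d "*$sid" | Out-Null
        }
        'Show' {
            # Print the current ACL so the change can be checked.
            icacls $p
        }
    }

    if ($LASTEXITCODE -ne 0) {
        Write-Error "icacls failed on '$p' (exit code $LASTEXITCODE)"
    } else {
        Write-Output "${Mode}: $p"
    }
}
```

Run it with `-Mode Unlock` before an install and `-Mode Lock` afterwards, passing any additional folders through `-Path`.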