lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Date: Tue, 6 Jul 2004 11:06:02 -0700
From: "Drew Copley" <dcopley@...e.com>
To: "Thor Larholm" <thor@...x.com>,
	"Windows NTBugtraq Mailing List" <NTBUGTRAQ@...TSERV.NTBUGTRAQ.COM>,
	<bugtraq@...urityfocus.com>
Subject: RE: Registry Fix For Variant of Scob


 > -----Original Message-----
> From: Thor Larholm 
> Sent: Saturday, July 03, 2004 3:47 PM
> To: 'Drew Copley'; 'Windows NTBugtraq Mailing List';
> 'bugtraq@...urityfocus.com'
> Subject: RE: Registry Fix For Variant of Scob
> 
> 
> Setting the kill bit on the "Shell.Application" ActiveX object, or any
> other ActiveX, is a system wide configuration change. This is also the
> reason for the incompatibility issues you are mentioning, but there is
> no reason to kill the bird to secure the nest.
> 
> The problem here is not the ADODB.Stream or Shell.Application objects,
> the problem is the insecure My Computer zone in Internet 
> Explorer. Your
> registry fix will have adverse functionality regressions on 
> any Windows
> administrator that use WSH when there is no reason for this.

<snip>

I noted this in my paper.

I noted in a reply to a post that hardening the Local Zone can
also cause problems. A lot of applications use this zone.

The reason killbitting was considered a "workaround" was because
it was always a "workaround" until Microsoft fixed the issue.

My viewpoint is the activex is flawed. The development of it
and the QA of it. So, it should be removed, because of the
security issue... until Microsoft fixes the issue and retests
the activex for further variants.

"My Computer Zone", ultimately, should be hardened, but without
removing functionality, in my opinion. What I have been asking
from Microsoft - and expect to get - is that they add it to
the security interface.

And further, that they make their security interface easy to
use. As it stands it has almost no help, and the definitions
are completely unwieldy. It is absurd. They do the xbox well,
why can't they do this well?

So, let's add that suggestion there, too.

Because it is sorely needed.

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ