lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list] 
Date: 7 Jul 2004 17:40:41 -0000
From: <security-bugtraq@...ketshark.net>
To: bugtraq@...urityfocus.com
Subject: Can we prevent IE exploits a priori?




We all know that yet another critical IE vulnerability (download.ject [aka SCOB, finally patched by M$ after 10 months] caused some high profile groups (http://slate.msn.com/id/2103152/, http://www.theinquirer.net/?article=16922, slashdot.org/articles/04/07/02/1441242.shtml?tid=103&tid=113&tid=126&tid=172&tid=95&tid=99) to suggest that people stop using Internet Explorer.  Yet a variation on SCOB (shell.application), remains unpatched, allowing our favorite Russian spam crime lords another crack people's boxes.  Of course, I use Mozilla, but some of my clients use IE and won't give it up, so I started to look around for a permanent fix, something that could prevent these attacks a priori.  

I found this post (http://seclists.org/lists/bugtraq/2004/May/0153.html) on Bugtraq, from Thor Larholm which claims that his company (http://pivx.com/qwikfix/) has fixed all of these problems, half a year ago, with his program Qwik-fix.  It apparently does this by harderning IE's "my local machine" zone (which is only visible if you hack the registry) and proactively prevent these type of attacks for good.  Another program, Smartfix ((http://www.einfodaily.com/about.php#smartfix)), claims to do the same, so I decided to try these programs.  

I found Smartfix to be an unbearable resource hog on even a burly laptop, maxing the CPU almost every time I opened a web page in any browser, so I ripped it off my system.  On the other hand, Qwik-Fix is MIA for me.  Despite being supposedly available from multiple locations, in various versions (0.58 beta: http://www.majorgeeks.com/download4033.html , 0.57 beta: http://fileforum.betanews.com/detail/1068047556/1 , and 0.60 beta: http://superdownloads.ubbi.com.br/download/i24346.html), none of the downloads work right.  The site doesn't list the current version, so I don't know if the 0.60 beta is even the latest version.  Anyway, all of the downloads either fail, or when you get one of them and try to install it, the application attempts to download an MSI file that doesn't exist on the server.  The Bugtraq post says you can download it from their site, but the download page (http://pivx.com/qwikfix/download.html) only allows you to email them so they can send you a copy.  I still haven't heard from them.  I don't mean to flame you Thor, as your client list is certainly impressive: (http://pivx.com/clients.html) I just can't seem to get your program from anywhere.    

So I wanted to know, has anyone tried these programs successfully?  Can anyone validate their claims?  Better yet, does anyone have a link to a "how to" doc, that tells smart geeks how to make the registry changes ourselves, so we don't have to rely on some program to do it for us?

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ