Date: Thu, 08 Jul 2004 20:35:28 -1000
From: Jason Coombs <jasonc@...ence.org>
To: Drew Copley <dcopley@...e.com>
Cc: security-bugtraq@...ketshark.net, bugtraq@...urityfocus.com,
	thor@...x.com
Subject: Re: Can we prevent IE exploits a priori?


Drew Copley wrote:
 > I have not seen evidence that either of these applications
 > prevents new exploits. If anyone is making this claim, they
 > should explain what technology they are using.
 >
 > The required fix is simply setting a kill bit on the vulnerable
 > activex objects.

In response to security-bugtraq@...ketshark.net
 >>I don't mean to flame you
 >>Thor, as your client list is certainly impressive:
 >>(http://pivx.com/clients.html) I just can't seem to get your
 >>program from anywhere.
 >>
 >>So I wanted to know, has anyone tried these programs
 >>successfully?  Can anyone validate their claims?  Better yet,
 >>does anyone have a link to a "how to" doc, that tells smart
 >>geeks how to make the registry changes ourselves, so we don't
 >>have to rely on some program to do it for us?

Aloha, Drew and MarketShark.net.

To answer your last question first, I wrote an article recently for Dr. 
Dobb's that you may find helpful as you figure out how to harden the IE 
My Computer/Local Machine zone yourself.

Dr. Dobb’s Windows Security, June 18, 2004

IE’s Local Machine Zone and the Attack of the TLAs
http://www.ddj.com/documents/s=9207/ddj040618sec/

As Thor Larholm pointed out to Drew Copley on July 3rd, the kill bit is 
good but preventing all scripting of controls in the My Computer Zone is 
better. This is the sort of security hardening for IE that Qwik Fix 
provides. See http://www.qwik-fix.net

Thor Larholm wrote:
 >The prerequisite for even having privileges enough to launch the
 >Shell.Application ActiveX object inside IE is to have script running in
 >the My Computer zone. Locking down this zone will completely prevent
 >this exploit, without introducing functionality regressions in other
 >parts of Windows.

Qwik Fix does set the kill bit on bad controls, and will set the kill 
bit on controls that are not bad but are a risk, but only when there is 
not a better technical solution available than setting kill bits.

There can be little argument that setting the kill bit on each control 
that poses a threat when IE's zones are not properly hardened is to 
attempt to hit a moving target.

Drew Copley wrote:
> The easy to use, free fix for all of these issues:
> http://www.eeye.com/html/research/alerts/AL20040610.html

It is not free if a paid employee of the company has to spend time doing 
it. Although the eeye registry fixer tool may be useful to some, the 
fact that registry hacks like the ones that eeye recommends often have 
to be backed out temporarily to do something that has been blocked by 
the new setting, and then re-implemented after that action is complete, 
makes it necessary to have a trusted software agent that does these 
security hardening and temporary unhardening steps for us automatically 
at runtime.

The user knows when they are browsing the Web and when they aren't -- 
therefore the user gets to decide when the protection should be present 
and when it should not be. This is a security context decision that a 
simple registry hack cannot make at runtime, and that in the end we have 
to be able to rely on the end user to understand. More importantly, we 
need the end user to be capable of exerting specific information 
security skill and knowledge with the click of a mouse in a consistent 
and manageable fashion.

My experience has been that end users do understand the difference 
between browsing the Web and printing a file to their printer, for 
example, and there are instances where security registry hacks will 
disable printing or some other mundane, low-risk activity. That the end 
user must take action to unharden a box long enough to print is an 
unfortunate reality of poor security design in printer manufacturers' 
user interfaces, and we all just have to live with and adapt our boxes 
around these realities.

> If you mess up you will make it very difficult for users to
> browse the web and they will manually change the settings and
> likely end up getting spyware running automatically on their
> systems -- or worse.

Again the reference to "you" as distinct from the "users" themselves 
makes it clear that you are thinking of the problem only from one 
perspective. End users will always manually change settings when not 
given an easy way to bypass barriers to getting things done. Spyware 
will do it for them without their knowledge. The "you" in the real world 
is often the end user themself, reinstallation of a Windows 
hotfix/service pack, and so forth. When "you" does refer to a system or 
network administrator, they know very well that even when they don't 
mess up, things still go wrong and settings get changed.

A software agent like Qwik Fix that knows how to harden and unharden or 
reharden a Windows box solves the "if you mess up" problem, no matter 
who, or what, "you" it is that is responsible for messing it up (again).

There are hundreds of thousands of Qwik Fix users to date, and the 
response to the software from other infosec peers has been very 
positive. After Scob there was an outpouring of gratitude expressed from 
people who realized that the software protected them in advance.

This is pretty convincing proof that the product protects against new 
exploits by solving root problems that allow them to occur. I personally 
was impressed enough to join the company. (note sig below)

Sincerely,

Jason Coombs
jasonc@...ence.org

Director of Forensic Services
PivX Solutions, Inc.
http://www.pivx.com
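As an added illustration, not part of this thread and not Qwik Fix or eEye code, the following PowerShell audit reads the two registry mechanisms the mail contrasts: the per-control kill bit under "ActiveX Compatibility" and the URL-action values of the Local Machine zone (zone 0). It only reports; the CLSID parameter is a placeholder to be replaced with the control under review, and the value names and codes are the ones Microsoft documents for these keys (kill bit = 0x400 in "Compatibility Flags"; 1200/1201/1400 = ActiveX, unsafe-ActiveX and Active scripting; 0 = enable, 1 = prompt, 3 = disable).

```powershell
# Added example: read-only audit of IE kill bits and Local Machine zone lockdown.
param(
    # Placeholder CLSID; substitute the control you are reviewing.
    [string]$Clsid = '{00000000-0000-0000-0000-000000000000}'
)

$KillBit = 0x400   # documented kill-bit flag in "Compatibility Flags"

# 1. Kill bit: one key per CLSID under ActiveX Compatibility (machine-wide).
$compatKey = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
if (Test-Path $compatKey) {
    $flags = (Get-ItemProperty -Path $compatKey -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($flags -and ($flags -band $KillBit)) {
        "{0}: kill bit SET (Compatibility Flags = 0x{1:X})" -f $Clsid, $flags
    } else {
        "{0}: entry exists but kill bit NOT set" -f $Clsid
    }
} else {
    "{0}: no ActiveX Compatibility entry (kill bit not set)" -f $Clsid
}

# 2. Local Machine zone (zone 0): the setting Thor Larholm recommends locking down.
$zoneActions = @{
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
}
foreach ($hive in 'HKCU', 'HKLM') {
    $zoneKey = "${hive}:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"
    if (-not (Test-Path $zoneKey)) { "$hive zone 0 key missing"; continue }
    $props = Get-ItemProperty -Path $zoneKey
    foreach ($action in ($zoneActions.Keys | Sort-Object)) {
        $v = $props.$action
        $state = switch ($v) {
            0       { 'ENABLED' }
            1       { 'prompt' }
            3       { 'disabled' }
            default { 'not set (zone default applies)' }
        }
        "{0} zone 0 {1} ({2}): {3}" -f $hive, $action, $zoneActions[$action], $state
    }
}
```

Run it before and after applying a hardening tool or registry change to confirm that scripting in zone 0 actually ended up disabled rather than merely set to prompt; HKCU values override HKLM for the current user unless the zone is locked by policy.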


