From: nick at (Nick FitzGerald)
Subject: .hta virus analysis

Jelmer <> wrote:

> There's nothing wrong with .hta files, ...

As local content, agreed -- they are just as "safe" as such other  
things as .EXE files, .VBS files and so on...

> ... but that it has an associated mime
> type boggles the mind

Agreed, but what boggles my mind even more is that I have been told 
that in the past MS has said it will not remove support for this (and 
related extreme stupidities) "because some major customers actually 
_want_ _AND USE_ this functionality".

That's right folk -- TCI means that if a couple of pea-brained, slack-
arsed "system administrators" at a couple of major MS accounts (think 
the "big three" (or is it still four?) accounting/consulting firms, 
really large defense, aerospace, etc manufacturers to get an idea of 
the size of operation your security is competing with here), who are 
too stupid to work out a couple of registry tweaks to shoot off both 
their feet in the pursuit of making their own lives marginally easier, 
MS will roll the desired "feature" into the default install so as to 
inflict several hundred million machines worldwide with the associated 
problems should there be any flaws elsewhere in its products.

It's long past time Windows' attack surface was dramatically reduced 
through the removal of all kinds of stupid and dangerous MIME type 
mappings, CLSID as file extension tricks, and other such nonsenses.  
I'm sure these gave wet dreams to the pimply-faced geeks that dreamed 
them up as yet another cool way to "just make things work" if the only 
"skill" some yokel user knows is "double-click it and see".  However, 
as those geeks were neither trained in, nor charged with having, the 
vaguest clue about or concern for security, it's time that a lot of 
those design decisions were re-considered.  It's at least half-
pointless having better security-trained programmers (if you believe 
Redmond's hype) if they are baby-sitting code that is still intended to 
implement functionality dreamed up when "security-ignorant featuritis" 
and "everything enabled by default so everything just works" were the 
driving forces behind the design ideal...

> It's been the source of many an issue in the past. Microsoft would be better
> off disabling it entirely

Yep, couldn't agree more.

Maybe in XP SP2???

And if so, will they "back-port" it to the next W2K SP??


Nick FitzGerald
