<<< Date Index >>>     <<< Thread Index >>>

Re: Can we prevent IE exploits a priori?



Daniel, I'm glad to hear you bring up the subject of preventing IE exploit in
advance to their discovery. Most all of the IE vulnerabilities that are being
discovered are the result of known design flaws in IE and instead of tossing our
hands in the air in discontent we should look at this as a challenge.

I am sorry to hear that you have been unable to try out Qwik-Fix Pro. The 0.60
version was a prior proof-of-concept beta that has been discontinued for months
and the download sites should bring it offline shortly. On
http://pivx.com/qwikfix/download.html, we are asking you to email us for the
download links as we are currently in the process of moving to a new data
center. Any and all download requests are honored within 24 hours - feel free to
email me privately about this and we can work out where the miscommunication
must have happened.

Qwik-Fix Pro is a lot more than simple hardening of the My Computer zone in IE.
It's an agent based distribution platform for security logic and is inching its
way into an increasing amount of fields in Host Intrusion Prevention ranging
from OS protection to document security and application hardening. At the same
time, it is unintrusive and transparent, does not rely on signatures, is
completely reversible at runtime, is centrally deployed and managed on your LAN
through standard Windows management tools (existing AD infrastructure,NT
Domains, IBM Tivoli, SMS, etc.) and works on Windows 95 and higher.

To protect against Internet Explorer attacks specifically, Qwik-Fix Pro locks
down the security zones (different setttings for MC/Trusted/Internet), sets the
kill bit of several ActiveX controls, removes unsafe URL protocol handlers,
removes unsafe MIME types, turns ActiveX controls to "Administrator Approved",
tightens TIF privileges and disables automatic document opening (EditFlags et
al). To name a few, all of this protects against the impact of cross-zone
vulnerabilities that travel from the Internet Zone or Restricted Sites zone to
higher privileged zones whether it is My Computer or Trusted Sites, mitigates
the impact of any CHM vulnerabilities, prevents the codeBase attack vector,
prevents ADODB.Stream and Shell.Application by its nature and prevents an entire
range of new vulnerabilities in MIME type determination that we are waiting to
demonstrate once we have time to divert from our paying customers to pro bono
security research.

It it painless and efficient to mitigate against genres of vulnerabilities
instead of having to hurridly analyze and classify each individual threat
whenever they appear. It iss much less often that you see entire new attack
vectors and when you finally do there is a higher emphasis and resource
concentration to get them fixed early on.

These changes to IE alone mean that the more than hundreds of thousands of beta
users we have had since September last year were protected in advance against
all the command execution vulnerabilities in IE discovered since then that were
the result of design flaws in IE. The Ibiza CHM worms and trojans, the continued
exploits from Jelmer and http-equiv, the automatically executing email
attachments and the cross-zone address spoofing vulnerabilities of late are all
relying on design flaws in IE to elevate their executional privileges. Bizex,
Scob and Download.Ject are prime examples of more recent worms that our Qwik-Fix
Pro customers were protected against.

These changes go far and beyond the IE security improvements that Windows XP
Service Pack 2 will be implementing as a one time bonus. In addition, Qwik-Fix
Pro is continuously updated with new security improvements and management
features. Qwik-Fix Pro is not a set of registry fixes that you can apply or
revert mannually on your systems, it is an open framework for distribution of
security logic, a product and a service that is the continued productization of
our security research at PivX Labs.

Qwik-Fix Pro is not an IE security product, it is a HIP application for the
entire Windows platform. As an example, Qwik-Fix Pro protects against remote
exploitation of vulnerabilities that depend on getting the handle of an active
user session - such as the recent LSASS vulnerability that MS04-011 patches.
This system hardening was distributed to our customers almost a month before
MS04-011 was released, without us having any prior knowledge of said patch or
vulnerability, and has since protected against Sasser, Korgo and all of their
variants and cousins.

We are currently delivering security improvements for the core Windows platform,
Internet Explorer and Outlook/Outlook Express. On the product side, our security
improvements are currently expanding into Microsoft Office, IIS, Apache,
Mozilla, Opera, MS SQL, MySQL, the .NET framework, IM applications, Lotus Notes
and other popular Windows applications. On the technology side, we are currently
expanding into run time process modification and virtual application patching
(think dynamic removal of vulnerabilities from in-memory code), generic C
Runtime and Win32 API replacements (think libsafe for Windows), generic buffer
overflow protection and generic process privilege compartmentalization (think
chroot jail).

I am emphasizing the term expanding as we are currently not offering these
security improvements in Release Candidate 1. The above is also far from a
finished list of the security improvements we are implementing and planning, but
you will understand that I can't reveal all of our ideas for the future - these
will provide plenty of innovation and market uniqueness for at least the next 6
to 12 months. One of our main design goals with Qwik-Fix Pro has also been to
not rely too extensively on any one technology which is the very reason why it
is a secure distribution platform for security logic, allowing us to
continuously grow with new security improvements and adapt to the ever changing
world of security. Qwik-Fix Pro is indeed much more a service as opposed to a
product.

You can download a more recent copy of our whitepaper at
http://pivx.com/qwikfix/whitepapers/QwikFixProWhitepaper062904.doc. In addition,
we will shortly be releasing a comprehensive forensics analysis of Qwik-Fix Pro
that covers in great detail how we securely distribute and apply security logic
throughout WAN and LAN scenarios.



Regards

Thor Larholm
Senior Security Researcher
PivX Solutions
24 Corporate Plaza #180
Newport Beach, CA 92660
http://www.pivx.com
thor@xxxxxxxx
Stock symbol: (PIVX)
Phone: +1 (949) 231-8496
PGP: 0x5A276569
6BB1 B77F CB62 0D3D 5A82 C65D E1A4 157C 5A27 6569

PivX defines a new genre in Desktop Security: Proactive Threat
Mitigation.
<http://www.pivx.com/qwikfix>



----- Original Message ----- 
From: <security-bugtraq@xxxxxxxxxxxxxxx>
To: <bugtraq@xxxxxxxxxxxxxxxxx>
Sent: Wednesday, July 07, 2004 10:40 AM
Subject: Can we prevent IE exploits a priori?




We all know that yet another critical IE vulnerability (download.ject [aka SCOB,
finally patched by M$ after 10 months] caused some high profile groups
(http://slate.msn.com/id/2103152/, http://www.theinquirer.net/?article=16922,
slashdot.org/articles/04/07/02/1441242.shtml?tid=103&tid=113&tid=126&tid=172&tid
=95&tid=99) to suggest that people stop using Internet Explorer.  Yet a
variation on SCOB (shell.application), remains unpatched, allowing our favorite
Russian spam crime lords another crack people's boxes.  Of course, I use
Mozilla, but some of my clients use IE and won't give it up, so I started to
look around for a permanent fix, something that could prevent these attacks a
priori.

I found this post (http://seclists.org/lists/bugtraq/2004/May/0153.html) on
Bugtraq, from Thor Larholm which claims that his company
(http://pivx.com/qwikfix/) has fixed all of these problems, half a year ago,
with his program Qwik-fix.  It apparently does this by harderning IE's "my local
machine" zone (which is only visible if you hack the registry) and proactively
prevent these type of attacks for good.  Another program, Smartfix
((http://www.einfodaily.com/about.php#smartfix)), claims to do the same, so I
decided to try these programs.

I found Smartfix to be an unbearable resource hog on even a burly laptop, maxing
the CPU almost every time I opened a web page in any browser, so I ripped it off
my system.  On the other hand, Qwik-Fix is MIA for me.  Despite being supposedly
available from multiple locations, in various versions (0.58 beta:
http://www.majorgeeks.com/download4033.html , 0.57 beta:
http://fileforum.betanews.com/detail/1068047556/1 , and 0.60 beta:
http://superdownloads.ubbi.com.br/download/i24346.html), none of the downloads
work right.  The site doesn't list the current version, so I don't know if the
0.60 beta is even the latest version.  Anyway, all of the downloads either fail,
or when you get one of them and try to install it, the application attempts to
download an MSI file that doesn't exist on the server.  The Bugtraq post says
you can download it from their site, but the download page
(http://pivx.com/qwikfix/download.html) only allows you to email them so they
can send you a copy.  I still haven't heard from them.  I don't mean to flame
you Thor, as your client list is certainly impressive:
(http://pivx.com/clients.html) I just can't seem to get your program from
anywhere.

So I wanted to know, has anyone tried these programs successfully?  Can anyone
validate their claims?  Better yet, does anyone have a link to a "how to" doc,
that tells smart geeks how to make the registry changes ourselves, so we don't
have to rely on some program to do it for us?