<<< Date Index >>>     <<< Thread Index >>>

Re: Can we prevent IE exploits a priori?



Drew Copley wrote:
> I have not seen evidence that either of these applications
> prevents new exploits. If anyone is making this claim, they
> should explain what technology they are using.
>
> The required fix is simply setting a kill bit on the vulnerable
> activex objects.

In response to security-bugtraq@xxxxxxxxxxxxxxx
>>I don't mean to flame you
>>Thor, as your client list is certainly impressive:
>>(http://pivx.com/clients.html) I just can't seem to get your
>>program from anywhere.
>>
>>So I wanted to know, has anyone tried these programs
>>successfully?  Can anyone validate their claims?  Better yet,
>>does anyone have a link to a "how to" doc, that tells smart
>>geeks how to make the registry changes ourselves, so we don't
>>have to rely on some program to do it for us?

Aloha, Drew and MarketShark.net.

To answer your last question first, I wrote an article recently for Dr. Dobb's that you may find helpful as you figure out how to harden the IE My Computer/Local Machine zone yourself.

Dr. Dobb’s Windows Security, June 18, 2004

IE’s Local Machine Zone and the Attack of the TLAs
http://www.ddj.com/documents/s=9207/ddj040618sec/

As Thor Larholm pointed out to Drew Copley on July 3rd, the kill bit is good but preventing all scripting of controls in the My Computer Zone is better. This is the sort of security hardening for IE that Qwik Fix provides. See http://www.qwik-fix.net

Thor Larholm wrote:
>The prerequisite for even having privileges enough to launch the
>Shell.Application ActiveX object inside IE is to have script running in
>the My Computer zone. Locking down this zone will completely prevent
>this exploit, without introduing functionality regressions in other
>parts of Windows.

Qwik Fix does set the kill bit on bad controls, and will set the kill bit on controls that are not bad but are a risk, but only when there is not a better technical solution available than setting kill bits.

There can be little argument that setting the kill bit on each control that poses a threat when IE's zones are not properly hardened is to attempt to hit a moving target.

Drew Copley wrote:
The easy to use, free fix for all of these issues:
http://www.eeye.com/html/research/alerts/AL20040610.html

It is not free if a paid employee of the company has to spend time doing it. Although the eeye registry fixer tool may be useful to some, the fact that registry hacks like the ones that eeye recommends often have to be backed out temporarily to do something that has been blocked by the new setting, and then re-implemented after that action is complete, makes it necessary to have a trusted software agent that does these security hardening and temporary unhardening steps for us automatically at runtime.

The user knows when they are browsing the Web and when they aren't -- therefore the user gets to decide when the protection should be present and when it should not be. This is a security context decision that a simple registry hack cannot make at runtime, and that in the end we have to be able to rely on the end user to understand. More importantly, we need the end user to be capable of exerting specific information security skill and knowledge with the click of a mouse in a consistent and manageable fashion.

My experience has been that end users do understand the difference between browsing the Web and printing a file to their printer, for example, and there are instances where security registry hacks will disable printing or some other mundane, low-risk activity. That the end user must take action to unharden a box long enough to print is an unfortunate reality of poor security design in printer manufacturer's user interfaces, and we all just have to live with and adapt our boxes around these realities.

If you mess up you will make it very difficult for users to
browse the web and they will manually change the settings and
likely end up getting spyware running automatically on their
systems -- or worse.

Again the reference to "you" as distinct from the "users" themselves makes it clear that you are thinking of the problem only from one perspective. End users will always manually change settings when not given an easy way to bypass barriers to getting things done. Spyware will do it for them without their knowledge. The "you" in the real world is often the end user themself, reinstallation of a Windows hotfix/service pack, and so forth. When "you" does refer to a system or network administrator, they know very well that even when they don't mess up, things still go wrong and settings get changed.

A software agent like Qwik Fix that knows how to harden and unharden or reharden a Windows box solves the "if you mess up" problem, no matter who, or what, "you" it is that is responsible for messing it up (again).

There are hundreds of thousands of Qwik Fix users to date, and the response to the software from other infosec peers has been very positive. After Scob there was an outpouring of gratitude expressed from people who realized that the software protected them in advance.

This is pretty convincing proof that the product protects against new exploits by solving root problems that allow them to occur. I personally was impressed enough to join the company. (note sig below)

Sincerely,

Jason Coombs
jasonc@xxxxxxxxxxx

Director of Forensic Services
PivX Solutions, Inc.
http://www.pivx.com