RE: Can we prevent IE exploits a priori?

["Drew Copley" <dcopley () eEye com>]

I have not seen evidence that either of these applications
prevents new exploits. If anyone is making this claim, they
should explain what technology they are using.

The required fix is simply setting a kill bit on the vulnerable
activex objects. Had this been done in September, none of these
attacks would have happened. 

"Workaround for Jelmer's Adodb Bug" 
Date: September 13, 2003
http://seclists.org/lists/fulldisclosure/2003/Sep/0643.html

The easy to use, free fix for all of these issues:
http://www.eeye.com/html/research/alerts/AL20040610.html

Jelmer and Http-equiv have just noted and proven that hardening
the local zone or the "My Computer Zone" which Quick-Fix touts
is not a solution because the "Trusted Zone" remains... and is
required for Windows Update. [Whatever else they may do, I
do not know, I am just noting what they tout as "the only"
solution.]

This said you can very easily harden your "My Computer Zone"
for free. Just show it and make it available. That is a google
step away.

You also need to harden all of the IE Zones.

You should do this as part of any system hardening effort. Simply
use the restricted zone as an example. You must know how to
do this and understand the settings to probably harden any Windows
system. It is as critical as setting the password policies or
anything else. This does require some self-education beyond using
the Restricted Zone as reference.

If you mess up you will make it very difficult for users to
browse the web and they will manually change the settings and
likely end up getting spyware running automatically on their
systems -- or worse.

Again, hardening all of the zones in IE should be a central
part of any Windows hardening process. This means not just the
Local Zone, but all of the other Zones as well.

The only people that should not be setting the kill bit are
administrators that wish to continue to rely on vbs or wsh despite
the strong evidence that this will make the systems they own
vulnerable to potential attacks. 

If you "really" want to ensure they will not get hit, put
on some AV and a good IPS. Ensure that the update subscription
is paid for. 



> -----Original Message-----
> From: security-bugtraq () marketshark net 
> [mailto:security-bugtraq () marketshark net] 
> Sent: Wednesday, July 07, 2004 10:41 AM
> To: bugtraq () securityfocus com
> Subject: Can we prevent IE exploits a priori?
>
>
>
> We all know that yet another critical IE vulnerability 
> (download.ject [aka SCOB, finally patched by M$ after 10 
> months] caused some high profile groups 
> (http://slate.msn.com/id/2103152/, 
> http://www.theinquirer.net/?article=16922, 
> slashdot.org/articles/04/07/02/1441242.shtml?tid=103&tid=113&t
> id=126&tid=172&tid=95&tid=99) to suggest that people stop 
> using Internet Explorer.  Yet a variation on SCOB 
> (shell.application), remains unpatched, allowing our favorite 
> Russian spam crime lords another crack people's boxes.  Of 
> course, I use Mozilla, but some of my clients use IE and 
> won't give it up, so I started to look around for a permanent 
> fix, something that could prevent these attacks a priori.  
>
>
>
> I found this post 
> (http://seclists.org/lists/bugtraq/2004/May/0153.html) on 
> Bugtraq, from Thor Larholm which claims that his company 
> (http://pivx.com/qwikfix/) has fixed all of these problems, 
> half a year ago, with his program Qwik-fix.  It apparently 
> does this by harderning IE's "my local machine" zone (which 
> is only visible if you hack the registry) and proactively 
> prevent these type of attacks for good.  Another program, 
> Smartfix ((http://www.einfodaily.com/about.php#smartfix)), 
> claims to do the same, so I decided to try these programs.  
>
>
>
> I found Smartfix to be an unbearable resource hog on even a 
> burly laptop, maxing the CPU almost every time I opened a web 
> page in any browser, so I ripped it off my system.  On the 
> other hand, Qwik-Fix is MIA for me.  Despite being supposedly 
> available from multiple locations, in various versions (0.58 
> beta: http://www.majorgeeks.com/download4033.html , 0.57 
> beta: http://fileforum.betanews.com/detail/1068047556/1 , and 
> 0.60 beta: 
> http://superdownloads.ubbi.com.br/download/i24346.html), none 
> of the downloads work right.  The site doesn't list the 
> current version, so I don't know if the 0.60 beta is even the 
> latest version.  Anyway, all of the downloads either fail, or 
> when you get one of them and try to install it, the 
> application attempts to download an MSI file that doesn't 
> exist on the server.  The Bugtraq post says you can download 
> it from their site, but the download page 
> (http://pivx.com/qwikfix/download.html) only allows you to 
> email them so they can send you a copy.  I
>   still haven't heard from them.  I don't mean to flame you 
> Thor, as your client list is certainly impressive: 
> (http://pivx.com/clients.html) I just can't seem to get your 
> program from anywhere.    
>
>
>
> So I wanted to know, has anyone tried these programs 
> successfully?  Can anyone validate their claims?  Better yet, 
> does anyone have a link to a "how to" doc, that tells smart 
> geeks how to make the registry changes ourselves, so we don't 
> have to rely on some program to do it for us?