Full Disclosure mailing list archives

Re: .hta virus analysys


From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Fri, 21 Nov 2003 14:38:35 +1300

Jelmer <jkuperus () planet nl> wrote:

> There's nothing wrong with .hta files, ...

As local content, agreed -- they are just as "safe" as such other  
things as .EXE files, .VBS files and so on...

> ... but that it has an associated mime
> type boggles the mind

Agreed, but what boggles my mind even more is that I have been told 
that in the past MS has said it will not remove support for this (and 
related extreme stupidities) "because some major customers actually 
_want_ _AND USE_ this functionality".

That's right folk -- TCI means that if a couple of pea-brained, slack-
arsed "system administrators" at a couple of major MS accounts (think 
the "big three" (or is it still four?) accounting/consulting firms, 
really large defense, aerospace, etc manufacturers to get an idea of 
the size of operation your security is competing with here), who are 
too stupid to work out a couple of registry tweaks to shoot off both 
their feet in the pursuit of making their own lives marginally easier, 
MS will roll the desired "feature" into the default install so as to 
inflict several hundred million machines worldwide with the associated 
problems should there be any flaws elsewhere in its products.

It's long past time Windows' attack surface was dramatically reduced 
through the removal of all kinds of stupid and dangerous MIME type 
mappings, CLSID as file extension tricks, and other such nonsenses.  
I'm sure these gave wet dreams to the pimply-faced geeks that dreamed 
them up as yet another cool way to "just make things work" if the only 
"skill" some yokel user knows is "double-click it and see".  However, 
as those geeks were neither trained in, nor charged with having, the 
vaguest clue about or concern for security, it's time that a lot of 
those design decisions were re-considered.  It's at least half-
pointless having better security-trained programmers (if you believe 
Redmond's hype) if they are baby-sitting code that is still intended to 
implement functionality dreamed up when "security-ignorant featuritis" 
and "everything enabled by default so everything just works" were the 
driving forces behind the design ideal...

> It's been the source of many an issue in the past. Microsoft would be better
> off disabling it entirely

Yep, couldn't agree more.

Maybe in XP SP2???

And if so, will they "back-port" it to the next W2K SP??


Regards,

Nick FitzGerald

_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.netsys.com/full-disclosure-charter.html

