Security Incidents mailing list archives
RE: Worms and CScript/WScript
From: Nick FitzGerald <nick () virus-l demon co uk>
Date: Mon, 27 May 2002 15:07:00 +1200
"Richard H. Cotterell" <seec () mail retina ar> wrote:
> Ref: Nick FitzGerald <nick () virus-l demon co uk>'s message dated 22 May 2002, 17:04 hours.
>
> <<snip>>
>
> > ... Thus, suggesting disabling it as a blanket recommendation may not be a wise thing... (And, even in the corporate arena, you may be better off restricting access to it rather than removing it -- if your admin group uses VB scripts for advanced system admin, certainly let them continue to run it so long as scripts can be run under a suitably privileged security context without introducing other unwanted problems but lock down your ordinary users' access to the EXEs.)
>
> An alternative approach would be to use *script defender* from AnalogX, which allows a Windows user to turn on/off the whole set of scripts that make for vulnerable web site visiting. :-) <http://www.analogx.com>
For SOHO users, something like that would be fine so long as they had the discipline to use it. There are several other such utilities too and part of the discipline of using these is remembering to re-check after installing updates and so on. In many cases things like ScriptDefender get turned off -- i.e. scripts get re-enabled -- for some "good reason" and then not turned back on but the users keep working "as normal" in the belief that the protection it was giving them is still there.

This is not really a problem with the product -- more a reminder that we are talking about fixing a _process_ so a single point, static program is unlikely to be the be-all and end-all of a solution.

Further, the function of things like ScriptDefender is often misrepresented or misunderstood, as we see in your own description of what it does. ScriptDefender provides _no_ protection against "the whole set of scripts that make for vulnerable web site visiting" and getting that wrong when offering "advice" to others is no smiling matter... All ScriptDefender does is break or re-establish the file associations between certain _standalone_ WSH script types and the program(s) that normally handle them, interjecting itself into the command chain to allow for a presumably rational choice on the part of the user as to whether to let the script be passed to its usual handler or not. (And let's not forget, these are the same users who, for the last 5 years, have largely not managed to work out you click the "Disable macros" button in Word and other MS Office products when given much the same kind of responsibility...) It does nothing to disable or manage the execution of scripts embedded in web pages or HTML Email messages _unless_ the particular exploit of some vulnerability creates local "script files" of the types handled by ScriptDefender.

--
Nick FitzGerald
Computer Virus Consulting Ltd.
Ph/FAX: +64 3 3529854

----------------------------------------------------------------------------
This list is provided by the SecurityFocus ARIS analyzer service. For more information on this free incident handling, management and tracking system please see: http://aris.securityfocus.com
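A way to audit what ScriptDefender-style tools actually change, as an added example (PowerShell, written for this archive page; it is not code from the thread or from AnalogX): it reads the effective HKCR associations for the standalone WSH script types and reports whether each one still routes to WScript/CScript, which is the "re-check after updates" step Nick describes. The extension list and the default ProgIDs (VBSFile, JSFile, etc.) are assumed Windows defaults; the check covers only file-type handlers, not script embedded in web pages or HTML mail.

```powershell
# Added example: audit file associations for standalone WSH script types.
# HKEY_CLASSES_ROOT is the merged view of HKLM and HKCU\Software\Classes,
# so reading it shows the association that actually takes effect for the
# current user, including any per-user override a utility may have left behind.
# Assumption: default extension-to-ProgID mapping (.vbs -> VBSFile, .js -> JSFile, ...).
$wshExtensions = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh'

function Get-WshAssociation {
    param([string]$Extension)

    # Step 1: the extension key's default value names the ProgID (e.g. "VBSFile").
    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) {
        return [pscustomobject]@{
            Extension = $Extension; ProgId = $null; Command = $null
            Status    = 'no association (double-click does nothing)'
        }
    }

    # Step 2: the ProgID's shell\open\command default value is what actually runs.
    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\shell\open\command"
    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'

    $status = if (-not $command) {
                  'no open command (blocked)'
              } elseif ($command -match '(?i)\\(w|c)script\.exe') {
                  'handled directly by WSH (scripts will run)'
              } else {
                  'handled by another program (interceptor or editor)'
              }

    [pscustomobject]@{
        Extension = $Extension; ProgId = $progId; Command = $command; Status = $status
    }
}

# Report every WSH script type; a row showing "handled directly by WSH" after an
# update means whatever interception was in place has been silently undone.
$wshExtensions | ForEach-Object { Get-WshAssociation -Extension $_ } | Format-Table -AutoSize
```

Run it read-only from a normal user session; it only reads the registry, and the per-user view is the one that matters for the "users keep working as normal" scenario.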