Security Incidents mailing list archives
RE: IE Malware / Spyware Control Methods
From: k levinson <levinson_k () yahoo com>
Date: Wed, 12 Jan 2005 08:00:06 -0800 (PST)
I personally wouldn't advise it except as an experiment. A limited user can still do plenty to configure IE and Windows to install and execute software persistently. Running as a limited user does reportedly help prevent a lot of adware and spyware, but it remains to be seen whether this is just because there is no incentive for adware authors to bother to write their code to work as limited users. What running IE or Windows does mainly is prevent code from re-loading persistently at next bootup; it does not prevent the malicious code from running. I also am not sure whether this tool successfully restricts IE buffer overflows to the limited user context. If you were interested in running as a limited user to prevent adware, I would find it more reliable to just log into Windows as a limited user that isn't a power user.

I disagree somewhat with the premise of the IE limited user tool article. Running as non-admin does not IMHO help against viruses, especially not with the current versions of Windows. The article points out one virus and the things that virus cannot do if run as non-admin. What the article does not say is that you are still infected and infect others, whether or not you use that script or run as non-admin. There are plenty of files, folders, registry values and system resources a non-admin can access. As you may know, malware run as non-admin can still scan your hard drive for credit card numbers, delete your data files, install itself persistently to re-launch at bootup, send infected emails to other users, launch a listening remote access Trojan that allows remote control of your computer, change IE settings, install browser helper objects, etc. etc.

In the days of the MS Word macro virus, some people suggested making the Word normal.dot file read-only, to prevent viruses from making persistent changes. We found this was not effective at all at preventing infections. I would predict this script would be about as effective at preventing malware, for similar reasons. I also suspect that this solution is probably unsupported and untested, and so is probably not a good solution for large business environments. Besides, once malware [or an attacker] is run on a computer as non-admin, the malware could invoke a number of methods to escalate privileges to that of administrator, if a determined attacker wished to do so.

Just my two cents.

regards,
karl levinson
-----Original Message-----
From: Jeff Bryner [mailto:jbryner1 () yahoo com]

Has anyone resorted to 'run as' or dropping rights within a process to control administrative access within IE:
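The post's point is that a limited user can still register software to re-launch at logon without any admin rights. The following PowerShell script is an added example (not part of the thread or any tool it discusses) that audits the per-user autostart locations a standard user can write to, flagging entries whose executable lives under the user's own profile; the list of "user-writable" directories and the flagging rule are assumptions for this example, not a standard.

```powershell
# Added example: audit per-user autostart locations that need no admin rights.
# A Run value or Startup-folder item pointing at an executable under the user's
# own profile is the kind of non-admin persistence the post describes.
$userRunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$startupDir = [Environment]::GetFolderPath('Startup')

# Assumption for this example: these directories are writable by a standard
# user, so a launch command rooted in one of them deserves a closer look.
$userWritable = @($env:USERPROFILE, $env:TEMP, $env:APPDATA, $env:LOCALAPPDATA) |
    Where-Object { $_ } | ForEach-Object { $_.ToLowerInvariant() }

function Test-UserWritableLaunch {
    param([string]$Command)
    # Extract the executable: a quoted path, or else the first whitespace token.
    if ($Command -match '^\s*"([^"]+)"') { $exe = $Matches[1] }
    else { $exe = ($Command.Trim() -split '\s+', 2)[0] }
    $exe = [Environment]::ExpandEnvironmentVariables($exe).ToLowerInvariant()
    foreach ($dir in $userWritable) {
        if ($exe.StartsWith($dir)) { return $true }
    }
    return $false
}

foreach ($key in $userRunKeys) {
    if (-not (Test-Path $key)) { continue }
    $props = Get-ItemProperty -Path $key
    foreach ($name in $props.PSObject.Properties.Name) {
        if ($name -like 'PS*') { continue }   # skip provider metadata properties
        $cmd  = [string]$props.$name
        $flag = if (Test-UserWritableLaunch $cmd) { 'REVIEW' } else { 'ok' }
        '{0,-6} {1}\{2} = {3}' -f $flag, $key, $name, $cmd
    }
}

# Everything in the per-user Startup folder runs at logon with no admin rights.
Get-ChildItem -Path $startupDir -Force -ErrorAction SilentlyContinue |
    ForEach-Object { '{0,-6} {1}' -f 'REVIEW', $_.FullName }
```

Run it in the context of the user account being checked; it only reads HKCU and the user's own Startup folder, so it needs no elevation.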