Thread: Re: ActiveX

  1. #1
    David H. Lipman Guest

    Re: ActiveX

    From: "Far Canal" <me@privacy.net>

    |
    | Turn it off
    | http://www.microsoft.com/technet/sec...ry/927892.mspx
    | 0-day bug shatters Windows
    | http://www.theregister.co.uk/2006/11...y_windows_bug/
    |

    Just this part needs to be done to mitigate this threat...

    { the following will wrap }

    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{88d969c5-f192-11d4-a65f-0040963251e5}]
    "Compatibility Flags"=dword:00000400

    Secunia rates this vulnerability "Extremely critical"
    http://secunia.com/advisories/22687/

    http://xforce.iss.net/xforce/alerts/id/239

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm
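
A `.reg` file copied out of a newsgroup post can arrive with the long key line wrapped, which is what the "{ the following will wrap }" warning is about. The following is an added example, not part of the original thread: it parses `.reg` text, rejoins a wrapped key header, and reports whether the kill bit (`0x400` in "Compatibility Flags") is present for a given CLSID. The function names are illustrative, and it assumes the wrap happened at a space.

```python
import re

KILL_BIT = 0x00000400  # "Compatibility Flags" value from the posted workaround
COMPAT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"

# Constructed sample: the .reg text as it appears in a quoted, wrapped reply.
SAMPLE = r'''
> Windows Registry Editor Version 5.00
>
> [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
> Compatibility\{88d969c5-f192-11d4-a65f-0040963251e5}]
> "Compatibility Flags"=dword:00000400
'''

def parse_reg(text):
    """Parse .reg text into {key_path: {value_name: int}} (dword values only).

    Tolerates newsreader damage: '>' quote prefixes, indentation, and a
    [key] header wrapped across lines (rejoined with a single space)."""
    keys, current, pending = {}, None, None
    for raw in text.splitlines():
        line = re.sub(r"^[>\s]+", "", raw).rstrip()
        if pending is not None:                 # inside a wrapped [key] header
            if not line:                        # header never closed: drop it
                pending, current = None, None
                continue
            pending += " " + line
            if not line.endswith("]"):
                continue
            line, pending = pending, None
        elif line.startswith("[") and not line.endswith("]"):
            pending = line
            continue
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})', line)
        if m and current is not None:
            current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def kill_bit_set(text, clsid):
    """True if the .reg text sets the kill bit for this CLSID (case-insensitive)."""
    key = (COMPAT_KEY + "\\" + clsid).lower()
    flags = parse_reg(text).get(key, {}).get("compatibility flags", 0)
    return bool(flags & KILL_BIT)

if __name__ == "__main__":
    print(kill_bit_set(SAMPLE, "{88d969c5-f192-11d4-a65f-0040963251e5}"))
```
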



  2. #2
    cmsix Guest

    Re: ActiveX


    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:zoO3h.1105$244.958@trnddc01...
    > From: "Far Canal" <me@privacy.net>
    >
    > |
    > | Turn it off
    > | http://www.microsoft.com/technet/sec...ry/927892.mspx
    > | 0-day bug shatters Windows
    > | http://www.theregister.co.uk/2006/11...y_windows_bug/
    > |
    >
    > Just this part needs to be done to mitigate this threat...
    >
    > { the following will wrap }


    Just wondering, but was the register correct saying that this
    vulnerability is facilitated through Internet Explorer? That sounds
    logical to me since I don't think Opera deals with ActiveX controls.

    cmsix

    >
    > Windows Registry Editor Version 5.00
    >
    > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
    > Compatibility\{88d969c5-f192-11d4-a65f-0040963251e5}]
    > "Compatibility Flags"=dword:00000400
    >
    > Secunia rates this vulnerability "Extremely critical"
    > http://secunia.com/advisories/22687/
    >
    > http://xforce.iss.net/xforce/alerts/id/239
    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm
    >
    >



  3. #3
    David H. Lipman Guest

    Re: ActiveX

    From: "cmsix" <cmsix@storiesonline.org>


    |
    | Just wondering, but was the register correct saying that this
    | vulnerability is facilitated through Internet Explorer? That sounds
    | logical to me since I don't think Opera deals with ActiveX controls.
    |
    | cmsix
    |


    That assertion is correct.
    It is a vulnerability in IE dealing with an ActiveX control for XML.

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  4. #4
    cmsix Guest

    Re: ActiveX


    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:xm74h.1231$244.286@trnddc01...
    > From: "cmsix" <cmsix@storiesonline.org>
    >
    >
    > |
    > | Just wondering, but was the register correct saying that this
    > | vulnerability is facilitated through Internet Explorer? That sounds
    > | logical to me since I don't think Opera deals with ActiveX controls.
    > |
    > | cmsix
    > |
    >
    >
    > That assertion is correct.
    > It is a vulnerability in IE dealing with an ActiveX control for XML.


    Isn't most every ActiveX control a vulnerability? I realize that some
    of them are useful, and that in a "kinder" and "gentler" world they
    might well be very useful for everyone. Lately though, I've been
    thinking that it isn't all that smart to have something downloaded to
    your computer that gives someone else control of parts of it. On the
    other hand, I don't even have to do it and it ends up being lucrative
    for me. Imagine that, other people are causing trouble all over the
    internet and here I get paid to straighten it out for a few. Maybe
    it's my good looks. Naw, must be because I work so cheap.

    cmsix

    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm
    >
    >



  5. #5
    David H. Lipman Guest

    Re: ActiveX

    From: "cmsix" <cmsix@storiesonline.org>


    |
    | Isn't most every ActiveX control a vulnerability? I realize that some
    | of them are useful, and that in a "kinder" and "gentler" world they
    | might well be very useful for everyone. Lately though, I've been
    | thinking that it isn't all that smart to have something downloaded to
    | your computer that gives someone else control of parts of it. On the
    | other hand, I don't even have to do it and it ends up being lucrative
    | for me. Imagine that, other people are causing trouble all over the
    | internet and here I get paid to straighten it out for a few. Maybe
    | it's my good looks. Naw, must be because I work so cheap.
    |
    | cmsix

    That's a common misperception. There are malware add-ons to FireFox. That can be compared
    to Microsoft's ActiveX. Many legitimate applications use ActiveX. In this case there is an
    XML in HTTP handling bug that can be exploited to elevate privileges to install software
    without the user's knowledge or consent.

    Please read all about the situation in KB927892...
    http://www.microsoft.com/technet/sec...ry/927892.mspx

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  6. #6
    cmsix Guest

    Re: ActiveX


    "David H. Lipman" <DLipman~nospam~@Verizon.Net> wrote in message
    news:ng94h.2086$Lt4.1435@trnddc08...
    > From: "cmsix" <cmsix@storiesonline.org>
    >
    >
    > |
    > | Isn't most every ActiveX control a vulnerability? I realize that some
    > | of them are useful, and that in a "kinder" and "gentler" world they
    > | might well be very useful for everyone. Lately though, I've been
    > | thinking that it isn't all that smart to have something downloaded to
    > | your computer that gives someone else control of parts of it. On the
    > | other hand, I don't even have to do it and it ends up being lucrative
    > | for me. Imagine that, other people are causing trouble all over the
    > | internet and here I get paid to straighten it out for a few. Maybe
    > | it's my good looks. Naw, must be because I work so cheap.
    > |
    > | cmsix
    >
    > That's a common misperception. There are malware add-ons to FireFox. That can be compared
    > to Microsoft's ActiveX. Many legitimate applications use ActiveX. In this case there is an
    > XML in HTTP handling bug that can be exploited to elevate privileges to install software
    > without the user's knowledge or consent.



    >
    > Please read all about the situation in KB927892...


    Among other things,
    > http://www.microsoft.com/technet/sec...ry/927892.mspx

    said: "Customers would need to visit an attacker's Web site to be at
    risk. We will continue to investigate these public reports."

    Even though they didn't say it, I assume that customers would have to
    visit the attacker's Web sites with Internet Explorer to be at risk.

    Later they mention HTML emails and since I don't allow Outlook Express
    to render html in messages that isn't a bother either, for me
    personally at least. It is hard to explain to customers why they
    shouldn't though. I usually take the easy way out and blame it on
    Microsoft's poor security.

    cmsix

    >
    > --
    > Dave
    > http://www.claymania.com/removal-trojan-adware.html
    > http://www.ik-cs.com/got-a-virus.htm
    >
    >



  7. #7
    clifto Guest

    Re: ActiveX

    David H. Lipman wrote:
    > Just this part needs to be done to mitigate this threat...
    >
    > { the following will wrap }
    >
    > Windows Registry Editor Version 5.00
    >
    > [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
    > Compatibility\{88d969c5-f192-11d4-a65f-0040963251e5}]
    > "Compatibility Flags"=dword:00000400


    Maybe I misread it, but I only saw them say "to stifle this CLSID, do
    this." I didn't see them say that was the CLSID of the ActiveX exploit.
    I also didn't see them say an XMLHTTP exploit had to use that CLSID,
    but then what I know about CLSIDs couldn't fill a gnat's thimble.

    --
    "A man's country is not a certain area of land, of mountains, rivers, and
    woods, but it is a principle; and patriotism is loyalty to that principle."
    -- George William Curtis

  8. #8
    David H. Lipman Guest

    Re: ActiveX

    From: "clifto" <clifto@gmail.com>

    |
    | Maybe I misread it, but I only saw them say "to stifle this CLSID, do
    | this." I didn't see them say that was the CLSID of the ActiveX exploit.
    | I also didn't see them say an XMLHTTP exploit had to use that CLSID,
    | but then what I know about CLSIDs couldn't fill a gnat's thimble.
    |

    I don't know where you got that text. I got the registry information from...
    http://www.microsoft.com/technet/sec...ry/927892.mspx

    suggested actions --> workarounds


    More technical information can be found here..
    "How to stop an ActiveX control from running in Internet Explorer"
    http://support.microsoft.com/kb/240797

    --
    Dave
    http://www.claymania.com/removal-trojan-adware.html
    http://www.ik-cs.com/got-a-virus.htm



  9. #9
    clifto Guest

    Re: ActiveX

    David H. Lipman wrote:
    > From: "clifto" <clifto@gmail.com>
    > | Maybe I misread it, but I only saw them say "to stifle this CLSID, do
    > | this." I didn't see them say that was the CLSID of the ActiveX exploit.
    > | I also didn't see them say an XMLHTTP exploit had to use that CLSID,
    > | but then what I know about CLSIDs couldn't fill a gnat's thimble.
    >
    > I don't know where you got that text. I got the registry information from...
    > http://www.microsoft.com/technet/sec...ry/927892.mspx


    Right. It says:

    "To set the kill bit for a CLSID with a value of
    {88d969c5-f192-11d4-a65f-0040963251e5} paste the following text
    in a text editor such as Notepad. Then, save the file by using
    the .reg file name extension."

    Then it gives the example .reg file you quoted. But it doesn't say that
    the exploit has, or needs to have, the CLSID quoted in the article,
    or that double-clicking that particular .reg file (made per instructions)
    will stop the exploit. I thought maybe you saw or knew something I missed.

    I thought they were saying, "if you happen to find an exploit that has
    this CLSID, then you can stop that one and only that one by doing this,"
    in typical helpful Microsoft fashion leaving the reader to figure out
    what CLSIDs to block based on which ones hijacked his systems.

    --
    "A man's country is not a certain area of land, of mountains, rivers, and
    woods, but it is a principle; and patriotism is loyalty to that principle."
    -- George William Curtis
