Re: POS#1 Self-Executing HTML: Internet Explorer 5.5 and 6.0 Part III

From: Kurt Seifried (bt_at_SEIFRIED.ORG)
Date: 11/07/03

  • Next message: Russ: "MajorRev: Microsoft Security Bulletin MS02-050 - Certificate Validation Flaw Could Enable Identity Spoofing (Q329115)"
    Date:         Fri, 7 Nov 2003 14:38:40 -0700
    To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM
    
    

    > >> In our never-ending quest for entertainment, we commence from
    > >> this date forward to end-2004 our POS series of findings. That
    > >> is the 'perfect operating system'. Today we debut and regurgitate
    > >> new and not so new for fun as follows. A warm up for the New Year if
    > >> you will !:
    > >
    > > This is easy to avoid. Just set the kill bit for the affected Active
    > > component, Adodb.Stream for which the CLSID is
    > > 4B106874-DD36-11D0-8B44-00A024DD9EFF.
    >
    > {4B106874-DD36-11D0-8B44-00A024DD9EFF} is the Local Troubleshooter
    > control.
    >
    > The ADODB.Stream control, an important part of several current IE
    > exploits, is {00000566-0000-0010-8000-00AA006D2EA4}.
    >
    > MS KB article about the kill bit:
    >
    > <http://support.microsoft.com/support/kb/articles/q240/7/97.asp>
    >
    > Disable Active scripting for untrusted sites.

    Ack, my bad, I cut and pasted the wrong one (too many bits to kill, and after
    a while CLSIDs all look the same). It should also be noted that exploit
    code for this problem has been around since early (i.e. first week) of
    September, and at least one major virus has used it.

    The good news is that MS is setting kill bits with some service packs, the
    bad news is that they aren't publicizing what CLSIDs need to be killed.
    Listing MS IE installed components is relatively simple:

    HKEY_LOCAL_MACHINE\Software\Microsoft\Active Setup\Installed Components

    The bad news is this does not cover "built-in" components. As well it isn't
    always the most helpful:

    CLSID: 3bf42070-b3b1-11d1-b5c5-0000f8051515
    version: 1.0161.1890.3
    uniscribe
    USP10

    No link in the registry to any files, or what it does. Google indicates it
    most likely is Japanese language support.

    If anyone knows a tool for finding out the CLSID of an ActiveX object I
    would love to know it. Essentially something that would pop up the CLSID of
    a program when it runs, so when you visit a web page and an ActiveX
    component runs or is installed you can get ahold of the CLSID of it.

    The MS OLE viewer:

    http://www.microsoft.com/com/resources/oleview.asp

    only works for installed ones. One site covering the kill bit says:

    "Determine the CLSID for the ActiveX control that you want to disable. If
    you are not sure of the CLSID for the control, contact the manufacturer."

    Which isn't overly helpful in most cases. Symantec goes with:

    "To determine which CLSID corresponds with the ActiveX control that you want
    to disable, first remove all of the ActiveX controls that are currently
    installed. Then install the control that you want to disable and add the
    Kill Bit to its CLSID."

    In other words no good methods for enumerating CLSIDs seem to exist.

    >
    > - Art

    Kurt Seifried, kurt@seifried.org
    A15B BEE5 B391 B9AD B0EF
    AEB0 AD63 0B4E AD56 E574
    http://seifried.org/security/
