Re: Microsoft disables ADODB.Stream

From: Russ (Russ.Cooper_at_RC.ON.CA)
Date: 07/02/04

  • Next message: Drew Copley: "Registry Fix For Variant of Scob"
    Date:         Fri, 2 Jul 2004 14:30:27 -0400

    There certainly has been a great deal of discussion occurring as a result of the release by MS of this registry tweak. I believe the biggest cause of confusion has been the fact MS released a binary which performs the registry update. In my opinion, a lot of people believe the binary to be more than simply a tool to invoke the registry change. They seem to think its a "fix", when its not.

    There's also good reason to discuss the criticality of this "fix", if not amongst the general population who may not appreciate such a discussion, at least amongst ourselves as security professionals.

    The ADODB.Stream object isn't vulnerable, its abuse is the symptom of vulnerabilities which allow access to it. So, what in fact do we fix by disabling it?

    Well, we disallow the attack from the Russian website...wonderful...its down anyway. It does not to prevent the websites which still have the JavaScript footer which try to send us to that site. It prevents exploitation of a variety of small scale attacks which have periodically occurred...that is, at least until something other than ADODB.Stream is found to be as useful.

    Until the problems with the trust zone model are fixed, we may find ourselves killing object after object.

    I'm certainly not recommending anyone urgently get this registry tweak installed. Heck, I wouldn't have recommended they do it when the Russian site was up. Is ADODB.Stream needed in IE? Well, you'll have to tell me that. For my sites, and those I access, no...let me know if you find something that breaks as a result of it being killed. I doubt there will be many, but I've already heard of a couple.

    I think, in the face of overwhelming pressure from the media, Microsoft has "done something" to address the least that's what the media and consumers might think...until they realize just what's been done.

    If you ask me, this "fix" kills of couple of strongly held MS theories;

    1) If vulnerability #2 cannot be attacked directly, but instead can only be attacked if vulnerability #1 is present, then vulnerability #2 isn't really a problem. It seems clear to me that this is no longer a reasonable position to take.

    2) You don't have to release exploit code, or make a big stink, in order to get action out of a Vendor regarding a security vulnerability. As responsive as Microsoft is, the fact that they've only reacted now, and in this way, strongly suggests that had their been an exploit in the wild on September 15th last year (shortly after Jelmer's announcement), we'd have had a real fix by now.

    I'm all in favor of giving Vendors notice and time to fix something, but as long as it continues to prove better to have an attack in order to get a reaction, it will continue to be difficult to convince people to disclose responsibly.

    Russ - NTBugtraq Editor

    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.

  • Next message: Drew Copley: "Registry Fix For Variant of Scob"

    Relevant Pages