Registry Fix For Variant of Scob

From: Drew Copley (dcopley_at_EEYE.COM)
Date: 07/02/04

  • Next message: http-equiv_at_excite.com: "SUPER SPOOF DELUXE: The 3 D's" 
    Date:         Fri, 2 Jul 2004 14:32:56 -0700
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    About the same time Jelmer found the adodb bug, http-equiv
    found a similiar issue with the object "Shell.Application".

    This issue has also been unfixed for the past ten months.

    Unfortunately, Microsoft has not taken the "hint" and not
    fixed this issue either.

    Jelmer has noted this and made a proof of concept exploit
    page here:
    http://62.131.86.111/security/idiots/malware2k/installer.htm

    The below registry file will protect you from this exploit
    by kill biting "Shell.Application" variant.

    <------------------------------------------->
    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
    Compatibility\{13709620-C279-11CE-A49E-444553540000}]
    "Compatibility Flags"=dword:00000400
    <-------------------------------------------->

    I will be updating our free fix download here:
    http://www.eeye.com/html/research/alerts/AL20040610.html

    This will break some hta scripts that might be used
    for management. It may cause some incompatibility issues
    with some programs.

    Shell.Application is commonly used by administrators
    for administration of systems via Visual basic script
    or WSH. It may have other uses. It is kind of Microsoft's
    answer to shell script -- though not as happy as batch.

    -----
    NTBugtraq Editor's Note:

    Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
    -----

  • Next message: http-equiv_at_excite.com: "SUPER SPOOF DELUXE: The 3 D's"