Re: CWS = Crummy Windows Security

From: Andrew Aronoff (ntbugtraq.sub_at_AARONOFF.COM)
Date: 10/07/04

  • Next message: Jason Coombs PivX Solutions: "Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities" 
    Date:         Thu, 7 Oct 2004 21:23:17 +0200
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

    A Aronoff wrote:
    >> AppInit_Dlls is a gaping security hole. Unfettered access to this
    >> value should be removed ASAP from NT4/W2K/WXP.

    Ron Parker replied:
    > Unfettered? What's "unfettered" mean?

    Unfettered means that if security permits, any app can write to this
    value. In our opinion, even with Admin access, there should be special
    vetting, perhaps against an MS-approved white list, before an app can
    write there. On a hostile network (such as the Internet), the value is
    simply too powerful for access to be left otherwise.

    Mark Tassin pointed out:
    > Why not simply use CoolWebShredder? Made by the author of Hijack
    > This! It seems to nail all the CWS variants out there. And does it
    > well I might add.
    >
    > http://www.spywareinfo.com/~merijn/downloads.html

    For two reasons:

    1. As the download page you provided indicates, the CWShredder
       project is "suspended"

    2. On the CWS version we wrestled with, CWShredder didn't work.
       (HijackThis didn't show anything in the AppInit_Dlls value,
       either.)

    Of course, if CWShredder works, so much the better. It's free, just
    like the method we espouse.

    regards, Andy 

    --
                                *****
       Want to know every program that starts up with Windows?
                    Download "Silent Runners.vbs":
                    http://www.silentrunners.org/
                                *****
--
NTBugtraq Editor's Note:
Want to reply to the person who sent this message? This list is configured such that just hitting reply is going to result in the message coming to the list, not to the individual who sent the message. This was done to help reduce the number of Out of Office messages posters received. So if you want to send a reply just to the poster, you'll have to copy their email address out of the message and place it in your TO: field.
--
  • Next message: Jason Coombs PivX Solutions: "Re: [Full-Disclosure] RE: Disclosure policy in Re: RealPlayer vulnerabilities"

    Relevant Pages

    • Re: Access denied for OpenProcess(PROCESS_DUP_HANDLE) in service
      ... The user wants the app to work without admin access. ... > investigating having a service run as administrator to open the disk ... enough about your requirements and I am only familair with Windows device ...
      (microsoft.public.platformsdk.security)
    • Re: "ehttp.cc" insertion in URL
      ... It appears this is a piece of one or more of the coolwebsearch variants, ... You can get the current version of CWShredder here: ... the app as downloaded should take care of this problem. ... I can stop the insertion by entering ...
      (microsoft.public.scripting.virus.discussion)
    • Re: CWshredder ??
      ... I think this is probably an accident of timing. ... The app does get rev'd regularly: The date on the one I just downloaded is ... >>Does anyone know where CWShredder went. ...
      (microsoft.public.security.virus)
    • Setting security rights on directories...
      ... I have admin access to ... the systems this app is installed on and have full access to user and group ... Regards, ... -Tony Kirk ...
      (microsoft.public.vb.general.discussion)