Registry fixes for the recent IE vulnerabilities

From: Mike Cheng (mcorl737_at_hotmail.com)
Date: 07/01/04

    Date: 1 Jul 2004 20:26:22 -0000
    To: bugtraq@securityfocus.com

    Here are the fixes to patch the 2 vulnerabilities referenced here http://isc.sans.org/diary.php?date=2004-06-27 and here http://www.microsoft.com/security/incident/download_ject.mspx, and stop cross-zone scripting for IE without affecting daily web browsing abilities.

    1. Fix the adodb.stream vulnerability so you won't download files through a web page. Modify or add the following registry key to set a kill bit on this CLSID.

    [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
    "Compatibility Flags"=dword:00000400

    2. Change the security setting for the hidden "Local Computer Zone" in IE. To show the zone you need to modify the following registry key.

    [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
    "Flags"=dword:00000001

    Then open up IE and go to "Tools" -> "Internet Options" -> "Security" tab -> click on the "My Computer" zone and set the "Custom" security to high.

    Doing this will affect the files that you open on the local machine, so if you are developing an app locally remember to switch back to medium or low security.

    Here's a tip if you are a developer: add a new zone in the registry with unrestricted settings and add 127.0.0.1 and your machine name to the site list.

    You can add a zone by exporting one of the keys under

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\

    modifying it to your liking, and adding it back into the registry.
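The two registry edits above are easy to get subtly wrong (the kill bit is a single bit in "Compatibility Flags", and the Local Computer zone is hidden by a flag bit rather than by a missing key), so a defender auditing a fleet wants a check rather than a visual inspection of regedit. The following Python is an added example, not code from the original post: it parses a .reg export (the format regedit produces) and reports whether the ADODB.Stream CLSID from the post carries the 0x400 kill bit and whether zone 0 is visible. The sample export embedded in it is constructed from the post's two fragments; the 0x20 "do not show on the Internet Options dialog" meaning of the zone Flags bit and the 0x21 default for zone 0 are taken from Microsoft's zone documentation, and the `audit` helper name is my own.

```python
import re

# Constructed sample: the two fragments from the post, written the way a
# regedit export would contain them (this is not a real export).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
"Compatibility Flags"=dword:00000400

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0]
"Flags"=dword:00000001
"""

KILL_BIT = 0x400                 # Compatibility Flags bit that blocks the control in IE
ZONE_NO_UI = 0x20                # zone Flags bit: hide the zone on the Security tab
ZONE0_DEFAULT_FLAGS = 0x21       # documented default for the My Computer zone (hidden)
ADODB_STREAM_CLSID = "{00000566-0000-0010-8000-00AA006D2EA4}"   # CLSID from the post

ACTIVEX_COMPAT = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
ZONE0_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0"

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def parse_reg(text):
    """Parse a .reg export into {key_path_lower: {value_name_lower: value}}.

    dword: values become ints; quoted strings lose their quotes; anything
    else (hex: blobs, etc.) is kept as the raw text after '='. Key paths and
    value names are lower-cased because the registry is case-insensitive.
    """
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        if current is None:
            continue
        m = _VALUE_RE.match(line)
        if not m:
            continue                                   # continuation lines, junk
        name = (m.group(1) if m.group(1) is not None else "@").lower()
        value = m.group(3).strip()
        if value.lower().startswith("dword:"):
            keys[current][name] = int(value[6:], 16)
        elif len(value) >= 2 and value.startswith('"') and value.endswith('"'):
            keys[current][name] = value[1:-1]
        else:
            keys[current][name] = value
    return keys


def kill_bit_set(keys, clsid):
    """True if the control's Compatibility Flags carry the 0x400 kill bit."""
    path = (ACTIVEX_COMPAT + "\\" + clsid).lower()
    flags = keys.get(path, {}).get("compatibility flags", 0)
    return isinstance(flags, int) and bool(flags & KILL_BIT)


def local_zone_visible(keys):
    """True if zone 0 (My Computer) will appear on the Security tab.

    A missing Flags value means the default applies, and the documented
    default for zone 0 (0x21) includes the hide-from-UI bit.
    """
    flags = keys.get(ZONE0_KEY.lower(), {}).get("flags", ZONE0_DEFAULT_FLAGS)
    return isinstance(flags, int) and not (flags & ZONE_NO_UI)


def audit(reg_text):
    """Summarise the two checks from the post for one .reg export."""
    keys = parse_reg(reg_text)
    return {
        "adodb_stream_kill_bit": kill_bit_set(keys, ADODB_STREAM_CLSID),
        "local_zone_visible": local_zone_visible(keys),
    }


if __name__ == "__main__":
    for check, ok in audit(SAMPLE_REG).items():
        print(f"{check}: {'OK' if ok else 'MISSING'}")
```

Run it against a real export (regedit's "Export" of the two keys) by passing the file contents to `audit`; an empty export reports both checks as missing, because the kill bit is absent by default and zone 0 is hidden by default.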
