Re: DNS changed...
From: Kent W. England [MVP] (kwe_at_mvps.org)
Date: 10/04/03
- Next message: Invisible Dance: "10:16 PM EDT 03OCT03"
- Previous message: Kent W. England [MVP]: "Re: virus swen cured then the same effects come back?"
- In reply to: Bill Sanderson: "Re: DNS changed..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Fri, 3 Oct 2003 18:00:26 -0700
More information is now available at
http://www.kb.cert.org/vuls/id/865940 and according to how I interpret
this poorly worded advice from CERT, the workarounds I described may not
catch all possible exploits of this vulnerability, but do stop the
current Qhosts exploit.
According to this article, disabling scripting will stop all exploits of
.hta content. While this seems extreme, you can download Microsoft
Internet Explorer 5 Power Tweaks Web Accessories:
http://www.microsoft.com/windows/ie/previous/webaccess/pwrtwks.asp
for new commands in the tools menu to add sites to Trusted or Restricted
zones. This tweak works for IE5/6 and makes it easier to add sites to
the Trusted zone to enable scripting.
-- Kent W. England, Microsoft MVP for Windows "Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message news:e8ynl%23ViDHA.4012@tk2msftngp13.phx.gbl... > Thanks Kent. > > Folks are saying that Symantec's description is more complete: > > http://www.symantec.com/avcenter/venc/data/trojan.qhosts.html > > The HTA disabling workaround you give is important--there's some urban > legends here--disabling activex and scripting doesn't work with this one, as > I understand it. > > > "Kent W. England [MVP]" <kwe@mvps.org> wrote in message > news:ewJOITViDHA.2592@tk2msftngp13.phx.gbl... > > That seems to be the case, as reported by > > http://vil.nai.com/vil/content/v_100719.htm. You can workaround this > > vulnerability in a couple of ways: > > > > 1) set your personal firewall to disallow mshta.exe from sending TCP > > data outbound > > 2) dissociate .hta files from mshta.exe, using Folder Options control > > panel > > > > In either case, you prevent .hta files from being executed/viewed. > > > > -- > > Kent W. England, Microsoft MVP for Windows > > > > > > > > "Bill Sanderson" <Bill_Sanderson@msn.com.plugh.org> wrote in message > > news:ulvWovKiDHA.1872@TK2MSFTNGP10.phx.gbl... > > > I'm confused as well. I suspect what this means is that this is a > > > vulnerability described in MS 03-032, but not, in fact, patched by the > > > associated patch. There have been rumors of such since this patch > > came out, > > > acknowledged by MS in revisions of the bulletin, but no new patch has > > come > > > out. > > > > > > "Mike Beauchamp" <newsgroups@mikebeauchamp.com> wrote in message > > > news:blgb4s0kvp@enews1.newsguy.com... > > > > You have me a little confused here.. You say that the vulnerability > > > > involved is MS03-032, yet the link included in your copy-paste says: > > > > > > > > NOTE: The MS03-032 patch does not protect against this attack > > vector. This > > > > allows for the automatic execution of VBScript contained in an HTML > > file > > > > (x.hta) > > > > > > > > Also, when I go to Windows Update, I see no critical updates that I > > can > > > > install. Yet I somehow managed to get this virus.. > > > > > > > > Mike > > > > > > > > > >
- Next message: Invisible Dance: "10:16 PM EDT 03OCT03"
- Previous message: Kent W. England [MVP]: "Re: virus swen cured then the same effects come back?"
- In reply to: Bill Sanderson: "Re: DNS changed..."
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
