Re: lets vote for better security

From: Karl Levinson, mvp (levinson_k_at_despammed.com)
Date: 04/10/05


Date: Sun, 10 Apr 2005 02:29:14 -0400


<Vanguard> wrote in message news:YsSdnexdKaNHHMXfRVn-ow@comcast.com...

> How to Uninstall Internet Explorer 6
> http://support.microsoft.com/default.aspx?scid=kb;en-us;293907

As you know, what I and the OP wanted to be able to do is eliminate IE and
OE-related security vulnerabilities. It seems obvious to me that something
is very wrong with all MS customers worldwide being required to install, and
thoroughly test, IE and OE patches onto production servers every 30 to 60
days, when IE shouldn't be there in the first place.

> There are a hell of a lot of programs that rely on the HTML rendering
> assumed available in Windows. Removing the HTML rendering engine (along
> with the front-end UI application; i.e., the IE browser) would hurt a
> lot more software vendors than there are 3rd party browsers claiming
> superiority over IE.

I know, but that doesn't sway me. Since most people don't use most of those
vendors, why should there be no possible way for such users to disable
MSHTML?

Giving users a way to disable IE, and/or making IE disabled by default,
doesn't hurt those vendors at all really. They would simply need to make a
minor change to their install programs to enable MSHTML during the
installation. Surely you are aware that there are plenty of applications
out there that need to enable or install other MS components in order to
work. By extension, your argument would require every Windows computer to
be running MSDE, etc. by default with no way to disable it, just because
there are a lot of software vendors that use it. That would be a security
disaster.

> I'm not saying that the IE browser is wonderful or that the HTML
> rendering engine couldn't use some work. But, at least, it is a
> non-proprietary document format and really shouldn't require a specific
> front-end application to use it.

I'm not saying that Mozilla is more secure than MSHTML, nor do I really
believe that. I *am* saying that Windows is less secure because you can't
disable powerful and risky components you aren't using, like MSHTML. You
can't very easily argue against that, or if you try, you're trying to
contradict a whole lot of security professionals. I also think it is
entirely technically possible for MS to un-bundle MSHTML from Windows.
Linux, Windows 3.x, etc. work just fine without MSHTML bundled in.

> > WSH that made the iloveyou virus and others possible gets
> > reinstalled by a variety of install programs.
>
> Which is alleviated when using anti-virus software with script
> blocking/scanning.

You generally block known viruses with AV. What you don't block by AV alone
is a lone attacker in, say, Pakistan who writes a brand new script and sends
it to your government. That slips past Norton with no trouble at all. If
your AV has good heuristics, a sandbox, etc, then your chances might improve
somewhat and your risk might go down somewhat. But there's still risk
there. Totally unnecessary risk. Because of a technology most home users
never ever use. Totally unnecessary. This weakens Windows security.

> like iLoveYou. Anyone not using AV software should not be connected to
> the Internet, should not be connected to their own network, and
> shouldn't install any software unless from a major software producer.

I use AV, and yet WSH is still a threat.

> Internet Explorer 4.0 and later treat WSH objects as unsafe ActiveX
> controls. As I recall, the default settings in the Internet security
> zone disable initialization and scripting of unsafe AX controls. Also,
> if you are using OE and not setting it to the default of using the
> Restricted Sites security zone (at its default High setting) then that
> was your deliberate choice to use lax security.

None of that does anything whatsoever to block VBS files that arrive via
NetBIOS file share, P2P, from a .ZIP file, by an attacker putting it onto
the computer, etc. etc. So VBS / WSH is still a risk. I don't feel the
user is to blame here.

> WSH relies on the
> Visual Basic Script and Java Script engines provided in Internet
> Explorer. There are plenty of perfectly legitimate applications that
> rely on scripting. So here you have an interdependency that most users
> won't know about. They get rid of IE, if possible, and all of a sudden
> some non-browser specific application stops working. The
> interdependencies can get quite complicated and convoluted. It isn't
> DOS anymore.

That doesn't sway me either. I never said WSH or IE should be disabled by
Microsoft post-Windows install, nor will it. It should be disabled in the
default installation and be disable-able by Group Policy. Microsoft has
decided to make it necessary for the user, or the application setup program,
enable some things that are disabled by default, and this could be done the
same way.

You are considering things that could go wrong, but I feel Microsoft could
make this happen without these things being issues. XP SP2 disables and
breaks a bunch of things as well, but MS worked through those issues fairly
well.

> As far as WSH getting reinstalled, guess I haven't ran into an
> application that did that (other than service packs but that won't
> affect script blocking/scanning by registry changes made for an
> anti-virus program).

This problem of WSH getting re-installed was a lot worse with Windows 9x...
mainly because many versions of IE 5 - 6 containing WSH were released in
that timeframe, while IE 6 has been largely unchanged throughout Windows
2000 and XP SP1. I seem to recall other apps re-installing WSH as well.

> However, if one application requires it and you
> require that application to work then it is an all or nothing
> proposition: you enable WSH or you disable it, and enabling it means any
> application can use it.

WSH safety does not need to be all or nothing. If Microsoft would just make
the default action on .VBS files edit instead of execute, users would be a
lot safer from viruses, and attackers that have not yet compromised a
computer would in most cases not be able to call cscript.exe scriptname to
run a malicious script.

> When running the setup program for MS Office, there is the "Microsoft
> Office -> Office Shared Features -> Visual Basic for Applications" node
> in the hierarchical component tree. Unchecking that option eliminates
> installing VBA (or uninstalls it if already installed). Microsoft isn't
> responsible for non-Microsoft programmers who do not similarly note the
> inclusion of VBA in their installs.

I don't recall seeing that option. I could certainly be mistaken about
there not being a GUI way for a user to uninstall VBA. I'm not an expert at
Office XP or 2003.

> > Nor is
> > there a group policy button that comes with Windows.
>
> I wasn't quite sure where you were going with this. A button? Maybe in
> the Start menu?

I meant that while it may or may not be possible to disable some of these
via Group Policy, you either have to download and import a MS template to do
so, or write your own template to do so. It shouldn't be this hard to do
something that to me seems so natural... e.g. disable functionality you
don't need or use, both on a single system and remotely across an large
enterprise. By "button," I meant a GUI object, such as a checkbox in a GP
MMC console.



Relevant Pages

  • Re: "Selling" Perl (i.e. getting the boss to let me install it)
    ... > I'd like to install ActivePerl on a Windows XP machine specifically to ... Perl is 'just another interpreting language on your PC' and doesn't have any specific security implications. ... If they wanted to be safe, they had to forbid the execution of any executable / script / macro not installed by them. ...
    (comp.lang.perl.misc)
  • Re: [fw-wiz] Securing a Linux Firewall
    ... No. Doing an basic application security analysis does not require doing the ... > install' side of the discussion. ... Install it and run the script. ... All the arguments for having a minimal install involve "raising the bar" ...
    (Firewall-Wizards)
  • RE: Disabling USB mass storage
    ... or concerned service depended of user account or computer location in AD ... script try to enable all devices from ... "devcfg disable" it disables all devices and concerned services ... Specify "devcmcfg.vbs disable" as Startup Script parameter value of GPO, ...
    (Focus-Microsoft)
  • RE: Error installing R2 disk
    ... Tried the install with evertything disabled, as instructed, and received ... It seems you upgrade your server to R2, If so, according to the less error ... This disables all third party service items. ... Please collect the Setup MPS report for analysis: ...
    (microsoft.public.windows.server.sbs)
  • RE: preventing run-as option
    ... still doesn't address the security posture that is allowing the access. ... It merely disables the GUI and not the daemon or the access controls. ... The NSA has designated Norwich University a center of Academic ... Citizens or its affiliates via email, ...
    (Security-Basics)