> -----Original Message-----
> From: Thor Larholm
> Sent: Saturday, July 03, 2004 3:47 PM
> To: 'Drew Copley'; 'Windows NTBugtraq Mailing List';
> 'bugtraq@xxxxxxxxxxxxxxxxx'
> Subject: RE: Registry Fix For Variant of Scob
>
>
> Setting the kill bit on the "Shell.Application" ActiveX object, or any
> other ActiveX, is a system wide configuration change. This is also the
> reason for the incompatibility issues you are mentioning, but there is
> no reason to kill the bird to secure the nest.
>
> The problem here is not the ADODB.Stream or Shell.Application objects,
> the problem is the insecure My Computer zone in Internet Explorer. Your
> registry fix will have adverse functionality regressions on any Windows
> administrator that uses WSH when there is no reason for this.

<snip>

I noted this in my paper. I noted in a reply to a post that hardening the Local Zone can also cause problems. A lot of applications use this zone.

The reason killbitting was considered a "workaround" was because it was always a "workaround" until Microsoft fixed the issue.

My viewpoint is the ActiveX is flawed. The development of it and the QA of it. So, it should be removed, because of the security issue... until Microsoft fixes the issue and retests the ActiveX for further variants.

"My Computer Zone", ultimately, should be hardened, but without removing functionality, in my opinion.

What I have been asking from Microsoft - and expect to get - is that they add it to the security interface. And further, that they make their security interface easy to use. As it stands it has almost no help, and the definitions are completely unwieldy. It is absurd. They do the Xbox well, why can't they do this well?

So, let's add that suggestion there, too. Because it is sorely needed.