I have not seen evidence that either of these applications prevents new exploits. If anyone is making this claim, they should explain what technology they are using.

The required fix is simply setting a kill bit on the vulnerable ActiveX objects. Had this been done in September, none of these attacks would have happened.

"Workaround for Jelmer's Adodb Bug"
Date: September 13, 2003
http://seclists.org/lists/fulldisclosure/2003/Sep/0643.html

The easy to use, free fix for all of these issues:
http://www.eeye.com/html/research/alerts/AL20040610.html

Jelmer and Http-equiv have just noted and proven that hardening the local zone or the "My Computer Zone" which Quick-Fix touts is not a solution because the "Trusted Zone" remains... and is required for Windows Update. [Whatever else they may do, I do not know; I am just noting what they tout as "the only" solution.]

This said, you can very easily harden your "My Computer Zone" for free. Just show it and make it available. That is a Google step away.

You also need to harden all of the IE Zones. You should do this as part of any system hardening effort. Simply use the Restricted Zone as an example. You must know how to do this and understand the settings to properly harden any Windows system. It is as critical as setting the password policies or anything else. This does require some self-education beyond using the Restricted Zone as reference. If you mess up, you will make it very difficult for users to browse the web, and they will manually change the settings and likely end up getting spyware running automatically on their systems -- or worse.

Again, hardening all of the zones in IE should be a central part of any Windows hardening process. This means not just the Local Zone, but all of the other Zones as well.
The only people that should not be setting the kill bit are administrators that wish to continue to rely on VBS or WSH despite the strong evidence that this will make the systems they own vulnerable to potential attacks. If you "really" want to ensure they will not get hit, put on some AV and a good IPS. Ensure that the update subscription is paid for.

> -----Original Message-----
> From: security-bugtraq@xxxxxxxxxxxxxxx
> [mailto:security-bugtraq@xxxxxxxxxxxxxxx]
> Sent: Wednesday, July 07, 2004 10:41 AM
> To: bugtraq@xxxxxxxxxxxxxxxxx
> Subject: Can we prevent IE exploits a priori?
>
> We all know that yet another critical IE vulnerability (download.ject [aka SCOB, finally patched by M$ after 10 months]) caused some high profile groups (http://slate.msn.com/id/2103152/, http://www.theinquirer.net/?article=16922, slashdot.org/articles/04/07/02/1441242.shtml?tid=103&tid=113&tid=126&tid=172&tid=95&tid=99) to suggest that people stop using Internet Explorer. Yet a variation on SCOB (shell.application) remains unpatched, allowing our favorite Russian spam crime lords another crack at people's boxes. Of course, I use Mozilla, but some of my clients use IE and won't give it up, so I started to look around for a permanent fix, something that could prevent these attacks a priori.
>
> I found this post (http://seclists.org/lists/bugtraq/2004/May/0153.html) on Bugtraq, from Thor Larholm, which claims that his company (http://pivx.com/qwikfix/) has fixed all of these problems, half a year ago, with his program Qwik-fix. It apparently does this by hardening IE's "my local machine" zone (which is only visible if you hack the registry) and proactively prevents these types of attacks for good. Another program, Smartfix (http://www.einfodaily.com/about.php#smartfix), claims to do the same, so I decided to try these programs.
> I found Smartfix to be an unbearable resource hog on even a burly laptop, maxing the CPU almost every time I opened a web page in any browser, so I ripped it off my system. On the other hand, Qwik-Fix is MIA for me. Despite being supposedly available from multiple locations, in various versions (0.58 beta: http://www.majorgeeks.com/download4033.html , 0.57 beta: http://fileforum.betanews.com/detail/1068047556/1 , and 0.60 beta: http://superdownloads.ubbi.com.br/download/i24346.html), none of the downloads work right. The site doesn't list the current version, so I don't know if the 0.60 beta is even the latest version. Anyway, all of the downloads either fail, or when you get one of them and try to install it, the application attempts to download an MSI file that doesn't exist on the server. The Bugtraq post says you can download it from their site, but the download page (http://pivx.com/qwikfix/download.html) only allows you to email them so they can send you a copy. I still haven't heard from them. I don't mean to flame you, Thor, as your client list is certainly impressive (http://pivx.com/clients.html); I just can't seem to get your program from anywhere.
>
> So I wanted to know, has anyone tried these programs successfully? Can anyone validate their claims? Better yet, does anyone have a link to a "how to" doc that tells smart geeks how to make the registry changes ourselves, so we don't have to rely on some program to do it for us?
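The two registry changes the reply above recommends, as an added example that is not part of the original thread or of any product it mentions: setting the ActiveX kill bit (Compatibility Flags 0x400 under the ActiveX Compatibility key, as documented by Microsoft) on a CLSID so IE will no longer instantiate it, and then unhiding the "My Computer" zone (zone 0) and copying the ActiveX and scripting actions from the Restricted Sites zone (zone 4) into it, which is the "use the Restricted Zone as an example" approach. The function names are mine; the URL-action IDs and zone numbers are the documented IE values. The CLSID in the usage section is the one Microsoft published for ADODB.Stream; verify it against the vendor advisory before relying on it. The kill bit lives under HKLM and needs an elevated prompt; the zone settings shown are per-user (HKCU).

```powershell
# Added example, not code from the original thread. Requires an elevated prompt
# for the HKLM kill-bit write; zone settings are written for the current user.

$KillBit = 0x400   # "kill bit" flag documented by Microsoft for ActiveX Compatibility

function Format-Clsid {
    param([Parameter(Mandatory)][string]$Clsid)
    # Normalise to braces and upper case so the key name matches what IE looks up.
    return '{' + $Clsid.Trim('{}').ToUpperInvariant() + '}'
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $Clsid = Format-Clsid $Clsid
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = [int]$current -bor $KillBit          # keep any flags already present
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
    return $new
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $Clsid = Format-Clsid $Clsid
    $key = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return (([int]$flags -band $KillBit) -ne 0)
}

# Zone settings. Action values: 0 = enable, 1 = prompt, 3 = disable.
# Zone 0 = My Computer, 4 = Restricted Sites. The 0x20 bit in zone 0's Flags
# value is what hides it from the Security tab of Internet Options.
$ZonesRoot = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$Actions = @{
    '1001' = 'Download signed ActiveX controls'
    '1004' = 'Download unsigned ActiveX controls'
    '1200' = 'Run ActiveX controls and plug-ins'
    '1201' = 'Initialize and script ActiveX controls not marked as safe'
    '1400' = 'Active scripting'
    '1402' = 'Scripting of Java applets'
}

function Show-MyComputerZone {
    $key = "$ZonesRoot\0"
    $flags = (Get-ItemProperty -Path $key -Name Flags).Flags
    Set-ItemProperty -Path $key -Name Flags -Value ($flags -band (-bnot 0x20)) -Type DWord
}

function Copy-RestrictedZoneActions {
    # Copy the listed actions from the template zone (Restricted Sites by
    # default) into the target zone (My Computer by default).
    param([int]$Target = 0, [int]$Template = 4)
    foreach ($action in $Actions.Keys) {
        $value = (Get-ItemProperty -Path "$ZonesRoot\$Template" -Name $action -ErrorAction SilentlyContinue).$action
        if ($null -eq $value) { continue }       # not every action exists in every zone
        Set-ItemProperty -Path "$ZonesRoot\$Target" -Name $action -Value $value -Type DWord
        '{0} ({1}): zone {2} set to {3}' -f $action, $Actions[$action], $Target, $value
    }
}

# Usage. CLSID published by Microsoft for ADODB.Stream; confirm against the
# vendor advisory before use.
$AdodbStream = '{00000566-0000-0010-8000-00AA006D2EA4}'
Set-ActiveXKillBit -Clsid $AdodbStream | Out-Null
if (-not (Test-ActiveXKillBit -Clsid $AdodbStream)) { throw "kill bit not set for $AdodbStream" }
Show-MyComputerZone
Copy-RestrictedZoneActions
```

The check after the write matters: a kill bit that lands under the wrong key name (lower-case, missing braces) is silently ignored by IE, which is why the CLSID is normalised and read back. As the reply itself points out, tightening zone 0 alone is not a complete fix; the same review has to be done for the Trusted and other zones, and the per-user HKCU values only cover the account they were written under.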