From: Bronek Kozicki (brokrubikon.pl)
Date: Thu Dec 20 2001 - 03:15:05 CST

    > The firewall won't help because we use a proxy before we get to the
    > firewall. We could block those server addresses on the Proxy though.

    At least some of the IE vulnerabilities can be exploited without browsing
    the Internet at all. That's because these vulnerabilities affect Outlook
    Express as well. It's enough to read your mail, or just open an .eml or
    .nws file. If you have an SMTP or NNTP server running locally, you will
    probably have plenty of these files floating in your \Inetpub directory.

    > I just thought that there may be a way to disable, delete, or unregister
    > some IE component that would disable the user interface of the browser.

    Good point. However, if you take a careful look at the "Add/Remove Programs"
    applet in Control Panel, you will find that it's an HTML control, running
    in the MSHTA.exe process. If you "disable" IE, this applet will not work.
    It's just an example of how deeply IE5 is integrated with Win2K (not only
    integrated, but also unsupported, actually). Coming back to your
    question: the simplest and safe (i.e. undo-able) way to disable IE would be
    to revoke access to its most important DLLs: mshtml.dll, url.dll,
    urlmon.dll, wininet.dll and shdocvw.dll. One way would be to put a very
    restrictive ACL on them, another to create a local account (especially for
    this purpose) and use it to encrypt these files. Both can be rolled back in
    case someone comes up with a better solution, or you find out that Win2K
    does not work without IE.

    I also have a question regarding MS01-058. Jouko Pynnonen claims (here:
    http://www.solutions.fi/index.cgi/news_2001_12_14?lang=eng) that this
    vulnerability applies to IE5.0. Unfortunately, there's no way to
    validate this (no sample exploit available). Microsoft discontinued
    support for IE5.01 and is not going to evaluate any security problems
    with it. Can anybody confirm or deny that the "Arbitrary File Execution"
    vulnerability affects IE5.01 SP2? If so, there should be a way to protect
    without installing a newer IE version. Or force Microsoft to fully support
    Win2K with all "features" they put inside it.

    Regards

    B.