Re: IE4 Custom Folder

From: David LeBlanc (dleblancat_private)
Date: Fri Oct 02 1998 - 05:59:33 PDT

Next message: Klaus.Kuscheat_private: "Several potential security problems in IBM/Tivoli OPC Tracker Age"

Previous message: Darren Reed: "CERT: IN-98.04"
Maybe in reply to: Marc: "IE4 Custom Folder"
Next in thread: Christopher K Davis: "Re: IE4 Custom Folder"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

At 02:25 PM 10/1/98 -0600, listuserat_private wrote:
>> ---> Problem
>> Users with write access to a customized folder can replace the customized
>> folder settings inserting their own "evil" files to execute code.

I'd amend this to point out that users with write access to ANY directory
can possibly trojan ANY user with Active Desktop enabled.

>I'm not 100% sure what you can change these settings to, to lock the
>machine down, nor do I have any Windows95/98 machines to play on. The best
>advice would be to disable active desktop which is dog slow anyways.
>Impliment system policies, and distribute a custom version of MSIE 4.01
>(via the IEAK) with this stuff turned off by default. In other words round
>up the usuall suspects.

Under NT, you've got a few more options - you can use the file system
permissions to fix this - just create a desktop.ini file with nothing in
it, and give only admins the right to change it - administrators:F,
everyone:R ought to do it.  Also be sure that everyone doesn't have full
control on the parent directory.

This is somewhat annoying, as you are allowed to customize remote folders,
but there is no provision that I can see to keep users from conflicting
with one another.

In fact, the only safe work-around I see for this one is to pre-create the
desktop.ini files for _all_ public shared directories, and set the ACL on
it.  Obviously, using the command line to deal with directories will keep
you safe from this.  IMHO, asking everyone to disable active desktop won't
be effective.

Tightening the security settings for the local zone would also be useful.

With respect to disabling this attack on Win95, your only options are (in
personal order of preference):

1) Install NT, precreate desktop.ini files and lock them down
2) Don't share anything
3) Disable active desktop

I'd urge people not to dismiss this attack, as it would be fairly easy to
use it to install all sorts of interesting trojans.

I think the fix I'd like to see out of MS for this would be to not display
any customization for any remote file system.  This also gets a little
interesting with NT 5.0 having the capability to mount a remote file system
and map it to a directory which appears to be local.  Another possible fix
would be to give me the option of disabling customized directory display
without disabling the desktop (which is basically how I prefer to use it).

David LeBlanc
dleblancat_private

Next message: Klaus.Kuscheat_private: "Several potential security problems in IBM/Tivoli OPC Tracker Age"
Previous message: Darren Reed: "CERT: IN-98.04"
Maybe in reply to: Marc: "IE4 Custom Folder"
Next in thread: Christopher K Davis: "Re: IE4 Custom Folder"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 14:18:33 PDT