RE: Worms and CScript/WScript

From: Nick FitzGerald (
Date: Tue May 21 2002 - 22:04:30 PDT

    mwrightat_private wrote:

    > The NSA guide, titled: "E-mail Security in the Wake of Recent Malicious Code
    > Incidents" actually recommends disabling Windows Scripting Host by removing
    > both cscript.exe and wscript.exe.

    And that makes it "correct" or "a good idea"?

    > I have added that to my logon script so that every time a user logs onto one
    > of my networks, WSH is disabled.  Add that to a managed anti-virus solution
    > that filters attachments by extension, and does real-time protection of both
    > servers and workstations and you have a very effective virus/worm/trojan
    > defense.

    In the corporate arena you often can get away without either of these
    "advanced" scripting mechanisms, but Windows Update -- which is
    rather critical to SOHO users having any chance of staying vaguely
    up-to-date with security patches -- used to and presumably still does
    depend on WSH (I think VBS specifically).  Thus, suggesting disabling
    it as a blanket recommendation may not be a wise thing...  (And, even
    in the corporate arena, you may be better off restricting access to it
    rather than removing it -- if your admin group uses VB scripts for
    advanced system admin, certainly let them continue to run it so long
    as scripts can be run under a suitably privileged security context
    without introducing other unwanted problems but lock down your
    ordinary users' access to the EXEs.)

    > You can download the aforementioned NSA guide directly here:

    I won't comment further on this (and probably not here but on the
    focus-virus list if I ever do) until I've read it...

    > or browse through all the NSA guides at

    Let's see -- the NSA gives out security advice from a site that
    _requires_ browser scripting to be enabled?

    Hmmmm -- do you think we may be able to make an informed estimate of
    the likely quality and thoroughness of that advice from just this one
    data point??

    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
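
The reply above suggests restricting ordinary users' access to the WSH executables rather than removing them; whether a machine is actually in that state can be checked by auditing the ACLs on the two files. The PowerShell below is an added example, not part of the original message: the System32 location and the set of well-known SIDs treated as "ordinary users" are assumptions.

```powershell
# Added example: list the ACEs that grant execute on the WSH hosts and flag
# grants to broad groups. This lists ACEs; it does not compute effective
# access through group membership.
$Hosts = 'wscript.exe', 'cscript.exe' |
    ForEach-Object { Join-Path $env:SystemRoot "System32\$_" }   # assumed location

# Assumption: these well-known SIDs stand for "ordinary users".
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-4'      = 'INTERACTIVE'
    'S-1-5-11'     = 'Authenticated Users'
    'S-1-5-32-545' = 'BUILTIN\Users'
}

$ExecuteFile    = [int][System.Security.AccessControl.FileSystemRights]::ExecuteFile
$GenericExecute = 0x20000000 -bor 0x10000000   # GENERIC_EXECUTE | GENERIC_ALL, if left unmapped

function Test-GrantsExecute($Rule) {
    $mask = [int]$Rule.FileSystemRights
    (($mask -band $ExecuteFile) -ne 0) -or (($mask -band $GenericExecute) -ne 0)
}

foreach ($path in $Hosts) {
    if (-not (Test-Path -LiteralPath $path)) {
        [pscustomobject]@{ File = $path; Sid = $null; Inherited = $null; Status = 'file not present' }
        continue
    }
    # Ask for SIDs rather than names so the check does not depend on the OS language.
    $sidType = [System.Security.Principal.SecurityIdentifier]
    $rules = @((Get-Acl -LiteralPath $path).GetAccessRules($true, $true, $sidType) |
        Where-Object { Test-GrantsExecute $_ })
    $denied = @($rules | Where-Object { $_.AccessControlType -eq 'Deny' } |
        ForEach-Object { $_.IdentityReference.Value })

    foreach ($rule in $rules | Where-Object { $_.AccessControlType -eq 'Allow' }) {
        $sid = $rule.IdentityReference.Value
        $status = if ($denied -contains $sid) {
            'allow ACE overridden by a deny ACE for the same SID'
        } elseif ($BroadSids.ContainsKey($sid)) {
            "BROAD: $($BroadSids[$sid]) can run this host"
        } else {
            'allowed'
        }
        [pscustomobject]@{ File = $path; Sid = $sid; Inherited = $rule.IsInherited; Status = $status }
    }
}
```

Any row whose Status starts with BROAD means the executable is still runnable by ordinary users, which is the condition the reply recommends locking down.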
