RE: Worms and CScript/WScript

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Tue May 21 2002 - 22:04:30 PDT


    mwrightat_private wrote:
    
    > The NSA guide, titled: "E-mail Security in the Wake of Recent Malicious Code
    > Incidents" actually recommends disabling Windows Scripting Host by removing
    > both cscript.exe and wscript.exe.
    
    And that makes it "correct" or "a good idea"?
    
    > I have added that to my logon script so that every time a user logs onto one
    > of my networks, WSH is disabled.  Add that to a managed anti-virus solution
    > that filters attachments by extension, and does real-time protection of both
    > servers and workstations and you have a very effective virus/worm/trojan
    > defense.
    
    In the corporate arena you often can get away without either of these 
    "advanced" scripting mechanisms, but Windows Update -- which is 
    rather critical to SOHO users having any chance of staying vaguely 
    up-to-date with security patches -- used to and presumably still does 
    depend on WSH (I think VBS specifically).  Thus, suggesting disabling 
    it as a blanket recommendation may not be a wise thing...  (And, even 
    in the corporate arena, you may be better off restricting access to it 
    rather than removing it -- if your admin group uses VB scripts for 
    advanced system admin, certainly let them continue to run it so long 
    as scripts can be run under a suitably privileged security context 
    without introducing other unwanted problems but lock down your 
    ordinary users' access to the EXEs.)
    
    > You can download the aforementioned NSA guide directly here:
    > http://nsa2.www.conxion.com/emailexec/guides/eec-1.pdf
    
    I won't comment further on this (and probably not here but on the 
    focus-virus list if I ever do) until I've read it...
    
    > or browse through all the NSA guides at http://www.nsa.gov
    
    Let's see -- the NSA gives out security advice from a site that 
    _requires_ browser scripting to be enabled?
    
    Hmmmm -- do you think we may be able to make an informed estimate of 
    the likely quality and thoroughness of that advice from just this one 
    data point??
    
    
    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
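
Added example, not part of the original message or of the NSA guide: a read-only PowerShell audit for the approach suggested in the reply above (leave the WSH executables in place but restrict ordinary users' access to them). It assumes the default locations under %SystemRoot% and treats the listed well-known groups as "ordinary users"; the function name is hypothetical.

```powershell
# Added example: read-only audit of who may execute the Windows Script Host
# binaries. It reads ACLs only and changes nothing on the system.
# Assumptions: default install paths; the groups below stand in for "ordinary users".
$WshPaths = foreach ($dir in 'System32', 'SysWOW64') {
    foreach ($exe in 'wscript.exe', 'cscript.exe') {
        Join-Path (Join-Path $env:SystemRoot $dir) $exe
    }
}
$BroadGroups = 'Everyone', 'BUILTIN\Users',
               'NT AUTHORITY\Authenticated Users', 'NT AUTHORITY\INTERACTIVE'

# FILE_EXECUTE (0x20) plus the generic bits that also grant execute:
# GENERIC_EXECUTE (0x20000000) and GENERIC_ALL (0x10000000).
$ExecuteMask = 0x20 -bor 0x20000000 -bor 0x10000000

function Get-WshExecuteExposure {   # hypothetical helper name
    param([string[]]$Path = $WshPaths)
    foreach ($file in $Path) {
        if (-not (Test-Path -LiteralPath $file)) {
            # Covers the "remove the EXEs" approach and 32-bit systems without SysWOW64.
            [pscustomobject]@{ Path = $file; Status = 'Absent'; Allow = ''; Deny = '' }
            continue
        }
        # Keep only ACEs for broad groups that carry an execute right.
        $aces = (Get-Acl -LiteralPath $file).Access | Where-Object {
            $BroadGroups -contains $_.IdentityReference.Value -and
            (([int]$_.FileSystemRights) -band $ExecuteMask)
        }
        $allow = @($aces | Where-Object AccessControlType -eq 'Allow' |
                   ForEach-Object { $_.IdentityReference.Value })
        $deny  = @($aces | Where-Object AccessControlType -eq 'Deny' |
                   ForEach-Object { $_.IdentityReference.Value })
        $status = if ($deny.Count -gt 0)      { 'DenyAcePresent' }
                  elseif ($allow.Count -gt 0) { 'AllowedForOrdinaryUsers' }
                  else                        { 'NoBroadAllowAce' }
        [pscustomobject]@{
            Path   = $file
            Status = $status
            Allow  = $allow -join ', '
            Deny   = $deny -join ', '
        }
    }
}

Get-WshExecuteExposure | Format-Table -AutoSize
```

The audit does not resolve group membership: a deny ACE on one of these broad groups also applies to administrators who are members of it, so a `DenyAcePresent` result still needs a check that the admin group can run its scripts.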
    



    This archive was generated by hypermail 2b30 : Wed May 22 2002 - 13:56:08 PDT