RE: Worms and CScript/WScript

From: Nick FitzGerald (nick@virus-l.demon.co.uk)
Date: Sun May 26 2002 - 20:07:00 PDT


    "Richard H. Cotterell" <seecat_private> wrote:
    
    > Ref: Nick FitzGerald <nick@virus-l.demon.co.uk>'s
    >      message dated 22 May 2002, 17:04 hours.
    > 
    <<snip>>
    > > ...  Thus, suggesting disabling 
    > >it as a blanket recommendation may not be a wise thing...  (And, even 
    > >in the corporate arena, you may be better off restricting access to it 
    > >rather than removing it -- if your admin group uses VB scripts for 
    > >advanced system admin, certainly let them continue to run it so long 
    > >as scripts can be run under a suitably privileged security context 
    > >without introducing other unwanted problems but lock down your 
    > >ordinary users' access to the EXEs.)
    > 
    > An alternative approach would be to use *script defender* from AnalogX, 
    > which allows a Windows user to turn on/off the whole set of scripts that 
    > make for vulnerable web site visiting. :-)
    > 
    > <http://www.analogx.com>
    
    For SOHO users, something like that would be fine so long as they had
    the discipline to use it.  There are several other such utilities too
    and part of the discipline of using these is remembering to re-check
    after installing updates and so on.  In many cases things like
    ScriptDefender get turned off -- i.e. scripts get re-enabled -- for
    some "good reason" and then not turned back on but the users keep
    working "as normal" in the belief that the protection it was giving
    them is still there.  This is not really a problem with the product 
    -- more a reminder that we are talking about fixing a _process_ so a 
    single point, static program is unlikely to be the be-all and end-all 
    of a solution.
    
    Further, the function of things like ScriptDefender is often 
    misrepresented or misunderstood, as we see in your own description of 
    what it does.  ScriptDefender provides _no_ protection against "the 
    whole set of scripts that make for vulnerable web site visiting" and 
    getting that wrong when offering "advice" to others is no smiling 
    matter...  All ScriptDefender does is break or re-establish the file 
    associations between certain _standalone_ WSH script types and the 
    program(s) that normally handle them, interjecting itself into the 
    command chain to allow for a presumably rational choice on the part 
    of the user as to whether to let the script be passed to its usual 
    handler or not.  (And let's not forget, these are the same users who, 
    for the last 5 years, have largely not managed to work out you click 
    the "Disable macros" button in Word and other MS Office products when 
    given much the same kind of responsibility...)  It does nothing to 
    disable or manage the execution of scripts embedded in web pages or 
    HTML Email messages _unless_ the particular exploit of some 
    vulnerability creates local "script files" of the types handled by 
    ScriptDefender.
    
    
    -- 
    Nick FitzGerald
    Computer Virus Consulting Ltd.
    Ph/FAX: +64 3 3529854
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
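
The re-check discipline described in the message, as an added example that is not part of the original post or of ScriptDefender: a PowerShell audit of what each standalone WSH script type currently opens with, compared against a saved baseline. The extension list, the baseline file path and the wscript/cscript match are assumptions of this example; it inspects file associations only and says nothing about scripts embedded in web pages or HTML mail.

```powershell
# Added example: audit the handlers of standalone WSH script types and flag
# any change since the last run (e.g. after an update or a "temporary" re-enable).
# Assumptions: the extension list, the baseline path, and treating a command
# line that names wscript.exe or cscript.exe as "script host".
$Extensions = '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh'
$Baseline   = Join-Path $env:LOCALAPPDATA 'wsh-assoc-baseline.csv'   # hypothetical path

function Get-DefaultValue([string]$Key) {
    # (Default) value of a registry key, or nothing if the key does not exist
    if (Test-Path -LiteralPath $Key) { (Get-Item -LiteralPath $Key).GetValue('') }
}

$current = foreach ($ext in $Extensions) {
    # A per-user "Open with" choice overrides the machine-wide association
    $uc = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\FileExts\$ext\UserChoice"
    $progId = (Get-ItemProperty -LiteralPath $uc -ErrorAction SilentlyContinue).ProgId
    if (-not $progId) { $progId = Get-DefaultValue "Registry::HKEY_CLASSES_ROOT\$ext" }

    $command = $null
    if ($progId) {
        $shell = "Registry::HKEY_CLASSES_ROOT\$progId\Shell"
        $verb  = Get-DefaultValue $shell              # default verb name
        if (-not $verb) { $verb = 'Open' }            # 'Open' when none is set
        $command = Get-DefaultValue "$shell\$verb\Command"
    }
    $state = if (-not $command) {
        'no handler'
    } elseif ($command -match '\b(wscript|cscript)\.exe') {
        'script host'
    } else {
        'other handler'                               # e.g. an interposed utility
    }
    [pscustomobject]@{ Extension = $ext; ProgId = "$progId"; Command = "$command"; State = $state }
}
$current | Format-Table -AutoSize

if (Test-Path -LiteralPath $Baseline) {
    $diff = Compare-Object (Import-Csv -LiteralPath $Baseline) $current -Property Extension, Command
    if ($diff) {
        Write-Warning 'Script file associations differ from the saved baseline:'
        $diff | Sort-Object Extension | Format-Table -AutoSize
    } else { 'No change since baseline.' }
} else {
    $current | Export-Csv -LiteralPath $Baseline -NoTypeInformation
    "Baseline saved to $Baseline"
}
```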
    



    This archive was generated by hypermail 2b30 : Mon May 27 2002 - 12:46:05 PDT