RE: Worms and CScript/WScript

From: Dubber, Drew B (drew.dubberat_private)
Date: Tue May 28 2002 - 09:13:23 PDT


    There was a nice message the other day about restricting the ability to run
    scripts by removing the NTFS execute permission for users from certain
    folders, such as the temporary folders that Outlook uses.
    
    Alternatively, Windows XP allows you to sign your scripts, utilise IE zone
    security, or use PKI technologies to ensure that only authorised scripts are
    run. There is some basic security functionality that can be configured for
    Win2k, but as I remember it's as weak as runny poo :)
    
    Regards
    Drew
    
    -----Original Message-----
    From: Richard H. Cotterell [mailto:seecat_private]
    Sent: 28 May 2002 02:39
    To: Nick FitzGerald; incidentsat_private
    Subject: RE: Worms and CScript/WScript
    
    Ref: Nick FitzGerald <nick@virus-l.demon.co.uk>'s
         message dated 27 May 2002, 15:07 hours.
    
    >"Richard H. Cotterell" <seecat_private> wrote:
    >
    >> Ref: Nick FitzGerald <nick@virus-l.demon.co.uk>'s
    >>      message dated 22 May 2002, 17:04 hours.
    >> 
    ><<snip>>
    >> > ...  Thus, suggesting disabling 
    >> >it as a blanket recommendation may not be a wise thing...  (And, even 
    >> >in the corporate arena, you may better off restricting access to it 
    >> >rather than removing it -- if your admin group uses VB scripts for 
    >> >advanced system admin, certainly let them continue to run it so long 
    >> >as scripts can be run under a suitably privileged security context 
    >> >without introducing other unwanted problems but lock down your 
    >> >ordinary users' access to the EXEs.)
    >> 
    >> An alternative approach would be to use *script defender* from AnalogX, 
    >> which allows a Windows user to turn on/off the whole set of scripts that 
    >> make for vulnerable web site visiting. :-)
    >> 
    >> <http://www.analogx.com>
    >
    >For SOHO users, something like that would be fine so long as they had
    >the discipline to use it.  There are several other such utilities too
    >and part of the discipline of using these is remembering to re-check
    >after installing updates and so on.  In many cases things like
    >ScriptDefender get turned off -- i.e. scripts get re-enabled -- for
    >some "good reason" and then not turned back on but the users keep
    >working "as normal" in the belief that the protection it was giving
    >them is still there.  This is not really a problem with the product 
    >-- more a reminder that we are talking about fixing a _process_ so a 
    >single point, static program is unlikely to be the be-all and end-all 
    >of a solution.
    >
    >Further, the function of things like ScriptDefender is often 
    >misrepresented or misunderstood, as we see in your own description of 
    >what it does.  ScriptDefender provides _no_ protection against "the 
    >whole set of scripts that make for vulnerable web site visiting" and 
    >getting that wrong when offering "advice" to others is no smiling 
    >matter...  All ScriptDefender does is break or re-establish the file 
    >associations between certain _standalone_ WSH script types and the 
    >program(s) that normally handle them, interjecting itself into the 
    >command chain to allow for a presumably rational choice on the part 
    >of the user as to whether to let the script be passed to its usual 
    >handler or not.  (And let's not forget, these are the same users who, 
    >for the last 5 years, have largely not managed to work out you click 
    >the "Disable macros" button in Word and other MS Office products when 
    >given much the same kind of responsibility...)  It does nothing to 
    >disable or manage the execution of scripts embedded in web pages or 
    >HTML Email messages _unless_ the particular exploit of some 
    >vulnerability creates local "script files" of the types handled by 
    >ScriptDefender.
    >
    
    Makes for interesting reading, certainly.  As with most man-made actions 
    there are counter-measures; in the field of software that is a 
    certainty, and in the case of the subject matter, that is a fact.
    
    You are too hasty in judgement... we are not in the habit of offering 
    advice that creates an unfounded sense of security in a user.  :-(
    
    We quote, for your perusal and reflection:  
    
    With all the script viruses being e-mailed around these days, and virus 
    authors getting more clever by the minute, it's important to do everything 
    you can to ensure you aren't their next victim.
    
    AnalogX Script Defender intercepts all requests to execute a variety of
    different script types that are commonly used to infect your computer - 
    Visual Basic Scripting (.VBS), Java Script (.JS) and Windows Scripting (.WSH) 
    are the most common and can all be intercepted by SDefender.  Best of all, 
    you can add other scripting extensions later on when virus authors figure 
    out how to exploit something else.
    
    Operation is *VERY* simple; just run the program, make sure you have the
    extensions listed that you want to intercept (normally the default should 
    be fine), then choose 'Install Intercepts' - that's it!  If you would like 
    to test it to make sure everything is operating properly, I've enclosed a 
    Visual Basic script that will open up a message dialog - if you've followed 
    the above procedure then SDefender should pop open and ask you if you would 
    like to execute the script file.  If you choose to execute it, then the 
    script should run normally, or you can choose to abort the execution.
    [end of quote]
    
    Please, note the last sentence in the second paragraph.  Ah, yes, they all 
    do work even on the Microsoft Updates site!
    
    You can of course, if you wish, add *proxomitron* to the repertoire of 
    defensive tools in the arsenal at your command.  :-)
    
    A Welsh warrior at work.
    
    Alas another thought, this time a question: I received three of your mails 
    all same date and time but different sizes - 5.5k; 5.7k; and 4.1k which 
    makes for an interesting use of telco use and bandwidth.  Thanks!
    
    --
    Richard H. Cotterell  <mailto:seecat_private>
    
    It's just a job. Grass grows, birds fly, waves pound the
    sand. I beat people up.
      -Muhammad Ali [also known as Cassius Clay]
    
    
    ----------------------------------------------------------------------------
    This list is provided by the SecurityFocus ARIS analyzer service.
    For more information on this free incident handling, management 
    and tracking system please see: http://aris.securityfocus.com
    
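Two mechanisms come up in the thread above: the file-association chain that a tool like ScriptDefender re-points at itself (Nick's description), and locking ordinary users out of the WSH interpreters rather than removing them (Nick's recommendation, and Drew's NTFS-permission suggestion). The script below is an added example written for this archive page, not code from either poster or from AnalogX, and it uses current PowerShell rather than the Win2k/XP-era tools of 2002. It walks HKCR\<ext> -> ProgId -> Shell\Open\Command so you can see exactly which program a .vbs or .js is handed to, and it places a Deny-Execute ACE for BUILTIN\Users on an interpreter binary and verifies it. The interpreter paths and the 'BUILTIN\Users' identity are assumptions for illustration. One caveat worth stating plainly: wscript.exe only needs Read on a .vbs to run it, so denying Execute on a folder full of script files does nothing to stop them; the deny has to land on wscript.exe and cscript.exe themselves.

```powershell
# Added example (not from the thread). Resolves the shell "open" handler for a
# standalone script extension by walking HKCR\<ext> -> ProgId -> Shell\Open\Command.
# This is the association chain that an interceptor such as ScriptDefender
# replaces with itself; it is also why such tools see nothing that runs inside
# a web page or HTML mail, which never touches these keys.
function Get-ScriptHandler {
    param([Parameter(Mandatory)][string]$Extension)   # e.g. '.vbs'
    $extKey = "Registry::HKEY_CLASSES_ROOT\$Extension"
    $progId = (Get-ItemProperty -Path $extKey -ErrorAction SilentlyContinue).'(default)'
    if (-not $progId) { return $null }                 # extension has no association
    $cmdKey  = "Registry::HKEY_CLASSES_ROOT\$progId\Shell\Open\Command"
    $command = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'
    [pscustomobject]@{ Extension = $Extension; ProgId = $progId; Command = $command }
}

# Adds an explicit Deny ACE for ExecuteFile on a single file. Aimed at the
# interpreters (wscript.exe / cscript.exe), not at script files: an interpreter
# reading a .vbs needs only Read, so the NTFS execute bit on the script is never
# checked. A Deny ACE is evaluated before Allow ACEs, so group membership that
# grants Read & Execute elsewhere does not override it.
function Deny-Execute {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Identity = 'BUILTIN\Users'           # assumed target group
    )
    $acl  = Get-Acl -Path $Path
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Identity,
        [System.Security.AccessControl.FileSystemRights]::ExecuteFile,
        [System.Security.AccessControl.AccessControlType]::Deny)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# Returns $true when the DACL carries a Deny ACE covering ExecuteFile for the identity.
function Test-ExecuteDenied {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$Identity = 'BUILTIN\Users'
    )
    $execute = [System.Security.AccessControl.FileSystemRights]::ExecuteFile
    $denied = (Get-Acl -Path $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Value -eq $Identity -and
        (($_.FileSystemRights -band $execute) -eq $execute)
    }
    return [bool]$denied
}

# Usage (run from an elevated prompt). The extensions are the ones the
# ScriptDefender blurb names, plus .wsf; the paths are the stock locations.
foreach ($ext in '.vbs', '.js', '.wsh', '.wsf') { Get-ScriptHandler -Extension $ext }

$interpreters = "$env:SystemRoot\System32\wscript.exe",
                "$env:SystemRoot\System32\cscript.exe"
foreach ($exe in $interpreters) {
    Deny-Execute -Path $exe
    "{0}: execute denied for Users = {1}" -f $exe, (Test-ExecuteDenied -Path $exe)
}
```

Two practical notes. On current Windows the System32 binaries are owned by TrustedInstaller and Administrators hold only Read & Execute, so Set-Acl can fail until you take ownership or grant yourself WRITE_DAC first; on 64-bit systems there is a second copy of each interpreter under SysWOW64 that needs the same treatment. And because BUILTIN\Users normally contains every interactive account, the Deny also bites administrators who run scripts from a non-elevated session, which is the "suitably privileged security context" point Nick makes: give the admin group its own path to the interpreters rather than exempting everyone.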
    This archive was generated by hypermail 2b30 : Tue May 28 2002 - 10:06:39 PDT