More Bugs and Preemptive Fixes

Another problem was recently discovered in Microsoft Internet Explorer (IE): An intruder could use the Shell.Application object to launch a command shell on an affected system. This capability could lead to all sorts of dangerous activity. To protect systems, you can disable the object by navigating to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{13709620-C279-11CE-A49E-444553540000} registry subkey and setting the Compatibility Flags entry (type REG_DWORD) to 00000400.
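The registry change above is the ActiveX "kill bit": setting bit 0x400 in Compatibility Flags for a control's CLSID tells IE not to instantiate it. The following script is an added example, not code from the column or from Microsoft; it assumes a Windows host with PowerShell and rights to write under HKLM. It checks whether the kill bit is already present for the Shell.Application CLSID quoted in the column, sets it without clobbering any other flag bits that may already be stored in the value, and reads the value back to confirm.

```powershell
# Added example: check, set and verify the ActiveX kill bit for one CLSID.
# Assumes PowerShell on Windows, run with rights to modify HKLM.
# The CLSID is the Shell.Application identifier named in the column.
$ShellApplicationClsid = '{13709620-C279-11CE-A49E-444553540000}'
$KillBit = 0x400   # Compatibility Flags bit that blocks the control in IE

function Get-ActiveXCompatKey {
    param([Parameter(Mandatory)][string]$Clsid)
    return "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$Clsid"
}

function Get-ActiveXKillBit {
    # Returns $true only if the kill bit is set in the existing value.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Get-ActiveXCompatKey -Clsid $Clsid
    if (-not (Test-Path $key)) { return $false }
    $flags = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
              -ErrorAction SilentlyContinue).'Compatibility Flags'
    if ($null -eq $flags) { return $false }
    return (($flags -band $KillBit) -eq $KillBit)
}

function Set-ActiveXKillBit {
    # Adds the kill bit, preserving any other flag bits already stored.
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Get-ActiveXCompatKey -Clsid $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    $existing = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                 -ErrorAction SilentlyContinue).'Compatibility Flags'
    $new = if ($null -eq $existing) { $KillBit } else { $existing -bor $KillBit }
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

if (Get-ActiveXKillBit -Clsid $ShellApplicationClsid) {
    Write-Output "Kill bit already set for $ShellApplicationClsid"
} else {
    Set-ActiveXKillBit -Clsid $ShellApplicationClsid
    $ok = Get-ActiveXKillBit -Clsid $ShellApplicationClsid
    Write-Output "Kill bit set for $ShellApplicationClsid, verified: $ok"
}
```

The read-back after writing matters in practice: if the value is later rewritten by a vendor installer or policy, the control is silently re-enabled, so the Get-ActiveXKillBit check is worth running as part of routine configuration auditing. As the column notes, the MS04-024 patch supersedes this workaround where it can be applied.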

Yesterday, Microsoft released Microsoft Security Bulletin MS04-024 (Vulnerability in Windows Shell Could Allow Remote Code Execution) and a related patch for that problem, so you can now load the patch instead of editing the registry. The company also released six other bulletins and patches as part of its monthly security patch release. The patches fix vulnerabilities in HTML-based Help files, the Task Scheduler, Microsoft IIS 4.0, the POSIX subsystem, and Utility Manager (all of which might allow the execution of remote code), and Microsoft Outlook Express (for which the company issued a cumulative patch for Denial of Service--DoS--conditions). You can learn more about these fixes at Microsoft's TechNet Security Web site.

After the Shell.Application bug was published on various security mailing lists, researchers began checking the Mozilla Web browser for a similar problem, and it turns out that Mozilla is affected to some extent. According to Mozilla's security advisory, it's possible to use the shell: URL scheme to launch executables on a remote user's system. The developers issued a workaround for the problem, which is available at the Mozilla Web site.

The discovery of these serious security risks points out the need to regularly adjust your defenses to protect against attack. Sometimes you need to apply a vendor patch, and other times you can perform a configuration workaround. Another tactic you can use to mitigate unforeseen security problems is to employ the security tools available from various vendors.

For example, security scanners might find the shell problem as well as the ADO databases (ADODB) problem I've discussed in recent issues of this newsletter. Scanning tools that find these problems probably also would let you make registry adjustments to protect against attacks.

Another tool, which I've mentioned recently, is PivX Solutions' Qwik-Fix Pro. Qwik-Fix Pro doesn't scan your systems; instead, it lets you change configuration settings to strengthen the overall security of various applications, including IE.

Alex Tosheff, chief technology officer at PivX, told me that the company plans an official release of the enterprise version of Qwik-Fix Pro on August 2 (the product has been in public beta testing for quite some time). The enterprise version integrates with Active Directory (AD), uses Group Policy to define security configuration settings, and includes a Microsoft Management Console (MMC) snap-in.

According to Thor Larholm, a lead researcher at PivX, the release version will include features such as strengthened security for IE security zones (e.g., My Computer, Trusted Sites, Internet), which Microsoft Outlook also uses. Larholm also said that the product will be expanded to include application protection for Microsoft Office, Microsoft IIS, Apache HTTP Server, Mozilla, Opera Software's Opera, Microsoft SQL Server, MySQL, Windows .NET Framework, Instant Messaging (IM) applications, IBM's Lotus Notes, and other popular Windows applications. The company is also working on features that will perform "runtime process modification and virtual application patching, ... generic C runtime and Win32 API replacements, ... generic buffer overflow protection, and generic process privilege compartmentalization."

I've pointed out before that I don't know of any products that offer the same functionality as Qwik-Fix Pro. I'm sure some other products offer some of the features, but as far as I know, the solution is rather unique in its approach. And it clearly defends against hundreds of known and untold numbers of unknown attack methods well in advance of their release. If you haven't tested Qwik-Fix Pro already, then you might want to take a close look at the release version when it becomes available.
