FW: [windows-hied]: Any legitimate uses for .HTA files?


Subject: FW: [windows-hied]: Any legitimate uses for .HTA files?
From: Wadell, Jim S (SAIC) (WadellJS@BP.com)
Date: Fri Oct 03 2003 - 14:12:04 AKDT


QUESTION: How can a customer prevent themselves from getting infected?

Should be:

Switch to Linux ;->

Jim

-----Original Message-----
From: Jenkinson, John P (SAIC)
Sent: Friday, October 03, 2003 2:08 PM
To: G ANC UNIX Support
Subject: FW: [windows-hied]: Any legitimate uses for .HTA files?

BE AWARE
A lot of trojans and other malware are rapidly spreading, taking advantage
of an IE vulnerability. MS has issued patches, but none thus far have fixed
this vulnerability. ETA for a patch is weeks.
In the meantime threat vectors are many and varied:
visit a web page, get an email, chat room, IM, load a MIDI file, etc. etc. etc.
ABSOLUTE & COMPLETE control can be given to the attacker if any of the above
threat vectors are combined with a malicious site/email/etc.
Details below; cut and paste any URLs that have wrapped.

There is a new Trojan affecting Internet Explorer that appears to be
related to the MS03-032 security patch.
 

QUESTION: Where can I find information on this Trojan?

ANSWER:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100719

http://www3.ca.com/virusinfo/virus.aspx?ID=37191

 

QUESTION: How are customers getting infected?

ANSWER:

There are several ways that systems are getting infected.

1) We have heard of web sites being hacked & then Trojans being
installed on the hacked sites

2) Emails being sent with a URL to entice the customer to click on
it

3) Pop-up ads hosted on a free server such as Geocities can be used
to install the Trojans. There is at least one site on
http://www.fortunecity.com that has been reported to have pop-up ads
that install the Trojan.

 

QUESTION: How can a customer prevent themselves from getting infected?

ANSWER: (from
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-032.asp ):

Prompt before running of ActiveX controls in the Internet and Intranet
zones:

You can help protect against this vulnerability by changing your
settings for the Internet security zone to prompt before running ActiveX
components. To do this, perform the following steps:

* In Internet Explorer, select Tools, Internet Options

* Click on the Security tab

* Highlight the Internet icon and click on the Custom Level
button

* Scroll through the list to the ActiveX controls and plug-ins
section

* Under Run ActiveX controls and plug-ins click Prompt

* Click OK

* Highlight the Local Intranet icon and click on the Custom
Level button

* Scroll through the list to the ActiveX controls and plug-ins
section

* Under Run ActiveX controls and plug-ins click Prompt

* Click OK; then click OK again to return to Internet Explorer

Restrict Web sites to only your trusted Web sites

After requiring a prompt before running ActiveX in the Internet and
Intranet zone, you can add sites that you trust into Internet Explorer's
Trusted sites. This will allow you to continue using trusted Web sites
exactly as you do today, while protecting you from this attack on
untrusted sites.

To do this, perform the following steps:

* In Internet Explorer, select Tools, then Internet Options.
Click the Security tab.

* In the box labeled Select a Web content zone to specify its
current security settings, click Trusted Sites, then click Sites

* If you want to add sites that do not require an encrypted
channel, click to clear the Require server verification (https:) for all
sites in this zone check box.

* In the box labeled Add this Web Site to the zone, type the URL
of a site that you trust, then click the Add button. Repeat for each
site that you want to add to the zone.

* Click OK twice to accept the changes and return to Internet
Explorer. Add any sites that you trust not to take malicious action on
your computer. One in particular that you may want to add is
http://windowsupdate.microsoft.com. This is the site that will host the
patch, and it requires the use of an ActiveX control to install the
patch.

QUESTION: Are there any side-effects to prompting before running of
ActiveX components?

ANSWER: Yes. Many Web sites on the Internet use ActiveX to provide
additional functionality. For instance, an online e-commerce site or
banking site might use ActiveX controls to provide menus, ordering
forms, or even account statements.

Prompting before running ActiveX controls is a global setting for all
Internet and Intranet sites. You will be prompted frequently when you
enable this work-around. For each prompt, if you feel you trust the site
that you are visiting, click Yes to run ActiveX components. If you do
not want to be prompted for all of these sites, you can instead use the
"Restrict Web sites to only your trusted Web sites" workaround.
 

QUESTION: What can a customer do after being infected?

ANSWER:

The AV vendors' instructions for manually removing the trojan:

http://securityresponse.symantec.com/avcenter/venc/data/trojan.qhosts.html

http://us.mcafee.com/virusInfo/default.asp?id=description&virus_k=100719

http://www3.ca.com/virusinfo/virus.aspx?ID=37191

Microsoft best practices recommend that any Trojanized box be wiped &
rebuilt. It is the only way to be sure the box is secure.
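As an added example (not part of the original thread), a PowerShell script that audits whether the "prompt before running ActiveX" workaround above is in place for the current user's Internet and Local intranet zones, and lists the entries in the Trusted sites zone. It assumes the documented registry layout for IE security zones (zone 1 = Local intranet, 3 = Internet; action value 1200 = "Run ActiveX controls and plug-ins" with data 0/1/3 = Enable/Prompt/Disable) and that per-user settings apply rather than an HKLM-only policy.

```powershell
# Added audit script, not from the thread. Reads the current user's IE zone settings
# and reports whether "Run ActiveX controls and plug-ins" is set to Prompt or Disable
# in the Internet and Local intranet zones, then lists Trusted sites (zone 2) entries.
# Assumes per-user settings are in effect; if Security_HKLM_only is set, audit HKLM instead.

$ZonesKey   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$DomainsKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains'
$ZoneNames  = @{ 1 = 'Local intranet'; 3 = 'Internet' }
$Actions    = @{ 0 = 'Enable'; 1 = 'Prompt'; 3 = 'Disable' }   # data values of action 1200

function Get-ActiveXZoneSetting {
    param([int]$ZoneId)
    $raw = (Get-ItemProperty -Path (Join-Path $ZonesKey $ZoneId) -ErrorAction Stop).'1200'
    $action = if ($null -eq $raw) { 'Not set (zone default)' }
              elseif ($Actions.ContainsKey([int]$raw)) { $Actions[[int]$raw] }
              else { "Unknown ($raw)" }
    [pscustomobject]@{
        Zone      = $ZoneNames[$ZoneId]
        Action    = $action
        # The workaround is effective only if ActiveX is no longer run silently.
        Mitigated = ($raw -eq 1 -or $raw -eq 3)
    }
}

function Get-TrustedSites {
    # Each key under Domains is a registered domain; an optional subkey is a host prefix,
    # so "microsoft.com\windowsupdate" with http=2 means http://windowsupdate.microsoft.com
    # is in the Trusted sites zone (2).
    Get-ChildItem -Path $DomainsKey -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath
        $parts = ($_.PSPath.Substring($_.PSPath.IndexOf('Domains\') + 8)) -split '\\'
        [array]::Reverse($parts)
        foreach ($scheme in 'http', 'https') {
            if ($props.$scheme -eq 2) { '{0}://{1}' -f $scheme, ($parts -join '.') }
        }
    }
}

1, 3 | ForEach-Object { Get-ActiveXZoneSetting -ZoneId $_ } | Format-Table -AutoSize
Write-Output 'Trusted sites (zone 2):'
Get-TrustedSites
```

A zone reported as Enable (or Not set, when the zone default permits ActiveX) means the workaround has not been applied for that zone.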

-----Original Message-----
From: owner-windows-hied@lists.Stanford.EDU
[mailto:owner-windows-hied@lists.Stanford.EDU] On Behalf Of Gary Flynn
Sent: Thursday, October 02, 2003 9:23 PM
To: Rich Graves
Cc: windows-hied@lists.Stanford.EDU
Subject: Re: [windows-hied]: Any legitimate uses for .HTA files?

Rich Graves wrote:

>We're contemplating the Registry hack mentioned at the bottom of this:
>
> http://www.jmu.edu/computing/security/info/iebug.shtml
>
>In the last few days, we've seen at least 25 computers compromised by this
>set of vulnerabilities, for which working example exploits that bypass the
>MS03-032 patch have been available on public forums since the day that the
>patch was released.
>
>I remember the security community being outraged some years back when .HTA
>files first came out, but someone mentioned a legitimate use, maybe by some
>network installer program. Anyone know?
>
>Of course we will aggressively apply the correct patch when it comes out,
>but if there are no legitimate uses for this web/windows integration
>feature, we'd rather not wait for the next hole.
>
>
Rich,

This latest set of infestations is not due to HTA. It's due to that cesspool
of defects we call Internet Explorer. It has had a serious security defect
almost every other month for the past three years. Please don't throw the
baby out and keep the bath water.

I, for one, would be disappointed if people permanently disabled HTA. We
might as well go ahead and really solve the problem by disabling WSH, VBS,
BAT, EXE and, for that matter, PERL, SH, TCL/TK (HTA's rough equivalent),
and BIN on that other platform. ;)

Other defects in the past have allowed all manner of executables to be
run. People constantly download and click all manner of executables. Shoot,
with today's defects, media files are executables. HTA is just another.
Admittedly, they're easier to use to create malware but they can be used
for good too.

Windows is just getting to the point where it is starting to have a
suite of useful administration and rapid development tools and utilities
like unix (complex object model notwithstanding). WSH, WMI, and HTA can
form the basis of quick to develop, powerful utilities for network and
system administrators and end user tools.

We saw some of the power of WSH/WMI with the scripts people quickly
developed for Blaster cleanup. HTA can put a nice user interface on them
for end user functions. I'm working on an HTA application (StartSafe)
modeled after our RUNSAFE recommendations to aid end users in the initial,
secure setup of their computers. Something like the CIS standards.

Could I do this in VC++? Sure. Will I? No way. I thought about it at one
time. No time. Too many variables. Too many rapid changes will need to
be made for all the possible configurations, threats, and new hardware and
software coming down the pike to do it in such a low level language. I'd
be a slave to it. Scripting is the only way. And what better interface
than the web which HTA provides? Easy to write. Easy to customize.
Familiar to users.

Removing the MIME association may be OK. HTAs will still run locally unless
more drastic measures are taken. But there are advantages with allowing
them to run from the web. No local copies. Instant updates. It will require
user training so they don't go clicking HTAs indiscriminately and they
should probably be signed but I see HTA as a tool with great potential. Are
there risks? Sure. But certainly no more than the risk of giving a
programmable computer to 300,000,000 consumers on an unrestricted Internet
and trusting vendors to ship them in a configuration safe for that
Internet. :)

Gary Flynn
Security Engineer - Technical Services
James Madison University

-++**==--++**==--++**==--++**==--++**==--++**==--++**==--++**==
This message was posted through the Stanford campus mailing list
server. If you wish to unsubscribe from this mailing list, send the
message body of "unsubscribe windows-hied" to
majordomo@lists.stanford.edu

---------
To unsubscribe, send email to <aklug-request@aklug.org>
with 'unsubscribe' in the message body.



This archive was generated by hypermail 2a23 : Fri Oct 03 2003 - 14:55:31 AKDT