Bugtraq mailing list archives
Re: IE4 Custom Folder
From: dleblanc () MINDSPRING COM (David LeBlanc)
Date: Fri, 2 Oct 1998 08:59:33 -0400
At 02:25 PM 10/1/98 -0600, listuser () MAIL SEIFRIED ORG wrote:
---> Problem Users with write access to a customized folder can replace the customized folder settings inserting their own "evil" files to execute code.
I'd amend this to point out that users with write access to ANY directory can possibly trojan ANY user with Active Desktop enabled.
I'm not 100% sure what you can change these settings to, to lock the machine down, nor do I have any Windows95/98 machines to play on. The best advice would be to disable active desktop which is dog slow anyways. Implement system policies, and distribute a custom version of MSIE 4.01 (via the IEAK) with this stuff turned off by default. In other words, round up the usual suspects.
Under NT, you've got a few more options - you can use the file system permissions to fix this - just create a desktop.ini file with nothing in it, and give only admins the right to change it - administrators:F, everyone:R ought to do it. Also be sure that everyone doesn't have full control on the parent directory.

This is somewhat annoying, as you are allowed to customize remote folders, but there is no provision that I can see to keep users from conflicting with one another. In fact, the only safe work-around I see for this one is to pre-create the desktop.ini files for _all_ public shared directories, and set the ACL on it. Obviously, using the command line to deal with directories will keep you safe from this. IMHO, asking everyone to disable active desktop won't be effective. Tightening the security settings for the local zone would also be useful.

With respect to disabling this attack on Win95, your only options are (in personal order of preference):

1) Install NT, precreate desktop.ini files and lock them down
2) Don't share anything
3) Disable active desktop

I'd urge people not to dismiss this attack, as it would be fairly easy to use it to install all sorts of interesting trojans. I think the fix I'd like to see out of MS for this would be to not display any customization for any remote file system. This also gets a little interesting with NT 5.0 having the capability to mount a remote file system and map it to a directory which appears to be local. Another possible fix would be to give me the option of disabling customized directory display without disabling the desktop (which is basically how I prefer to use it).

David LeBlanc
dleblanc () mindspring com
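The NT work-around above (pre-create an empty desktop.ini in every shared directory, give Administrators full control and Everyone read, and check that Everyone does not hold full control on the parent) as an added PowerShell example for current Windows, not code from the thread or from Microsoft; the share paths are assumed placeholders and the script must run with rights to change ACLs on those shares.

```powershell
# Added example, not from the original thread: pre-create desktop.ini in each
# public share, lock it down (Administrators: Full, Everyone: Read) and flag
# parents where Everyone could still delete and recreate it. Paths are assumed.
param(
    [string[]]$ShareRoots = @('D:\Shares\Public', 'D:\Shares\Projects'),
    [switch]$Recurse   # also cover every subdirectory under each share
)
$RuleType = [System.Security.AccessControl.FileSystemAccessRule]
$SidType  = [System.Security.Principal.SecurityIdentifier]   # SIDs resolve on any language build
$Admins   = $SidType::new('S-1-5-32-544')   # BUILTIN\Administrators
$Everyone = $SidType::new('S-1-1-0')

function Protect-DesktopIni {
    param([string]$Directory)
    $ini = Join-Path $Directory 'desktop.ini'
    if (-not (Test-Path -LiteralPath $ini)) {
        # An empty file has no [.ShellClassInfo] section: nothing for Explorer to apply.
        New-Item -ItemType File -Path $ini -Force | Out-Null
    } elseif ((Get-Item -LiteralPath $ini -Force).Length -gt 0) {
        Write-Warning "$ini already has content; review it before trusting it."
    }
    $acl = Get-Acl -LiteralPath $ini
    # Break inheritance without copying inherited ACEs, so 'Everyone: Full' on
    # the share does not flow onto the file; then drop any explicit ACEs.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($r in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        $acl.RemoveAccessRule($r) | Out-Null
    }
    $acl.AddAccessRule($RuleType::new($Admins,   'FullControl', 'Allow'))
    $acl.AddAccessRule($RuleType::new($Everyone, 'Read',        'Allow'))
    Set-Acl -LiteralPath $ini -AclObject $acl
    (Get-Item -LiteralPath $ini -Force).Attributes = 'Hidden, System'  # as Explorer stores it
}

function Test-ParentDeleteChild {
    # Everyone:F on the directory includes DeleteSubdirectoriesAndFiles, so the locked file could be deleted and replaced.
    param([string]$Directory)
    $dc = [System.Security.AccessControl.FileSystemRights]::DeleteSubdirectoriesAndFiles
    (Get-Acl -LiteralPath $Directory).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate($SidType).Value -eq 'S-1-1-0' -and
        (($_.FileSystemRights -band $dc) -eq $dc)
    } | ForEach-Object { Write-Warning "$Directory lets Everyone delete children; desktop.ini can be replaced." }
}

$dirs = foreach ($root in $ShareRoots) {
    $root
    if ($Recurse) { Get-ChildItem -LiteralPath $root -Directory -Recurse -Force | ForEach-Object FullName }
}
foreach ($d in $dirs) { Protect-DesktopIni $d; Test-ParentDeleteChild $d }
```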