We’re back under the bonnet this month with Simon Peppercorn. He’s had to wrench himself free of Windows’s mechanical mess after some punk threw a spanner into the works. So, screw your head on and top up on some expert knowledge. If you have some overflowing (out your ears, perhaps), send it in to phr33xtw33x@atomicmpc.com.au.
Tweak0ring your Windows security -- part 2
Some well-known viruses owe their destructive success to certain weaknesses in Visual Basic scripting. By default, Windows automatically executes a .VBS file (Visual Basic Script), when it is delivered as an attachment to an email, using a scripting host.
If you don't create script files in VB, then there is no good reason to have the Windows scripting host installed. So kill it. Kill it dead.
To do this in Windows 2000, go into My Computer, then Tools -> Folder Options -> File Types. Find 'VBScript Script File' in the list and nuke the bugger.
The danger here is that some applications may rely on the Windows Scripting Host to function correctly, although I can't think of any. If you do experience scripting error messages, you will need to recreate the association.
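The same check and removal done from a script rather than the Folder Options dialog. This is an added example, not code from the column; it assumes an elevated PowerShell session and that HKLM\SOFTWARE\Classes is the machine-wide view of HKCR (a per-user override under HKCU\Software\Classes would need the same treatment).

```powershell
# Audit how .VBS files are handled and, with -Remove, delete the file-type
# association as the text describes. Assumes: run as Administrator.
param([switch]$Remove)

$ext    = 'HKLM:\SOFTWARE\Classes\.vbs'
$backup = Join-Path $env:TEMP 'vbs-assoc-backup.reg'   # constructed path for the .reg backup

if (-not (Test-Path $ext)) {
    Write-Host '.vbs has no file-type association; double-clicked scripts will not auto-run.'
    return
}

# The extension key's default value names the ProgID (normally 'VBSFile');
# the ProgID's shell\open\command says which host actually runs the script.
$progId  = (Get-ItemProperty -Path $ext).'(default)'
$cmdKey  = "HKLM:\SOFTWARE\Classes\$progId\shell\open\command"
$command = if (Test-Path $cmdKey) { (Get-ItemProperty -Path $cmdKey).'(default)' } else { '<none>' }

Write-Host "ProgID for .vbs : $progId"
Write-Host "Open command    : $command"
if ($command -match 'wscript|cscript') {
    Write-Host 'WARNING: .vbs files are handed straight to the Windows Script Host.'
}

if ($Remove) {
    # Export the key first: if an application turns out to need it, double-click
    # the .reg file to recreate the association.
    & reg.exe export 'HKLM\SOFTWARE\Classes\.vbs' $backup /y | Out-Null
    Remove-Item -Path $ext -Recurse -Force
    Write-Host "Association removed; backup saved to $backup"
}
```

Deleting the extension key stops Explorer (and mail clients that hand attachments to it) from launching the script host for .vbs files; wscript.exe and cscript.exe themselves remain on disk and can still run a script given to them explicitly.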
Smelly patches
You may be the type that doesn't bother getting all the latest and greatest updates for your operating system. As suspicious as some may be about Microsoft Update, it may pay them to have a closer look.
Glaring security holes do exist in all flavours of Windows. Some are rarely likely to affect you. Others can be dangerous if left unchecked. For example, Windows XP's 'Add Network Place' function, found in the My Network Places folder, can be one such security hole. This wizard allows you to create shortcuts to network locations, such as shares on a LAN or a Website address. (This is different to a Desktop shortcut, which simply specifies a path to a particular network location or Website.)
The Add Network Place wizard allows your network client to use the Windows Redirector to access files, irrespective of the actual protocol being used. Even the 'NET USE' command makes use of the Windows Redirector.
Under Windows XP, the Windows Redirector uses an unchecked buffer for receiving parameter information. Someone with naughty intentions could exploit that buffer to deliver customised code, which could compromise your security, and allow full, unrestricted access to your system.
Microsoft claims that the attacker would have to actually log on to that system first to be able to launch the Windows Redirector. Yes, the Windows Redirector can only be executed locally. What happens at LANs, however, when people start trawling through the Network Neighbourhood/Places, browsing the freeware(z) collections of others? The attacker just needs to wait for you to come to him. Scared yet? No?
Unchecked buffer vulnerabilities also exist in the following software (along with many others):
* Microsoft Locator Service
* Network Share Service
* Windows Shell in XP
* PPTP (Point-to-Point Tunnelling Protocol) of Windows 2000 and XP
* Windows Help in Windows 98 and higher
* the native file decompression functions in 98 (with Plus! pack), ME and XP
* Universal Plug and Play Service
* Windows 2000 IIS (Internet Information Service)
* Windows 2000 Event Viewer
* Windows Media Player
* MSN Chat
With more script kiddies testing out their l33t hax0rship skillz than ever before, you may as well be handing out slips of paper with your administrator password, written in crayon.
Keep an eye on the Windows Update pages, and think seriously if any of the security patches are relevant to you. It has been known for some patches to cause more harm than good, however, so don't just blindly install every one, and certainly don't set Windows to download them automatically. Retain control over your system at all times.
Taking a dump
Often, when Windows crashes, it creates a memory dump. This file can be useful in terms of troubleshooting what the fruck caused your system to crap itself, as long as you know how to read it. I don't, and I doubt many of you do either. But this file can also pose a security risk as it can contain information such as usernames, file locations, and possibly even passwords.
Dr Watson is a Windows debugger utility that you can use to view the dump file ('drwtsn32', from the Run dialog box). It shows you the program which caused the error, the piece of code that caused the crash, a bunch of general system information, who was logged in at the time and so on.
However, viewing the file in Word revealed, apart from many thousands of pages of garbage, information such as other usernames that have logged in, the full path to many installed applications, URLs to Websites visited, full network paths to network resources and, in some cases, large portions of text from personal documents. That doesn't mean that everyone will find that stuff in their own dump files. It depends what your system was doing at the time it crashed. When you have finished looking at it, delete it. Also, feel free to disable its creation via the Dr Watson program. You'll save yourself about 128-256MB of drive space, but this really depends on the amount of RAM you have in your computer.
It may also be prudent to disable the creation of the debug file. Jump into Control Panel -> System Properties -> Advanced -> Startup and Recovery, and then set 'Write Debugging Information' to 'None'.
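The two dump settings above, plus a check for dump files already sitting on the disk, as a script. This is an added example, not code from the column; it assumes an elevated session, reads the dump locations from the registry rather than guessing them, and tolerates the Dr Watson key being absent on newer Windows versions.

```powershell
# Report (and with -Disable / -DeleteDumps, change) crash-dump behaviour.
# Assumes: run as Administrator. Registry paths are the standard ones for
# Startup and Recovery (CrashControl) and the Dr Watson debugger.
param([switch]$Disable, [switch]$DeleteDumps)

$crash  = 'HKLM:\SYSTEM\CurrentControlSet\Control\CrashControl'
$watson = 'HKLM:\SOFTWARE\Microsoft\DrWatson'
$userDump = $null; $log = $null

# CrashDumpEnabled mirrors 'Write Debugging Information' in Startup and Recovery.
$cc = Get-ItemProperty -Path $crash
$level = switch ([int]$cc.CrashDumpEnabled) {
    0 { 'None' } 1 { 'Complete memory dump' } 2 { 'Kernel memory dump' } 3 { 'Small memory dump' }
    default { "Unknown ($_)" }
}
$kernelDump = [Environment]::ExpandEnvironmentVariables($cc.DumpFile)
Write-Host "Write Debugging Information : $level"
Write-Host "Kernel dump file            : $kernelDump"

if (Test-Path $watson) {
    $dw = Get-ItemProperty -Path $watson
    $userDump = [Environment]::ExpandEnvironmentVariables($dw.CrashDumpFile)
    $log      = Join-Path ([Environment]::ExpandEnvironmentVariables($dw.LogFilePath)) 'drwtsn32.log'
    Write-Host "Dr Watson CreateCrashDump   : $($dw.CreateCrashDump)  ($userDump)"
}

# Dump files and the Dr Watson log are where the usernames, paths and document
# text described above end up, so list them with their size.
foreach ($f in @($kernelDump, $userDump, $log) | Where-Object { $_ -and (Test-Path $_) }) {
    $mb = [math]::Round((Get-Item $f).Length / 1MB, 1)
    Write-Host "Found $f ($mb MB)"
    if ($DeleteDumps) { Remove-Item -Path $f -Force; Write-Host '  deleted' }
}

if ($Disable) {
    # Equivalent to setting 'Write Debugging Information' to 'None'.
    Set-ItemProperty -Path $crash -Name CrashDumpEnabled -Value 0 -Type DWord
    if (Test-Path $watson) {
        # Equivalent to unticking 'Create Crash Dump File' in drwtsn32.
        Set-ItemProperty -Path $watson -Name CreateCrashDump -Value 0 -Type DWord
    }
    Write-Host 'Dump creation disabled; takes effect for the next crash.'
}
```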
Issue: 137 | June, 2012