Gizmos Freeware Reviews  

Gizmo's Freeware Forum > Debating Chamber > Security

Old 27. Jul 2010, 07:44 PM   #11
Senior Member

Sope,
The Sophos tool can easily be uninstalled through Add/Remove Programs or any uninstaller of your choice. It might not be necessary though, as it's an extra layer of protection/prevention.
__________________
26Dolphins
Old 27. Jul 2010, 11:30 PM   #12
Senior Member

@26Dolphins

That Sophos demo video you linked, and the info regarding the uninstall were very helpful, thanks.

I'll probably give it a go, it'll be interesting to see if it causes any noticeable slowdown to the display of shortcut icons.
Sope
Old 28. Jul 2010, 03:14 AM   #13
J_L, Co-Author, Best Free Security List

Quote:
Originally Posted by Concerned User
Sorry to double post!

Sophos is providing a free tool that is supposed to protect against this risk. More details here:

http://www.sophos.com/security/topic/shortcut.html

Obviously, Microsoft does not like this.

Link to full article:

http://www.computerworld.com/s/artic...ortcut_attacks
Thanks for sharing!

Edit:
http://www.h-online.com/security/new...e-1046183.html
GData's may be better.

Last edited by J_L; 28. Jul 2010 at 03:52 AM.
J_L
Old 28. Jul 2010, 06:11 AM   #14
Super Moderator

I have the MS fix for this installed on my system. Should I uninstall it and install the one from Sophos instead? Or can I have both installed? Does anyone know how the Sophos fix is different from the MS fix? If there is a difference, why... and why is MS not employing that to fix the vulnerability?
__________________
Anupam
Old 28. Jul 2010, 09:56 AM   #15
Site Manager

Quote:
Originally Posted by Anupam
I have the MS fix for this installed on my system. Should I uninstall it and install the one from Sophos instead? Or can I have both installed? Does anyone know how the Sophos fix is different from the MS fix? If there is a difference, why... and why is MS not employing that to fix the vulnerability?
Can't help with this because I don't understand enough about how the malware process manipulates this Windows function.

I've noticed no impact in any way though since installing the Sophos solution, and out of all the vendors out there (famous last words) I trust these more than most. If this was from Comodo we'd probably all be looking at blue screens right now.
__________________
In love with life and desktops
MidnightCowboy
Old 28. Jul 2010, 04:07 PM   #16
Senior Member

Hi,
Quote:
Originally Posted by MidnightCowboy
... If this was from Comodo we'd probably all be looking at blue screens right now
Now MC, why are you hurting Comodo's feelings?

On topic:
First off, thanks for the heads up on GData's Tool, J_L.
Upon reading the article on h-online, I decided to do a little experiment trying out both tools - Anupam, I think this might shed some light on your first question.

With none of the tools installed and without doing the MS "fix", I have the following entries in my registry:
1. HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler
2. HKEY_CLASSES_ROOT\piffile\shellex\IconHandler
Both of them have only (Default) with the value of {00021401-0000-0000-C000-000000000046}

When I installed either of the two tools, the entries for 2 (piffile) don't change, but the entries for 1 (lnkfile) do. Each of these tools makes its own handler the Default one and pushes the MS Windows one down as the OldIconHandler (the name is not exactly the same, but that doesn't matter).
Uninstalling them reverses the entries to the original MS Windows ones.

@Anupam
Judging from this and given that the MS "fix" changes the value of the default entry, I'm not sure if keeping both won't mess up the handling of the .lnk files.

@Sope
About my previous statement that you may not need to uninstall it, I now think that when you apply the MS patch it'll overwrite these entries, I'm just not sure which ones it'll try to overwrite (probably the "Default" ones) and if that could lead to any messes.

As for the Tools themselves:
1. None of them protect .pif files, which are covered by the MS "fix" - notice how both Sophos and GData emphasise the .lnk files and say nothing about the .pif ones; I wonder why, as I've found out that they do play a rather important role and are often used for malicious actions.
2. GData's one requires a reboot, both for install and uninstall (but I didn't check if the registry changes take place only after the reboot), while the Sophos one doesn't (changes are in effect right away).
3. GData's Tool replaced all links considered unsafe with an ugly STOP sign icon - it changed the icons of Local Connections, Internet Settings, Add/Remove Programs and .txt files - I didn't check the rest.
4. After uninstalling it, it had broken the default Windows icon for .txt files - I had to reassign it through File Association.

So, for the time being I'll stick with the Sophos one, even if it has a "flaw":
Quote:
What does the tool consider an exploit?
A Windows shortcut is deemed to contain the exploit if:
* it is a Control Panel shortcut,
* and it points to an existing file that can be opened for execution,
* and neither the shortcut nor the shortcut's target are on the computer's local disk.
I'm curious if one could make use of the MS "fix" regarding the .pif files protection with the other Tools without breaking the visuals of the OS.
__________________
26Dolphins
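A way to audit the IconHandler registrations 26Dolphins describes above, added here as an example that is not from the thread or from either vendor's tool. It assumes Windows PowerShell with read access to HKEY_CLASSES_ROOT, and uses only the two key paths and the stock handler CLSID quoted in the post; because the post notes the "OldIconHandler" name differs between tools, it lists every extra named value instead of assuming one name.

```powershell
# Added example (not from the forum thread): report which shell icon
# handler is registered for .lnk and .pif files, and whether a tool has
# pushed the stock Windows handler aside into an extra value.
# Assumption: run on Windows; HKCR is reached through the Registry:: provider.

# Stock Windows shortcut icon handler CLSID, as quoted in the post.
$StockHandler = '{00021401-0000-0000-C000-000000000046}'

$Keys = @(
    'Registry::HKEY_CLASSES_ROOT\lnkfile\shellex\IconHandler',
    'Registry::HKEY_CLASSES_ROOT\piffile\shellex\IconHandler'
)

function Get-IconHandlerState {
    param([string]$KeyPath)
    $result = [ordered]@{ Key = $KeyPath; Default = $null; OtherValues = @(); State = 'key missing' }
    if (-not (Test-Path -LiteralPath $KeyPath)) { return [pscustomobject]$result }

    $key = Get-Item -LiteralPath $KeyPath
    $result.Default = $key.GetValue('')            # the (Default) value
    # Every named value besides (Default), e.g. the "OldIconHandler"-style
    # value the Sophos and GData tools create for the displaced handler.
    $result.OtherValues = @($key.GetValueNames() |
        Where-Object { $_ -ne '' } |
        ForEach-Object { "$_ = $($key.GetValue($_))" })

    if ([string]::IsNullOrEmpty($result.Default)) {
        $result.State = 'blank (no icon handler registered)'
    } elseif ($result.Default -eq $StockHandler) {
        $result.State = 'stock Windows handler'
    } else {
        $result.State = 'third-party handler'
    }
    [pscustomobject]$result
}

foreach ($k in $Keys) {
    $s = Get-IconHandlerState -KeyPath $k
    "{0}`n  (Default): {1}`n  state: {2}" -f $s.Key, $s.Default, $s.State
    foreach ($v in $s.OtherValues) { "  extra value: $v" }
    # Resolve the active CLSID to the DLL the shell will load for it,
    # so a third-party handler can be tied back to the tool that installed it.
    if (-not [string]::IsNullOrEmpty($s.Default)) {
        $clsidKey = "Registry::HKEY_CLASSES_ROOT\CLSID\$($s.Default)\InprocServer32"
        if (Test-Path -LiteralPath $clsidKey) {
            "  handler DLL: " + (Get-Item -LiteralPath $clsidKey).GetValue('')
        }
    }
}
```

Run it before and after installing or removing one of the tools to see the swap the post describes, and run it again after applying the MS fix to see which of the two keys that changes.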
Old 28. Jul 2010, 06:50 PM   #17
Super Moderator

Thanks for this 26Dolphins. I think I will stick to the original MS fix, since it covers both lnk and pif.
__________________
Anupam
Old 28. Jul 2010, 08:18 PM   #18
Site Manager

Quote:
Originally Posted by 26Dolphins
Hi,

Now MC, why are you hurting Comodo's feelings?
Sorry, didn't know they had any.
__________________
In love with life and desktops
MidnightCowboy
Old 30. Jul 2010, 01:37 PM   #19
Senior Member

Hi,
Quote:
Originally Posted by MidnightCowboy
Sorry, didn't know they had any
They don't? Forgive my ignorance.
__________________
26Dolphins
Old 30. Jul 2010, 08:34 PM   #20
Editor

Update:

Microsoft will be releasing an "out of band" (emergency) update on Monday, August 2. Glad that they realize the importance of this flaw:

http://blogs.technet.com/b/msrc/arch...y-2286198.aspx

A much more detailed article:

http://www.theregister.co.uk/2010/07...crosoft_patch/
Concerned User