Windows registry

Office arbitrary ClickOnce application execution vulnerability

Normally, when a user tries to open an e-mail attachment, the user is
presented an Opening Mail Attachment dialog. If the user chooses to open
the file, the file is saved locally and handed off to Windows. Windows
will try to find a program associated to this specific type of file
(through its extension). If such a program is found, Windows will launch
the file according to its Shell Open Command in the Windows Registry.

http://www.akitasecurity.nl/advisory/AK20100601/002-outlook_open_mail_attachment.png
Figure 2: Opening Mail Attachment dialog.

For certain files, Outlook does not show the open dialog, but instead

Outlook PR_ATTACH_METHOD file execution vulnerability

Class of IPM.Document.txtfile indicates that the attachment is a plain
text file, while IPM.Document.Excel.Sheet.12 indicates a Microsoft Excel
document created with Excel 2007.

If Outlook receives a message with its Message Class set to
IPM.Document.<type>, Outlook will search the Windows Registry
using the last part (<type>) of the Message Class to see if such a
file type is registered in Windows. If so, it will look in the Registry
to see if this file type has an icon associated (i.e.
HKEY_CLASSES_ROOT\txtfile\DefaultIcon). If so Outlook uses this icon as
the icon for the e-mail message.

[security bulletin] HPSBGN02333 SSRT080031 rev.2 - HP Software Update HPeDiag Running on Windows, Remote Disclosure of Information and Execution of Arbitrary Code

1. If HP Software Update is reinstalled using the recovery solution, the procedure above must be repeated.

2. On a PC where HP Software Update is present, the procedure above must be followed even if HP Software Update is never used.

3. This resolution applies the Windows Registry kill bit to the following CLSIDs:

{60178279-6D62-43af-A336-77925651A4C6}
{DC4F9DA0-DB05-4BB0-8FB2-03A80FE98772}
{0C378864-D5C4-4D9C-854C-432E3BEC9CCB}
{93441C07-E57E-4086-B912-F323D741A9D8}

iDefense Security Advisory 05.13.08: Microsoft Word CSS Processing Memory Corruption Vulnerability

and import the following registry file for the corresponding version of
Office.

Office 2003:

  Windows Registry Editor Version 5.00

  [HKEY_CURRENT_USER\Software\Microsoft\Office\11.0\Word\Security\FileOpenBlock]
  "HTMLFiles"=dword:00000001

Office 2007:

HPSBGN02333 SSRT080031 rev.1 - HP Software Update HPeDiag Running on Windows, Remote Disclosure of Information and Execution of Arbitrary Code

1. If HP Software Update is reinstalled using the recovery solution, the procedure above must be repeated.

2. On a PC where HP Software Update is present, the procedure above must be followed even if HP Software Update is never used.

3. This resolution applies the Windows Registry kill bit to the following CLSIDs:

{60178279-6D62-43af-A336-77925651A4C6} 
{DC4F9DA0-DB05-4BB0-8FB2-03A80FE98772} 
{0C378864-D5C4-4D9C-854C-432E3BEC9CCB} 
{93441C07-E57E-4086-B912-F323D741A9D8} 

ZoneAlarm 9 (ForceField) Security Disclosure

ZoneAlarm to panic, if so you may (or may not) see your ping replies.


*** Registry entries start here ***

Windows Registry Editor Version 5.00

[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]

*** Registry entries end here ***


NSOADV-2010-009: AnNoText Third-Party ActiveX Control file overwrite vulnerability

Save the following text as a .REG file and import it to set the kill bit
for this control:

+--------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0C3874AA-AB39-4B5E-A768-45F3CE6C6819}]
"Compatibility Flags"=dword:00000400


iDefense Security Advisory 10.31.07: Macrovision InstallShield Update Service ActiveX Unsafe Method Vulnerability

Administrators can set the kill-bit for the vulnerable ActiveX control
with the following .reg file. This will prevent the control from
loading within Internet Explorer.

  Windows Registry Editor Version 5.00
 
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{E9880553-B8A7-4960-A668-95C68BED571E}]
  "Compatibility Flags"=dword:00000400


Skype URI Handler Input Validation

found that the /Datapath argument can be included and directed to a remote SMB
share directly through a specially crafted Skype URI.

The Datapath argument specifies the location of the Skype configuration files and
security policy. Specifying a Datapath argument will override any local security
policy defined in the Windows registry.

A remote user can craft a link that, when clicked, spawns Skype.exe on a
client using a Datapath location on a remote SMB share. The Skype client
will load any configuration or security policy present, and save the
user's Skype account information to the remote share.

{PRL} Pegasus Mail client BoF

===============
1) Introduction
===============

Pegasus Mail (PMail) is suitable for single or multiple users on stand-alone computers and for internal and Internet mail on local area networks. Pegasus Mail has minimal system requirements compared with competing products, for instance the installed program (excluding mailboxes) for version 4.51 requires only around 13.5 MB of hard drive space. Since Pegasus Mail does not make changes to the Windows registry or the system directory, it is suitable as a portable application for USB drives. Language packs are available for languages other than English.

Some commentators have described Pegasus Mail as convoluted and cumbersome to configure, whereas others value Pegasus Mail for the features it offers. A key feature of Pegasus Mail is that it does not use the HTML layout engine that is installed with every Microsoft operating system since 1997: The ubiquity of the Microsoft engine, which is used not only by all Microsoft products but by numerous 3rd party products as well, makes it a frequent target of malware such as Melissa and ILOVEYOU. Mail clients such as Pegasus Mail that have their own HTML rendering engine are inherently immune to these security exploits. Pegasus Mail will also not execute automation commands (for example ActiveX or JavaScript) embedded in an e-mail, further reducing the chances of a security breach.


(from Wikipedia website)

NewV: NewvCommon.ocx arbitrary command execution via the Runcommand attribute

Set the kill bit for the NewV CLSID:
{0B68B7EB-02FF-4A41-BC14-3C303BB853F9}

.reg file:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{0B68B7EB-02FF-4A41-BC14-3C303BB853F9}]
"Compatibility Flags"=dword:00000400

-EOF-


[security bulletin] HPSBGN02410 SSRT080135 rev.1 - HP Virtual Rooms Client Running on Windows, Remote Execution of Arbitrary Code

https://www.rooms.hp.com 

HP Virtual Rooms client v7.0.1 can be installed by using the "Test your setup" link at https://www.rooms.hp.com . Select "Test your setup" from the right navigation bar and follow the instructions. 

Note: Installing this new release will also apply the Windows registry ‘kill bit’ for CLSID {00000032-9593-4264-8B29-930B3E4EDCCD}. The kill bit is explained in Microsoft article KB240797 or subsequent. http://support.microsoft.com/kb/240797 . 

To completely remove HP Virtual rooms (HPVR) from your system: 
Use the HPVR cleaner to remove HP Virtual Rooms from your system. The HPVR Cleaner will remove all HPVR executables and clear all registry entries – without the need to install the new version. Follow the instructions under "Removing HPVR components" here: https://www.rooms.hp.com/resources/ . 

PRODUCT SPECIFIC INFORMATION 

iDefense Security Advisory 04.09.10: VMware VMnc Codec Heap Overflow Vulnerability

V. WORKAROUND

Disabling the 'VMnc' codec will prevent exploitation. In order to do so,
import the 'disable-vmnc-codec.reg' registry file as follows.

  Windows Registry Editor Version 5.00

  [HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Drivers32]
  "VIDC.VMnc"=-
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows

NSOADV-2010-008: AnNoText Third-Party ActiveX Control Buffer Overflow

Save the following text as a .REG file and import it to set the kill bit
for this control:

+--------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{1E57C6C4-B069-11D3-8D43-00104B138C8C}]
"Compatibility Flags"=dword:00000400


Dell IT Assistant detectIESettingsForITA.ocx ActiveX Control readRegVal() Remote Registry Dump Vulnerability

File Version: 8.1.0.0
Safe for Scripting (Registry): TRUE
Safe for Initialization: TRUE

The readRegVal() method allows dumping specific values from
the Windows registry.
From the typelib:

..
        /* DISPID=1 */
        /* VT_BSTR [8] */

Re: ZoneAlarm Security Circumvention

On 2010-03-08 Andrew Barkley wrote:
> The following illustrates how one can easily disable ZoneAlarm's
> security for whatever malevolent purposes. This "vector" so to speak,
> is merely "abusing" a particular branch of the Windows registry, by
> registering this security service as disabled. When "exploiting" this
> "vector" (administrative privileges are assumed

Anything starting with "a user with administrative privileges can ..."
is neither a vulnerability nor a design flaw. Administrators can by
design do anything they want on the system. Period.

NSOADV-2010-006: Authentium Command Free Scan ActiveX Control buffer overflow

Save the following text as a .REG file and import it to set the kill bit
for this control:

+--------------------------------------
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{6CCE3920-3183-4B3D-808A-B12EB769DE12}]
"Compatibility Flags"=dword:00000400
+--------------------------------------

iDefense Security Advisory 03.31.08: Macrovision InstallShield InstallScript One-Click Install Untrusted Library Loading Vulnerability

Administrators can set the kill-bit for the vulnerable ActiveX control
with the following .reg file. This will prevent the control from
loading within Internet Explorer.

  Windows Registry Editor Version 5.00
 
  [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{53D40FAA-4E21-459f-AA87-E4D97FC3245A}]
  "Compatibility Flags"=dword:00000400



