
How to Safeguard Against New IE Vulnerability



hey_moe
December 17th, 2008, 04:20
Internet Explorer (http://www.extremetech.com/topic/0,2944,t=Microsoft%20Internet%20Explorer&s=27771,00.asp) has sprung a leak, and Microsoft (http://www.extremetech.com/topic/0,2944,t=Microsoft%20Corporation&s=27771,00.asp) advises that you batten down the hatches. A recent security advisory (http://www.microsoft.com/technet/security/advisory/961051.mspx) explains that a vulnerability in all modern versions of IE could allow an attacker to execute malicious code. As pointed out earlier (http://www.extremetech.com/article2/0,2845,2336805,00.asp), there are a number of workarounds to plug this potential leak. They're pretty complicated, though, so I'll walk you through the process.
http://blogs.pcmag.com/securitywatch/images/ie1.png
#1. Set security zone settings to "High". Click Tools in IE and select Internet Options. Click the Security tab. Click the Internet icon and slide the security level slider up to High. Click the Local intranet icon and slide the slider up to High. If you see "Custom" and no slider, click the Default Level button to bring back the slider.
http://blogs.pcmag.com/securitywatch/images/ie2.png
This action doesn't come without consequences. Sites that use ActiveX controls and ActiveX scripting will now trigger a confirmation prompt - you'll have to answer Yes to proceed. To eliminate that prompt for known, trusted sites, go back to the Security tab in Internet Options, click the Trusted sites icon, and click the Sites button. Uncheck the "Require server verification..." box and add your trusted sites. They especially recommend that you add *.update.microsoft.com and *.windowsupdate.microsoft.com, since those sites use an ActiveX control to check which updates you need.
http://blogs.pcmag.com/securitywatch/images/ie3.png
#2. Limit active scripting. You've already set the security level to high for both the Internet and Local intranet zones. There's one more tweak to make things even safer. Still in the Internet Options dialog's Security tab, click the Internet icon and click Custom level. Scroll way down the resulting list to find the Scripting section. Set the item titled "Active Scripting" to Prompt or Disable and click OK. Click the Local intranet icon and repeat the process. This setting will also interfere with some web sites, but as before you can add them to the trusted sites list.
http://blogs.pcmag.com/securitywatch/images/ie4.png
#3. Enable Data Execution Prevention. Data Execution Prevention (DEP) in Vista stops malicious attacks that try to inject code into what should be data and then execute it. To turn it on you'll have to launch IE as an administrator. Click the Start orb and type "Internet explorer", but don't press Enter. You'll see "internet explorer" at the top of the menu. Right-click it, choose "Run as administrator", and confirm that you want to proceed. Now click Tools, select Internet Options, and click the Advanced tab. Scroll all the way down until you can see "Enable memory protection to help mitigate online attacks". Check that box and click OK. Microsoft warns this may crash some IE add-ons.
http://blogs.pcmag.com/securitywatch/images/ie5.png
#4. Disable OLEDB32.DLL. OLEDB32.DLL is a Windows component that programs can call upon for database support. Apparently it's implicated in the current leak, so Microsoft advises disabling it. This one's pretty tough - you have to enter some complex commands in an Administrator-privileged Command Prompt. Click Start, click Run, enter CMD, but don't press Enter. Right-click CMD.EXE in the Start menu and choose Run as administrator. The next step depends on which operating system you're using. If it's a 32-bit edition of Windows 2000, Windows XP, or Windows Server 2003 copy the following command to the clipboard and paste it into the Command Prompt (by right-clicking the title bar and choosing Edit | Paste from the menu that appears):


cacls "C:\Program Files\Common Files\System\Ole DB\oledb32.dll" /E /P everyone:N

If you're running 32-bit Windows Vista or Windows Server 2008 it's a bit more complex. Copy the three lines below and paste them into the Command Prompt:


takeown /f "C:\Program Files\Common Files\System\Ole DB\oledb32.dll"
icacls "C:\Program Files\Common Files\System\Ole DB\oledb32.dll" /save %TEMP%\oledb32.32.dll.TXT
icacls "C:\Program Files\Common Files\System\Ole DB\oledb32.dll" /deny everyone:(F)

Check the Microsoft advisory (http://www.microsoft.com/technet/security/advisory/961051.mspx) for commands specific to 64-bit Windows editions. Don't close that Command Prompt, as you'll need it for the next step.
#5. Unregister OLEDB32.DLL. This one's simple. For any 32-bit Windows edition copy the command below and paste it into the Command Prompt:


Regsvr32.exe /u "C:\Program Files\Common Files\System\Ole DB\oledb32.dll"

#6. Disable Data Binding (IE8 Only). Here's a Registry tweak to further secure Internet Explorer 8. Launch Notepad and copy the three lines below into it:


Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DATABINDING_SUPPORT]
"iexplore.exe"=dword:00000000

Save the file on the desktop as "nodatabinding.reg" - put quotes around the filename so Notepad doesn't give it a .txt extension. Now double-click the file to launch it. Microsoft notes that this tweak will interfere with web sites that use data binding, and offers no workaround.
Back to Normal. OK, you've tweaked Internet Explorer to keep malefactors from exploiting this particular vulnerability. As noted, many of the tweaks have unpleasant side-effects. Sooner or later Microsoft will patch Internet Explorer, making these tweaks unnecessary. When that happens, here's how to reverse them all.
#6. To restore IE8's data binding, create a .reg file as described before, but include just this single line:


[-HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DATABINDING_SUPPORT]

#5. To re-register OLEDB32.DLL, open an Administrator-privileged Command Prompt as described earlier. Then copy and paste this command into it:


Regsvr32.exe "C:\Program Files\Common Files\System\Ole DB\oledb32.dll"

#4. To re-enable OLEDB32.DLL, copy and paste the appropriate commands into the already-open Command Prompt. For 32-bit Windows XP, 2000, and Server 2008 use this command:


cacls "C:\Program Files\Common Files\System\Ole DB\oledb32.dll" /E /R everyone

If you're running 32-bit Vista or Server 2008, this is the command:


icacls "C:\Program Files\Common Files\System\Ole DB" /restore %TEMP%\oledb32.32.dll.TXT

#3. To turn off DEP just do exactly what you did to turn it on, but un-check the box.
#2 and #1. Click Internet Options from the Tools menu and click the Security tab. Click the Internet icon and click the Default Level button. Click the Local intranet icon and click the Default Level button.
That's it. Everything is back the way it was. Thanks, Microsoft, for sending us on this adventure. Let's hope it doesn't happen again.
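The command-line part of the procedure above (steps 4 to 6 and their reversal) collected into one batch script, as an added example that is not part of the article or of Microsoft's advisory. It assumes the file path and registry key exactly as the article gives them, decides between the cacls and icacls variants from the `ver` output (5.x for 2000/XP/2003, 6.x for Vista/2008), refuses to run on 64-bit Windows because the article defers those commands to the advisory, and treats a `Version` value starting with `8.` under HKLM\SOFTWARE\Microsoft\Internet Explorer as "IE8 installed" (an assumption of this script). One deliberate ordering difference: it unregisters oledb32.dll before restricting access to it, and restores access before re-registering, because regsvr32 has to load the DLL to call its (un)registration entry point and a Deny for Everyone blocks that load even for administrators.

```batch
@echo off
rem Added helper script, not from the article or Microsoft's advisory 961051.
rem Applies, reverts or shows the state of workaround steps 4-6 on 32-bit
rem Windows: restrict oledb32.dll, unregister it, disable IE8 data binding.
rem Usage (from an Administrator command prompt):
rem   ie961051.cmd apply   |   ie961051.cmd revert   |   ie961051.cmd status
setlocal
set "OLEDBDIR=C:\Program Files\Common Files\System\Ole DB"
set "OLEDB=%OLEDBDIR%\oledb32.dll"
set "ACLBACKUP=%TEMP%\oledb32.32.dll.TXT"
set "DBKEY=HKLM\SOFTWARE\Microsoft\Internet Explorer\MAIN\FeatureControl\FEATURE_DATABINDING_SUPPORT"

rem The article only covers 32-bit editions. A 64-bit OS sets
rem PROCESSOR_ARCHITEW6432 when a 32-bit cmd.exe runs, otherwise
rem PROCESSOR_ARCHITECTURE is not "x86".
if defined PROCESSOR_ARCHITEW6432 goto :is64
if /i not "%PROCESSOR_ARCHITECTURE%"=="x86" goto :is64

rem Vista / Server 2008 report "Version 6.x" and need takeown + icacls;
rem 2000 / XP / 2003 report "Version 5.x" and use cacls.
set "NEWOS=0"
ver | findstr /c:"Version 6." >nul && set "NEWOS=1"

rem "net session" only succeeds in an elevated / administrator prompt.
net session >nul 2>&1 || (echo Run this from an Administrator command prompt. & exit /b 1)

rem Assumption: IE8 is present when the Version value starts with "8."
set "IEVER=0"
for /f "tokens=3" %%V in ('reg query "HKLM\SOFTWARE\Microsoft\Internet Explorer" /v Version ^| findstr /r /c:"^ *Version"') do set "IEVER=%%V"

if /i "%~1"=="apply"  goto :apply
if /i "%~1"=="revert" goto :revert
if /i "%~1"=="status" goto :status
echo Usage: %~n0 apply ^| revert ^| status
exit /b 1

:apply
rem Step 5 first: regsvr32 must still be able to load the DLL to unregister it.
regsvr32.exe /u /s "%OLEDB%"
if "%NEWOS%"=="1" goto :apply_new
cacls "%OLEDB%" /E /P everyone:N
goto :apply_db
:apply_new
takeown /f "%OLEDB%"
icacls "%OLEDB%" /save "%ACLBACKUP%"
icacls "%OLEDB%" /deny everyone:(F)
:apply_db
rem Step 6 only applies to IE8; the value mirrors the article's .reg file.
if "%IEVER:~0,2%"=="8." reg add "%DBKEY%" /v iexplore.exe /t REG_DWORD /d 0 /f
goto :status

:revert
rem Restore access first, then re-register (reverse of the apply order).
if "%NEWOS%"=="1" goto :revert_new
cacls "%OLEDB%" /E /R everyone
goto :revert_reg
:revert_new
icacls "%OLEDBDIR%" /restore "%ACLBACKUP%"
:revert_reg
regsvr32.exe /s "%OLEDB%"
reg delete "%DBKEY%" /f >nul 2>&1
goto :status

:status
echo --- oledb32.dll access control (look for a Deny / N entry for Everyone) ---
if "%NEWOS%"=="1" (icacls "%OLEDB%") else (cacls "%OLEDB%")
echo --- IE8 data binding feature control (key absent = data binding enabled) ---
reg query "%DBKEY%" 2>nul || echo FEATURE_DATABINDING_SUPPORT key not present
exit /b 0

:is64
echo 64-bit Windows detected: use the 64-bit commands from Microsoft advisory 961051 instead.
exit /b 1
```

The `status` mode is the check worth running after either direction: it lists the DLL's current ACL and whether the data-binding feature-control key exists, which is all the on-disk evidence these steps leave. Whether oledb32.dll is currently registered is not shown, because that would require knowing the CLSIDs the DLL registers, which the article does not give.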

hey_moe
December 17th, 2008, 04:24
This is for the ones who use IE.....please don't suggest going to Firefox....FF has it problems too.

Ickie
December 17th, 2008, 04:24
Or you can just wait until 1-2 PM today and download the fix.

hews500d
December 17th, 2008, 05:31
This is for the ones who use IE.....please don't suggest going to Firefox....FF has it problems too.


Firefox has repeatedly let my laptop become infected with :bs:

I installed Safari last night and it seems to work faster than both IE and Firefox.

Darrell

cheezyflier
December 17th, 2008, 06:14
Been an Opera user for years, not a single problem with it.
Sure is a lot easier than doing all that stuff mentioned above....:wavey:

Dangerousdave26
December 17th, 2008, 12:20
Just loaded the fix into two PCs and all is well.

Going to load it into my server in a minute but expect no problems.

//------------------

No problems as expected, server OK.

exc141ac
December 18th, 2008, 05:44
Or you can just run your (any) browser (or any other program) in Sandboxie.