Is also L'n'S affected?

Discussion in 'LnS English Forum' started by Ipex, Oct 1, 2005.

Thread Status:
Not open for further replies.
  1. Ipex

    Ipex Guest

  2. WSFuser

    WSFuser Registered Member

    Joined:
    Oct 7, 2004
    Posts:
    10,632
    i would guess that every program has its own set of vulnerabilities. however LnS could also share this problem due to its lack of thorough component/process control or anything like the OSFirewall or processguard features built in.
     
  3. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    If IE is not running yet, Look 'n' Stop will display the message "This application has started the following application, which connects to internet...", so it will detect the launcher program.

    If IE is already started, the running instance will be used, and so it will bypass Look 'n' Stop. There is however a way to force the execution of a new IE process in some cases. When the DDE access is coming from a system execution (with ShellExecute, CreateProcess...), it is possible to disable the DDE starting method as explained here:
    http://support.microsoft.com/default.aspx?scid=kb;en-us;256953
    => this will cause a new process to be created when ShellExecute... are used, and so Look 'n' Stop will detect this kind of attempt (the one demonstrated by ZaBypass.exe).

    Yet there remains the DDE direct access method. I guess it will work; is there any leaktest (or real trojan) using that?

    Frederic
     
  4. DavidR

    DavidR Registered Member

    Joined:
    Sep 28, 2005
    Posts:
    6
    Location:
    United Kingdom
    @Frederic
    This will obviously only work if IE is your default browser, since the zabypass.exe PoC uses the default browser.

    I have also had very mixed results with other browsers (IE based and non-IE based) as the default with the DDE off. http://outpostfirewall.com/forum/........postcount=24
     
  5. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    This should work with any browser (I tested it with Opera) since it changes how URLs are handled by Windows Explorer.
     
  6. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    hi frederic - i've only just caught up with this thread - i'm a little confused here: when i click on your link i get "OLEXP: How to Configure Outlook Express to Open Links in E-mail Messages in a New Browser Window". is this the DDE fix? or am i missing something here?
     
  7. StevieO

    StevieO Guest

    Top,

    The link is the same as in the other thread i posted in.

    I can 100% assure you the details given on the MS www are the ones i followed to the letter. It may talk about OE but it applies to IE also. That's because it's actually a Windows Explorer issue that the fix is for. But it affects the URL settings for DDE with IE and OE etc etc and others too.


    StevieO
     
  8. toploader

    toploader Registered Member

    Joined:
    Aug 19, 2005
    Posts:
    707
    hi StevieO - i'm not really familiar with this whole DDE thing yet so was somewhat confused by the whole outlook express thing.

    is this a problem for windows 2000, 95 and 98 only? from what i can see there is no mention of XP anywhere?

    yours truly
    confused of tunbridge wells :D
     

    Last edited: Oct 10, 2005
  9. Frederic

    Frederic LnS Developer

    Joined:
    Jan 9, 2003
    Posts:
    4,354
    Location:
    France
    Yes, this Microsoft page is not specific to OE. It works as soon as the system is asked to "execute" a URL.
    I tested the Win2000 procedure on WinXP and it worked.

    Frederic
     
  10. Paranoid2000

    Paranoid2000 Registered Member

    Joined:
    May 2, 2004
    Posts:
    2,839
    Location:
    North West, United Kingdom
    It is probably worth noting that this change should be made to https also ("URL:HyperText Transfer Protocol with Privacy").
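
Added example, not part of the original thread or of any poster's reply: a PowerShell audit that reports whether the http and https URL handlers still have a DDE launch method configured, which is the setting the posts above describe disabling. It assumes the "Use DDE" setting is stored under `HKEY_CLASSES_ROOT\<protocol>\shell\open\ddeexec`, a registry location the thread does not state; the function name `Get-UrlDdeStatus` is hypothetical.

```powershell
# Added example: read-only audit of the DDE setting on URL protocol handlers.
# Assumption (not from the thread): the handler for a protocol lives under
# HKEY_CLASSES_ROOT\<protocol>\shell\open, and DDE is considered configured
# when its ddeexec subkey exists with a non-empty default value.
function Get-UrlDdeStatus {
    param(
        # Both protocols, since the https handler is configured separately.
        [string[]]$Protocol = @('http', 'https')
    )

    foreach ($p in $Protocol) {
        $openKey    = "Registry::HKEY_CLASSES_ROOT\$p\shell\open"
        $commandKey = "$openKey\command"
        $ddeKey     = "$openKey\ddeexec"

        $command = $null
        $ddeMsg  = $null
        $ddeApp  = $null

        if (Test-Path -LiteralPath $commandKey) {
            # GetValue('') returns the key's default (unnamed) value, or $null.
            $command = (Get-Item -LiteralPath $commandKey).GetValue('')
        }
        if (Test-Path -LiteralPath $ddeKey) {
            $ddeMsg = (Get-Item -LiteralPath $ddeKey).GetValue('')
            if (Test-Path -LiteralPath "$ddeKey\Application") {
                $ddeApp = (Get-Item -LiteralPath "$ddeKey\Application").GetValue('')
            }
        }

        New-Object PSObject -Property @{
            Protocol       = $p
            HandlerCommand = $command   # program started for this protocol
            DdeMessage     = $ddeMsg    # DDE command string, if any
            DdeApplication = $ddeApp    # DDE server name, if any
            UsesDde        = -not [string]::IsNullOrEmpty($ddeMsg)
        } | Select-Object Protocol, UsesDde, DdeApplication, DdeMessage, HandlerCommand
    }
}

# Report any handler that can still be driven through an already running browser.
Get-UrlDdeStatus | Format-List
```

A protocol reported with `UsesDde` true is one where a URL launch can still be passed to an already running browser instance instead of creating a new process.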
     