Spybot DSO Exploit

FM

The problem can be fixed easily if you do it right. It seems no one has
properly advised us beginners on how to correct the problem. In my case I
had five different "0\1004" zones that needed to be changed. I found the
solution by chance. I changed all of them the same way. I will just
illustrate one.

SpyBot's DSO Exploit:
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3

What the program is saying is that the "W" has to be changed to 3. The "W" in
this case is the "Dword".

1. If you follow the above path in the registry to the 0 zone folder you will
see in the right hand window the number 1004 in the name column.
2. In the next column, the Data column, you will find a blank. This blank
has to be changed to "x00000003(3)"
3. To do this you have to right click on the data column. A "NEW" will
appear. Click on it. From popup screen select "DWORD Value".
4. This will put a "NEW Value #1" at the bottom of the window. Left click on
the small icon on the left of the "New Value #1" file.
5. An "Edit DWORD Value" screen will appear.
6. In the "Value Data" window insert the number 3. (make sure the Base
Hexadecimal is checked) then click ok.
7. Then go back and delete the original 1004 file.
8. Rename the "NEW Value #1" number "1004".

Once you've done all the registry entries showing in SPYBot's DSO
Exploit...the problem will be solved.

FM
 
Guest

Actually in my registry the key is a string value and it's left blank. Here
is a quote from the Spybot forum. Note that if you have properly updated and
patched your XP OS this is not an issue any more. The problem was fixed by a
patch ages ago. Get updated and you won't have this problem. Here is the
quote. "Well, yes and no. You see, there are several reports of this issue
here in the Spybot forum, which shows that it is happening for a lot of
people, so in that sense it's normal - meaning your system is reacting like
many others...

However, the fact that Spybot isn't properly fixing this is just a simple
bug that I'm sure will be fixed soon.

Basically what's happening is that Spybot is finding that the security
setting for "Download unsigned ActiveX controls" for the (normally) hidden
"My Computer" zone in Internet Explorer is not set to disabled.

Given that anyone who is properly patched (via Windows Update) is not
vulnerable to this exploit anymore, this is really not a serious issue, so
provided your system is patched, you have nothing to worry about and can just
ignore this until the fix comes out.

As to why Spybot isn't fixing it right, and what exactly it is doing when it
goes to fix the value, here's a little analysis from testing this a few
minutes ago...

Decoding the values displayed:


QUOTE
..\Internet Settings\Zones\0\1004!=W=3


The "\0\" points to the My Computer Zone. The key "1004" holds the value for
the specific setting "Download unsigned ActiveX controls". The "!=" means
"not equal". "W=3" (word value of 3) specifically means "disabled".
Therefore, Spybot is finding that this setting is not disabled for various
users defined on the system.

When it actually goes to fix that value, (ie. to simply change whatever it
is set to currently to a value of 3), the bug is that it isn't setting it to
the proper type of data element - a DWORD value. Therefore, that registry
item ends up with no value at all after the fix is performed, and so every
time you run a scan again, Spybot still finds that the value in that/those
keys is not equal to 3.
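
The check decoded above, together with the manual fix from the first post, can be run across every hive loaded under HKEY_USERS. This is an added example, not part of the thread and not Spybot's own code; the function names `Get-Zone0Setting1004` and `Repair-Zone0Setting1004` and the state labels are made up for illustration. It reports whether value 1004 in zone 0 exists, is a DWORD, and holds 3, which makes the "string value left blank" case visible as a wrong type.

```powershell
# Added example: audit value 1004 ("Download unsigned ActiveX controls") in
# zone 0 (My Computer) for every hive loaded under HKEY_USERS.
$ZoneSubKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'
$ValueName  = '1004'
$Disabled   = 3      # the data Spybot expects ("W=3")

function Get-Zone0Setting1004 {   # hypothetical name
    $users = [Microsoft.Win32.Registry]::Users
    foreach ($sid in $users.GetSubKeyNames()) {
        $key = $users.OpenSubKey("$sid\$ZoneSubKey")   # read-only handle
        if ($null -eq $key) { continue }                # hive has no zone 0 key
        try {
            $state = 'Missing'; $kind = $null; $data = $null
            if ($key.GetValueNames() -contains $ValueName) {
                $kind = $key.GetValueKind($ValueName)
                $data = $key.GetValue($ValueName)
                if ($kind -ne [Microsoft.Win32.RegistryValueKind]::DWord) {
                    $state = 'WrongType'     # e.g. a blank string value
                } elseif ($data -ne $Disabled) {
                    $state = 'NotDisabled'   # DWORD, but not 3
                } else {
                    $state = 'OK'
                }
            }
            [pscustomobject]@{ Sid = $sid; Kind = $kind; Data = $data; State = $state }
        } finally {
            $key.Close()
        }
    }
}

function Repair-Zone0Setting1004 {   # hypothetical name
    param([Parameter(Mandatory)][string]$Sid)
    $key = [Microsoft.Win32.Registry]::Users.OpenSubKey("$Sid\$ZoneSubKey", $true)
    if ($null -eq $key) { throw "Zone 0 key not found for $Sid" }
    try {
        # Writing with an explicit kind replaces a value of the wrong type.
        $key.SetValue($ValueName, $Disabled, [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally {
        $key.Close()
    }
}

Get-Zone0Setting1004 | Format-Table -AutoSize
# To correct one hive (other users' hives need an elevated session):
# Repair-Zone0Setting1004 -Sid 'S-1-5-19'
```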
 
FM

The Unknow P

Very good. I got the basic same answer on the patch from spybot. Now I can
ignore the constant repeat. If I understand you correctly, I have
effectively made the change that Spybot intended to make, which was not a
problem in the first place?

FM
 
Donald McDaniel

The problem can be fixed easily if you do it right. It seems no one has
properly advised us beginners on how to correct the problem. In my case I
had five different "0\1004" zones that needed to be changed. I found the
solution by chance. I changed all of them the same way. I will just
illustrate one.

SpyBot's DSO Exploit:
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3

What the program is saying is that the "W" has to be changed to 3. The "W" in
this case is the "Dword".

1. If you follow the above path in the registry to the 0 zone folder you will
see in the right hand window the number 1004 in the name column.
2. In the next column, the Data column, you will find a blank. This blank
has to be changed to "x00000003(3)"
3. To do this you have to right click on the data column. A "NEW" will
appear. Click on it. From popup screen select "DWORD Value".
4. This will put a "NEW Value #1" at the bottom of the window. Left click on
the small icon on the left of the "New Value #1" file.
5. An "Edit DWORD Value" screen will appear.
6. In the "Value Data" window insert the number 3. (make sure the Base
Hexadecimal is checked) then click ok.
7. Then go back and delete the original 1004 file.
8. Rename the "NEW Value #1" number "1004".

Once you've done all the registry entries showing in SPYBot's DSO
Exploit...the problem will be solved.

FM

A much easier way to avoid SpyBot S&D constantly showing the DSO
Exploit, which does not require Registry entries, is outlined below:
1) Make sure you have the latest version of SpyBot S&D installed
(1.3.0.12).
2) Open SpyBot S&D, click on "Settings".
3) Click on "Ignore products".
4) Click on "All Products" tab
5) Scroll down list until you come to the "DSO Exploit" entry.
6) Put a check mark beside it.
7) Close SpyBot S&D.

Donald L McDaniel
Keep the thread intact
Post reply to original newsgroup
=======================================================
 
Bruce Chambers

FM said:
The problem can be fixed easily if you do it right. It seems no one
has properly advised us beginners on how to correct the problem. In
my case I had five different "0\1004" zones that needed to be
changed. I found the solution by chance. I changed all of them the
same way. I will just illustrate one.

SpyBot's DSO Exploit:
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3

What the program is saying is that the "W" has to be changed to 3.
The "W" in this case is the "Dword".

1. If you follow the above path in the registry to the 0 zone folder
you will see in the right hand window the number 1004 in the name
column.
2. In the next column, the Data column, you will find a blank. This
blank has to be changed to "x00000003(3)"
3. To do this you have to right click on the data column. A "NEW"
will appear. Click on it. From popup screen select "DWORD Value".
4. This will put a "NEW Value #1" at the bottom of the window. Left
click on the small icon on the left of the "New Value #1" file.
5. An "Edit DWORD Value" screen will appear.
6. In the "Value Data" window insert the number 3. (make sure the
Base Hexadecimal is checked) then click ok.
7. Then go back and delete the original 1004 file.
8. Rename the "NEW Value #1" number "1004".

Once you've done all the registry entries showing in SPYBot's DSO
Exploit...the problem will be solved.

FM


That's a lot of work, just to prevent a false positive that can
easily be turned off from within SpyBot S&D.

The DSO exploit was patched long ago by IE Cumulative Update
MS02-015, in March of 2002. If you've installed this specific patch,
or any subsequent IE Cumulative Updates, or IE Service Pack 1, you're
safe. It would appear that the latest version of Spybot S&D is only
checking for Internet zone settings in the registry that could be used
as work-around protection, and not for the presence of any corrective
patches. Hopefully, the makers of Spybot will soon fix this bug.

MS02-015 March 28, 2002 Cumulative Patch for Internet Explorer
http://support.microsoft.com/default.aspx?scid=kb;EN-US;319182

If you like, you can test your system for this particular
vulnerability at this web site:
http://www.grey.com/security/advisories/gm001-ie/

The makers of SpyBot S&D have acknowledged the problem and will
fix it on their next update:
http://www.safer-networking.org/index.php?page=paragraphs&detail=currentfaqs

In the meantime, in SpyBot S&D, click Mode > Advanced > Settings >
Ignore Products > Security > DSO Exploit, to turn off the false alarm.

--

Bruce Chambers

Help us help you:



You can have peace. Or you can have freedom. Don't ever count on
having both at once. - RAH
 
