Nasty problem of site changing Homepage in IE 5.5? - Group Policy failure

  • Thread starter: George Hester

George Hester

This is a prime example of how what Microsoft Windows IMPLIES is NOT what Microsoft Windows DOES. For example:

You would think that if something is changing the home page of IE then all you would need to do is set it to what you want. Then go into Group Policy, find Windows Components | Internet Explorer and enable "Disable changing home page settings." What do you think? Doesn't this imply that changing home page settings has been disabled until this Group Policy has been disabled? Doesn't this imply that? Seems so to me, or I'm not all that bright. Oh, forget about the Domain client issue that has been provided for.

BUT IT DOES NOT!!!

I don't know what good this Group Policy setting is if it doesn't do what it implies. Seems to me this issue is a major security flaw not just of Microsoft Windows 2000 but of the company themselves. They do not realize that when they imply something can be used for security that in reality doesn't do sh*t, that is Security Violation 101.

In this case my home page was reset to http://coolwebsearch.com with this Group Policy enabled and with a home page NOT set to this.

All ActiveX was off. All scripting disabled. No trojans, let's not go there. That is just an excuse for avoiding this issue. No BHOs. No virus. Folks, it is a security issue plain and simple. It is a failure of Group Policy implying something it is unable to provide.

I could fix this I believe (of course I am going on implications, not reality, here) if I could set permissions in regedt32 on a value, not a key. But that cannot be done in Microsoft Windows 2000. You can only set permissions on a key, not on a value. Maybe this is why Group Policy FAILS in this case. Because Group Policy would have to set permissions on values (HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer:Search URl - REG_SZ - http://www.microsoft.com), not keys (HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer), and that is not possible. So it seems to me any Group Policy in Windows 2000 that implies making changes to just a value, not a key, in the registry is doomed to fail.
 
George,
Sorry to hear you're having so much trouble ........... however:
1) Coolwebsearch *is* a trojan .......
http://www.spywareinfo.com/~merijn/cwschronicles.html#byteverify

2) When you set the "HomePage" restriction, was this applied to:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001
[or]
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001

In this case Coolwebsearch rewrites *all* the browser URLs on restart.
This occurs because there is a ".exe" loading at Startup that does this.
Most likely you also have a BHO installed that rewrites also.

If you *really* want to lock-down your machine there are a few more
restrictions that need to be added.
http://www.winguides.com/registry/

[example]
NoSearchCustomization
NoToolbarCustomize
NoExternalBranding
TrustedPublisherLockdown
ApplyTrustedPublisherLockdown
Security_Options_Edit
Security_HKLM_Only
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 12-01-03]
Please post replies to this Newsgroup, email address is invalid
--

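Mike's question about which hive the HomePage restriction landed in can be answered from a registry export (regedit /e) without touching the live machine. The script below is an added example, not code posted in this thread or anything from Microsoft: it parses the .reg text, reports whether the HomePage value is set under HKCU or HKLM Policies, reads the user's actual Start Page, and lists which of the extra restriction names Mike gives are present anywhere under a Policies\Microsoft\Internet Explorer key. It assumes the standard location of the Start Page value (HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main, which the thread does not spell out); SAMPLE_EXPORT is constructed, and the key holding NoToolbarCustomize in it is illustrative only.

```python
"""Audit an exported registry file (regedit /e output) for the IE home-page
lockdown discussed in this thread.

Added example, not code posted in the thread. SAMPLE_EXPORT is constructed.
"""
import re

# Policy locations quoted in Mike Burgess's reply.
POLICY_KEYS = (
    r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel",
    r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel",
)
# Where IE keeps the user's real home page. Assumption: the standard
# "Main\Start Page" layout; the thread only names the parent key.
MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"
# Extra restriction value names from Mike's list. They are searched for under
# any Policies\Microsoft\Internet Explorer key rather than at assumed paths.
EXTRA_RESTRICTIONS = (
    "NoSearchCustomization", "NoToolbarCustomize", "NoExternalBranding",
    "TrustedPublisherLockdown", "ApplyTrustedPublisherLockdown",
    "Security_Options_Edit", "Security_HKLM_Only",
)

_KEY_RE = re.compile(r"^\[(?P<delete>-?)(?P<key>[^\]]+)\]$")
_VAL_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def _unescape(s):
    # .reg strings escape backslash and double quote with a backslash.
    return re.sub(r"\\(.)", r"\1", s)


def _decode_data(data):
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", _unescape(data[1:-1]))
    if data.lower().startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))
    return ("RAW", data)  # hex:, hex(2):, hex(7): ... kept verbatim


def parse_reg(text):
    """Return {key path: {value name: (type, data)}}. '@' is the default value."""
    keys, current, pending = {}, None, ""
    for raw in text.lstrip("\ufeff").splitlines():
        line = raw.strip()
        if line.endswith("\\") and not line.startswith("["):
            pending += line[:-1]          # hex data continued on the next line
            continue
        line, pending = pending + line, ""
        if not line or line[0] == ";" or line.startswith("Windows Registry Editor") or line == "REGEDIT4":
            continue
        m = _KEY_RE.match(line)
        if m:
            if m.group("delete"):         # [-HKEY_...] removes the key
                keys.pop(m.group("key"), None)
                current = None
            else:
                current = m.group("key")
                keys.setdefault(current, {})
            continue
        m = _VAL_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else _unescape(m.group("name"))
            keys[current][name] = _decode_data(m.group("data"))
    return keys


def _lookup(keys, key, name):
    # Key and value names are case-insensitive; the export keeps whatever case was used.
    for k, vals in keys.items():
        if k.lower() == key.lower():
            for n, v in vals.items():
                if n.lower() == name.lower():
                    return v
    return None


def audit(keys, known_bad=("coolwebsearch.com",)):
    """Summarise lockdown state. known_bad: hosts the thread reports as hijack targets."""
    report = {
        "homepage_locked_hkcu": _lookup(keys, POLICY_KEYS[0], "HomePage") == ("REG_DWORD", 1),
        "homepage_locked_hklm": _lookup(keys, POLICY_KEYS[1], "HomePage") == ("REG_DWORD", 1),
        "start_page": None,
        "start_page_hijacked": False,
        "extra_restrictions": {n: False for n in EXTRA_RESTRICTIONS},
    }
    sp = _lookup(keys, MAIN_KEY, "Start Page")
    if sp and sp[0] == "REG_SZ":
        report["start_page"] = sp[1]
        host = sp[1].split("//", 1)[-1].split("/", 1)[0].lower()
        report["start_page_hijacked"] = any(host == b or host.endswith("." + b) for b in known_bad)
    for key, vals in keys.items():
        if "\\policies\\microsoft\\internet explorer" in key.lower():
            for n, v in vals.items():
                if n in EXTRA_RESTRICTIONS:
                    report["extra_restrictions"][n] = v == ("REG_DWORD", 1)
    return report


# Constructed export: policy set in HKCU only, Start Page already rewritten.
# The "Restrictions" key below is illustrative; it only shows the name search.
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Restrictions]
"NoToolbarCustomize"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://coolwebsearch.com"
"Local Page"="C:\\WINNT\\system32\\blank.htm"
'''

if __name__ == "__main__":
    for k, v in audit(parse_reg(SAMPLE_EXPORT)).items():
        print(f"{k}: {v}")
```

What the audit makes visible is that the restriction value and the Start Page data value are separate registry entries: a box can report the lockdown as on while the home page already reads coolwebsearch.com, which is the state George describes.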
 
Ah, thanks Mike. I hope you were addressing what I can do in IE icon | Properties | Security | Customize settings... because that is what I have to do now whenever I get a hankering to surf the web. Just way too many arseholes out there.

Anyway, the issue in this was not a trojan, not a virus, actually nothing else than a website making available for surreptitious download arch.jar.

This downloads into the user's Temporary Internet Files and executes. I suppose I could remove the default exe for Jar files but I'd rather find a different way. Hope I can use what you had to say.

Anyway, there are four classes in this jar:

Beyond.class
BlackBox.class
Dummy.class
VerifierBug.class

The class that is giving this change of the homepage and adding URLs to Favorites is Beyond.class. I decompiled it and saw them all.

Now this still does NOT address the issue of Group Policy being overridden. If it worked then seems to me the only way that should be available to change a group setting is either through ADSL or through the Group Policy interface itself. Any other way is a violation of Security 101. And that is exactly what is happening in this case. A jar with a well-made class downloaded surreptitiously over the web is changing Group Policy. Not good!!!

--
George Hester
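George's triage of arch.jar (four classes, one of which does the rewriting) is the kind of check worth scripting over the whole IE cache rather than one file at a time. The script below is an added example, not George's or anyone's posted code: it walks a directory for .jar files, lists their .class entries, flags the four names from this thread, and notes entries that claim to be classes but lack the Java class-file magic. It identifies by name only, as George did, and decompiles nothing. build_sample_jar constructs a stand-in archive carrying those names and the magic bytes; it is not the real arch.jar.

```python
"""Triage cached Java archives: list .class entries per .jar and flag the
class names reported in this thread.

Added example, not code from the thread. build_sample_jar() is a constructed
stand-in, not arch.jar.
"""
import io
import os
import zipfile

# Class names George listed from arch.jar.
SUSPECT_CLASSES = frozenset({"Beyond.class", "BlackBox.class", "Dummy.class", "VerifierBug.class"})
CLASS_MAGIC = b"\xca\xfe\xba\xbe"   # every Java class file starts with this


def triage_jar(data):
    """Return entry names, which suspect names matched, and entries that claim
    to be classes but lack the class-file magic (junk or disguised content)."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        classes, bad_magic = [], []
        for info in zf.infolist():
            if not info.filename.lower().endswith(".class"):
                continue
            classes.append(info.filename)
            with zf.open(info) as f:
                if f.read(4) != CLASS_MAGIC:
                    bad_magic.append(info.filename)
    matches = sorted({os.path.basename(c) for c in classes} & SUSPECT_CLASSES)
    return {"classes": sorted(classes), "matches": matches,
            "bad_magic": bad_magic, "suspect": bool(matches)}


def scan_dir(root):
    """Walk root (e.g. the user's Temporary Internet Files folder) for .jar
    files. Returns {path: triage result}; unreadable archives get an 'error'."""
    results = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            if not name.lower().endswith(".jar"):
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as f:
                    results[path] = triage_jar(f.read())
            except (zipfile.BadZipFile, OSError) as exc:
                results[path] = {"error": str(exc)}
    return results


def build_sample_jar(names=tuple(sorted(SUSPECT_CLASSES)), with_magic=True):
    """Constructed stand-in: entries carry only the class-file magic (or a
    deliberately wrong header), no bytecode."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for n in names:
            zf.writestr(n, (CLASS_MAGIC if with_magic else b"MZ\x90\x00") + b"\x00" * 4)
    return buf.getvalue()


if __name__ == "__main__":
    print(triage_jar(build_sample_jar()))
    # On Windows 2000 the IE cache lives under
    # %USERPROFILE%\Local Settings\Temporary Internet Files.
    root = os.path.join(os.environ.get("USERPROFILE", "."), "Local Settings", "Temporary Internet Files")
    for path, result in scan_dir(root).items():
        print(path, result)
```

A name match is an indicator, not a verdict: a hijack kit can rename its classes at will, so a hit confirms the family George saw while a miss says nothing. The bad_magic list catches the other direction, an archive padding itself with .class entries that are not class files.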
 
Well my response to you got lost in the ether.

It is a jar (the executable) file that gets put in Temporary Internet Files in a class called Beyond.class.

This is a good example of the security issues in Microsoft Windows. With the Group Policy enabled a jar downloaded from the Internet should NOT have had the ability to override it. Bad, because this jar can.

--
George Hester
 
George,
Did you have the 2 listed "Critical Updates" in place *before* this occurred?
http://www.microsoft.com/technet/security/bulletin/MS03-011.asp
http://www.microsoft.com/technet/security/bulletin/ms00-075.asp
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 12-01-03]
Please post replies to this Newsgroup, email address is invalid
--

 
Hi Mike. I was not able to verify the second link you gave and I also cannot find it. The rules are to get it from the Windows Update site and it doesn't show as available. So that one I am not able to say one way or the other.

The first link you gave, it seems I did not have that installed. I did qfecheck and didn't see it. But that one I was able to get and installed it.

I'm hoping that one is sufficient to avoid this issue in the future. Do you think so? Anyway, thanks for your help.

--
George Hester
 
George,
Glad to see you are making progress .........
You should have *all* "Critical Updates" installed!
"Recommended Updates" are optional, the Critical Updates plug the
holes\exploits. Some of these earlier Criticals were rolled into the
"Cumulative Patches", depending on your OS.

There is a big hint on the following page:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-075.asp
Web sites placed within the Restricted Sites zone in Internet Explorer will
not be able to exploit this vulnerability.

http://www.mvps.org/winhelp2002/restricted.htm
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 12-01-03]
Please post replies to this Newsgroup, email address is invalid
--

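Mike's last two pointers, the Restricted Sites zone and the HOSTS file, are both list-driven, and it is safer to generate the files from one list than to hand-edit them. The script below is an added example, not code from the thread or from the mvps.org pages. It assumes the ZoneMap registry layout (one key per registrable domain under ...\Internet Settings\ZoneMap\Domains, a "*" value holding the zone number, 4 for Restricted Sites, and a host prefix as a subkey) and the REGEDIT4 file header, which regedit on Windows 2000 and later imports. Security_HKLM_Only from Mike's earlier list switches IE to machine-wide zone settings, so the hive is a parameter. DOMAINS is a constructed list seeded with the host the thread names.

```python
"""Generate the two blocklist files Mike points to: a .reg that puts hijack
domains into IE's Restricted Sites zone, and HOSTS lines that sink them.

Added example, not code from the thread or the mvps.org pages. Assumed:
ZoneMap layout (key per domain under ...\ZoneMap\Domains, '*' value = zone
number, host prefix as a subkey) and the REGEDIT4 header. DOMAINS is constructed.
"""
import re

ZONEMAP = r"{hive}\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
RESTRICTED_SITES = 4   # zone ids: 1 intranet, 2 trusted, 3 internet, 4 restricted
_LABEL = re.compile(r"^(?!-)[a-z0-9-]{1,63}(?<!-)$")

# Constructed list: the host the thread names (once as a URL) plus a documentation domain.
DOMAINS = ["coolwebsearch.com", "http://www.coolwebsearch.com/landing", "EXAMPLE.net."]


def normalize(domains):
    """Lower-case, strip scheme/port/path and trailing dot, dedupe, reject junk."""
    out = []
    for d in domains:
        d = d.strip().lower().split("://", 1)[-1].split("/", 1)[0].split(":", 1)[0].rstrip(".")
        labels = d.split(".")
        if len(labels) < 2 or not all(_LABEL.match(l) for l in labels):
            raise ValueError(f"not a hostname: {d!r}")
        if d not in out:
            out.append(d)
    return out


def zonemap_key(host, hive="HKEY_CURRENT_USER"):
    """IE stores host.example.com as Domains\\example.com\\host. Simplification:
    the registrable domain is taken as the last two labels (wrong for co.uk-style names)."""
    labels = host.split(".")
    key = ZONEMAP.format(hive=hive) + "\\" + ".".join(labels[-2:])
    if len(labels) > 2:
        key += "\\" + ".".join(labels[:-2])
    return key


def restricted_sites_reg(domains, zone=RESTRICTED_SITES, hive="HKEY_CURRENT_USER"):
    """Text of a .reg file. Use hive='HKEY_LOCAL_MACHINE' when Security_HKLM_Only is in force."""
    lines = ["REGEDIT4", ""]
    for d in normalize(domains):
        lines += [f"[{zonemap_key(d, hive)}]", f'"*"=dword:{zone:08x}', ""]
    return "\r\n".join(lines)   # regedit wants CRLF line endings


def hosts_block(domains, sink="127.0.0.1"):
    """Lines for %SystemRoot%\\system32\\drivers\\etc\\hosts. HOSTS matches exact
    names, so a bare domain gets a www. companion; longer names stay as given."""
    lines = []
    for d in normalize(domains):
        for name in ([d, "www." + d] if d.count(".") == 1 else [d]):
            line = f"{sink} {name}"
            if line not in lines:
                lines.append(line)
    return "\n".join(lines)


if __name__ == "__main__":
    print(restricted_sites_reg(DOMAINS))
    print(hosts_block(DOMAINS))
```

The two files cover different layers: the zone entry makes IE apply the Restricted Sites settings to pages from those hosts, while the HOSTS lines stop the names resolving at all. Neither does anything about a jar already sitting in the cache, which is what the two bulletins Mike lists are for.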
 
I had every critical patch installed except for the MDAC security update for Windows 2000 SP3. I doubt I would have gotten the JVM security patch if I had installed that. Now that Microsoft's getting out of the Java business and going full-blown into .NET, well, you saw the result. The patches for the JVM did NOT appear at the Windows Update site. In fact I had to use the Update Catalog to get your first link.

Nothing more shows there (other than .NET Framework and IE 6, oh, and the MDAC 2.8 patch), so if I'm supposed to do anything more the Microsoft Windows Update site is no use. Nothing shows there except what I mentioned above and I cannot verify it.

So far it hasn't happened since I did what you said. But I am turning off Java now too while I surf.

--
George Hester
__________________________________
Mike Burgess said:
George,
Glad to see you are making progress .........
You should have *all* "Critical Updates" installed!
"Recommended Updates" are optional, the Critical Updates plug the
holes\exploits. Some of these earlier Criticals were rolled into the
"Cumulative Patches", depending on your OS.

There is a big hint on the following page:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms00-075.asp
Web sites placed within the Restricted Sites zone in Internet Explorer will
not be able to exploit this vulnerability.

http://www.mvps.org/winhelp2002/restricted.htm
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 12-01-03]
Please post replies to this Newsgroup, email address is invalid
--

Hi Mike. I was not able to verify the second link you gave and I also
cannot find it. The rules are to get it from the Windows Update site and it
doesn't show as available. So that one I am not able to say one way or the
other.

The first link you gave it seems I did not have that installed. I did
qfecheck and didn't see it. But that one I was able to get and installed
it.

I'm hoping that one is sufficient to avoid this issue in the futrure. Do
you thnk so? Anway thanks for your help.

--
George Hester
__________________________________
Mike Burgess said:
George,
Did you have the 2 listed "Critical Updates" in place *before* this occured?
http://www.microsoft.com/technet/security/bulletin/MS03-011.asp
http://www.microsoft.com/technet/security/bulletin/ms00-075.asp
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 12-01-03]
Please post replies to this Newsgroup, email address is invalid
--

Well my response to you got lost in the ether.

It is a jar (the executable) file that gets put in Temporary Internet Files
in a class called Beyond.class.

This is a good example of the Security issues in Microsoft Windows. With
the Group policy enabled a jar downloaded from the Internet should NOT have
had the ability to override it. Bad, because this jar can.

--
George Hester
__________________________________
Mike Burgess said:
George,
Sorry to hear you're having so much trouble ........... however:
1) Coolwebsearch *is* a trojan .......
http://www.spywareinfo.com/~merijn/cwschronicles.html#byteverify

2) When you set the "HomePage" restriction, was this applied to:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control
Panel]
"HomePage"=dword:00000001
[or]
[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control
Panel]
"HomePage"=dword:00000001

In this case Coolwebsearch rewrites *all* the browser URLs on restart.
This occurs because there is a ".exe" loading at Startup that does this.
Most likely you also have a BHO installed that rewrites also.

If you *really* want to lock-down your machine there are a few more
restrictions that need to be added.
http://www.winguides.com/registry/

[example]
NoSearchCustomization
NoToolbarCustomize
NoExternalBranding
TrustedPublisherLockdown
ApplyTrustedPublisherLockdown
Security_Options_Edit
Security_HKLM_Only
____________________________________________________________
Mike Burgess [MVP Windows Shell\User] http://www.mvps.org/winhelp2002/
Blocking Spyware, Adware, Parasites, Hijackers, Trojans, with a HOSTS file
http://www.mvps.org/winhelp2002/hosts.htm [updated 12-01-03]
Please post replies to this Newsgroup, email address is invalid
--

This is a prime example of - what Microsoft Windows IMPLIES is NOT what
Microsoft Windows DOES. For example.

You would think that if something is changing the home page of IE then all
you would need to do is set it to what you want. Then go into Group Policy
find the Windows Components | Internet Explorer and enable "Disable changing
home page settings." What do you think? Doesn't this imply that changing
home page settings has been disabled until this Group policy has been
disabled? Doesn't this imply that? Seems so to me or I'm not all that
bright. Oh forget about the Domain client issue that has been provided for.

BUT IT DOES NOT!!!

I don't know what good this Group policy setting is if it doesn't do what
it implies. Seems to me this issue is a major security flaw not just of
Microsoft Windows 2000 but of the company themselves. They do not realize
that when they imply something can be used for security that in reality
don't do sh*t, that is Security violation 101.

In this case my home page was reset to http://coolwebsearch.com with this
Group policy enabled with a home page NOT set to this.

All ActiveX was off. All scripting disabled. No trojans, let's not go there.
That is just an excuse for avoiding this issue. No BHO's. No virus. Folks
it is a security issue plain and simple. It is a failure of Group policy
implying something it is unable to provide.

I could fix this I believe (of course I am going on implications not reality
here) if I could set permissions in regedt32 on a value not a key. But
that cannot be done in Microsoft Windows 2000. You can only set permissions
on a Key not on a value. Maybe this is why Group policy FAILS in this case.
Because Group policy would have to set permissions on values
(HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer:Search URl -
REG_SZ - http://www.microsoft.com) not Keys
(HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer) and that is not
possible. So it seems to me any Group policy in Windows 2000 that implies
making changes to just a value not a Key in the registry is doomed to fail.
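Mike's question about where the "HomePage" restriction was applied, and George's observation that the hijacker rewrites the home page value anyway, can both be checked from a regedit export of the keys involved. The script below is an added example, not code from this thread, from Mike's site or from Microsoft. It parses a .reg export (the same syntax Mike's post uses) covering the two policy keys he lists plus HKCU\Software\Microsoft\Internet Explorer\Main, and reports whether the lockdown value is present and whether "Start Page" is one of the home pages you expect. The sample export, the allow-list and the file name are constructed for the example; the key and value names are the ones named in the thread or standard IE locations.

```python
import re
import sys

# Constructed sample of a regedit export (the same .reg syntax Mike's post uses).
# In this sample the HKCU HomePage restriction is set, the HKLM policy key is
# present but empty, and "Start Page" has been rewritten to the hijacker's URL.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel]
"HomePage"=dword:00000001

[HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel]

[HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main]
"Start Page"="http://coolwebsearch.com"
"Search Page"="http://www.microsoft.com/isapi/redir.dll?prd=ie&ar=iesearch"
"""

# The two places Mike asks about for the lockdown, and the key IE reads its home page from.
POLICY_KEYS = (
    r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Internet Explorer\Control Panel",
    r"HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Internet Explorer\Control Panel",
)
MAIN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Internet Explorer\Main"

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^(?:"(?P<name>(?:[^"\\]|\\.)*)"|(?P<default>@))=(?P<data>.*)$')


def decode_data(data):
    """Turn textual .reg data into a Python value (dword -> int, quoted string -> str)."""
    if data.startswith("dword:"):
        return int(data[len("dword:"):], 16)
    if len(data) >= 2 and data.startswith('"') and data.endswith('"'):
        # .reg strings escape backslash and double quote with a backslash
        return re.sub(r"\\(.)", r"\1", data[1:-1])
    return data  # hex:, expandable strings etc. are left as raw text


def parse_reg_export(text):
    """Map lowercased key path -> {lowercased value name: value} for a .reg file."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        m = KEY_RE.match(line)
        if m:
            current = m.group("key").lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = "@" if m.group("default") else m.group("name")
            keys[current][name.lower()] = decode_data(m.group("data"))
    return keys


def normalize_url(url):
    return url.strip().lower().rstrip("/")


def audit_homepage(keys, allowed_start_pages):
    """Return findings: missing HomePage lockdown and/or an unexpected Start Page."""
    findings = []
    locked = [k for k in POLICY_KEYS if keys.get(k.lower(), {}).get("homepage") == 1]
    if not locked:
        findings.append('"HomePage"=dword:00000001 is not set under either policy key')
    start = keys.get(MAIN_KEY.lower(), {}).get("start page")
    allowed = {normalize_url(u) for u in allowed_start_pages}
    if start is None:
        findings.append('no "Start Page" value under ' + MAIN_KEY)
    elif normalize_url(start) not in allowed:
        findings.append('"Start Page" is %r, not one of the expected home pages' % start)
    return findings


if __name__ == "__main__":
    # Usage: python ie_homepage_audit.py [export.reg]   (regedit exports are UTF-16)
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-16") as fh:
            text = fh.read()
    else:
        text = SAMPLE_REG_EXPORT
    for finding in audit_homepage(parse_reg_export(text), ["http://www.microsoft.com/"]):
        print("FINDING:", finding)
```

Run against the constructed sample it reports one finding, the rewritten "Start Page", while the lockdown itself checks out; that is exactly the situation George describes. The policy value only tells you the restriction was applied, and as the thread shows it did not stop a program from writing to Main directly, so the audit compares the value itself rather than trusting the policy, and a rewritten value is the cue to look at what loads at startup and which BHOs are installed, as Mike suggests.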
 
Hi Mike. Well it turns out I was not able to stop the issue even with all the updates to MSIE 5.5 SP2 and even by turning off all ActiveX; turning off all Scripting; and disabling Java. I have the latest MS JVM that can be obtained and installed in Windows 2000 with all security patches. But the issue persists.

So I did a search in Google for blackbox.class which is one of the components of this jar archive that causes this issue. The class that causes the change in homepage and the addition of entries in Favorites is included in this jar. I believe what happens is the jar downloads into the Temporary Internet Files and sits there until java is reenabled. Then it fires and the problem persists.

Going to Sun's site on this they talk about how this issue is caused by MS JVM security issues and they do make it somewhat clear that the issue has never been fixed. They go on to say that if Sun's JVM is enabled as the default Java Virtual Machine then this issue will not occur.

I don't really like Sun's JVM but they are getting better. The nag screens when visiting a Java Applet enabled page are being phased out. That's a big plus. In any case I tried what they suggested and it seemed to do the trick. I enabled Sun's JVM as the default Java Virtual Machine. I then turned off Java. And all the rest; ActiveX and Scripting.

I seemed to have stopped this issue for now. Also have to empty TIF when done visiting Unknown sites.

Boy it sure is a lot of work just to surf the net.

--
George Hester