
Spybot DSO Exploit

Anonymous
September 9, 2004 12:35:20 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

The problem can be fixed easily if you do it right. It seems no one has
properly advised us beginners on how to correct the problem. In my case I
had five different "0\1004" zones that needed to be changed. I found the
solution by chance. I changed all of them the same way. I will just
illustrate one.

SpyBot's DSO Exploit:
HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet
Settings\Zones\0\1004!=W=3

What the program is saying is that the "W" has to be changed to 3. The "W" in
this case is the "Dword".

1. If you follow the above path in the registry to the 0 zone folder you will
see in the right hand window the number 1004 in the name column.
2. In the next column, the Data column, you will find a blank. This blank
has to be changed to "x00000003(3)"
3. To do this you have to right click on the data column. A "NEW" will
appear. Click on it. From popup screen select "DWORD Value".
4. This will put a "NEW Value #1" at the bottom of the window. Left click on
the small icon on the left of the "New Value #1" file.
5. An "Edit DWORD Value" screen will appear.
6. In the "Value Data" window insert the number 3. (make sure the Base
Hexadecimal is checked) then click ok.
7. Then go back and delete the original 1004 file.
8. Rename the "NEW Value #1" number "1004".

Once you've done all the registry entries showing in SPYBot's DSO
Exploit...the problem will be solved.

FM


Anonymous
September 9, 2004 1:17:02 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

Actually in my registry the key is a string value and it's left blank. Here
is a quote from the Spybot forum. Note that if you have properly updated and
patched your XP OS this is not an issue any more. The problem was fixed by a
patch ages ago. Get updated and you won't have this problem. Here is the
quote. "Well, yes and no. You see, there are several reports of this issue
here in the Spybot forum, which shows that it is happening for a lot of
people, so in that sense it's normal - meaning your system is reacting like
many others...

However, the fact that Spybot isn't properly fixing this is just a simple
bug that I'm sure will be fixed soon.

Basically what's happening is that Spybot is finding that the security
setting for "Download unsigned ActiveX controls" for the (normally) hidden
"My Computer" zone in Internet Explorer is not set to disabled.

Given that anyone who is properly patched (via Windows Update) is not
vulnerable to this exploit anymore, this is really not a serious issue, so
provided your system is patched, you have nothing to worry about and can just
ignore this until the fix comes out.

As to why Spybot isn't fixing it right, and what exactly it is doing when it
goes to fix the value, here's a little analysis from testing this a few
minutes ago...

Decoding the values displayed:


QUOTE
..\Internet Settings\Zones\0\1004!=W=3


The "\0\" points to the My Computer Zone. The key "1004" holds the value for
the specific setting "Download unsigned ActiveX controls". The "!=" means
"not equal". "W=3" (word value of 3) specifically means "disabled".
Therefore, Spybot is finding that this setting is not disabled for various
users defined on the system.

When it actually goes to fix that value, (ie. to simply change whatever it
is set to currently to a value of 3), the bug is that it isn't setting it to
the proper type of data element - a DWORD value. Therefore, that registry
item ends up with no value at all after the fix is performed, and so every
time you run a scan again, Spybot still finds that the value in that/those
keys is not equal to 3.
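
A read-only check of the setting discussed above, added here as an example and not part of the original thread: for each user hive under HKEY_USERS it reports the type and data of value 1004 in Zones\0, so a blank string value can be told apart from a DWORD of 3. The function name is hypothetical and PowerShell 3.0 or later is assumed.

```powershell
# Audit "Download unsigned ActiveX controls" (value 1004) in the My Computer
# zone (Zones\0) for every user hive loaded under HKEY_USERS.
# Read-only: nothing is written to the registry.
$subPath = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\0'

# Hypothetical helper name; not part of Spybot S&D or Windows.
function Get-Zone0Setting1004 {
    $hives = Get-ChildItem -Path 'Registry::HKEY_USERS' -ErrorAction SilentlyContinue
    foreach ($hive in $hives) {
        $sid = $hive.PSChildName
        $key = Get-Item -Path "Registry::HKEY_USERS\$sid\$subPath" -ErrorAction SilentlyContinue
        if (-not $key) { continue }   # hive has no Zones\0 key (e.g. *_Classes)

        if ($key.GetValueNames() -contains '1004') {
            $kind = $key.GetValueKind('1004')   # String, DWord, Binary, ...
            $data = $key.GetValue('1004')
        } else {
            $kind = 'Missing'
            $data = $null
        }

        # The scanner's test is "1004 != W=3": only a DWORD holding 3 passes.
        # A REG_SZ value, blank or not, fails because the type is wrong.
        [pscustomobject]@{
            Sid      = $sid
            Kind     = $kind
            Data     = $data
            Disabled = ($kind -eq 'DWord' -and $data -eq 3)
        }
    }
}

Get-Zone0Setting1004 | Format-Table -AutoSize
```

Rows with `Disabled` set to `False` are the hives a scanner checking `1004!=W=3` would keep flagging.
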
Anonymous
September 9, 2004 1:25:46 AM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

The Unknown P

Very good. I got the basic same answer on the patch from spybot. Now I can
ignore the constant repeat. If I understand you correctly, I have
effectively made the change that Spybot intended to make, which was not a
problem in the first place?

FM


"The Unknown P" <( mikisiw@msn.com )> wrote in message
news:D17D054C-799F-40CB-A142-0FD268E23FF3@microsoft.com...
> Actually in my registry the key is a string value and it's left blank. Here
> is a quote from the Spybot forum. Note that if you have properly updated and
> patched your XP OS this is not an issue any more. The problem was fixed by a
> patch ages ago. Get updated and you won't have this problem. Here is the
> quote. "Well, yes and no. You see, there are several reports of this issue
> here in the Spybot forum, which shows that it is happening for a lot of
> people, so in that sense it's normal - meaning your system is reacting like
> many others...
>
> However, the fact that Spybot isn't properly fixing this is just a simple
> bug that I'm sure will be fixed soon.
>
> Basically what's happening is that Spybot is finding that the security
> setting for "Download unsigned ActiveX controls" for the (normally) hidden
> "My Computer" zone in Internet Explorer is not set to disabled.
>
> Given that anyone who is properly patched (via Windows Update) is not
> vulnerable to this exploit anymore, this is really not a serious issue, so
> provided your system is patched, you have nothing to worry about and can just
> ignore this until the fix comes out.
>
> As to why Spybot isn't fixing it right, and what exactly it is doing when it
> goes to fix the value, here's a little analysis from testing this a few
> minutes ago...
>
> Decoding the values displayed:
>
>
> QUOTE
> ..\Internet Settings\Zones\0\1004!=W=3
>
>
> The "\0\" points to the My Computer Zone. The key "1004" holds the value for
> the specific setting "Download unsigned ActiveX controls". The "!=" means
> "not equal". "W=3" (word value of 3) specifically means "disabled".
> Therefore, Spybot is finding that this setting is not disabled for various
> users defined on the system.
>
> When it actually goes to fix that value, (ie. to simply change whatever it
> is set to currently to a value of 3), the bug is that it isn't setting it to
> the proper type of data element - a DWORD value. Therefore, that registry
> item ends up with no value at all after the fix is performed, and so every
> time you run a scan again, Spybot still finds that the value in that/those
> keys is not equal to 3.
>
>
Anonymous
September 9, 2004 12:03:55 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

On Wed, 8 Sep 2004 20:35:20 -0700, "FM" <fm@ncinternet.com> wrote:

>The problem can be fixed easily if you do it right. It seems no one has
>properly advised us beginners on how to correct the problem. In my case I
>had five different "0\1004" zones that needed to be changed. I found the
>solution by chance. I changed all of them the same way. I will just
>illustrate one.
>
>SpyBot's DSO Exploit:
>HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet
>Settings\Zones\0\1004!=W=3
>
>What the program is saying is that the "W" has to be changed to 3. The "W" in
>this case is the "Dword".
>
>1. If you follow the above path in the registry to the 0 zone folder you will
>see in the right hand window the number 1004 in the name column.
>2. In the next column, the Data column, you will find a blank. This blank
>has to be changed to "x00000003(3)"
>3. To do this you have to right click on the data column. A "NEW" will
>appear. Click on it. From popup screen select "DWORD Value".
>4. This will put a "NEW Value #1" at the bottom of the window. Left click on
>the small icon on the left of the "New Value #1" file.
>5. An "Edit DWORD Value" screen will appear.
>6. In the "Value Data" window insert the number 3. (make sure the Base
>Hexadecimal is checked) then click ok.
>7. Then go back and delete the original 1004 file.
>8. Rename the "NEW Value #1" number "1004".
>
>Once you've done all the registry entries showing in SPYBot's DSO
>Exploit...the problem will be solved.
>
>FM
>
A much easier way to avoid SpyBot S&D constantly showing the DSO
Exploit, which does not require Registry entries, is outlined below:
1) Make sure you have the latest version of SpyBot S&D installed
(1.3.0.12).
2) Open SpyBot S&D, click on "Settings".
3) Click on "Ignore products".
4) Click on "All Products" tab
5) Scroll down list until you come to the "DSO Exploit" entry.
6) Put a check mark beside it.
7) Close SpyBot S&D.

Donald L McDaniel
Keep the thread intact
Post reply to original newsgroup
=======================================================
Anonymous
September 9, 2004 1:07:09 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

There is a patch\update on the way from Spybot. I think though that you
missed my main point. You will not get any DSO exploits at all if you have
your Windows system up to date. This is a rather old patch from MS that
addressed this issue. If you have all of the latest patches from Windows
Update, the DSO Exploit
is a non-issue. Spybot has a bug, and you can safely set Spybot to ignore
the DSO Exploit; as long as Windows is current with the patches. {]:~)
Anonymous
September 9, 2004 11:40:31 PM

Archived from groups: microsoft.public.windowsxp.basics (More info?)

FM wrote:
> The problem can be fixed easily if you do it right. It seems no one
> has properly advised us beginners on how to correct the problem. In
> my case I had five different "0\1004" zones that needed to be
> changed. I found the solution by chance. I changed all of them the
> same way. I will just illustrate one.
>
> SpyBot's DSO Exploit:
> HKEY_USERS\S-1-5-19\Software\Microsoft\Windows\CurrentVersion\Internet
> Settings\Zones\0\1004!=W=3
>
> What the program is saying is that the "W" has to be changed to 3.
> The "W" in this case is the "Dword".
>
> 1. If you follow the above path in the registry to the 0 zone folder
> you will see in the right hand window the number 1004 in the name
> column.
> 2. In the next column, the Data column, you will find a blank. This
> blank has to be changed to "x00000003(3)"
> 3. To do this you have to right click on the data column. A "NEW"
> will appear. Click on it. From popup screen select "DWORD Value".
> 4. This will put a "NEW Value #1" at the bottom of the window. Left
> click on the small icon on the left of the "New Value #1" file.
> 5. An "Edit DWORD Value" screen will appear.
> 6. In the "Value Data" window insert the number 3. (make sure the
> Base Hexadecimal is checked) then click ok.
> 7. Then go back and delete the original 1004 file.
> 8. Rename the "NEW Value #1" number "1004".
>
> Once you've done all the registry entries showing in SPYBot's DSO
> Exploit...the problem will be solved.
>
> FM


That's a lot of work, just to prevent a false positive that can
easily be turned off from within SpyBot S&D.

The DSO exploit was patched long ago by IE Cumulative Update
MS02-015, in March of 2002. If you've installed this specific patch,
or any subsequent IE Cumulative Updates, or IE Service Pack 1, you're
safe. It would appear that the latest version of Spybot S&D is only
checking for Internet zone settings in the registry that could be used
as work-around protection, and not for the presence of any corrective
patches. Hopefully, the makers of Spybot will soon fix this bug.

MS02-015 March 28, 2002 Cumulative Patch for Internet Explorer
http://support.microsoft.com/default.aspx?scid=kb;EN-US;319182

If you like, you can test your system for this particular
vulnerability at this web site:
http://www.grey.com/security/advisories/gm001-ie/

The makers of SpyBot S&D have acknowledged the problem and will
fix it on their next update:
http://www.safer-networking.org/index.php?page=paragrap...

In the meantime, in SpyBot S&D, click Mode > Advanced > Settings >
Ignore Products > Security > DSO Exploit, to turn off the false alarm.

--

Bruce Chambers

Help us help you:
http://dts-l.org/goodpost.htm
http://www.catb.org/~esr/faqs/smart-questions.html

You can have peace. Or you can have freedom. Don't ever count on
having both at once. - RAH