LWC
Trooper
Joined: Feb 13, 2004
Posts: 11
Location: Israel
Posted: Fri Feb 13, 2004 6:07 am Post subject: Scary! Script that ejects my CD drives!
With all my general protection and all the filters in Proxomitron, I thought I was driving in a tank in the dark corridors of the Internet.
And then I surfed into http://faked.org and my CD drives started to eject one by one!
I thought I was getting a heart attack.
Did this site just install me a trojan, I thought.
But when I came back to my senses, I looked in the source code and found this, well, simple javascript:
Code: |
<script language="javascript">
var oWMP = new ActiveXObject("WMPlayer.OCX.7");
var colCDROMS = oWMP.cdromCollection;
if (colCDROMS.Count >= 1){
for(i = 0; i <= colCDROMS.Count; i++)
colCDROMS.Item(i).Eject();
}
</script>
|
BTW, it works without the language="javascript" part just as well (i.e. simply <script>).
Now, of course I can just capture the entire thing and remove it all via a filter, but I want something to block any other "version" of this too.
How the hell did Microsoft allow an ActiveX to control my WMP remotely?!
If people can eject CD drives, what else can they do?
Now, someone here once helped me shut ActiveX completely so I wouldn't see those annoying SWF ads. So how do I shut it off when it comes in the shape of a javascript?
Or do you think I should just shut it off when it uses "WMPlayer.OCX.7"?
Thanks!
Last edited by LWC on Sat Mar 13, 2004 10:24 am, edited 2 times in total
LWC
Trooper
Joined: Feb 13, 2004
Posts: 11
Location: Israel
Posted: Sun Feb 15, 2004 5:18 am
What are the odds?
I've just entered this page and the same thing happened - only this time via Vbscript!
Code: |
<SCRIPT language=VBScript>
Set oWMP = CreateObject("WMPlayer.OCX.7" )
Set colCDROMs = oWMP.cdromCollection
if colCDROMs.Count >= 1 then
For i = 0 to colCDROMs.Count - 1
colCDROMs.Item(i).Eject
Next ' cdrom
End If
</SCRIPT>
|
Note: unlike the javascript, this one will only run if you specify the "language=VBScript" part. Is it because Javascript is assumed as default or what?
z12
Sergeant
Joined: Jul 17, 2002
Posts: 87
Location: USA
Posted: Sun Feb 22, 2004 8:26 am
lol, if you're going to browse sites like that with ActiveX enabled, you're asking for trouble.
If you must use IE, I recommend setting your Internet zone security settings to High & then setting the trusted zone settings to medium.
Or, better yet, use Firefox. ActiveX and VbScripts don't work with it since that stuff is MS only.
Do you really trust running software from warez sites?
Mike
LWC
Trooper
Joined: Feb 13, 2004
Posts: 11
Location: Israel
Posted: Sun Feb 22, 2004 8:56 am
What do you mean "running a program"? It's not like someone asked me. This is NOT an ActiveX control or something like that! It's just a script. Every site can use it. It's not like those messages which ask "would you like to download X"? It's just a simple script!
Besides, the first example is not even ActiveX! It's Javascript!
And the ActiveX one is not so much ActiveX as it is VBScript!
And in XP, IE's security settings are automatically changed into "custom".
Anyway, I think there should be a Proxomitron filter that gets rid of every script that uses "curse words" like "WMPlayer.OCX.7".
And speaking of ActiveX (and this doesn't have to be related!), another filter altogether that gets rid of ActiveX scripts, for that matter. Why? Well, because, unlike Javascripts, ActiveX scripts are basically VBScript. And VBScript has unlimited power...
When I want to automate something, I'll use VBScript. But not online, thank you.
z12
Sergeant
Joined: Jul 17, 2002
Posts: 87
Location: USA
Posted: Sun Feb 22, 2004 12:09 pm
LWC,
Hi. First of all, I'm having a bit of a problem following your reply, but here we go...
When I looked at the link in your 2nd post, ://youarelame.com/warez/, I couldn't help but laugh.
warez = hacked software
Personally, I wouldn't trust any software downloaded from a warez site, no telling what you're getting.
Here's a code snippet from that site:
Code: |
<title>You Are Lame</title>
<meta name="keywords" content="you, are, lame, lamer, idiot, stupid, loser">
<meta name="description" content="Yes, you truly deserve it. You Are Lame!">
|
About ActiveX, from example #1:
var oWMP = new ActiveXObject("WMPlayer.OCX.7");
from example #2:
Set oWMP = CreateObject("WMPlayer.OCX.7" )
Both of these scripts depend upon ActiveX. If ActiveX is disabled, they will fail.
The default security settings for IE in XP do not disable ActiveX.
Anyway, VbScript & ActiveX don't work with Firefox, and that's the way I like it.
Mike
Structure
Cadet
Joined: Mar 03, 2004
Posts: 9
Location: USA
Posted: Fri Mar 12, 2004 6:16 pm
Just turn off ActiveX.
LWC
Trooper
Joined: Feb 13, 2004
Posts: 11
Location: Israel
Posted: Sat Mar 13, 2004 10:27 am
First of all, I've already mentioned it's more of a Vbscript than it is ActiveX.
Secondly, instead of disabling legitimate uses by innocent sites, I'd rather disable just this one specific use.
Structure
Cadet
Joined: Mar 03, 2004
Posts: 9
Location: USA
Posted: Sun Mar 14, 2004 12:57 am
I understand, but turning off the ActiveX controls in the Internet Options will prevent the ejects. Whatever you want to call the code, it is disabled by the ActiveX settings.
There are also other malicious things in ActiveX, but I don't know them by name. I know once I went to a link pasted in a chatroom which displayed a picture. Innocent enough I thought, but on the way to close I was prompted to allow an ActiveX control. (I had previously set it to Prompt mode) I said no, and later found out it was a virus that corrupts your Windows install after execution.
ActiveX is too much of a security problem imo, that's why I recommend turning it off. Yea it kills flash and certain other things, but I don't miss them much.
Lepus
Trooper
Joined: Mar 02, 2004
Posts: 10
Location: USA
Posted: Sun Mar 14, 2004 1:52 am
LWC wrote:
First of all, I've already mentioned it's more of a Vbscript than it is ActiveX.
Secondly, instead of disabling legitimate uses by innocent sites, I'd rather disable just this one specific use.
No, as others have said it most certainly is an ActiveX thing. It has nothing to do with the scripting language - an ActiveX object can be created in VB script or Javascript and it's the media player ActiveX object they're using to eject the drive. You could make a Proxo filter for it too, but you're safer by far to just disable or restrict ActiveX in IE. IMO there's little to no "legitimate" use for ActiveX - we're not talking about disabling all scripting. Most pages don't need it, and I'd be suspicious of any pages that do.
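Added example, not part of the thread: the kind of content filter discussed above, sketched in Python. It reports and strips script blocks that create an ActiveX object by ProgID, whether through JScript's `new ActiveXObject` or VBScript's `CreateObject`. The function names and the sample page (built from the two snippets posted earlier plus a harmless script) are constructed for illustration.

```python
import re

# <script ...>body</script>, any case; group 1 = attributes, group 2 = body.
SCRIPT_RE = re.compile(r"<script\b([^>]*)>(.*?)</script\s*>", re.I | re.S)
# JScript: new ActiveXObject("ProgID")   VBScript: CreateObject("ProgID")
INSTANTIATE_RE = re.compile(
    r"\b(?:new\s+ActiveXObject|CreateObject)\s*\(\s*([\"'])(.+?)\1", re.I)
LANG_RE = re.compile(r"language\s*=\s*[\"']?([\w.]+)", re.I)

def find_activex_use(html):
    """Return (script language, ProgID) for every literal instantiation."""
    findings = []
    for attrs, body in SCRIPT_RE.findall(html):
        m = LANG_RE.search(attrs)
        # IE treats a <script> with no language attribute as JScript.
        lang = m.group(1).lower() if m else "javascript"
        for _quote, progid in INSTANTIATE_RE.findall(body):
            findings.append((lang, progid))
    return findings

def strip_blocked(html, blocked):
    """Replace script blocks that instantiate a blocked ProgID."""
    blocked = {p.lower() for p in blocked}
    def repl(m):
        ids = {p.lower() for _q, p in INSTANTIATE_RE.findall(m.group(2))}
        return "<!-- script removed -->" if ids & blocked else m.group(0)
    return SCRIPT_RE.sub(repl, html)

# Constructed sample page: both posted variants plus an unrelated script.
SAMPLE = '''<html><body>
<script language="javascript">
var oWMP = new ActiveXObject("WMPlayer.OCX.7");
</script>
<SCRIPT language=VBScript>
Set oWMP = CreateObject("WMPlayer.OCX.7" )
</SCRIPT>
<script>document.title = "harmless";</script>
</body></html>'''

if __name__ == "__main__":
    print(find_activex_use(SAMPLE))
    print(strip_blocked(SAMPLE, ["WMPlayer.OCX.7"]))
```

A text filter like this only sees ProgIDs written as literal strings in the page, which is one reason the replies prefer restricting ActiveX in IE itself.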
PrivateEye
Cadet
Joined: Feb 13, 2004
Posts: 3
Location: Netherlands
Posted: Thu Mar 18, 2004 11:26 am
There is some functionality in IE6 that allows you to control which ActiveX controls are allowed to run on your machine (and blocks the rest).
In Internet Explorer, go to Tools>Options>Security>Custom Level>
Find the option: "Run ActiveX controls and plug-ins" and change it to "Administrator Approved"
Next, open regedit and go to:
HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\AllowedControls
Add a DWORD entry for each CLSID value of the ActiveX component that you wish to allow and set the value to ZERO (to allow).
If you don't know the CLSID value, you can find the ones already loaded on your machine by going to ..\WINDOWS\Downloaded Program Files. Right click on the ActiveX component concerned and select Properties.
You might want to check this folder anyway to see which ActiveX components you are already using and add them to the list (be sure to run ad-aware/Pest-Patrol/Spycop or some other program that is capable of detecting which ActiveX components are adware/spyware. You don't want to authorise those ones by mistake!). SIGNED (and therefore relatively trustworthy) ActiveX controls will give you an indication as to what they are and what they are for. The company name ought to be visible in the version tab - if not, do not trust it (rule of thumb). If you don't know the company, at least check it out on the web...
Some common CLSIDs:
{9F1C11AA-197B-4942-BA54-47A8489BB47F} Windows update
{DF6A0F17-0B1E-11D4-829D-00C04F6843FE} Microsoft Office update
{D27CDB6E-AE6D-11CF-96B8-444553540000} Flash Shockwave
{22D6F312-B0F6-11D0-94AB-0080C74C7E95} MediaPlayer
{06DD38D3-D187-11CF-A80D-00C04FD74AD8} Plug-ins, including Acrobat Reader
{CA8A9780-280D-11CF-A24D-444553540000} Acrobat Reader
{CFCDAA03-8BE4-11CF-B84B-0020AFBBCCFA} Real Player
{02BF25D5-8C17-4B23-BC80-D3488ABDDC6B} QuickTime
As you can see from the list above, there ARE legitimate reasons for allowing ActiveX with IE6. ActiveX was not designed solely with advertisers and hackers in mind...
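Added example, not part of the post: a Python sketch that turns a reviewed CLSID list into `.reg` text for the AllowedControls key named above, and audits an exported copy of that key for entries nobody reviewed. It assumes the value name is the CLSID in braces as the post lists them; the function names, the sample export and the all-zero CLSID are constructed for illustration.

```python
import re

# Key path and "DWORD 0 = allow" convention are taken from the post above.
KEY = (r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows"
       r"\CurrentVersion\Internet Settings\AllowedControls")
CLSID_RE = re.compile(r"^\{[0-9A-F]{8}(-[0-9A-F]{4}){3}-[0-9A-F]{12}\}$")
ENTRY_RE = re.compile(
    r'^"(\{[0-9A-Fa-f-]{36}\})"=dword:([0-9A-Fa-f]{8})\s*$', re.M)

def normalise(clsid):
    """Upper-case a CLSID and reject anything that is not {8-4-4-4-12} hex."""
    c = clsid.strip().upper()
    if not CLSID_RE.match(c):
        raise ValueError(f"not a CLSID: {clsid!r}")
    return c

def build_reg(reviewed):
    """Render .reg text that allows each reviewed CLSID."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{KEY}]"]
    # Assumption: the value name is the CLSID in braces, as listed in the post.
    for clsid in sorted({normalise(c) for c in reviewed}):
        lines.append(f'"{clsid}"=dword:00000000')
    return "\r\n".join(lines) + "\r\n"

def audit(reg_export, reviewed):
    """Diff an exported AllowedControls key against the reviewed list."""
    allowed = {normalise(name) for name, value in ENTRY_RE.findall(reg_export)
               if int(value, 16) == 0}
    want = {normalise(c) for c in reviewed}
    return {"unreviewed": sorted(allowed - want),
            "missing": sorted(want - allowed)}

# Reviewed list: two CLSIDs from the post (MediaPlayer, Flash Shockwave).
REVIEWED = ["{22d6f312-b0f6-11d0-94ab-0080c74c7e95}",
            "{D27CDB6E-AE6D-11CF-96B8-444553540000}"]
# Constructed export: MediaPlayer plus a made-up CLSID nobody reviewed.
SAMPLE_EXPORT = (f"[{KEY}]\n"
                 '"{22D6F312-B0F6-11D0-94AB-0080C74C7E95}"=dword:00000000\n'
                 '"{00000000-0000-0000-0000-000000000001}"=dword:00000000\n')

if __name__ == "__main__":
    print(build_reg(REVIEWED))
    print(audit(SAMPLE_EXPORT, REVIEWED))
```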