New Shell Extension CLSID Black List
andre protas (randori82) <aprotaseeyecom> Friday, April 14 2006 01:57.24 CDT


There's a new registry key for blacklisting Shell Extension CLSIDs, introduced by the latest MS patch set (MS06-015).

Here's a bit of detail on the keys for Shell Extensions (http://support.microsoft.com/kb/216384/EN-US/):
HKLM:Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved is the CLSID list of Shell Extensions that are approved to run.  

Explorer compares a Shell Extension's CLSID against that list only when 'EnforceShellExtensionSecurity' is set to 1 under HKLM:Software\Microsoft\Windows\CurrentVersion\Policies\Explorer.  Nothing new there; that's existing functionality.

However, with MS06-015 there's a new key, HKLM:Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked, that is also consulted by ShouldLoadShellExt.

The *blocked list* is checked before the *allowed list*, so anything that is blocked will not run, whether or not it's in the *allowed list*.

So, following MS06-015, you can make sure hosts will not run Shell Extensions by adding their CLSID to the *blocked list*.
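As an added example (not part of the original post), the following PowerShell audits the Approved and Blocked lists, models the load decision the post describes (Blocked is checked first, Approved only when EnforceShellExtensionSecurity is 1), and adds a CLSID to the Blocked list. It assumes the Blocked key uses the same layout as Approved, i.e. one string value per extension whose value name is the braced CLSID and whose data is a free-form description; the function names and the sample CLSID are constructed for illustration.

```powershell
# Added example: audit and manage the Shell Extensions Approved / Blocked lists.
# Assumption: Blocked has the same layout as Approved (value name = braced CLSID,
# data = description). Run from an elevated prompt on a host that has MS06-015;
# older hosts never read the Blocked key, so entries there have no effect.

$Approved = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved'
$Blocked  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Blocked'
$Policy   = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ClsidPattern = '^\{[0-9A-Fa-f]{8}-([0-9A-Fa-f]{4}-){3}[0-9A-Fa-f]{12}\}$'

function Get-ShellExtList {
    # Return the braced CLSID value names stored under a list key
    # (an empty array if the key does not exist on this host).
    param([string]$Path)
    if (-not (Test-Path $Path)) { return @() }
    (Get-Item $Path).GetValueNames() | Where-Object { $_ -match $ClsidPattern }
}

function Test-ShellExtLoad {
    # Model of the decision order described in the post (not Explorer's own code):
    # a blocked CLSID never loads; the Approved list only matters when
    # EnforceShellExtensionSecurity is 1.
    param([string]$Clsid)
    if ((Get-ShellExtList $Blocked) -contains $Clsid) { return 'Blocked' }
    $enforce = (Get-ItemProperty -Path $Policy -Name EnforceShellExtensionSecurity `
                -ErrorAction SilentlyContinue).EnforceShellExtensionSecurity
    if ($enforce -eq 1) {
        if ((Get-ShellExtList $Approved) -contains $Clsid) { return 'Approved' }
        return 'NotApproved'
    }
    return 'AllowedNoEnforcement'
}

function Block-ShellExt {
    # Add a CLSID to the Blocked list (creating the key if needed). Explorer
    # picks the change up the next time it evaluates the extension.
    param([string]$Clsid, [string]$Description = 'Blocked by local policy')
    if ($Clsid -notmatch $ClsidPattern) { throw "Not a braced CLSID: $Clsid" }
    if (-not (Test-Path $Blocked)) { New-Item -Path $Blocked -Force | Out-Null }
    New-ItemProperty -Path $Blocked -Name $Clsid -Value $Description `
        -PropertyType String -Force | Out-Null
}

# Usage with a constructed placeholder CLSID (not a real shell extension):
$sample = '{00000000-0000-0000-0000-000000000001}'
Block-ShellExt -Clsid $sample -Description 'Example entry'
Test-ShellExtLoad -Clsid $sample    # Blocked, regardless of the Approved list

# Quick audit: any CLSID present in both lists is effectively disabled.
Get-ShellExtList $Approved | Where-Object { (Get-ShellExtList $Blocked) -contains $_ }
```

The audit at the end is the check to run after rolling the key out via policy: because Blocked is evaluated first, an extension that also sits in Approved stays disabled, which is the behaviour the post describes.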

Obviously this couldn't be used as the workaround for this patch's own issue, but for future Shell Extension vulnerabilities this is definitely a workaround.

This new key was found while reversing MS06-015 for XP.

~Andre Protas
