Disabling the ADODB.Stream Object

Last week, I wrote about two ways to quickly and easily work around problems with Microsoft ADO databases (ADODB). One solution is a registry script from eEye Digital Security and the other is PivX Solutions' Qwik-Fix. As far as I know, both of these solutions can disable parts of ADODB. If you missed last week's newsletter, you can read about the solutions at

http://www.winnetmag.com/article/articleid/43131/43131.html

The combined attack method that I wrote about last week involves the use of the ADODB.Stream object, which Microsoft says is essentially a memory-based file. Now Microsoft has released an official fix to disable ADODB.Stream for Windows Server 2003, Windows XP, and Windows 2000. You can download the "Critical Update for Microsoft Data Access Components - Disable ADODB.Stream object from Internet Explorer" fix at:

http://www.microsoft.com/downloads/details.aspx?familyid=4d056748-c538-46f6-b7c8-2fbfd0d237e3&displaylang=en

According to the related Microsoft article "How to disable the ADODB.Stream object from Internet Explorer," the fix makes changes to the registry that prevent the ADODB.Stream object from accessing the local disk drives via Microsoft Internet Explorer (IE). However, other applications that use the object can still access the disk if necessary.

http://support.microsoft.com/?kbid=870669

In addition to installing the Microsoft fix, which I think most security professionals would recommend, you might want to consider other configuration changes to your IE installations. Another Microsoft article, "How to strengthen the security settings for the Local Machine zone in Internet Explorer," describes how to disable ActiveX controls and Java applets, prompt the user before running scripts, prompt the user before accessing a database in another zone, control how zone security is applied (e.g., per user or the same settings for all users, whether users can change those settings), and use Group Policy to control IE security zone settings. Be aware that you might experience unwanted effects (as noted in the article) when you make some of the recommended changes.

http://support.microsoft.com/?kbid=833633

Two other articles--"How to Stop an ActiveX Control from Running in Internet Explorer" and "How to Remove an ActiveX Control in Windows"--describe how to prevent IE from using particular ActiveX controls and how to remove ActiveX controls if you need to do that for whatever reason. By using some or all of the recommended IE security settings, you can significantly increase browser security

http://support.microsoft.com/?kbid=240797

http://support.microsoft.com/?kbid=154850

Microsoft said that in the coming weeks it will release a series of security updates for IE that will provide additional protection; however, the company hasn't said what those updates might actually entail. The company also said that it's working on a "comprehensive update for all supported versions of Internet Explorer [which] will be released once it has been thoroughly tested and found to be effective across a wide variety of supported versions and configurations of Internet Explorer."

The company also said that the upcoming XP Service Pack 2 (SP2) will better protect users against attacks and unwanted content, including downloads. So in addition to the already-mentioned fixes and configuration changes, more help is on the way.