thx1200

Members
  • Content Count

    8
About thx1200

  • Rank
    Newbie
  1. I forgot to log back on and check to see if you had any questions about my post and I saw today via RSS that you reversed the change in the latest version. I just wanted to say thanks! The settings that were changed (other than breaking some other systems as I saw earlier in this post) govern much more than just CD Writing, as I'm sure you've noticed, as they change the way that Windows handles removable drives in several different aspects. In my particular case, one of the settings specifically controlled how the DVD-ROM was exposed as a shared resource. The way CDBurnerXP changed the setti
  2. I'm not sure I like the new Group Policy settings. I frequently use shared CDROMs on my systems, so I would prefer allocatecdroms=0, although I'm assuming this will break limited user CD Writing. Why can't we have an option in the installer to use either the new GP settings or the classic NMSAccess version for those of us that do not want the side effects of the GP settings?
  3. Sorry to pollute your forum with their problem. I was just expressing some frustration with what seemed to be a potential legitimate security problem (however unlikely) and the feeling of "nobody caring." Actually, I just got an email back from NuMedia. They explained in greater detail some of the mitigating factors required to get the exploit script to work (it seems quite a bit more complicated than the security bulletin made it sound) and I'm satisfied this is a non-issue. The security bulletin makes it seem as if only a few flipped flags in IE will enable the exploit, but in the wild
  4. If a script created a dangerous ISO file, it would still require you to burn that ISO to a disk and manually execute the dangerous content, which is two more steps required -- greatly increasing the scripting effort and time for a user to figure out what's going on (not to mention that you have to hope they have a blank CD already in the drive in addition to a low security IE in the first place). Creating an arbitrary text file that contains script code that is malicious that can be executed all within a browser all at once without user intervention is more dangerous. I also don't really
  5. You can blame the platform (IE), sure. But the fact remains that a burning API is providing a scriptable mechanism to write arbitrary data to an arbitrary location in the file system. Why? Why does NuMedia open that can of worms? It's poorly designed from a security perspective. This is similar to the WMF exploit, only on a smaller scale. WMF contained features it didn't need to (left over from 16-bit Windows) that gave a graphical image format the ability to script out dangerous code and execute it, unbeknownst to the user. Who expects opening an image file will execute a dangerous scrip
  6. Perhaps... But how many other web browser components provide a method that acts as an unfiltered gateway to the filesystem for scripts without a user prompt (such as a "save file" dialog)? If a MS component allowed this, it'd be big news. Right now it's just "security through obscurity." NuMedia really should fix this.
  7. I have to say that although the likelihood of "in the wild" exploit is small, there is still a risk. The "LogMessage" method should be augmented so that if it detects IE as a host, it will not allow file writing. I've written NuMedia directly to see what their reaction is. Never underestimate the stupidity/ignorance of users. There are many forms of malware (disguising itself as useful) that users readily install that greatly relax IE security settings during installation (after the user has elevated under Vista), which will make IE ripe for this type of attack by other malware loading th
  8. Maybe I'm just a moron, but I still don't understand the relation of that component to CDBurnerXP. In your advisory, I see something about a "behavior is by design" -- what behavior, exactly? What does that have to do with CDBurnerXP? Additionally, the securityreason.com article is how to exploit NMSDVDX.dll, not what it does for CDBurnerXP. Nothing explains how this component relates to CDBurnerXP. An example would be, "NMSDVDX.DLL provides DVD writing capabilities to CDBurnerXP and is a required component" or "NMSDVDX.DLL is optional and only for situations x, y, and z, so if you can de