
October 19th, 2006 by mb
I post this because it is easy to overlook patch re-releases, especially when they are off schedule. According to a Microsoft spokesperson, the original patch itself is not flawed; it just fails to correctly set the kill bit for the Microsoft XML Parser 2.6.
The kill bit is a registry setting that prevents Internet Explorer from creating the object in the browser. This is a defense-in-depth measure that reduces exposure to any future exploits of this object.
The update only affects the Windows 2000 version of the patch; other operating systems are not affected.
Posted in Patch Management

October 5th, 2006 by mb
Have you ever needed to audit which icons users click on the Start Menu? It makes quite an impressive forensics report when you can say exactly who clicked what and when. Well, you can do it in Windows pretty easily. First, enable auditing on all files under C:\Documents and Settings\All Users\Start Menu as well as on the individual user Start Menus. Make sure your local security policy is set to audit object access; then every time someone clicks a Start Menu icon, it will generate an Event Log entry.
Here’s a Log Parser query you can use to build a list of clicked icons:
logparser "SELECT TimeGenerated, RESOLVE_SID(SID), EXTRACT_PREFIX(EXTRACT_FILENAME(Path), 0, '.lnk') AS Item USING EXTRACT_TOKEN(Strings, 2, '|') AS Path FROM Security WHERE Path LIKE '%Start Menu%.lnk' ORDER BY TimeGenerated" -i:evt
You could also extend this to include icons on the desktop and on quick launch toolbars.
Hint: do you need to re-create Start Menu clicks on a system that didn’t have auditing enabled? Try looking at the last accessed date of each .lnk file. It’s not as accurate as the Event Log, but you’d be surprised what you can discover.
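As an added example (not the blog's own code), here is a small Python re-implementation of the Log Parser query above, run over constructed Security log records in the shape Log Parser's EVT input format exposes them, plus the hint's ".lnk last-access" fallback. The EXTRACT_TOKEN, EXTRACT_FILENAME and EXTRACT_PREFIX helpers mirror the Log Parser functions the query uses; the SID-to-account table standing in for RESOLVE_SID, the sample records and the account names are all made up.

```python
import os
import re
from typing import Dict, Iterable, List, Tuple

# Constructed sample records in the shape Log Parser's EVT input format
# exposes Windows 2000/XP Security log entries: TimeGenerated, SID and the
# pipe-joined Strings field. For object-access events the third token
# (index 2, as in the query) is the object name. Every value is made up.
SAMPLE_EVENTS: List[dict] = [
    {"TimeGenerated": "2006-10-05 09:12:03", "SID": "S-1-5-21-1-1-1-1001",
     "Strings": "Security|File|C:\\Documents and Settings\\All Users\\Start Menu"
                "\\Programs\\Accessories\\Calculator.lnk|1234|{0,0}|512|alice|CORP"},
    {"TimeGenerated": "2006-10-05 09:15:41", "SID": "S-1-5-21-1-1-1-1002",
     "Strings": "Security|File|C:\\Documents and Settings\\bob\\Start Menu"
                "\\Programs\\Notepad.lnk|1240|{0,0}|640|bob|CORP"},
    # Object access outside the Start Menu: the WHERE clause must drop it.
    {"TimeGenerated": "2006-10-05 09:16:00", "SID": "S-1-5-21-1-1-1-1002",
     "Strings": "Security|File|C:\\Documents and Settings\\bob\\My Documents"
                "\\notes.txt|1241|{0,0}|640|bob|CORP"},
    # Earlier event listed last, to show ORDER BY TimeGenerated; its SID has
    # no entry in the table, so it is reported raw, as RESOLVE_SID would.
    {"TimeGenerated": "2006-10-05 09:10:00", "SID": "S-1-5-21-1-1-1-1003",
     "Strings": "Security|File|C:\\Documents and Settings\\All Users\\Start Menu"
                "\\Programs\\Startup\\Reminder.lnk|1200|{0,0}|400|carol|CORP"},
]

# Stand-in for RESOLVE_SID(): a constructed SID-to-account table.
SID_NAMES: Dict[str, str] = {
    "S-1-5-21-1-1-1-1001": "CORP\\alice",
    "S-1-5-21-1-1-1-1002": "CORP\\bob",
}


def extract_token(s: str, index: int, sep: str) -> str:
    """EXTRACT_TOKEN(): the index-th (0-based) separator-delimited token, or ''."""
    parts = s.split(sep)
    return parts[index] if 0 <= index < len(parts) else ""


def extract_filename(path: str) -> str:
    """EXTRACT_FILENAME(): the part of a path after the last backslash."""
    return path.rsplit("\\", 1)[-1]


def extract_prefix(s: str, index: int, sep: str) -> str:
    """EXTRACT_PREFIX(): text before the index-th (0-based) occurrence of sep,
    or the whole string if sep occurs fewer than index+1 times."""
    parts = s.split(sep)
    return sep.join(parts[: index + 1]) if len(parts) > index + 1 else s


def clicked_items(events: Iterable[dict]) -> List[Tuple[str, str, str]]:
    """The query's result set: (TimeGenerated, account, Item) rows for every
    record whose object name matches '%Start Menu%.lnk' (Log Parser's LIKE
    is case-insensitive), ordered by TimeGenerated."""
    rows = []
    for ev in events:
        path = extract_token(ev["Strings"], 2, "|")
        if not re.search(r"start menu.*\.lnk$", path, re.IGNORECASE):
            continue
        account = SID_NAMES.get(ev["SID"], ev["SID"])
        item = extract_prefix(extract_filename(path), 0, ".lnk")
        rows.append((ev["TimeGenerated"], account, item))
    return sorted(rows)


def lnk_last_access(root: str) -> List[Tuple[float, str]]:
    """The hint's fallback for a system that had no auditing: walk a Start
    Menu tree and return (last-access epoch seconds, item name) for each .lnk,
    oldest first. Only as trustworthy as the volume's access-time updates."""
    rows = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower().endswith(".lnk"):
                atime = os.stat(os.path.join(dirpath, name)).st_atime
                rows.append((atime, name[:-4]))
    return sorted(rows)


if __name__ == "__main__":
    for when, who, item in clicked_items(SAMPLE_EVENTS):
        print(f"{when}  {who:<22} {item}")
```

Running the script prints the three Start Menu clicks in time order and leaves out the notes.txt access, exactly what the WHERE clause does in Log Parser; point lnk_last_access at a Start Menu folder to get the poorer man's version of the same report from file access times.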
Posted in Auditing, Hardening

October 1st, 2006 by mb
Using Log Parser, virtualization, and a little psychology. The article is available here to subscribers of Windows IT Security.
Posted in Hardening