Images Events Jobs Premium Services Media Kit Network Map E-mail Offers Vendor Solutions Webcasts
IT Management Webcasts:
The Role of Security in IT Service Management

Preparing for an IT Audit

More Webcasts

Search EarthWeb Network

Be a Commerce Partner
Condos For Sale
Laptop Batteries
GPS Devices
Car Donations
Corporate Awards
Promotional Pens
Desktop Computers
Hurricane Shutters
Compare Prices
Online Universities
Online Education
Promos and Premiums
Corporate Gifts

Linked Data Planet Conference & Expo

IT Management : Columns : Executive Tech: Should You Disable Windows Scripting Host?

Hyper-V: The Killer Feature in Windows Server 2008
It's fair to say that while many of the other new features are evolutionary, Hyper-V, by contrast, is revolutionary. Paul Rubens explores Microsoft's big step into virtualization. »

Download the Windows Server 2008 Trial
With Windows Server 2008 you can develop, deliver, and manage rich user experiences and applications, provide a secure network infrastructure, and increase technological efficiency and value within your organization. »

Reduce Complexity and Costs with Microsoft Identity and Access Solutions
Your organization depends on making digital information accessible to a broad spectrum of users over range of devices and networks. Register now for free Identity and Access Solutions from Microsoft. »

Virtualization from the Data Center to the Desktop
Integrated virtualization solutions from Microsoft can help you meet evolving demands more effectively as you transform your IT infrastructure from a cost center to a strategic business asset. »

- ITSMWatch Newsletter -
Tech Focus: Security

Cybersecurity: Laws Only Go So Far

Mozilla Firefox vs. Internet Explorer: Which is Safer?

Is Your Blog Leaking Trade Secrets?

The Las Vegas Counterfeiting Story: Is Your Privacy Worth More Than a Poker Chip?

Stopping Spammers at The Point of Sale

Product Watch
IOGEAR KVM - Includes Audio/Peripheral Sharing
Coverity Prevent / Coverity Thread Analyzer - Analyze Source Code For Defects, Security Vulnerabilities
USSD Series - SDRAM-Based Solid State Drives to 256 GB
UltraSMS - Send SMS From Your PC
Sentinel Sensors - Wi-Fi Based Temperature Monitoring Especially For Cold Storage

more products >>

Datamation Definitions
data mining
grid computing
network appliance
FREE Tech Newsletters

Download: SQL Compare Pro 6--For improving the speed and quality of your database changes SQL Compare has no comparison. It's faster, easier and it's around 90% more cost effective than the alternatives. Try it today for free!

Should You Disable Windows Scripting Host?
November 16, 2004
By Brian Livingston

Brian Livingston You've probably received from acquaintances dozens of e-mail messages like the following: "Hi, this is Bob. I'll be out of the office next week and won't be checking my e-mail. If you need something, try me after that..." and so forth.

Now imagine that you're checking your bank account online a few hours later. Unbeknownst to you, your browser has been redirected to a hacker site. The login screen looks exactly like your bank's, but the form is silently transmitting your username and password to thieves.

You didn't open an attachment that came with the e-mail from "Bob." You didn't even click a link in the message. By merely previewing the e-mail, a program was planted on your PC that allows someone to quietly eavesdrop when you log into almost any financial site.

That's the frightening hacker attack that MessageLabs, a respected e-mail and virus monitoring company, warns is just starting to make its way around the Internet.

The Most Inhospitable Hosts

Here's how the scam is said to work:

Fan Mail From Some Friend. Virus-infected PCs send out e-mails using names and addresses found on the local hard drive. That's why the message you received seemed to be from someone you know.

Exploits Without Attachments. Many viruses require that the victims open an e-mail attachment or visit a malicious Web site. But the "phishing" exploit described above requires none of this. Instead, the e-mail plants a program on your computer using a built-in feature of Microsoft Windows called the Windows Scripting Host (WSH).

Where You Go, You Know Not Where. The hacker's program adds lines into an unrelated Windows document known as the "Hosts" file. When you enter, for example, in your browser, the Hosts file can tell your browser to go instead to, a completely different site. The name of the hacker site may look slightly different in your browser's address bar than the name of your legitimate banking site, but many people don't notice such small details.

It's A Numbers Game. The hacker's look-alike site can't really log you into your online banking account — but it doesn't have to. After you type your username and password into the phony login screen, it will probably display a realistic "error message" saying a bad password was entered. The hacker's program will then deliver you to the real banking site, where your password this time works fine.

Most people would assume they'd made a simple typographical error on their first try and think nothing of it. But the thieves now know the right username and password to your account because you entered them correctly when using the hackers' look-alike screen.

Adopting Effective Counter-Measures

When reports started circulating last week about MessageLabs' warning, the writers tended to suggest that end users should disable or uninstall the Windows Scripting Host, without explaining what the feature does or how you would get rid of it.

I'll go into that in a minute, but first take a deep breath. Don't panic. You may already have defenses in place that make you immune to "phishing" attacks of this new type.

The Windows Scripting Host exists to run programs called scripts, usually VisualBasic or Jscript. Unfortunately, vulnerable browsers and e-mail programs can be induced to run these scripts without any notice to you.

The key in that last sentence is "vulnerable" browsers and e-mail programs. Your applications are not vulnerable if they categorize incoming e-mail messages as part of the so-called "Restricted Zone." When restricted, such messages cannot execute many kinds of potentially harmful files.

Microsoft's own Outlook XP and 2003 e-mail programs, for example, automatically classify e-mail as part of this Restricted Zone. And you can add this protection to older versions of Outlook by installing Mirosoft's "E-Mail Security Update" on top of Outlook 2000 and Outlook 98.

In addition, Microsoft has released a patch for current versions of Windows to give them immunity to the latest style of attack (more on that later).

Only users of Outlook 97 and older, therefore, would be susceptible to a stealth attack, such as the one described above. If your company still uses Outlook 97, you should immediately upgrade to a modern version of the program.

Bedtime For Windows Scripting Host

On the other hand, the fact that a powerful capability like Windows Scripting Host was fully enabled by default in Windows, where it could be accessed silently by an e-mail message, is the kind of boneheaded mistake that has made the defense of Windows a nightmare for end users and network administrators alike. (WSH is factory-installed in Windows 2000, Me, XP, and 2003 and is added to Windows 95, 98, and NT when you install Internet Explorer 5 or higher.)

If you don't use or need the features of WSH, it's possible to disable it to prevent it from running script files at any time.

There's a different procedure to disable WSH under different versions of Windows, so I can't give you all the necessary instructions here. A good step-by-step guide is provided on the WSH page of Sophos PLC, a security consulting firm.

If you're in a company of any size, however, there's a good chance that scripts may play an important role in keeping your business going.

"A lot of corporations are using WSH to do systems management," says Jason Chan, consulting services technical lead for security firm Symantec Corp. "To the extent that a corporation is doing these things, they're going to be restricted in disabling this."

Chan cautions that Windows users who would otherwise be protected can expose themselves to the risk of script attacks if they lower their security settings. Configuring an e-mail program to consider e-mails as part of the Trusted Zone, for example, can open the door to threats that otherwise would be turned away.

Besides using a modern e-mail program that refuses to run scripts, your company gets a great deal of protection against phishing attacks by running the basic security repertoire that every network should have. That includes a hardware firewall or personal (software) firewall, an antivirus scanner, an antispam filter, and a spyware remover. (Details on the best of these components, which comprise what I call a "security baseline," are available in a separate article.)

Patching Windows Is Smarter Than Disabling WSH

MessageLabs has reportedly seen only about 30 copies of "silent e-mails" around the world that seek to hijack users' Hosts files. Still, that could easily be the leading edge of a wave of new and more virulent e-mails.

Such a wave of malignant messages might primarily affect only Windows 95 and 98 users. But there are enough of those users connected to the Internet that they could seriously threaten corporate networks via the spam and denial-of-service attacks the compromised machines could launch.

Maksym Schipka — a Ukrainian national who is a senior antivirus researcher for MessageLabs in its Gloucester, England, office — says PC users who've upgraded to the latest security patches for Windows within the past four months are fully protected against the new "phishing" attack. In addition, he says, Service Pack 2 for Windows XP, which was released last August, closes the security hole.

"This problem was previously addressed by Microsoft to invalidate these attempts," Schipka says. Of course, that still leaves at risk many PC users who haven't upgraded to the latest software — but they're vulnerable to many other problems besides the new Windows Scripting Host exploit. These users should immediately run Windows Update (or use a commercial patch-management program) to protect themselves against such threats.

Schipka wasn't immediately able to identify the specific Microsoft patch that corrects the security vulnerability. Nor had MessageLabs at press time posted on its Web site a technical bulletin about the new-style attack.


In my view, keeping your operating system and your security applications freshly updated will do more to protect you from harm than disabling WSH will.

Brian Livingston is the editor of and the co-author of Windows Vista Secrets and 10 other books. Send story ideas to him via his contact page. To subscribe free and receive Executive Tech via e-mail, visit our signup page.

Add to your favorites
Add to your browser search box
IE 7 | Firefox 2.0 | Firefox 1.5.x
Receive news via our XML/RSS feed

Executive Tech Archives



Jupitermedia Corporation has two divisions: Jupiterimages and JupiterOnlineMedia

Jupitermedia Corporate Info

Legal Notices, Licensing, Reprints, & Permissions, Privacy Policy.

Advertise | Newsletters | Tech Jobs | Shopping | E-mail Offers

Whitepapers and eBooks
Microsoft Article: Will Hyper-V Make VMware This Decade's Netscape?
Microsoft Article: 7.0, Microsoft's Lucky Version?
Microsoft Article: Hyper-V--The Killer Feature in Windows Server 2008
Avaya Article: How to Feed Data into the Avaya Event Processor
Microsoft Article: Install What You Need with Windows Server 2008
HP eBook: Putting the Green into IT
Whitepaper: HP Integrated Citrix XenServer for HP ProLiant Servers
Intel Go Parallel Portal: Interview with C++ Guru Herb Sutter, Part 1
Intel Go Parallel Portal: Interview with C++ Guru Herb Sutter, Part 2--The Future of Concurrency
Avaya Article: Setting Up a SIP A/S Development Environment
IBM Article: How Cool Is Your Data Center?
Microsoft Article: Managing Virtual Machines with Microsoft System Center
HP eBook: Storage Networking , Part 1
Microsoft Article: Solving Data Center Complexity with Microsoft System Center Configuration Manager 2007
Intel Video: Are Multi-core Processors Here to Stay?
On-Demand Webcast: Five Virtualization Trends to Watch
HP Video: Page Cost Calculator
Intel Video: APIs for Parallel Programming
HP Webcast: Storage Is Changing Fast - Be Ready or Be Left Behind
Microsoft Silverlight Video: Creating Fading Controls with Expression Design and Expression Blend 2
Downloads and eKits
Sun Download: Solaris 8 Migration Assistant
Sybase Download: SQL Anywhere Developer Edition
Red Gate Download: SQL Backup Pro and free DBA Best Practices eBook
Red Gate Download: SQL Compare Pro 6
Iron Speed Designer Application Generator
Tutorials and Demos
How-to-Article: Preparing for Hyper-Threading Technology and Dual Core Technology
eTouch PDF: Conquering the Tyranny of E-Mail and Word Processors
IBM Article: Collaborating in the High-Performance Workplace
HP Demo: StorageWorks EVA4400
Intel Featured Algorhythm: Intel Threading Building Blocks--The Pipeline Class
Microsoft How-to Article: Get Going with Silverlight and Windows Live