Threat Level: green Handler on Duty: Russell Eubanks

SANS ISC InfoSec Handlers Diary Blog


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!

Excel new vuln FAQ

Published: 2006-06-19
Last Updated: 2006-06-19 21:08:13 UTC
by Adrien de Beaupre (Version: 2)
0 comment(s)
Update 2 <06/19/2006 21:00 UTC>  Microsoft released an official advisory a little while ago which details other workarounds for the Microsoft Excel Remote Code Vulnerability.  This advisory is located at http://www.microsoft.com/technet/security/advisory/921365.mspx.   Please read the advisory and see which of the suggested actions fits your environment the best.  

Update: A perl script was published on Milw0rm, which appears to exploit *some* Excel vulnerability. It creates a spreadsheet inclusing a very long URL. Once the user click on the URL, Excel will crash. As our reader Dominic pointed out, the script does not claim to be the 0day under discussion. Virustotal does not trigger any signatures based on the Excel file generated by the exploit.

Juha-Matti, a regular ISC contributor has written up some information into a FAQ. This is with regards to a recently discovered previously unknown vulnerability in Microsoft Excel. Gotten tired of the phrase '0day'?  I sure have.

http://blogs.securiteam.com/?p=451

Although I do not entirely agree with all of his advice, I think that the first and only defense is - defense in depth.
Do NOT rely solely on antivirus.
Do NOT rely solely on filtering by extension.
Do NOT open Excel files that appear unsolicited in your mailbox.
No single tool or measure is sufficient.

I am hoping that the point is getting accross, do not rely on traditional defensive measures, it is quite likely they will prove inadequate against a custom made targeted trojan built just to penetrate your infrastructure. Particularly using an undisclosed vulnerability. No signature based tool can help you in this case.

Cheers,
Adrien
(Maddison's Baba)
Keywords:
0 comment(s)

Empty emails?

Published: 2006-06-18
Last Updated: 2006-06-18 19:29:26 UTC
by Adrien de Beaupre (Version: 1)
0 comment(s)
I got the first completely empty email sometime late friday evening, and deleted it without investigating any further. Then I received two more Saturday morning. Now I've gotten almost a dozen, each from a different netblock around the world, and sent to different domains. The SANS NOC has seen 500+. The Internet Storm Center has gotten two queries about them.

There is some speculation it may be malware related, as in a poorly written piece of code spewing out empty emails. One other theory involves confirming known good addresses to seed a new piece of malware or spam. Is this related to Yamanner (sp?)?

Cheers,
Adrien
Keywords:
0 comment(s)
Diary Archives