SANS ISC: InfoSec Handlers Diary Blog

Greetings awareness - Awareness greetings?

Published: 2005-12-14
Last Updated: 2005-12-15 09:31:16 UTC
by Swa Frantzen (Version: 1)
It is the seasonal greetings time of the year again, and with the migration from traditional postal cards to short text messages, e-mails and e-cards it is time to warn users of the dangers associated with e-mails and e-cards.


Plain text messages obviously carry little risk and need no warnings. It gets worse when attachments are involved. Some of these attachments will not be just a simple picture; many will include executable programs, and those attachments might contain gifts you just do not want to receive. The best policy is to ignore such wishes from people you do not know to start with, and to be extremely careful even with attachments to e-mails from people you do know. Let's face it: many of those attachments are not created from scratch by the well-wisher; they contain foreign components whose creator you may have no reason to trust.

Also set a good example and just send plain old text messages to your contacts. It's a matter of leading by example. We'll come back to this ...
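The three risk levels above (plain text, attachments, and executables hiding in attachments) can be turned into a simple inbound-mail check. The Python script below is an added example and is not code from the diary or from the ISC; the sample messages it builds, the extension list and the addresses ending in example.invalid are constructed for illustration. It parses each message with the standard library, flags parts that look like Windows executables by file extension, declared MIME type or the "MZ" header at the start of the payload, and returns a verdict a mail filter could act on.

```python
"""Classify greeting e-mails by the risk categories in the diary: plain text,
attachment, or executable attachment. Added example; sample data is constructed."""
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows will execute on double-click (constructed list, not exhaustive).
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# MIME types mail clients commonly put on Windows executables.
EXECUTABLE_MIME = {"application/x-msdownload", "application/x-msdos-program", "application/x-dosexec"}


def attachment_is_executable(part) -> bool:
    """True if a non-multipart MIME part looks like a Windows executable."""
    name = (part.get_filename() or "").lower()
    # endswith() catches double extensions such as card.jpg.exe as well.
    if any(name.endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
        return True
    if part.get_content_type() in EXECUTABLE_MIME:
        return True
    # A PE executable starts with the "MZ" DOS header whatever name it was given.
    payload = part.get_payload(decode=True) or b""
    return payload[:2] == b"MZ"


def classify_message(raw: bytes) -> dict:
    """Parse a raw RFC 822 message and return a verdict plus the attachments seen."""
    msg = message_from_bytes(raw, policy=policy.default)
    attachments, executables, html_body = [], [], False
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no payload of their own
        if part.get_content_disposition() == "attachment" or part.get_filename():
            label = part.get_filename() or "<unnamed>"
            attachments.append(label)
            if attachment_is_executable(part):
                executables.append(label)
        elif part.get_content_type() == "text/html":
            html_body = True
    if executables:
        verdict = "executable-attachment"
    elif attachments:
        verdict = "attachment"
    elif html_body:
        verdict = "html"
    else:
        verdict = "plain-text"
    return {"verdict": verdict, "attachments": attachments, "executables": executables}


def build_samples() -> dict:
    """Construct three messages: a plain greeting, a picture, and a fake 'card' executable."""
    plain = EmailMessage()
    plain["From"], plain["To"] = "alice@example.invalid", "bob@example.invalid"
    plain["Subject"] = "Season's greetings"
    plain.set_content("Happy holidays, Bob! Plain text, no attachments.")

    picture = EmailMessage()
    picture["From"], picture["To"] = "alice@example.invalid", "bob@example.invalid"
    picture["Subject"] = "Snow in the garden"
    picture.set_content("Picture attached.")
    # Constructed PNG stand-in: the PNG signature followed by padding.
    picture.add_attachment(b"\x89PNG\r\n\x1a\n" + b"\x00" * 16,
                           maintype="image", subtype="png", filename="snow.png")

    card = EmailMessage()
    card["From"], card["To"] = "greetings@ecards.example.invalid", "bob@example.invalid"
    card["Subject"] = "You have received a card"
    card.set_content("Open the attached card to view your greeting.")
    # Constructed stand-in for a Windows executable: an MZ header plus padding, not a real program.
    card.add_attachment(b"MZ" + b"\x00" * 62,
                        maintype="application", subtype="octet-stream", filename="card.jpg.exe")

    return {"plain": plain.as_bytes(), "picture": picture.as_bytes(), "card": card.as_bytes()}


if __name__ == "__main__":
    for name, raw in build_samples().items():
        print(name, classify_message(raw))
```

Run it directly to see the verdict for each constructed message. A real deployment would feed it the raw bytes of incoming mail and quarantine anything classified as executable-attachment; the check is a heuristic, so an executable inside an archive or a renamed script still needs deeper inspection.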


E-cards are a different story. From a sender's perspective, a number of companies try to offer a responsible service, but how do you recognize them? If you use one of these services, you hand the company behind it the list of e-mail addresses of your friends. If the company is trustworthy that should cause little concern, but how can you be sure?

On the receiving end it gets worse: sometimes the card says who tried to send you something, sometimes it doesn't. Sometimes you know the company sending you the e-card, sometimes you've never heard of them. You do know that the sender sometimes gets a confirmation that you went and read the card.
If you read this diary regularly, you might even be aware of possible cross-site scripting issues that could be exploited somehow.

So what to do?

Start your own chain of secure greetings this year

Send out your e-mail greetings early this year. Keep them plain text and ask your contacts to please not send you e-cards, as you will not read them this year for security reasons.

If enough people do that, there will hopefully be fewer incidents of people getting infected with all sorts of malware and losing their privacy.

Swa Frantzen

Black tuesday - the day after

Published: 2005-12-14
Last Updated: 2005-12-14 20:22:34 UTC
by Swa Frantzen (Version: 1)
Traditionally we brace for impact on the Wednesday after the second Tuesday of the month. So far today has been rather uneventful. A big part of the reason is probably that the important update actually fixes things that have been exploited already and are therefore already past their peak.

So in summary: make sure you grab the MS05-054 update. It has fixes for things that have been exploited since last month. It also fixes 3 more vulnerabilities, but the one actively exploited vulnerability makes this patch mandatory.

Swa Frantzen

Microsoft December Patches

Published: 2005-12-14
Last Updated: 2005-12-14 19:17:32 UTC
by Johannes Ullrich (Version: 6)
Greetings everyone. It is Microsoft Patch Tuesday. Without any further ado, here are the Microsoft Security Bulletins.

Update for SUS 1 Users:
We got this note from our Australian reader Scott A.:
After the latest MS patches were announced I synchronised my SUS server. Now ALL previously approved patches are marked as updated but not approved.
He further claims that:
After speaking with a SUS engineer, it has been confirmed that if you have synchronized your SUS server anytime after 5:00 A.M. PST there is an issue with a corrupt catalog file that will make all of your APPROVED updates show as UPDATED and you will have to manually re-approve everything that was previously approved.

Microsoft is aware of this issue and has published Microsoft Knowledge Base Article 912307. It details the workaround if you have performed a synchronization and previously approved software updates have appeared as not approved.

MS05-054: Cumulative Security Update for Internet Explorer (905915)

This appears to be the long-awaited IE patch which I had hoped would have come out a couple of weeks ago. This update addresses the following vulnerabilities:

File Download Dialog Box Manipulation Vulnerability - CAN-2005-2829
HTTPS Proxy Vulnerability - CAN-2005-2830
COM Object Instantiation Memory Corruption Vulnerability - CAN-2005-2831
Mismatched Document Object Model Objects Memory Corruption Vulnerability - CAN-2005-1790

As this update addresses a number of problems, which aggregate to a critical severity on all operating systems earlier than Windows 2003, the ISC recommends that you patch as soon as possible.

While going through the documentation on this bulletin, we note that a kill bit is set for the First4Internet XCP uninstallation ActiveX control. For those that do not remember, First4Internet is the maker of the "Sony rootkit" related to digital rights management. In the aftermath of this issue hitting the mainstream, an uninstaller was created using ActiveX controls which also had security vulnerabilities.

MS05-055: Vulnerability in Windows Kernel Could Allow Elevation of Privilege (908523)

A vulnerability in the Asynchronous Procedure Call queue allows local users to escalate their privileges. A regular user (who has to be logged in first) could use this vulnerability to gain Administrator privileges.
Microsoft rates this vulnerability as "Important" as there is no direct remote vector to exploit this issue. However, coupled with an Internet Explorer vulnerability or similar issues, this could be used to gain Administrator privileges even if a user runs Internet Explorer as a less privileged user.

Note that remote exploit may be possible if user credentials are known.

MS05-011 Bulletin Update involving SMB

Microsoft updated this bulletin to make technical staff aware of KB896427. It would appear that in some cases, after patching with MS05-011, you would not be able to view the contents of subfolders on a network share in Windows XP. This is not necessarily a security issue, but may be critical for your organization.

MS05-050 Bulletin Update involving DirectX

Microsoft also updated this bulletin to advise of a revised version of this security update for Windows 2000 SP4, Windows XP SP1 and Windows 2003. This may not be a super critical issue in general, but you should be aware of this release.

KB905648: Update for Outlook 2003 Junk Email Filter

As usual, Microsoft updated their Junk Email Filter for Outlook 2003 for December.

Malicious Software Removal Tool

Microsoft updated their Malicious Software Removal Tool again this month to include variants of IRCBot, Ryknos, and F4IRootkit. For more information, take a look at the Malicious Software Removal Tool website.

Thanks to Johannes for putting up the initial diary, and to the other handlers for helping point out details to go into this extended diary.

Scott Fendley
Handler On Duty
