
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2006-06-15



Potential Patch Problem with MS06-025

Published: 2006-06-15
Last Updated: 2006-06-16 13:16:52 UTC
by Lorna Hutcheson (Version: 1)
We have received some reports of a potential issue with MS06-025. Here is a snippet of what appears to be the problem, as it was reported to us:

"We received a couple of calls that users are
not able to dial up after applying MS06-025 (KB911280).

I verified this on a test machine and it looks like it breaks dial up.

We have some scripts that need to be run in order to authenticate the user
properly after the dial up connection is established.

It looks like the patch prevents scripts from running at all. Even when I
turned on the terminal window (in interactive logon and scripting) I can't
log in manually at all. After the connection is established I can see the
Username prompt in the terminal window but I can't enter any data.

Uninstalling the patch fixes this."

UPDATE: The case number and guidance we received from Microsoft have been changed. Sorry for the initial confusion that some of you may have faced trying to use this case number. Here is the updated guidance from Microsoft that we have been given: they want each customer to open their own case. You need to mention MS06-025 breaking dial-up, and your case will be created and then added to the master case. The number to use to contact Microsoft for free support, for issues such as these, remains the same: 1-(866) PC-SAFETY.

E-mails with malicious links targeting Australia

Published: 2006-06-15
Last Updated: 2006-06-15 13:17:35 UTC
by Bojan Zdrnja (Version: 1)
We've received a couple of reports about spammed e-mails containing links to browser exploits. What's interesting about this is that they are targeting Australia.

All e-mails we've received have the same content, but the URL seems to be moving around. The body is pasted below:

"People starting panic withdrawals, some of the accounts were reported closed due to technical reasons, many ATMs are not operating. Does it seem that one of the Australia's greatest goes bankrupt? The full story could be found here: <URL>
Well, hope that isn't true... Anyway You'd rather check your balance..."

The page behind the URL contains obfuscated JavaScript. The JavaScript code checks which browser the user is running and redirects the user to the appropriate exploit, served by a CGI script.
The JavaScript also detects whether the user is running Service Pack 2 and appends that information as a CGI parameter as well.

The following Internet Explorer vulnerabilities are exploited:

MS03-011
MS06-006
MS06-014

One Mozilla Firefox vulnerability is exploited as well:

MFSA2005-50

For Firefox users, there is a good add-on for blocking malicious JavaScript. The add-on is called "NoScript". You can find more information at the following site:
https://addons.mozilla.org/firefox/722/



Sendmail Multi-Part MIME Message Handling Denial of Service vulnerability

Published: 2006-06-15
Last Updated: 2006-06-15 13:05:13 UTC
by Kevin Hong (Version: 1)

A new Sendmail vulnerability has been reported. It is caused by an error in the termination of the recursive "mime8to7()" function when performing MIME conversions. It can be exploited to cause a certain sendmail process to crash when it runs out of stack space while processing a deeply nested malformed MIME message, resulting in a DoS (Denial of Service). You can apply the patch or upgrade to version 8.13.7.

Affected versions: 8.13.6 and prior.


Additional vulnerability information can be found at the following sites:
http://www.sendmail.org/releases/8.13.7.html
http://www.kb.cert.org/vuls/id/146718
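
A mail gateway can screen for the condition described above by measuring multipart nesting depth before a message reaches an unpatched sendmail. The following Python check is an added example, not code from the diary or from Sendmail; the `MAX_DEPTH` threshold, the function names and the sample message are assumptions constructed for illustration, and the scanner is a line-based heuristic rather than a full MIME parser.

```python
import re

# Matches an unfolded multipart Content-Type header and captures its boundary.
_MULTIPART = re.compile(
    r'^content-type:\s*multipart/[^;]*;.*?\bboundary="?([^";\s]+)"?', re.I)
MAX_DEPTH = 20  # assumed local policy value, not taken from the page

def mime_nesting_depth(raw):
    """Deepest multipart nesting level, tracked with an explicit stack (no recursion)."""
    open_boundaries = []  # boundaries of multiparts opened but not yet closed
    deepest = 0
    # Unfold continuation lines so a boundary= on the following line is still seen.
    for line in re.sub(r'\r?\n[ \t]+', ' ', raw).splitlines():
        m = _MULTIPART.match(line)
        if m:
            # Count every opened multipart, even if it is never closed (malformed).
            open_boundaries.append(m.group(1))
            deepest = max(deepest, len(open_boundaries))
        elif line.startswith('--') and line.rstrip().endswith('--'):
            closed = line.rstrip()[2:-2]
            if closed in open_boundaries:
                # Closing delimiter: drop this level and anything left open inside it.
                del open_boundaries[open_boundaries.index(closed):]
    return deepest

def exceeds_limit(raw, limit=MAX_DEPTH):
    """True when the message nests multiparts deeper than the allowed limit."""
    return mime_nesting_depth(raw) > limit

# Constructed sample: three nested multiparts, then a sibling at depth two.
SAMPLE = """\
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: multipart/mixed;
 boundary="b2"

--b2
Content-Type: multipart/alternative; boundary=b3

--b3--
--b2--
--b1
Content-Type: multipart/mixed; boundary="b4"

--b4--
--b1--
"""

if __name__ == "__main__":
    print(mime_nesting_depth(SAMPLE), exceeds_limit(SAMPLE, limit=2))
```

Because the scanner treats any matching header line as a new level, it can overcount when a body quotes such a line, which errs toward flagging.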
