Archive for June 2006

Microsoft Software Removal Tool: Progress Made, Trends Observed

On Monday Microsoft released a white paper on the Malicious Software Removal Tool.
It contains some very cool info on the metrics of the scan results.

Additional Details on SAV 10 Vulnerability Released by eEye

eEye has released additional details on the SAV 10 vulnerability.
http://www.eeye.com/html/research/advisories/AD20060612.html
As rumored, the vulnerability is in the remote management interface and would allow an attacker to run code with SYSTEM privileges.

Overview:
eEye Digital Security has discovered a vulnerability in the remote management interface for Symantec AntiVirus 10.x and Symantec Client Security 3.x, which could be exploited by an anonymous attacker in order to execute arbitrary code with SYSTEM privileges on an affected system. The management interface is typically enabled in enterprise settings and listens on TCP port 2967 by default, for both server and client systems.

Yahoo Zero Day: JS.Yamanner Update

The SANS Internet Storm Center has information answering my question about the conflicting info on whether or not you have to open the attachment.

To activate the mass-mailer it is sufficient to open the mail message without clicking on the attachment and it will scour your address list and send itself as an attachment (forwarded message) to everyone on it. It searches for both @yahoo.com and @yahoogroups.com e-mail addresses.

They go on to say that the virus is poorly coded and does not do everything the writer is trying to achieve. There are two versions in circulation, with the second being an attempt at a bug fix.
Symantec 6/12 virus defs detect this.
Yamanner is written in JavaScript. It exploits a vulnerability in the Yahoo email service to send a copy of itself to the user’s Yahoo email contacts.
Mitigation is tough at this time. You can’t disable JavaScript and still access Yahoo Mail. The viral messages are from people you know. You could avoid opening unexpected messages, but that kinda negates the purpose of the Internet in my opinion. Users in the Yahoo Mail beta are not affected.

Yahoo Zero Day: JS.Yamanner

There is some talk over on the Full Disclosure mailing list of a worm on Yahoo Mail. They say it is exploiting a vulnerability in Yahoo Mail so that when you open an email with the exploit it will send email to gathered yahoo addresses.
Symantec has a writeup here.

JS.Yamanner@m performs the following actions:
Arrives on the compromised computer as an HTML email containing JavaScript. The email may have the following characteristics:
From: Varies
Subject: New Graphic Site
Message body: Note: forwarded message attached.
Once the email is opened the worm exploits a vulnerability in the Yahoo email service to run a script.
Sends a copy of itself to certain email addresses gathered from the Yahoo email folders.
Targets email addresses from the @yahoo.com and @yahoogroups.com domains.
Contacts the following URL:
[http://]www.av3.net/index.htm
Sends a list of email addresses gathered to the above URL.

It’s not clear from this if the user is required to open an email attachment to be exploited or if it occurs as the email message is opened.
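As an added example (not part of the original post or of Symantec’s writeup), here is a small mail-gateway check in Python that scores an incoming message against the indicators Symantec lists above: the subject line, the “forwarded message” note, an inline script in an HTML part, and a reference to www.av3.net. The two sample messages are constructed here, and the policy of holding a message at two or more matching indicators is an assumption.

```python
import email
import re
from email import policy

# Indicators taken from the Symantec description quoted above.
WORM_SUBJECT = "New Graphic Site"
WORM_BODY_NOTE = "Note: forwarded message attached."
WORM_URL_HOST = "www.av3.net"
# An inline script in an HTML mail body is the delivery mechanism described above.
SCRIPT_TAG_RE = re.compile(r"<\s*script\b", re.IGNORECASE)


def html_parts(msg):
    """Return the decoded text of every text/html part of a parsed message."""
    return [part.get_content() for part in msg.walk()
            if part.get_content_type() == "text/html"]


def score_message(raw_bytes):
    """Parse one raw RFC 2822 message and return (score, matched indicators)."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    reasons = []
    subject = (msg.get("Subject") or "").strip()
    if subject == WORM_SUBJECT:
        reasons.append("subject matches")
    bodies = html_parts(msg)
    if any(SCRIPT_TAG_RE.search(body) for body in bodies):
        reasons.append("HTML part contains <script>")
    if any(WORM_BODY_NOTE in body for body in bodies):
        reasons.append("forwarded-message note present")
    if any(WORM_URL_HOST in body for body in bodies):
        reasons.append("references " + WORM_URL_HOST)
    return len(reasons), reasons


def is_suspect(raw_bytes, threshold=2):
    """Assumed policy: two or more indicators is enough to hold the message."""
    score, _ = score_message(raw_bytes)
    return score >= threshold


# Constructed sample with the shape Symantec describes; the script body is a comment only.
SAMPLE_WORM_LIKE = (
    b"From: friend@yahoo.com\r\n"
    b"To: me@yahoo.com\r\n"
    b"Subject: New Graphic Site\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="BOUNDARY"\r\n'
    b"\r\n"
    b"--BOUNDARY\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n"
    b"\r\n"
    b"<html><body>Note: forwarded message attached."
    b"<script>/* constructed placeholder, no payload */</script>"
    b"</body></html>\r\n"
    b"--BOUNDARY\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"forwarded text\r\n"
    b"--BOUNDARY--\r\n"
)

# Constructed sample: an ordinary plain-text message.
SAMPLE_BENIGN = (
    b"From: friend@yahoo.com\r\n"
    b"To: me@yahoo.com\r\n"
    b"Subject: Lunch on Friday?\r\n"
    b"Content-Type: text/plain; charset=us-ascii\r\n"
    b"\r\n"
    b"Are you free at noon?\r\n"
)

if __name__ == "__main__":
    for name, raw in (("worm-like", SAMPLE_WORM_LIKE), ("benign", SAMPLE_BENIGN)):
        print(name, score_message(raw), "suspect" if is_suspect(raw) else "ok")
```

The subject and URL are weak indicators on their own (a second variant could change either), which is why the check combines them with the structural one, script in an HTML body, rather than matching any single string.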

ISA 2004 Migration

Saturday night, I swapped an ISA 2000 server with an ISA 2004 server running Windows 2003 SP1. Since I had new hardware I was able to set it up beforehand and cut over without too much trouble. The main problem I had was that on my test computer I had TLS 1.0 and SSL 3.0 enabled, so I didn’t notice that SSL 3.0 was not enabled on the server. On IE6 TLS 1.0 is not enabled by default (pretty stupid in my opinion). So I had to go into the security policy and disable the requirement for FIPS encryption.

McAfee Misdetects EICAR

EICAR is the antivirus industry standard for verifying that the antivirus scanner is on and can detect something. It’s a harmless line of text.
According to a post on the Full Disclosure mailing list, McAfee is misidentifying EICAR as elspy.worm.
The misdetection was reported with McAfee VirusScan Enterprise 8.0.0 (tested unpatched and with Patch 11) using the 4781 DAT file. I have not verified this report.

Why don’t they just post my passwords online and be done with it?

POWWEB, the hosting company I use, was purchased and we migrated over to a new platform this week.
One of the things about the new company is that they want your password when you contact support. Perhaps I’m kind of naive, but I expect that when I provide a company a password it is stored as a hash and the support drones are far from it. A system administrator could get it, but not a support drone. Either my webhost is storing the passwords in clear text, or it’s encrypted but accessible by support, or they create a hash from the password I give them and compare it to the stored hash. Either way the potential for harm here is great.
Most people at best have 2 levels of passwords. One for the bank and another for all the throwaway accounts, mailing lists, etc. So what happens now, a support drone at my webhost is able to go to Amazon, Fidelity, Bank of America and check if I used the same username/password there? Have these people not heard of insider attacks? Do they not read the news and see the AOL employee who sold the account roster to spammers? Do they not know of the Indian call center employees who are transferring money from customer accounts?
So what am I supposed to do, have a different password for every account that’s out there? That will be really convenient.
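The storage models the post describes are easy to contrast in code. The following is an added example, not anything from the blog or from the hosting company: a password store that keeps only a salted PBKDF2 hash (the iteration count and hash function are assumptions), so a support desk can confirm a password the customer reads out without ever being able to read one back, and so the same password held at two sites yields unrelated records.

```python
import hashlib
import hmac
import secrets

# Assumed work factor; raise it as hardware allows.
ITERATIONS = 600_000
HASH_NAME = "sha256"


def hash_password(password):
    """Derive a salted PBKDF2 record. A fresh 16-byte salt is generated per call,
    so identical passwords never produce identical records."""
    salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac(HASH_NAME, password.encode("utf-8"), salt, ITERATIONS)
    return "pbkdf2_{}${}${}${}".format(HASH_NAME, ITERATIONS, salt.hex(), dk.hex())


def verify_password(record, candidate):
    """Re-derive the hash from the candidate and compare in constant time.
    Nothing in the record lets the verifier recover the original password."""
    algorithm, iterations, salt_hex, dk_hex = record.split("$")
    if algorithm != "pbkdf2_" + HASH_NAME:
        return False
    dk = hashlib.pbkdf2_hmac(HASH_NAME, candidate.encode("utf-8"),
                             bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(dk, bytes.fromhex(dk_hex))


# Constructed user store: the only thing the host's database would hold.
USERS = {"blogowner": hash_password("correct horse battery")}


def support_check(username, spoken_password):
    """What a support desk may do: confirm a password the caller supplies.
    It cannot get a password out of the store, because none is there."""
    record = USERS.get(username)
    return record is not None and verify_password(record, spoken_password)


if __name__ == "__main__":
    print(USERS["blogowner"])
    print(support_check("blogowner", "correct horse battery"))  # True
    print(support_check("blogowner", "guess"))                  # False
```

Of the three possibilities the post lists, only the last one (hash what the caller says and compare) is compatible with this store; the other two require something reversible to exist on the support side, which is exactly the insider-risk the post worries about.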

Message Labs Link Following Feature

Message Labs is rolling out an update to its antivirus scanning with a new feature called link following.

The free Link Following feature will automatically examine all email messages containing URL links. Upon seeing a particular URL for the first time, Link Following will allow the email to continue on its path while it creates a copy of the URL for further investigation. Link Following actively (either heuristically or manually) follows these links and checks the linked website for viruses or other types of potentially harmful content or payload. If a suspicious link is confirmed as viral, a signature is created and any further emails containing that link are treated as messages containing a virus. This means that they will be quarantined for fourteen days under the same MessageLabs Anti-Virus procedure currently in place.
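To make the quoted policy concrete, here is an added example of the state machine it describes (my code, not MessageLabs’): the first message carrying an unknown URL is delivered while the URL is queued for analysis, and once analysis returns a viral verdict every later message carrying that URL is quarantined for fourteen days. The analyser is passed in as a callable; the one used in the demo is a constructed stand-in that flags one hostname.

```python
import re
from datetime import datetime, timedelta

URL_RE = re.compile(r"https?://[^\s<>\"']+", re.IGNORECASE)
QUARANTINE_DAYS = 14  # from the MessageLabs description quoted above


class LinkFollower:
    """Link-following filter: unknown URLs are delivered and queued for analysis;
    URLs with a viral verdict cause the carrying message to be quarantined."""

    def __init__(self, analyser):
        self.analyser = analyser   # callable(url) -> True if the linked content is viral
        self.verdicts = {}         # url -> "clean" or "viral"
        self.pending = []          # URLs seen for the first time, awaiting analysis
        self.quarantine = {}       # message_id -> release datetime

    def handle(self, message_id, body, now):
        """Return "quarantine" or "deliver" for one message body."""
        for url in sorted(set(URL_RE.findall(body))):
            verdict = self.verdicts.get(url)
            if verdict == "viral":
                self.quarantine[message_id] = now + timedelta(days=QUARANTINE_DAYS)
                return "quarantine"
            if verdict is None and url not in self.pending:
                # First sighting: let the mail through, investigate the link out of band.
                self.pending.append(url)
        return "deliver"

    def run_analysis(self):
        """Process the pending queue; in production this runs asynchronously."""
        while self.pending:
            url = self.pending.pop(0)
            self.verdicts[url] = "viral" if self.analyser(url) else "clean"


def demo():
    """Constructed scenario showing the first-sighting gap: the first message with
    the bad link is delivered, later ones are held. Hostnames are placeholders."""
    follower = LinkFollower(lambda url: "bad.example" in url)  # stand-in analyser
    now = datetime(2006, 6, 15, 9, 0)
    actions = []
    actions.append(follower.handle("m1", "look: http://bad.example/gfx.htm", now))
    follower.run_analysis()
    actions.append(follower.handle("m2", "again http://bad.example/gfx.htm", now))
    actions.append(follower.handle("m3", "notes at http://good.example/", now))
    follower.run_analysis()
    actions.append(follower.handle("m4", "http://good.example/ see", now))
    held_days = (follower.quarantine["m2"] - now).days
    return actions, held_days


if __name__ == "__main__":
    print(demo())  # (['deliver', 'quarantine', 'deliver', 'deliver'], 14)
```

The point worth noticing is the window between the first sighting and the verdict: the design trades a delay for the first recipient against blocking for everyone after, which is why it complements rather than replaces signature scanning of the message itself.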

“Huge” Shortcut Flaw

The security gadflies thought they were onto something with the announcement that if a shortcut were named www.example.com and you typed that into your browser, IE and Netscape would run what that shortcut pointed to.
The reason this isn’t a huge security vulnerability is that an attacker would have to be able to create files on the system for it to occur. Not much of an attack.

Adobe Reader 7.0.8

Adobe Reader 7.0.8 is out. The release notes indicate:

Security: several security bug fixes have been made, including one considered critical

According to Adobe a Critical vulnerability is “A vulnerability, which, if exploited would allow malicious native-code to execute, potentially without a user being aware.”
Why must Adobe be so mysterious? These vendors that hide critical security flaws behind “unspecified bug fixes” really annoy me. I have no way to know how important this patch is for my environment. It’s like a product recall. They want to just update you silently because otherwise they’ll get bad press for having a security flaw.