Feb 15th: New year new bugs

GEC: Discuss gaming, computers and electronics and venture into the bizarre world of STGODs.

Moderator: Thanas

Thunderfire
Jedi Master
Posts: 1063
Joined: 2002-08-13 04:52am

Post by Thunderfire »

A new IE exploit based on the leaked windows code has been found.
kojikun
BANNED
Posts: 9663
Joined: 2002-07-04 12:23am

Post by kojikun »

Thank Ein for this gem:

spyware remover: http://www.spywareinfo.com/downloads/to ... ckThis.exe
Yes! We have a soul! But it's made of many tiny robots.
Daltonator
Reclusive Wanker
Posts: 383
Joined: 2003-03-23 03:10pm
Location: Zelda fanboy heaven

Post by Daltonator »

JMS 4:22
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

Please keep this thread clear of clutter. Post alerts (and if available, solutions) only.
Xon
Sith Acolyte
Posts: 6206
Joined: 2002-07-16 06:12am
Location: Western Australia

Post by Xon »

Looks like there is a new exploit based on that accursed Windows Compiled HTML Help out again.

It uses javascripting to execute, so just loading the page is enough to get infected.

Ran into this one in the wild, and it infected some people who did have the latest Windows updates. However, it is fairly simple to remove.

Simply look and see if the process 'nosc32.exe' is running; if so, kill it. If that doesn't work, reboot into safe mode and kill it. (Task Manager->Processes->select 'nosc32.exe'->click 'End Process'). It hooks into HKLM\Software\Microsoft\Windows\CurrentVersion\Run to get autostarted at boot, and might do HKCU as well.

To completely remove it, delete the following files after killing the process
"c:\windows\system32\nosc32.exe" (or where ever you system32 directory is).

Clear your internet temp files to get rid of the rest of the junk which it used to infect your system.

Following files: nosc32.exe, loi.exe, LOI.CHM, f-tri.html (Orig. page), loi.html, 7449-Booger.swf(the bait)

The virus spams IRC channels to watch a flash movie; the page then loads the worm while the flash movie is playing and starts spamming IRC channels.

:edit:
And it's finally been noticed:

Vulnerability in Internet Explorer ITS Protocol Handler
Currently, there is no complete solution for this vulnerability. Until a patch is available, consider the workarounds listed below.

Disable ITS protocol handlers
Disabling ITS protocol handlers appears to prevent exploitation of this vulnerability. Delete or rename the following registry keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\{ms-its,ms-itss,its,mk}
Disabling these protocol handlers will significantly reduce the functionality of the Windows Help system and may have other unintended consequences. Plan to undo these changes after patches have been tested and installed.

Follow good Internet security practices
These recommended security practices will help to reduce exposure to attacks and mitigate the impact of cross-domain vulnerabilities.
  • Disable Active scripting and ActiveX controls

    NOTE: Disabling Active scripting and ActiveX controls will not prevent the exploitation of this vulnerability.

    Disabling Active scripting and ActiveX controls in the Internet and Local Machine Zones may stop certain types of attacks and will prevent exploitation of different cross-domain vulnerabilities. Disable Active scripting and ActiveX controls in any zones used to read HTML email.

    Disabling Active scripting and ActiveX controls in the Local Machine Zone will prevent malicious code that requires Active scripting and ActiveX controls from running. Changing these settings may reduce the functionality of scripts, applets, Windows components, or other applications. See Microsoft Knowledge Base Article 833633 for detailed information about security settings for the Local Machine Zone. Note that Service Pack 2 for Windows XP includes these changes.
  • Do not follow unsolicited links
    Do not click on unsolicited URLs received in email, instant messages, web forums, or Internet relay chat (IRC) channels.
  • Maintain updated anti-virus software
    Anti-virus software with updated virus definitions may identify and prevent some exploit attempts. Variations of exploits or attack vectors may not be detected. Do not rely solely on anti-virus software to defend against this vulnerability. More information about viruses and anti-virus vendors is available on the US-CERT Computer Virus Resources page.
"Okay, I'll have the truth with a side order of clarity." ~ Dr. Daniel Jackson.
"Reality has a well-known liberal bias." ~ Stephen Colbert
"One Drive, One Partition, the One True Path" ~ ars technica forums - warrens - on hhd partitioning schemes.
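Both the removal steps in the post (look for the nosc32.exe autostart hook under the Run keys) and the CERT workaround (delete or rename the ITS protocol handler keys) can be audited offline against a `reg export` of the relevant keys, which is how you would check a batch of machines rather than clicking through regedit. The following is an added example, not code from the post, from CERT or from Microsoft: it parses a constructed .reg export, flags Run/RunOnce entries that name one of the files listed in the post, and reports which of the four handler keys are still registered. The key paths and file names come from the post; the sample values, the `SoundMan` entry and the `{PLACEHOLDER-CLSID}` value are made up for the example.

```python
import re

# Registry keys named in the post and in the CERT workaround above.
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(Once)?$", re.IGNORECASE)
ITS_HANDLER_RE = re.compile(
    r"^HKEY_LOCAL_MACHINE\\SOFTWARE\\Classes\\PROTOCOLS\\Handler\\(ms-its|ms-itss|its|mk)$",
    re.IGNORECASE,
)
# File names from the post; extend with whatever the current alert names.
INDICATORS = ("nosc32.exe", "loi.exe")

# Constructed sample: roughly what `reg export` of the Run keys and the
# PROTOCOLS\Handler tree looks like on a machine carrying the autostart hook
# described above. Values and the CLSID are placeholders, not real data.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMan"="SOUNDMAN.EXE"
"nosc"="C:\\WINDOWS\\system32\\nosc32.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"MSMSGS"="\"C:\\Program Files\\Messenger\\msmsgs.exe\" /background"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\ms-its]
"CLSID"="{PLACEHOLDER-CLSID}"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PROTOCOLS\Handler\its]
"CLSID"="{PLACEHOLDER-CLSID}"
'''

# "name"=value or @=value (default value) lines inside a key section.
VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(raw):
    """Decode a .reg string value: strip the quotes and undo backslash escapes."""
    raw = raw.strip()
    if len(raw) >= 2 and raw[0] == '"' and raw[-1] == '"':
        raw = raw[1:-1]
    # .reg escapes backslash and double quote with a leading backslash
    return re.sub(r"\\(.)", r"\1", raw)


def parse_reg_export(text):
    """Parse .reg text into {key_path: {value_name: value}}."""
    keys = {}
    current = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            name = m.group(1) if m.group(1) is not None else "(Default)"
            keys[current][name] = _unescape(m.group(2))
    return keys


def find_autostart_hits(keys, indicators=INDICATORS):
    """Return (key, value_name, command) for Run/RunOnce entries naming an indicator."""
    hits = []
    for key, values in keys.items():
        if not RUN_KEY_RE.search(key):
            continue
        for name, command in values.items():
            if any(ind.lower() in command.lower() for ind in indicators):
                hits.append((key, name, command))
    return hits


def its_handlers_present(keys):
    """List which of the ms-its/ms-itss/its/mk handler keys are still registered."""
    present = []
    for key in keys:
        m = ITS_HANDLER_RE.match(key)
        if m:
            present.append(m.group(1).lower())
    return sorted(present)


if __name__ == "__main__":
    parsed = parse_reg_export(SAMPLE_REG_EXPORT)
    for key, name, command in find_autostart_hits(parsed):
        print(f"autostart hit: {key}\\{name} -> {command}")
    handlers = its_handlers_present(parsed)
    print("ITS handlers still registered:", ", ".join(handlers) or "none")
```

On a real machine the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run" run.reg` (and the HKCU and PROTOCOLS\Handler equivalents); an empty handler list means the workaround is in place, and any autostart hit is a machine to clean with the steps in the post.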
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

New worm alert 1 May 2004:

Anyone who has not applied patch as listed in MS Security Bulletin MS04-011 should do so ASAP -- just hit Windows Update.

Details on the Sasser worm may be found here at SANS
Faram
Bastard Operator from Hell
Posts: 5270
Joined: 2002-07-04 07:39am
Location: Fighting Polarbears

Post by Faram »

New critical update @windowsupdate

This time it's an update of an old patch

Info at Microsoft

No reboot to apply this one for once :)
[img=right]http://hem.bredband.net/b217293/warsaban.gif[/img]

"Either God wants to abolish evil, and cannot; or he can, but does not want to. ... If he wants to, but cannot, he is impotent. If he can, but does not want to, he is wicked. ... If, as they say, God can abolish evil, and God really wants to do it, why is there evil in the world?" -Epicurus


Fear is the mother of all gods.

Nature does all things spontaneously, by herself, without the meddling of the gods. -Lucretius
Admiral Valdemar
Outside Context Problem
Posts: 31572
Joined: 2002-07-04 07:17pm
Location: UK

Post by Admiral Valdemar »

There's a new worm out called "Korgo". This strain is like Sasser and exploits a backdoor to your system, but installs a key logger app. and is used primarily to get sensitive data like bank account numbers and details.
Crayz9000
Sith Apprentice
Posts: 7329
Joined: 2002-07-03 06:39pm
Location: Improbably superpositioned

Post by Crayz9000 »

Another VERY BAD Internet Explorer hole has been discovered -- actually, two. Only one of them is fixed by WinXP Service Pack 2.

The only known solution right now is to disable Active Scripting for all but the websites that you trust.

The Secunia advisory can be read if you want more information.
A Tribute to Stupidity: The Robert Scott Anderson Archive (currently offline)
John Hansen - Slightly Insane Bounty Hunter - ASVS Vets' Assoc. Class of 2000
HAB Cryptanalyst | WG - Intergalactic Alliance and Spoof Author | BotM | Cybertron | SCEF
Crayz9000
Sith Apprentice
Posts: 7329
Joined: 2002-07-03 06:39pm
Location: Improbably superpositioned

Post by Crayz9000 »

CERT is now recommending that IE users switch to non-affected browsers like Opera or Mozilla because of the js.scob.trojan virus that's now spreading across the Internet. I'm pretty sure this is related to the above hole.
CERT recommends that Explorer users consider other browsers that are not affected by the attack, such as Mozilla, Mozilla Firefox, Netscape and Opera. Mac, Linux and other non-Windows operating systems are immune from this attack. For people who continue to use the Internet Explorer, CERT and Microsoft recommend setting the browser's security settings to "high," but that can impair some browsing functions.
Faram
Bastard Operator from Hell
Posts: 5270
Joined: 2002-07-04 07:39am
Location: Fighting Polarbears

Post by Faram »

There is a new BHO (Browser Helper Object) that steals the passwords used in an SSL connection from Internet Explorer.

This stuff is bad and a full analysis of the attack can be found here:

Long URL to a PDF

To be safe, don't use IE when doing transactions, get some other browser and use that one.
Faram
Bastard Operator from Hell
Posts: 5270
Joined: 2002-07-04 07:39am
Location: Fighting Polarbears

Post by Faram »

Crayz9000 wrote:Another VERY BAD Internet Explorer hole has been discovered -- actually, two. Only one of them is fixed by WinXP Service Pack 2.

The only known solution right now is to disable Active Scripting for all but the websites that you trust.

The Secunia advisory can be read if you want more information.
The fix is just in:

Frigging long link @ MS

The documentation:

http://support.microsoft.com/?kbid=870669

This update ain't in Windowsupdate yet but I think it will be there really soon.

--***--- EDIT ---***---

The fix is available at www.windowsupdate.com; I suggest that you all go there and get it.
Faram
Bastard Operator from Hell
Posts: 5270
Joined: 2002-07-04 07:39am
Location: Fighting Polarbears

Post by Faram »

A shitload of updates appeared from MS on 20040713 but I haven't checked for updates due to vacation.

Anyways those you need can be found at windowsupdate or D/L the stuff from here:

Microsoft.com

This is the July update info
Faram
Bastard Operator from Hell
Posts: 5270
Joined: 2002-07-04 07:39am
Location: Fighting Polarbears

Post by Faram »

The latest update for MSIE is in.

Linky

If you use MSIE update ASAP it fixes some nasty stuff.
Crayz9000
Sith Apprentice
Posts: 7329
Joined: 2002-07-03 06:39pm
Location: Improbably superpositioned
Contact:

Post by Crayz9000 »

El Reg reports that a yet-unnamed worm similar to Download.Ject is spreading via AIM and ICQ, with the message apparently being "My personal home page http://XXXXXXX.X-XXXXXX.XXX/" The page it links to is filled with exploits and malware goodness.

This is only a concern if your default browser is Internet Explorer, and then again, you shouldn't really be dumb enough to open links from complete strangers in IM anyway.
Einhander Sn0m4n
Insane Railgunner
Posts: 18630
Joined: 2002-10-01 05:51am
Location: Louisiana... or Dagobah. You know, where Yoda lives.

Post by Einhander Sn0m4n »

Crayz9000 wrote:El Reg reports that a yet-unnamed worm similar to Download.Ject is spreading via AIM and ICQ, with the message apparently being "My personal home page http://XXXXXXX.X-XXXXXX.XXX/" The page it links to is filled with exploits and malware goodness.

This is only a concern if your default browser is Internet Explorer, and then again, you shouldn't really be dumb enough to open links from complete strangers in IM anyway.
Sounds like yet another variant of CWS to me. And I thought lop.com and xupiter were bad?! Ha!
Jade Falcon
Jedi Council Member
Posts: 1705
Joined: 2004-07-27 06:22pm
Location: Jade Falcon HQ, Ayr, Scotland, UK

Post by Jade Falcon »

I've set ICQ and AIM that I only receive messages from people I know anyway, believe me, I learned through ICQ that if you don't, you'd never have time in the day to do anything else than dismiss spam messages.
Don't Move you're surrounded by Armed Bastards - Gene Hunt's attempt at Diplomacy

I will not make any deals with you. I've resigned. I will not be pushed, filed, stamped, indexed, briefed, debriefed or numbered. My life is my own - Number 6

The very existence of flame-throwers proves that some time, somewhere, someone said to themselves, You know, I want to set those people over there on fire, but I'm just not close enough to get the job done.
Crayz9000
Sith Apprentice
Posts: 7329
Joined: 2002-07-03 06:39pm
Location: Improbably superpositioned

Post by Crayz9000 »

Guys, this really should be in another thread. This thread is for notices related to new Windows/MSIE bugs that are out.
Faram
Bastard Operator from Hell
Posts: 5270
Joined: 2002-07-04 07:39am
Location: Fighting Polarbears

Post by Faram »

A new critical bug.

Full info here:

Microsoft.com

Executive Summary:
This update resolves a newly-discovered, privately reported vulnerability. A buffer overrun vulnerability exists in the processing of JPEG image formats that could allow remote code execution on an affected system. The vulnerability is documented in this bulletin in its own section.

If a user is logged on with administrator privileges, an attacker who successfully exploited this vulnerability could take complete control of an affected system, including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges. Users whose accounts are configured to have fewer privileges on the system would be at less risk than users who operate with administrative privileges.

Microsoft recommends that customers apply the update immediately.
phongn
Rebel Leader
Posts: 18487
Joined: 2002-07-03 11:11pm

Post by phongn »

Said bug does not apply to XP SP2, BTW
Faram
Bastard Operator from Hell
Posts: 5270
Joined: 2002-07-04 07:39am
Location: Fighting Polarbears

Post by Faram »

phongn wrote:Said bug does not apply to XP SP2, BTW
True but it affects a shitload of other applications:

Get some fixes from:

http://www.windowsupdate.com

http://www.officeupdate.com
Affected Software:

Microsoft Windows XP and Microsoft Windows XP Service Pack 1 – Download the update

Microsoft Windows XP 64-Bit Edition Service Pack 1 – Download the update

Microsoft Windows XP 64-Bit Edition Version 2003 – Download the update

Microsoft Windows Server™ 2003 – Download the update

Microsoft Windows Server 2003 64-Bit Edition – Download the update

Microsoft Office XP Service Pack 3 – Download the update

Microsoft Office XP Service Pack 2 – Download the administrative update

Microsoft Office XP Software:

Outlook® 2002

Word 2002

Excel 2002

PowerPoint® 2002

FrontPage® 2002

Publisher 2002

Microsoft Office 2003 – Download the update

Microsoft Office 2003 Software:

Outlook® 2003

Word 2003

Excel 2003

PowerPoint® 2003

FrontPage® 2003

Publisher 2003

InfoPath™ 2003

OneNote™ 2003

Microsoft Project 2002 Service Pack 1 (all versions) – Download the update

Microsoft Project 2003 (all versions) – Download the update

Microsoft Visio 2002 Service Pack 2 (all versions) – Download the update

Microsoft Visio 2003 (all versions) – Download the update

Microsoft Visual Studio .NET 2002 – Download the update

Microsoft Visual Studio .NET 2002 Software:

Visual Basic .NET Standard 2002

Visual C# .NET Standard 2002

Visual C++ .NET Standard 2002

Microsoft Visual Studio .NET 2003 – Download the update

Microsoft Visual Studio .NET 2003 Software:

Visual Basic .NET Standard 2003

Visual C# .NET Standard 2003

Visual C++ .NET Standard 2003

Visual J# .NET Standard 2003

The Microsoft .NET Framework version 1.0 SDK Service Pack 2 – Download the update

Microsoft Picture It!® 2002 (all versions) – Download the update

Microsoft Greetings 2002 – Download the update

Microsoft Picture It! version 7.0 (all versions) – Download the update

Microsoft Digital Image Pro version 7.0 – Download the update

Microsoft Picture It! version 9 (all versions, including Picture It! Library) – Download the update

Microsoft Digital Image Pro version 9 – Download the update

Microsoft Digital Image Suite version 9 – Download the update

Microsoft Producer for Microsoft Office PowerPoint (all versions) – Download the update

Microsoft Platform SDK Redistributable: GDI+ - Download the update
Rogue 9
Scrapping TIEs since 1997
Posts: 18644
Joined: 2003-11-12 01:10pm
Location: Classified

Post by Rogue 9 »

Slashdot
New IM Worm On The Loose


Posted by CmdrTaco on Monday October 11, @07:28PM
from the head-for-the-hills dept.
elfarto writes "Techweb is reporting that a new worm that spreads via Microsoft's instant messaging client began badgering users Monday, several security firms said. Dubbed Funner, the worm propagates by sending itself to all the contacts listed in the user's copy of MSN Messenger, Microsoft's IM client. There is an analysis on the Symantec Security Response site; apparently the worm tries to download stuff from www.78p.com and adds entries to the hosts file pointing to more than 400 Chinese porn sites. The worm also sends itself to the whole contact list as funny.exe, so it requires user interaction to actually execute."
It's Rogue, not Rouge!

HAB | KotL | VRWC/ELC/CDA | TRotR | The Anti-Confederate | Sluggite | Gamer | Blogger | Staff Reporter | Student | Musician
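A hosts file that has been rewritten with hundreds of entries, as the Funner analysis quoted above describes, is easy to spot by auditing the file for addresses that answer for many names and for any non-loopback entry the administrator did not put there. The following is an added example, not code from the Slashdot post or from Symantec: it parses a constructed hosts file and reports both signals. The hostnames and addresses are documentation-range placeholders, and the `ALLOWLIST` and `fanout_threshold` values are assumptions for the example.

```python
import ipaddress
from collections import defaultdict

# Constructed sample hosts file: the usual localhost line, one legitimate
# intranet entry, and a block of injected entries of the kind the Funner
# analysis above describes. Hostnames and addresses are placeholders.
SAMPLE_HOSTS = """\
# This is a sample HOSTS file used by Microsoft TCP/IP for Windows.
127.0.0.1       localhost
192.0.2.10      intranet.example.test   # legitimate, on the allowlist below
198.51.100.7    www.site-a.example
198.51.100.7    www.site-b.example
198.51.100.7    www.site-c.example
198.51.100.7    www.site-d.example
198.51.100.7    www.site-e.example
"""

# Entries an administrator knows about (assumption for the example).
ALLOWLIST = frozenset({("192.0.2.10", "intranet.example.test")})


def parse_hosts(text):
    """Return (ip, hostname) pairs from hosts-file text, ignoring comments and blank lines."""
    pairs = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            ip = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue  # malformed line; the resolver would not use it either
        for host in fields[1:]:
            pairs.append((ip, host.lower()))
    return pairs


def audit_hosts(text, allowlist=ALLOWLIST, fanout_threshold=3):
    """Report non-loopback entries outside the allowlist and addresses with many names."""
    by_ip = defaultdict(list)
    unexpected = []
    for ip, host in parse_hosts(text):
        if ipaddress.ip_address(ip).is_loopback:
            continue  # 127.0.0.1 localhost and friends are normal
        by_ip[ip].append(host)
        if (ip, host) not in allowlist:
            unexpected.append((ip, host))
    # One address answering for many names is the hijack pattern described above.
    fanout = {ip: hosts for ip, hosts in by_ip.items() if len(hosts) >= fanout_threshold}
    return {"unexpected": unexpected, "fanout": fanout}


if __name__ == "__main__":
    report = audit_hosts(SAMPLE_HOSTS)
    for ip, host in report["unexpected"]:
        print(f"unexpected hosts entry: {host} -> {ip}")
    for ip, hosts in report["fanout"].items():
        print(f"{ip} answers for {len(hosts)} names: {', '.join(hosts)}")
```

On Windows the file to feed in is `%SystemRoot%\system32\drivers\etc\hosts`; a clean machine yields an empty `unexpected` list once the known intranet entries are on the allowlist, and any `fanout` hit is worth comparing against the worm's file and registry indicators before trusting the machine again.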
Faram
Bastard Operator from Hell
Posts: 5270
Joined: 2002-07-04 07:39am
Location: Fighting Polarbears

Post by Faram »

Patchtime is here again!

7 new critical updates! And 3 important.

Don't have the time to get into details here, read the page. Run windowsupdate and patch.

That makes 10 in October! Yay, overtime here I come!
Crayz9000
Sith Apprentice
Posts: 7329
Joined: 2002-07-03 06:39pm
Location: Improbably superpositioned

Post by Crayz9000 »

OK, we have updates for every browser out there today.

First off, there are two CRITICAL vulnerabilities in Internet Explorer.
Description:
http-equiv has discovered two vulnerabilities in Internet Explorer, which can be exploited by malicious people to compromise a user's system, link to local resources, and bypass a security feature in Microsoft Windows XP SP2.

Solution:
Disable Active Scripting or use another product.
Then, there's a less critical Mozilla/Firefox/Camino bug that has to do with the tabbed browsing setup. It's been an annoyance for a while now since Mozilla doesn't control where your keyboard focus is.

Opera also suffers from a similar vulnerability
And so does Safari
And Netscape 6.x-7.x
And Konqueror (all versions with tabbed browsing)
And Maxthon, aka MyIE2
And Avant 9.x and 10.x

Description:
Secunia Research has discovered two vulnerabilities in Mozilla, Mozilla Firefox, and Camino, which can be exploited by malicious web sites to obtain sensitive information and spoof dialog boxes.

The vulnerability has been confirmed in the following versions:
* Mozilla 1.7.2 and 1.7.3
* Mozilla Firefox 0.10.1

Other versions may also be vulnerable.

Solution:
Don't visit trusted web sites while visiting untrusted web sites or disable JavaScript.