Microsoft Re-Releases Security Advisory
A recent Windows PnP vulnerability is hyped to be more dangerous than it really is.
Hacking/Denial of Service
Microsoft has re-released Security
to address malicious code exploiting the Microsoft Windows
plug-and-play remote code execution vulnerability.
Although there has definitely been a lot of media coverage for the worm(s)
exploiting this vulnerability, the actual effects may be overstated. There’s
no doubt that a number of large companies appeared to be affected, but the impact
seems to be mostly that they had to do emergency patch pushes to their systems.
Microsoft themselves stated that infections due to the worm(s) were low and
damage minor. There was only one report to NTBugtraq regarding infections, and
that report indicated that one bank in Malaysia may have been infected. Also,
it’s interesting to note that despite there not being a patch for Windows
2000 SP3 or below, there has been very little hue and cry about that patch not
being available. Generally, when there's an extreme threat, customers who
aren't running a supported version of an affected OS will scream for a
patch. That didn't happen this time, which strongly suggests the actual threat
was lower than reported.
One final note: the vulnerability also affects Microsoft Windows NT 4.0.
Customers who have a service agreement directly with Microsoft for security
hotfix support for that OS have received a patch.
After a vulnerability and a public exploit for a buffer overflow
in the MSDDS.DLL ActiveX control were released, research suggests the control should
not be prevalent on systems. The control is only installed as part of Visual
Studio, but may also be installed if a complete installation of Office Professional
is done because it too includes Visual Studio components in order to allow for
the development of Digital Dashboard applications.
Unfortunately, complete installations of Office happen far too often.
Administrators, unclear about what their users actually need, may simply install everything
to avoid having to revisit the system. This is where the Microsoft Office group
has failed miserably, failing to provide relatively simple methods to do corporate-wide
Best practice says you should decide which options are required for every installation
you do. Having various images of your corporate builds allows you to pre-define
what options are going to be given to each person in your company, while at
the same time ensuring that installations are minimal. Do you really think everyone
in your company may author a Digital Dashboard application? Probably not.
Trojan: Backdoor.Mousey -- F-Secure and Symantec have released virus
definitions to detect W32.ESBot.A, a variant of Backdoor.Mousey. This variant
attempts to exploit the Microsoft Windows plug-and-play remote code execution
Trojan: SDBot (a.k.a. RBot) -- Multiple vendors have released new virus
definitions that detect aliases of SDBot variants. Reports indicate the new
SDBot variants may exploit the Microsoft vulnerability associated with MS05-039.
Once again we'll restate our contention that bots are the first to implement
new attacks against a given vulnerability. Today's bots are modular and connect
to sites from which they can be instructed to pick up and execute new modules
that exploit new vulnerabilities. It is nothing new for this process to take
only a couple of days, unfortunately. That said, typically you need
to already have a bot running on your network for a new vulnerability to be
exploited ... unless, of course, you have unprotected roving laptops or equally
unprotected home-office systems.
It’s also worth reminding everyone that Cybertrust’s Anti-Virus
Policy Guide has for several years recommended that personal firewalls be installed
and conservatively configured on all systems used outside of the enterprise.
As such, the vulnerable ports (445 and/or 139) would be closed to Internet traffic,
thereby preventing an infection from anywhere other than from inside your own
Reports suggest that mobile viruses, such as Cabir, were prevalent
at the recent World Athletics’ Championships, and that the 2006
World Cup of Soccer in Germany may be "fertile ground" for the
In my opinion, someone was just looking to make some headlines here. Let’s
accept that the World Cup will be used as a launch pad for new viruses. However,
one need not be at an event with 100,000 other people in order to come close
to so many people with mobile devices. Consider the effects of someone traveling
up and down an elevator in any office building, or standing outside a Starbucks
or the subway in any busy part of town. So what’s so special about the
World Cup or sporting events?
column was originally published in our weekly Security Watch
newsletter.
The Australian Broadcasting Corporation program "Four Corners"
recently aired a show claiming that it received a sales offer for the personal
details of 1,000 Australians, including names, addresses, telephone numbers,
birth details, Medicare numbers, driver's license numbers, bank card numbers
and passport information. The seller claimed the details were gathered from
Indian call centers. Four Corners did not buy the information, but was able
to confirm its authenticity, saying it appears to come from a call center in
Gurgaon, in the Haryana state of India.
The U.S. FCC has said the Communications Assistance for Law Enforcement
Act (CALEA) is going to be applied to IP telephony. Where it really expects
to apply it is to facilities-based services that interface with the public switched
telephone network. The act gives the Department of Justice (DoJ) the discretion
to require telecoms to provide a service that the DoJ can use to wiretap
remotely, at its own discretion and without the cooperation of the telco. Thus,
in theory, the DoJ polices itself to ensure that its use is lawful. The DoJ wants
to apply that to Vonage and Skype. However, it looks to us as though if you use
Skype-to-Skype, that is PC-to-PC, Skype has no responsibility and doesn't have to
provide any wiretap
Russ Cooper is a senior information security analyst with Verizon Business, Inc.
He's also founder and editor of NTBugtraq, www.ntbugtraq.com,
one of the industry's most influential mailing lists dedicated to Microsoft security.
One of the world's most-recognized security experts, he's often quoted by major
media outlets on security issues.