MS04-009 Upgraded to Critical, Disable Outlook HTML Parser, 'Phatbot', NetSky Day

Published: 2004-03-11
Last Updated: 2004-03-12 02:21:24 UTC
by Marcus Sachs (Version: 1)
0 comment(s)
(Handler's comment: we got off by one day on our diaries. The material below was originally posted on March 10th. I've updated it to reflect new information from March 11th. We'll be back on track tomorrow. -sachs)



MS04-009 Updated to 'Critical'. One of yesterday's Microsoft advisories ("Outlook 2002 mailto arbitrary code execution") was upgraded from 'Important' to 'Critical'. The initial advisory indicated that the vulnerability is mitigated by using a default homepage other then "Outlook Today". However, as pointed out in a proof of concept exploit, it is possible to cause code execution even if another view (e.g. Inbox) is used as default homepage. We strongly recommend application of the respective patches as quickly as possible.


(Update 3/11/04) iDefense reported that it is possible for an attacker to force Outlook to start in the "Outlook Today" view. Details are at
http://www.idefense.com/application/poi/display?id=79&type=vulnerabilities

Reading HTML e-mail as plain text in Outlook. By default, Outlook will parse "nonsecure" HTML e-mail. This feature has been abused by numerous phishing e-mails and similar cognitive hacking schemes. Microsoft published a step by step guide on how to turn off the HTML parser. This modification has no effect on digitally signed or encrypted HTML e-mail. See http://support.microsoft.com/default.aspx?scid=kb;en-us;Q307594 for details. This feature is only available with Outlook 2002 if SP1 for Microsoft Office XP is installed.

Phatbot. For the last couple of days yet another bot is hunting for MyDoom infected systems. This bot/worm will also scan for vulnerable dame-ware installs, systems vulnerable to the RPC DCOM exploit, and open file shares. At this point, this bot does not appear to make a significant impact globally. This bot is however significant as it is using P2P techniques to communicate. Infected systems can be spotted by outbound port 1025 scans. At this point, we track about 5,000 infected systems.

http://isc.sans.org/port_details.html?port=1025

http://www.dslreports.com/forum/remark,9614814~mode=flat
(Update 3/11/04) Netsky Day. An advisory yesterday from Pandasoft suggested that March 11th might show an increase in Netsky virus activity. The ISC did not detect any such increase. There was a new variant of Netsky released late on the 10th, and it seems to function much like the previous versions. http://www.pandasoftware.com/about/press/viewNews.aspx?noticia=4852


------

Johannes Ullrich, jullrich_AT_sans.org (handler 3/10/04)

Marcus H. Sachs, msachs_AT_sans.org (handler 3/11/04)

Keywords:
0 comment(s)

Comments


Diary Archives