
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2004-09-27



MS04-028 Public Exploit Attempts, VENDORS TAKE NOTE, Contacting ISC

Published: 2004-09-27
Last Updated: 2004-09-27 21:08:27 UTC
by Joshua Wright (Version: 1)
MS04-028 Public Exploit Attempts


A post on the BUGTRAQ mailing list led us to an MS04-028 exploit attempt that was posted to adult-oriented newsgroups. The malicious image appears to have been created with one of the more recent MS04-028 exploit kits. Most popular anti-virus scanners are able to detect these exploit JPGs, including BitDefender, Kaspersky, McAfee, Symantec and TrendMicro, identifying them as "Exploit-MS04-028" or "Bloodhound.Exploit.13" (Symantec).

Testing this exploit image on vulnerable Windows 2000 and Windows XP SP1 machines with Internet Explorer only caused the application to crash. However, we suspect that a working exploit is very close to widespread availability. Thanks to Johannes Ullrich and Bob Hutzley for offering up assistance in testing.
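As an added example (not from the diary, and not the ISC GDIScan tool), here is a minimal JPEG marker walker of the kind a scanner would use to flag images carrying the MS04-028 pattern. That the trigger is a comment segment (marker 0xFFFE) whose length field is below 2 is background on the vulnerability rather than something the diary states, and the sample bytes are constructed.

```python
import struct

SOI, EOI, SOS, COM = 0xD8, 0xD9, 0xDA, 0xFE
# Markers that carry no length field: SOI, EOI, TEM and the restart markers RST0-RST7.
STANDALONE = {SOI, EOI, 0x01} | set(range(0xD0, 0xD8))


def scan_jpeg(data: bytes) -> list:
    """Walk the JPEG header segments and report malformed segment lengths.

    Every non-standalone segment has a 2-byte big-endian length that includes
    the length bytes themselves, so any value below 2 is invalid. A comment
    (COM) segment with such a length is the MS04-028 trigger pattern.
    """
    findings = []
    if data[:2] != b"\xff\xd8":
        return ["not a JPEG (missing SOI marker)"]
    pos = 2
    while pos + 2 <= len(data):
        if data[pos] != 0xFF:
            findings.append(f"offset {pos}: expected marker prefix 0xFF")
            break
        marker = data[pos + 1]
        if marker == 0xFF:          # fill byte, skip it
            pos += 1
            continue
        if marker in STANDALONE:
            if marker == EOI:
                break
            pos += 2
            continue
        if pos + 4 > len(data):
            findings.append(f"offset {pos}: truncated segment header")
            break
        length = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        if length < 2:
            tag = " (MS04-028 trigger pattern)" if marker == COM else ""
            findings.append(f"offset {pos}: marker 0xFF{marker:02X} length {length} < 2{tag}")
            break                   # cannot advance past a bogus length safely
        if marker == SOS:
            break                   # entropy-coded image data follows the headers
        pos += 2 + length
    return findings


def is_suspicious(data: bytes) -> bool:
    return any("MS04-028" in f for f in scan_jpeg(data))


# Constructed samples: a well-formed JFIF header with a 5-byte comment,
# and the same file with the comment length field zeroed.
_APP0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
BENIGN_JPEG = b"\xff\xd8" + _APP0 + b"\xff\xfe" + struct.pack(">H", 7) + b"hello" + b"\xff\xd9"
MALFORMED_JPEG = b"\xff\xd8" + _APP0 + b"\xff\xfe\x00\x00" + b"hello" + b"\xff\xd9"
```

The same walk also reports truncated headers and non-COM segments with bad lengths, so it doubles as a basic sanity check for images taken off a newsgroup feed.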



Vendors Take Note


Many people have written in indicating that they are detecting vulnerable non-Microsoft applications with the ISC GDIScan tool. Reader Neal L. Lester writes in:

"Your GDI scanner found a vulnerable copy of gdiplus.dll in my "HP CD-DVD" directory. I contacted HP and they had me install an old patch. Well, I've learned enough to know that asking why a two year old patch will cure a recent vulnerability isn't going to get me anywhere so I did as I was asked: Still There."

Vendors - If your software redistributes Microsoft DLLs that are vulnerable to the MS04-028 flaw, your software may be vulnerable to attack as well. Please work toward offering a solution for resolving this issue for your customers!



Contacting ISC


All of the Internet Storm Center Incident Handlers value the anonymity of the individuals who submit information to us. Anyone who wishes to anonymously share information or confidentially ask a question is welcome to do so by using the form at http://isc.sans.org/contact.php. However, if you ask us a question and do not supply your email address, it is very difficult for us to respond to your request. In some cases, Tom Liston will use his psychic ability to "IM" you back, but that is quite rare.




-Joshua Wright/Handler-on-Duty