
SANS ISC: InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-07-11



The MS Claria debate; Intrusions via MS05-017; some more light reading

Published: 2005-07-11
Last Updated: 2005-07-12 14:48:35 UTC
by Greg Shipley (Version: 1)

Microsoft anti-spyware and the Claria debate



There's been some recent talk about Microsoft's spyware classification methods and how objective the company is in applying them. We received some inquiries about the Claria classification and decided to look into it a bit further.


(For some background, check out the Techweb article on the subject:
http://www.techweb.com/wire/security/165701020 )


In looking a bit deeper, it appears Microsoft made a formal response to the allegations late last week. In its response (posted in a letter available here), Microsoft states:


"Upon review of their software against our criteria, we determined that continued detection of Claria's products was indeed appropriate. We also decided that adjustments should be made to the classification of Claria software in order to be fair and consistent with how Windows AntiSpyware (Beta) handles similar software from other vendors."


We also found the following policy doc to be a good starting point on Microsoft's anti-spyware policy and process:

"Windows AntiSpyware (Beta): Analysis approach and categories"

http://www.microsoft.com/athome/security/spyware/software/isv/analysis.mspx


I think it's important that folks keep an eye on these types of issues as the entire adware/spyware problem continues to evolve, but it appears that this particular round of actions was "above board."



Intrusions via MS05-017



We received a comment about MS05-017 (Message Queuing vulnerability) based attacks being successfully executed, and some questions concerning where/what installs the service in the first place. According to MS it is not installed by default with OS installations, so this might be another one of those services (like the MSDE / Visio problems of years past) that has a "stealth-install" side to it. In short, keep an eye out for this guy running on your systems...
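One way to run the check suggested above across hosts you administer, as an added example that is not part of the original diary. It assumes the Message Queuing service is registered under the name `MSMQ` and listens on its default TCP port 1801; the function name and host names are constructed for illustration.

```powershell
# Inventory check for the Message Queuing (MSMQ) service on hosts you administer.
# Assumptions: service name 'MSMQ', default listener TCP 1801, and the
# constructed placeholder host names at the bottom.
function Get-MsmqExposure {
    param(
        [Parameter(Mandatory)]
        [string[]]$ComputerName
    )

    foreach ($computer in $ComputerName) {
        $result = [ordered]@{
            ComputerName = $computer
            Installed    = $false
            State        = 'n/a'
            StartMode    = 'n/a'
            Port1801Open = $false
            Error        = $null
        }
        try {
            # Win32_Service lists installed services even when they are stopped,
            # which is what catches a component installed as a side effect.
            $svc = Get-CimInstance -ClassName Win32_Service -ComputerName $computer `
                       -Filter "Name='MSMQ'" -ErrorAction Stop
            if ($svc) {
                $result.Installed = $true
                $result.State     = $svc.State
                $result.StartMode = $svc.StartMode
                # Only test the listener when the service is actually present.
                $result.Port1801Open = Test-NetConnection -ComputerName $computer `
                    -Port 1801 -InformationLevel Quiet -WarningAction SilentlyContinue
            }
        }
        catch {
            # Unreachable or access-denied hosts are reported, not skipped,
            # so they are not mistaken for clean ones.
            $result.Error = $_.Exception.Message
        }
        [pscustomobject]$result
    }
}

# Constructed host names; replace with your own inventory.
Get-MsmqExposure -ComputerName 'host-a.example', 'host-b.example' |
    Sort-Object Installed -Descending |
    Format-Table -AutoSize
```

Hosts that report `Installed = True` with no record of anyone deploying Message Queuing are the ones to check for the MS05-017 update first.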



Some light reading

Amit Klein released an article on Cross Site Scripting which attacks a user's client without sending malicious content to the web server:
http://www.webappsec.org/projects/articles/071105.shtml


Fellow handler Scott forwarded an interesting Instant Messenger (IM) threat tracking site:
http://imlogic.com/im_threat_center/index.asp



Happy Monday,

-Greg
