


Issues on MS patches?

Published: 2006-10-14
Last Updated: 2006-10-14 18:40:18 UTC
by Koon Yaw Tan (Version: 1)
One reader reported that standby/hibernate mode on some of his systems is disabled after applying the recent Microsoft patches. If you also encounter a similar issue, or any other major issue, do drop us a note.



Published: 2006-10-14
Last Updated: 2006-10-14 17:06:56 UTC
by Koon Yaw Tan (Version: 1)
We have received reports from our readers that Microsoft Update, MBSA 2.0, and ITMU previously did not indicate the need to install an additional package for this security update if you have Microsoft XML Core Services 4.0 SP2 installed (MBSA 1.2.1 did). However, it appears that Microsoft has updated the scan files and the tools now detect the need for the additional package.

From Microsoft Knowledge Base article 924191:
If you have multiple versions of the Microsoft XML Parser or Microsoft XML Core Services (MSXML) installed, you may have to install multiple packages for this security update. Additionally, if you install a version of MSXML after you install this security update, you may have to install an additional package for this security update.

One of our readers suspected that MBSA 2.0, Microsoft Update and ITMU only considered the patch applicable if MSXML4.DLL was installed as part of an MSI package for XML 4.0:

Microsoft's patch detection code for Microsoft Update as of 4 PM ADT 10/13/2006 wasn't detecting MSXML4 SP2 if it was installed via the merge module (i.e. as the result of installing a third party product that redistributed Microsoft's code using the Microsoft-approved method for doing this).  Sometime between then and now, Microsoft updated the scan files.  In the original scan files (released on Tuesday), Microsoft would only consider the patch applicable if the MSI version of MSXML4 SP2 was installed.

The new scan files work around this - they still detect language-specific variants of the MSI if they are installed (and generate unique UpdateIDs for those variants), but if no MSI is installed it will fall back to the UpdateID that was used in the original scan files if (and only if) the 1033 (i.e. US English) version of the MSI was installed.

Given this, we recommend that you rescan your systems to determine whether you need any additional patch that was not reported earlier.


Cisco Security Advisory: Default Password in Wireless Location Appliance

Published: 2006-10-14
Last Updated: 2006-10-14 16:14:43 UTC
by Koon Yaw Tan (Version: 1)
Cisco earlier published a security advisory reporting a vulnerability in the Cisco Wireless Location Appliance (WLA). The appliance uses a default password for the 'root' administrative account. A user with knowledge of the password can log in and gain full control of the device.

As reported in the advisory, the default password is the same in all installations of the product prior to version when shipped as part of a new product purchase. The vulnerability still exists on upgraded installations unless explicit steps have been taken to change the password after the initial installation of the product.

Cisco has issued a fix for the version and later. Previous versions of the software that have been upgraded will not prompt the user to change the root password during the upgrade. So change the password if you have not already done so on your vulnerable version.

Cisco indicates that there have been several instances in which Cisco Wireless Location Appliances have been compromised due to this vulnerability.


Website with Malware

Published: 2006-10-14
Last Updated: 2006-10-14 12:54:24 UTC
by Koon Yaw Tan (Version: 1)
Our reader, Micheal, notified us of a website that could cause users to download malware.

http:// c n n w a r n e w s . c o m/

A lookup of the domain shows that it is newly registered (registration date 12 Oct 06).

The website loads a normal webpage from an Australian news website (via a frame). However, it also attempts to load malware from another site:

http:// z a g e v q s o i i .b i z /dl/l o a d a d v 4 3 3 . e x e
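The framing trick described above is easy to spot once you look at where a page's frames point. The following triage script is an added example and is not part of the ISC diary or any tool it mentions. It parses a saved copy of a page, collects every frame, iframe and script source, and flags sources that sit on a different domain than the page, that point at an executable download, or whose domain was registered only days before the capture. The sample HTML, hostnames, registration dates and capture date are all constructed for the example; the WHOIS lookup is replaced by a hard-coded dictionary, and the 30-day "young domain" threshold is an assumption.

```python
# Added example (not part of the ISC diary): triage a saved copy of a suspect
# web page by examining what it frames and loads from elsewhere.
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

EXECUTABLE_EXTS = (".exe", ".scr", ".pif", ".com", ".bat", ".dll")
YOUNG_DOMAIN_DAYS = 30  # assumption: a domain registered this recently is worth a closer look


class FrameSourceCollector(HTMLParser):
    """Collect the src attribute of every frame, iframe and script tag."""

    def __init__(self):
        super().__init__()
        self.sources = []  # list of (tag, src)

    def handle_starttag(self, tag, attrs):
        if tag in ("frame", "iframe", "script"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def registrable_domain(host):
    """Crude 'example.com' from 'www.example.com'. Good enough for triage;
    it does not handle multi-label public suffixes such as co.uk."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def triage_page(page_url, html, whois_dates, today):
    """Return a list of findings, one dict per flagged source, each carrying
    the tag, the absolute URL, the host and the list of reasons it was flagged.

    whois_dates maps registrable domain -> registration date (a constructed
    stand-in for a WHOIS lookup); today is the capture date used for domain age.
    """
    collector = FrameSourceCollector()
    collector.feed(html)
    page_host = urlsplit(page_url).hostname or ""
    findings = []
    for tag, src in collector.sources:
        url = urljoin(page_url, src)  # resolve relative sources against the page URL
        parts = urlsplit(url)
        host = parts.hostname or ""
        reasons = []
        if host and registrable_domain(host) != registrable_domain(page_host):
            reasons.append("off-site source")
        if parts.path.lower().endswith(EXECUTABLE_EXTS):
            reasons.append("executable payload")
        reg = whois_dates.get(registrable_domain(host))
        if reg is not None and (today - reg).days <= YOUNG_DOMAIN_DAYS:
            reasons.append(f"domain registered {(today - reg).days} days ago")
        if reasons:
            findings.append({"tag": tag, "url": url, "host": host, "reasons": reasons})
    return findings


# --- constructed sample: a decoy page framing a legitimate news site and a downloader ---
SAMPLE_URL = "http://newly-registered-decoy.example/"
SAMPLE_HTML = """
<html><frameset rows="100%,*">
  <frame src="http://news.legit-site.example/headlines.html">
  <frame src="http://payload-host.example/dl/downloader.exe">
</frameset>
<script src="/local.js"></script></html>
"""
SAMPLE_WHOIS = {  # constructed registration dates, not real WHOIS data
    "newly-registered-decoy.example": date(2006, 10, 12),
    "payload-host.example": date(2006, 10, 1),
    "legit-site.example": date(1999, 3, 3),
}
CAPTURE_DATE = date(2006, 10, 14)

if __name__ == "__main__":
    for f in triage_page(SAMPLE_URL, SAMPLE_HTML, SAMPLE_WHOIS, CAPTURE_DATE):
        print(f"[{f['tag']}] {f['url']}: {', '.join(f['reasons'])}")
```

Run against the constructed sample, the legitimate news frame is reported only as off-site (which is exactly what makes the decoy look normal), the second frame is flagged on all three counts, and the page's own script is flagged because the hosting domain itself is two days old. In real use, replace the dictionary with a WHOIS lookup and feed the script the HTML you fetched from an isolated analysis host.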

VirusTotal results for this file:

Antivirus            Version          Update      Result
AntiVir                               10.13.2006  TR/Dldr.Small.dib.6
Authentium           4.93.8           10.13.2006  Possibly a new variant of W32/Downloader-Sml-based!Maximus
Avast                4.7.892.0        10.13.2006  Win32:Small-BSO
AVG                  386              10.13.2006  Downloader.Harnig.AM
BitDefender          7.2              10.14.2006  DeepScan:Generic.Malware.dld!!g.07E540DB
CAT-QuickHeal        8.00             10.14.2006  no virus found
ClamAV               devel-20060426   10.13.2006  Trojan.Downloader.Small-2840
eTrust-InoculateIT   23.73.22         10.13.2006  Win32/SillyDL!Trojan
eTrust-Vet           30.3.3131        10.13.2006  Win32/Harnig!generic
DrWeb                4.33             10.14.2006  Trojan.DownLoader.13549
Ewido                4.0              10.13.2006  no virus found
Fortinet                              10.14.2006  W32/Dowadv.CU!tr.dldr
F-Prot               3.16f            10.13.2006  Possibly a new variant of W32/Downloader-Sml-based!Maximus
F-Prot4                               10.13.2006  W32/Downloader-Sml-based!Maximus
Ikarus                                10.13.2006  no virus found
Kaspersky                             10.14.2006
McAfee               4873             10.13.2006  no virus found
Microsoft            1.1603           10.14.2006  TrojanDownloader:Win32/Vxidl
NOD32v2              1.1803           10.13.2006  a variant of Win32/TrojanDownloader.Small.DIB
Norman               5.80.02          10.13.2006  W32/DLoader.gen2
Panda                                 10.14.2006  Suspicious file
Sophos               4.10.0           10.13.2006  no virus found
TheHacker                             10.14.2006  Trojan/Downloader.Tibs.gen
UNA                  1.83             10.13.2006  no virus found
VBA32                3.11.1           10.13.2006  suspected of Downloader.Small.3 (paranoid heuristics)
VirusBuster          4.3.7:9          10.13.2006  Trojan.DL.Harnig.Gen.3

This shows that a seemingly harmless website may not be harmless at all. You should be extremely vigilant when visiting unfamiliar websites. If in doubt, it is always good to tighten your browser configuration (e.g. disable Java, JavaScript and ActiveX) before attempting to visit the site. This of course assumes you already have the usual security measures in place (latest patches, current virus definitions, etc.).
