
SANS ISC: The MS Claria debate; Intrusions via MS05-017; some more light reading SANS ISC InfoSec Forums


Microsoft anti-spyware and the Claria debate

There's been some recent talk about Microsoft's spyware classification methods and how objectively it applies them. We received some inquiries about the Claria classification and decided to look into it a bit further.

(For some background, check out the Techweb article on the subject.)

In looking a bit deeper, it appears Microsoft made a formal response to the allegations late last week. In its response (posted in a letter available here) Microsoft states:

"Upon review of their software against our criteria, we determined that continued detection of Claria's products was indeed appropriate. We also decided that adjustments should be made to the classification of Claria software in order to be fair and consistent with how Windows AntiSpyware (Beta) handles similar software from other vendors."

We also found the following policy doc to be a good starting point on Microsoft's anti-spyware policy and process:

"Windows AntiSpyware (Beta): Analysis approach and categories"

I think it's important that folks keep an eye on these types of issues as the entire adware/spyware problem continues to evolve, but it appears that this particular round of actions was "above board."

Intrusions via MS05-017

We received a comment about MS05-017 (Message Queuing vulnerability) based attacks being successfully executed, and some questions concerning where/what installs the service in the first place. According to MS it is not installed by default with OS installations, so this might be another one of those services (like the MSDE / Visio problems of years past) that has a "stealth-install" side to it. In short, keep an eye out for this guy running on your systems...
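One way to run that check across a host list, as an added example that is not part of the original diary. It assumes the Message Queuing service is registered under the name MSMQ and listens on TCP 1801, that you have CIM/WinRM access to the remote hosts, and that the host names are constructed placeholders:

```powershell
# Added example (not from the original diary). Assumptions: the Message Queuing
# service is registered as "MSMQ" and listens on TCP 1801; the host names below
# are constructed placeholders for your own inventory.
$Computers = @('localhost', 'host-a.example', 'host-b.example')

$report = foreach ($computer in $Computers) {
    $row = [ordered]@{
        Computer  = $computer
        Installed = 'unknown'
        State     = $null
        StartMode = $null
        Port1801  = $null
        Note      = $null
    }
    try {
        # Win32_Service gives the running state and the configured start mode.
        $query = @{ ClassName = 'Win32_Service'; Filter = "Name='MSMQ'"; ErrorAction = 'Stop' }
        if ($computer -ne 'localhost') { $query.ComputerName = $computer }
        $svc = Get-CimInstance @query

        if ($svc) {
            $row.Installed = 'yes'
            $row.State     = $svc.State
            $row.StartMode = $svc.StartMode
        } else {
            $row.Installed = 'no'
        }
    } catch {
        # Host unreachable or access denied: record why instead of assuming "clean".
        $row.Note = $_.Exception.Message
    }
    # Whether the listener answers matters even when the service query fails.
    $row.Port1801 = Test-NetConnection -ComputerName $computer -Port 1801 `
        -InformationLevel Quiet -WarningAction SilentlyContinue
    [pscustomobject]$row
}

# Hosts where the service exists or the port answers need a patch and owner review.
$report | Where-Object { $_.Installed -eq 'yes' -or $_.Port1801 } |
    Format-Table -AutoSize
# Hosts that could not be queried are listed separately so they get followed up.
$report | Where-Object { $_.Installed -eq 'unknown' } |
    Format-Table Computer, Note -AutoSize
```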

Some light reading

Amit Klein released an article on Cross Site Scripting which attacks a user's client without sending malicious content to the web server.

Fellow handler Scott forwarded an interesting Instant Messenger (IM) threat tracking site.

Happy Monday,



Jul 12th 2005
