July 2005 - Posts

OK folks, this is probably it for me a while.  I am off for a well deserved (in my opinion anyway) vacation.

See you next month!!

Not much more to say, but man is this sad…

BBC NEWS | Entertainment | Star Trek's Scotty dies aged 85

 

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Further Reports of Exploits Against MS05-037
A reader desiring anonymity told us that he’s seen some exploits of his systems by malicious websites using Microsoft Internet Explorer Javaprxy.DLL COM Object Instantiation Heap Overflow Vulnerability (described in MS Security Bulletin MS05-037) to install malware. Looks like we better step up that patch rate, since this one could be a big problem.

Tales from the Longbox » Blog Archive » From the BEAT: Legendary artist Jim Aparo dies

From the BEAT: Legendary artist Jim Aparo dies
by Mozbe @ 2:35 pm. Filed under News

I caught this sad news item over at the BEAT. This really bothers me, to see another legend like this pass on. Mr. Aparo was always one of my favorite Batman artists. My family’s thoughts go out to Mr. Aparo’s friends and family during this difficult time.

Here is an excerpt from the BEAT post:

July 19, 2005
RIP Jim Aparo
Art Dealer Spencer Beck writes with the sad news that veteran BATMAN artist Jim Aparo has passed away.

The Aparo Family has asked me to send this information out to all parties. It is with the deepest regret I have to inform you of the passing of the legendary Jim Aparo early Tuesday Morning, July 19, 2005. Mr. Aparo, who was 72, died from complications relating to a recent illness. All Funeral arrangements will be a private ceremony for Family and Friends of Jim.

You can read the full post here:
http://www.comicon.com/thebeat/archives/2005/07/rip_jim_aparo.html


 

Rod made a good point in his post yesterday.  Firefox has had more flaws this year. 

What Rod didn’t mention was that the flaw reported the other day has absolutely nothing to do with security vulnerabilities. There was a change in the browser API in 1.0.5 that broke some feature-enhancing extensions (something that IE doesn’t even offer).  You can read more about it here: http://www.mozillazine.org/talkback.html?article=6950

Rod also didn’t mention something else.  Of the 17 security vulnerabilities that Secunia has listed for Firefox in 2005, all but three of them are patched.  Of the three vulnerabilities that are left, two have partial fixes available.

As far as IE goes, it is a different story.  IE has 9 security vulnerabilities listed on Secunia’s website for 2005.  Of those 9, only 3 have full patches, and 1 has a partial fix.  That leaves 5 unpatched IE vulnerabilities. 

When you look at the numbers for this year, that leaves Firefox with only 6% (1 of 17) of its security vulnerabilities with no fix at all.  Meanwhile, 55% (5 of 9) of IE’s vulnerabilities for this year still need some kind of patch or workaround.

If you look back even further, things look even clearer.  Here are some graphs from Secunia’s website:

Internet Explorer

[Secunia vulnerability graph for Internet Explorer; image not reproduced here]

Firefox

[Secunia vulnerability graph for Firefox; image not reproduced here]
When you look at these numbers, it looks like Microsoft is the one that needs to catch up on security.

It’s kind of funny the way that Rod posted about this earlier today; you would think that IE never had any flaws.  You have to give Mozilla credit: their response time on issues like this is better than Microsoft’s.

Firefox 1.0.6 Candidate Builds Available - MozillaZine Talkback

Firefox 1.0.6 Candidate Builds Available
Saturday July 16th, 2005

Marcia Knous writes: "The Mozilla Quality Assurance team is requesting help from the community to test the 1.0.6 builds. Please visit the post in the QA blog to get more information regarding the testing."

More info on Firefox 1.0.6 can be found in our earlier story.

Update: Note that candidate builds of Mozilla Thunderbird 1.0.6 and the Mozilla Application Suite 1.7.10 are also available (there will now be no Mozilla 1.7.9 release).

Here is more information on that JPEG vulnerability I posted about just a minute ago

Microsoft Internet Explorer JPEG Image Rendering CMP Fencepost Denial Of Service Vulnerability

Bugtraq ID: 14284
Class: Boundary Condition Error
CVE: CVE-MAP-NOMATCH
Remote: Yes
Local: No
Published: Jul 15 2005 12:00AM
Updated: Jul 15 2005 07:57PM
Credit: Michal Zalewski is credited with the discovery of this vulnerability.
Vulnerable: Microsoft Internet Explorer 6.0 SP2

You can read the details here: Microsoft Internet Explorer JPEG Image Rendering CMP Fencepost Denial Of Service Vulnerability

Here we go again….

Virus.Org :: Information Technology Security News And Updates

New Internet Explorer JPEG Rendering Overflow Vulnerability Discovered
. Posted by: Editor on Friday, July 15, 2005 - 07:59 PM

The security researcher Michal Zalewski has discovered a new vulnerability in Internet Explorer’s JPEG rendering engine: an attacker with a specially crafted JPEG picture can trigger a buffer overflow which can allow code execution.
The vulnerability is a buffer overflow in the JPEG image rendering library employed by Internet Explorer. The issue is due to the code failing to properly bounds check input data prior to copying to a fixed size memory buffer. The issue affects Internet Explorer SP2; earlier versions of Internet Explorer may also be affected.

The vulnerability allows an attacker to control a memory write operation, resulting in the ability to control the flow of execution of the program. This can allow an attacker to be able to execute arbitrary machine code in the context of the affected application.

At this time there is no patch available from Microsoft for the issue, so it is highly recommended that users of affected browsers disable JPEG support or switch to an alternative web browser such as Firefox.

Once again Harry Waldron is on the ball and alerts us of a new mass mailing/network aware worm that has attention from F-Secure.  Good job Harry!!

This new emailer/downloader/network worm is sophisticated and starting to spread. F-Secure ranks it as Medium Risk currently.

W32/Reatle@MM Worms - Medium Risk by F-Secure

http://www.f-secure.com/v-descs/lebreat.shtml
http://vil.nai.com/vil/content/v_134885.htm


This detection is for several variants of a mass-mailing worm written in MSVC, and packed with MEW. The worm bears the following characteristics:

1. Contains its own SMTP engine for mailing itself; outgoing messages have a spoofed From: address

2. Attempts to propagate to remote machines via two old exploits:

MS03-026 - DCom RPC

MS04-011 - LSASS

3. Attempts to download 2 other binaries. (At the time of writing these are detected as W32/Generic.m and W32/Sdbot.worm.gen.bj with the specified DATs.) The worm attempts to download a binary via a URL hardcoded in its body.

4. In addition the worm opens a backdoor on TCP port 8885.

5. Administrators should block access to the following domain ... Please do not go to this malicious site:

h t t p : / / j 0 r . b i z



6. Attachment names in the EMAIL message

The attachment is a copy of the worm, with one of the following filenames:


account-report.exe
payment.doc (many spaces) .scr
about.doc (many spaces) .bat
help.doc (many spaces) .exe
about.cpl
archive.cpl
about.scr
archive.exe
box.bat
inbox.cpl
box.scr
inbox.exe
docs.cpl
admin.bat
docs.scr
read.cpl
readme.cpl
read.exe
readme.scr
data.scr
file.cpl
data.bat
document.cpl
doc.pif
document.exe
order.cpl
order.exe
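As an added example (not part of the original post or of the F-Secure/McAfee write-up), here is a small Python filter of the kind you would put in front of a mail gateway to catch the attachment-naming tricks in the list above: a bare executable extension (.exe, .scr, .bat, .cpl, .pif), and the decoy-plus-padding trick where a harmless-looking .doc is followed by a long run of spaces and then the real extension, so that a mail client that truncates long names shows only "payment.doc". The sample attachment names, the extension sets and the two-spaces padding threshold are my assumptions, not from the advisory.

```python
import re
from typing import Dict, List

# Extensions Windows runs when the attachment is double-clicked (assumed set;
# the worm's own list uses .exe, .scr, .bat, .cpl and .pif).
EXECUTABLE_EXTS = {"exe", "scr", "bat", "cpl", "pif", "com", "vbs", "js"}

# Decoy document extension, then two or more whitespace characters of
# padding, then the real extension:  "payment.doc             .scr"
# Mail clients that truncate long names show only "payment.doc".
PADDED_DOUBLE_EXT = re.compile(
    r"^(?P<base>.+?)\.(?P<decoy>[a-z0-9]{1,5})\s{2,}\.(?P<real>[a-z0-9]{1,4})$",
    re.IGNORECASE,
)


def classify_attachment(name: str) -> Dict[str, object]:
    """Decide whether one attachment filename should be blocked at the gateway."""
    m = PADDED_DOUBLE_EXT.match(name)
    if m:
        real = m.group("real").lower()
        return {
            "name": name,
            "real_ext": real,
            "block": real in EXECUTABLE_EXTS,
            "reason": f"padded double extension: .{m.group('decoy').lower()} hides .{real}",
        }
    ext = name.rsplit(".", 1)[-1].lower() if "." in name else ""
    if ext in EXECUTABLE_EXTS:
        return {"name": name, "real_ext": ext, "block": True,
                "reason": f"executable extension .{ext}"}
    return {"name": name, "real_ext": ext, "block": False, "reason": "allowed"}


def scan_attachments(names: List[str]) -> List[Dict[str, object]]:
    """Return the verdicts for every name that should be blocked, in input order."""
    return [v for v in (classify_attachment(n) for n in names) if v["block"]]


# Constructed sample: four names in the style of the worm's list mixed with
# two legitimate attachments.
SAMPLE_ATTACHMENTS = [
    "account-report.exe",
    "payment.doc" + " " * 30 + ".scr",
    "quarterly-figures.doc",
    "inbox.cpl",
    "team-photo.jpg",
    "help.doc" + " " * 45 + ".exe",
]

if __name__ == "__main__":
    for verdict in scan_attachments(SAMPLE_ATTACHMENTS):
        print(f"BLOCK {verdict['name'].strip()!r}: {verdict['reason']}")
```

The padding check is kept separate from the plain extension check on purpose: a "notes.txt  .bak" style name matches the pattern but is only blocked if the real extension is executable, so the filter reports why a name was stopped rather than just that it looked odd.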

It seems that Trend Micro has renamed the virus that I posted about yesterday to JS_JAPROX.A .  In the meantime, Secunia has a unified entry for this now, and there are three other vendors that now have listings for this virus, so it must be spreading to some degree.

#1 - MCAFEE – Backdoor-AZU

#2 - SOPHOS – Troj/DownLdr-XD

#3 - COMPUTER ASSOCIATES – Win32.Harbag.A

Patch’em or lose’em: http://www.microsoft.com/technet/security/bulletin/MS05-037.mspx

It doesn’t surprise me that this is out already, the exploit for this has been public for a while now.

JS_EXPLOIT.F - Description and solution

This malicious JavaScript exploits the JView Profiler vulnerability to enable a remote user to execute commands locally on the affected machine. For more information on this vulnerability please check Microsoft's Security Bulletins Web site:

Microsoft Security Bulletin MS05-037

In addition, this malicious JavaScript uses the above-mentioned vulnerability to change the homepage of the affected system's Internet Explorer.

It also connects to the adult Web site http://pornoz.ru?ft=t{BLOCKED}imfa.ru.

This doesn’t sound good, keep on the lookout everyone…

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Port 80 spike

http://www.dshield.org/port_report.php?port=80

Dshield is showing the beginning of what looks like a large spike in probes to port 80. The cause is unknown at this time, but could be attributable to any number of new vulnerabilities being exploited, a new skiddie toy, or new worm variants.

Looks like we got off easy this month.  All of this month's patches are detectable by the standard SMS/MBSA/Office scanners.  If there are any weird install switches, I will be sure to post about them.

Enjoy!

This is hot off the Net, so all the links might not work yet.  More details as they come in.

Vulnerability in JView Profiler Could Allow Remote Code Execution (903235): MS05-037

Vulnerability in Microsoft Color Management Module Could Allow Remote Code Execution (901214): MS05-036

Vulnerability in Microsoft Word Could Allow Remote Code Execution (903672): MS05-035

Looks like the Trojan that Harry Waldron posted about the other day is picking up steam.  Secunia’s page for this now has four other vendors that have listings for this Trojan.  “Virus Name Game” rules do apply.

Here is what we have so far:

#1 - TREND MICRO – TROJ_DONBOMB.A

#2 - SYMANTEC – Trojan.Spexta

#3 - SOPHOS – Troj/Spexta-A

#4 - F-SECURE – Delf.h

#5 - MCAFEE – Spam-SPM

You can find the Secunia listing here: http://secunia.com/virus_information/19645/spam-spm/

 

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Microsoft anti-spyware and the Claria debate

There's been some recent talk about Microsoft spyware classification methods and its objectivity in doing so. We received some inquiries about the Claria classification and decided to look into a bit further.

(For some background, check out the Techweb article on the subject: http://www.techweb.com/wire/security/165701020 )

In looking a bit deeper, it appears Microsoft made a formal response to the allegations late last week. In its response (posted in a letter available here ) Microsoft states:

"Upon review of their software against our criteria, we determined that continued detection of Claria's products was indeed appropriate. We also decided that adjustments should be made to the classification of Claria software in order to be fair and consistent with how Windows AntiSpyware (Beta) handles similar software from other vendors."

We also found the following policy doc to be a good starting point on Microsoft's anti-spyware policy and process:
"Windows AntiSpyware (Beta): Analysis approach and categories"
http://www.microsoft.com/athome/security/spyware/software/isv/analysis.mspx

I think it's important that folks keep an eye on these types of issues as the entire adware/spyware problem continues to evolve, but it appears that this particular round of actions were "above board."

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Intrusions via MS05-017

We received a comment about MS05-017 (Message Queuing vulnerability) based attacks being successfully executed, and some questions concerning where/what installs the service in the first place. According to MS it is not installed by default with OS installations, so this might be another one of those services (like the MSDE / Visio problems of years past) that has a "stealth-install" side to it. In short, keep an eye out for this guy running on your systems...

Considering how many AOL users there are out there, this just might spread. 

Symantec Security Response - W32.Rants.A@mm

W32.Rants.A@mm
Category 2
Discovered on: July 10, 2005
Last Updated on: July 11, 2005 04:19:58 PM

W32.Rants.A@mm is a mass-mailing worm that spreads using Microsoft Outlook and the America Online user interface. It also lowers security settings by ending security-related processes and by disabling several Windows security features.

When W32.Rants.A@mm is executed, it performs the following actions:

  1. Copies itself as %System%\updater32.exe.

    Note: %System% is a variable that refers to the System folder. By default this is C:\Windows\System (Windows 95/98/Me), C:\Winnt\System32 (Windows NT/2000), or C:\Windows\System32 (Windows XP).

  2. Adds the value:

    "SVCHOST" = "%System%\updater32.exe"

    to the registry subkey:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run

    so that the risk runs every time Windows starts.

  3. Adds the value:

    "FirewallDisableNotify" = "1"

    to the registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center
    HKEY_CURRENT_USER\Software\Microsoft\security center

    in order to disable notification of firewall status through the Windows Security Center.

  4. Adds the value:

    "UpdatesDisableNotify" = "1"

    to the registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center
    HKEY_CURRENT_USER\Software\Microsoft\security center


    in order to disable notification of update status through the Windows Security Center.

  5. Adds the value:

    "AntiVirusDisableNotify" = "1"

    to the registry subkeys:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\security center
    HKEY_CURRENT_USER\Software\Microsoft\security center


    in order to disable notification of antivirus status through the Windows Security Center.

  6. Adds the value:

    "NoAutoUpdate" = "1"

    to the registry subkey:

    HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU

    to disable automatic Windows Updates.

  7. Adds the following registry entries:

    "DisableTaskMgr" = "1"
    "DisableRegistryTools" = "1"


    to the registry subkey:

    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System

    to disable access to the Windows Task Manager and registry editing tools.

  8. Sends an email to all email addresses it finds in the Microsoft Outlook address book, using Microsoft Outlook.

    The email has the following characteristics:

    Subject: Fwd: Microsoft SP2 Update

    Message: Microsoft SP2 Update Download It

    Attachment: SP2 UPDATE.EXE

  9. Sends the following message to other AOL users on the compromised computer using the America Online interface:

    [http://]j0r.biz/[removed]?funnyyeah  it's funny :P

    Note: If the recipient clicks on the URL above, a variant of
    W32.Spybot.Worm is downloaded and executed on the compromised computer.

  10. Creates and runs the file C:\killer.bat. This is a batch script that ends the following processes, some of which may be security-related: (see link above, as this is a very large list)
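The registry changes in steps 2 through 7 are the easiest part of this worm to sweep for across a fleet, because they are all plain value/data pairs. As an added example (not Symantec's code or the original post's), the following Python parses a `reg export` dump of the hives Symantec lists and reports every value the worm sets, plus any Run entry whose image is updater32.exe, whatever the value happens to be named. The embedded .reg excerpt is constructed for illustration; on a real machine you would export the keys with `reg export` and feed that file to parse_reg_export. Paths and value names are compared case-insensitively because the registry itself is (Symantec's write-up spells the key "security center").

```python
import re
from typing import Dict, List

RegTree = Dict[str, Dict[str, str]]

# Constructed .reg excerpt (not a real export) showing the changes Symantec
# attributes to W32.Rants.A@mm, plus one benign Run entry for contrast.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"CTFMON.EXE"="C:\\WINDOWS\\System32\\ctfmon.exe"
"SVCHOST"="C:\\WINDOWS\\System32\\updater32.exe"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center]
"FirewallDisableNotify"=dword:00000001
"UpdatesDisableNotify"=dword:00000001
"AntiVirusDisableNotify"=dword:00000000

[HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU]
"NoAutoUpdate"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableTaskMgr"=dword:00000001
"DisableRegistryTools"=dword:00000001
"""

KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')


def _decode(data: str) -> str:
    """Normalise REG_DWORD and REG_SZ data to a string for comparison."""
    if data.startswith("dword:"):
        return str(int(data[len("dword:"):], 16))
    if len(data) >= 2 and data[0] == '"' and data[-1] == '"':
        return data[1:-1].replace("\\\\", "\\").replace('\\"', '"')
    return data  # hex:, expandable strings etc. are left as written


def parse_reg_export(text: str) -> RegTree:
    """Parse `reg export` text into {key_path_lower: {value_name_lower: data}}.
    Default values (@=...) and multi-line hex blobs are ignored."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        km = KEY_RE.match(line)
        if km:
            current = km.group("key").lower()
            tree.setdefault(current, {})
            continue
        vm = VALUE_RE.match(line)
        if vm and current is not None:
            tree[current][vm.group("name").lower()] = _decode(vm.group("data"))
    return tree


SECURITY_CENTER_KEYS = (
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Security Center",
    r"HKEY_CURRENT_USER\Software\Microsoft\Security Center",
)
NOTIFY_VALUES = ("FirewallDisableNotify", "UpdatesDisableNotify", "AntiVirusDisableNotify")
POLICY_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System"
AU_KEY = r"HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\WindowsUpdate\AU"
RUN_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run"

# (key, value name, data) triples taken from Symantec's description above.
RANTS_INDICATORS = [(k, v, "1") for k in SECURITY_CENTER_KEYS for v in NOTIFY_VALUES] + [
    (AU_KEY, "NoAutoUpdate", "1"),
    (POLICY_KEY, "DisableTaskMgr", "1"),
    (POLICY_KEY, "DisableRegistryTools", "1"),
]


def find_rants_indicators(tree: RegTree) -> List[str]:
    """Return a human-readable line for every indicator present in the tree."""
    hits = []
    for key, name, data in RANTS_INDICATORS:
        if tree.get(key.lower(), {}).get(name.lower()) == data:
            hits.append(f"{key}\\{name} = {data}")
    # Any Run entry whose image is updater32.exe, whatever the value is called.
    for name, image in tree.get(RUN_KEY.lower(), {}).items():
        if image.lower().endswith("\\updater32.exe"):
            hits.append(f"{RUN_KEY}\\{name} -> {image}")
    return hits


if __name__ == "__main__":
    for hit in find_rants_indicators(parse_reg_export(SAMPLE_REG_EXPORT)):
        print("INDICATOR:", hit)
```

One caveat worth keeping in mind when you turn this into a fleet-wide check: the Security Center and Automatic Updates values are legitimate settings that Group Policy or an administrator can also set, so a single hit is a lead, not a verdict. The combination of all of them plus the updater32.exe Run entry is what matches Symantec's description.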

As was mentioned earlier by Rod and Reed, here is the first post from my new comic book blog.

Tales from the Longbox » Blog Archive » How I got started reading comic books..

How I got started reading comic books..
by Mozbe @ 11:35 am. Filed under On a personal note..

Welcome to Tales from the Longbox and thanks for coming by.

In this first “real” post, before I actually start writing about comic books, I am going to tell you about myself by establishing my comic book “cred”, for lack of a better term. I will do this by telling you the story of how I got started reading comics in the first place.

Before I start, you might need to get some Kleenex, or a pillow, depending on how this translates to the web. So go ahead, I’ll wait….

I see Rod Trent let the cat out of the bag on the comic book blog I am working on. 

I need to practice my writing, and they always say “write what you know”, so I figured that would be a good way to go about it. 

I don’t have anything up there yet, so all of you comic book fans hold on, this should be fun.  :-)

If you want to be notified when things are posted to this new site, the RSS feed can be found here: http://www.mosby.org/longbox/?feed=rss2

********************************************************************

Title: Microsoft Security Bulletin Minor Revisions

Issued: July 7, 2005

********************************************************************

Summary

=======

The following bulletins have undergone a minor revision increment. Please see the appropriate bulletin for more details.

* MS05-025 

Bulletin Information:

=====================

 * MS05-025

- http://www.microsoft.com/technet/security/bulletin/MS05-025.mspx

- Reason for revision: Bulletin revised due to a new issue discovered with the security update: "Microsoft Knowledge Base Article 902395: You receive a HTTP 405 response when you click a hyperlink in Internet Explorer 6 that is in a frame and links to a WebDAV folder." "Security Update Information" section revised with updated details for the Windows XP x64 Professional Edition registry key verification information.

- Originally posted: June 14, 2005

- Updated: July 7, 2005

- Bulletin Severity Rating: Critical

- Version: 1.2

Good news, looks like a light month for patches.

_______________________________________________________________________________________________________________________________________

On 12 July 2005 Microsoft is planning to release:

Security Updates

- 2 Microsoft Security Bulletins affecting Microsoft Windows. The greatest aggregate, maximum severity rating for these bulletins is Critical. Some of these updates will require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA).

- 1 Microsoft Security Bulletin affecting Microsoft Office. The greatest aggregate, maximum severity rating for this bulletin is Critical. These updates may require a restart. These updates will be detectable using the Microsoft Baseline Security Analyzer (MBSA).

Microsoft Windows Malicious Software Removal Tool

- Microsoft will release an updated version of the Microsoft Windows Malicious Software Removal Tool on Windows Update, Microsoft Update, Windows Server Update Services and the Download Center.

Note that this tool will NOT be distributed using Software Update Services (SUS).

Non-security High Priority updates on MU, WU, WSUS and SUS

- Microsoft will release one NON-SECURITY High-Priority Update for Microsoft Office on Microsoft Update (MU), and Windows Server Update Services (WSUS).

- Microsoft will NOT release any NON-SECURITY High-Priority Updates for Windows on Windows Update (WU), or Software Update Services (SUS).

 

Although we do not anticipate any changes, the number of bulletins, products affected, restart information and severities are subject to change until released.

Microsoft will host a webcast next week to address customer questions on these bulletins. For more information on this webcast please see below:

- TechNet Webcast: Information about Microsoft's July Security Bulletins (Level 100)

- Wednesday, July 13, 2005 11:00 AM (GMT-08:00) Pacific Time (US & Canada)

- http://msevents.microsoft.com/CUI/WebCastEventDetails.aspx?EventID=1032276892&EventCategory=4&culture=en-US&CountryCode=US

At this time no additional information on these bulletins such as details regarding severity or details regarding the vulnerability will be made available until 12 July 2005.

New Mozilla Firefox and Mozilla Thunderbird 1.0.5 Test Builds - MozillaZine Talkback

New Mozilla Firefox and Mozilla Thunderbird 1.0.5 Test Builds
Wednesday July 6th, 2005


The Mozilla Quality weblog has some new Mozilla Firefox 1.0.5 test builds available for download. These are likely to be the last set of test builds before the final release of Firefox 1.0.5. Mozilla Thunderbird 1.0.5 test builds will be posted shortly.

The 1.0.5 releases of Firefox and Thunderbird are minor updates to fix some security vulnerabilities.

Military Picks CA for Hefty Anti-Spyware Contract
By Paul F. Roberts
July 6, 2005

Millions of U.S. military computers will be protected from spyware using software from Computer Associates, the company said Wednesday.

The Defense Information Systems Agency awarded Science Applications International Corp. and Computer Associates International Inc. a $6.9 million order to provide an enterprisewide spyware detection, eradication and protection product, which DISA calls "SDEP."

As part of the deal, CA's PestPatrol anti-spyware product will be installed on about four million systems owned by the U.S. Department of Defense and branches of the armed services, DISA (the Defense Information Systems Agency) said.

The deal is a major win for CA, and it's a blow to anti-virus vendors Symantec Corp. and McAfee Inc., which already protect military systems from viruses.

Read the rest of the article here: Military Picks CA for Hefty Anti-Spyware Contract

********************************************************************

Title: Microsoft Security Bulletin Minor Revisions

Issued: July 6, 2005

********************************************************************

Summary

=======

The following bulletins have undergone a minor revision increment.

Please see the appropriate bulletin for more details.

* MS05-009

* MS05-029

Bulletin Information:

=====================

* MS05-009

- http://www.microsoft.com/technet/security/bulletin/MS05-009.mspx

- Reason for revision: Updated the "Security Update Information" section for Microsoft Windows Messenger version 4.7.0.2009 with the package name in the setup switches

- Originally posted: February 8, 2005

- Updated: July 6, 2005

- Bulletin Severity Rating: Critical

- Version: 2.4

* MS05-029

- http://www.microsoft.com/technet/security/bulletin/MS05-029.mspx

- Reason for revision: Bulletin updated to add /s for the "security update without any user intervention" command for Exchange Server 5.5 Service Pack 4.

- Originally posted: June 14, 2005

- Updated: July 6, 2005

- Bulletin Severity Rating: Important

- Version: 1.1

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System - Current Infosec News and Analysis

Firefox GIF image handling heap overflow exploit

FrSIRT released a new exploit for Firefox. The vulnerability is due to a heap overrun error when processing a specific extension block in GIF images, which may be exploited to run arbitrary code on a vulnerable system via a web page or email message containing a specially crafted GIF image. The affected versions are Firefox 1.0.1 and prior.

Blogger’s Note: To be clear, anyone with Firefox version 1.0.2 and higher is not affected by this exploit.  The latest version of Firefox is 1.0.4 and you can get it here

Looks like info on this is getting better.  At least there is something you can do about the problem since there isn’t a patch.

==============================================

* Security Advisory (903144)

- Title: A COM Object (javaprxy.dll) Could Cause Internet Explorer to Unexpectedly Exit

- Web site: http://go.microsoft.com/fwlink/?LinkId=49999

- Reason for revision: Advisory updated with Microsoft Download Center information for the registry key update that disables Javaprxy.dll in Internet Explorer.

- Originally released: June 30,2005

- Updated: July 05,2005

There are some very interesting names on this list, makes you wonder…

Symantec completes Veritas merger, names new board | InfoWorld | News | 2005-07-05 | By Peter Sayer, IDG News Service

Symantec completes Veritas merger, names new board
John W. Thompson remains as chairman, CEO of new, larger Symantec

By Peter Sayer, IDG News Service
July 05, 2005

Symantec has named the six former Symantec directors and four former Veritas directors who will sit on its 10-member board, following the completion of its merger with Veritas Software Saturday.

The merger brings Symantec, of Cupertino, California, new lines of backup, archiving and file system software to add to its existing range of software for protecting home and office computer systems and networks from viruses and intrusions.

As previously announced, John W. Thompson will remain as chairman and chief executive officer of the enlarged Symantec, while the former CEO of Veritas, Gary Bloom, will become vice chairman and co-president of the merged company, Symantec said Tuesday.

The other directors are:

-- William Coleman, a Symantec board member since January 2003 and former chairman and CEO of software developer BEA Systems Inc.;

-- David Mahoney, a Symantec board member since April 2003 and now CEO of health care IT services company iMcKesson LLC.;

-- Robert S. Miller, a Symantec board member since Sept. 1994 and also CEO of Delphi Corp.;

-- George Reyes, a Symantec board member since July 2000 and chief financial officer (CFO) of Google Inc.;

-- Daniel H. Schulman, a Symantec board member since March 2000 and also CEO of mobile phone operator Virgin Mobile USA;

-- Michael Brown, a Veritas board member since 2003 and former chairman and CEO of data backup system manufacturer Quantum Corp.;

-- David Roux, a Veritas board member since 2002, and now managing director of a private equity firm he co-founded, Silver Lake Partners;

-- Paul Unruh, a member of the Veritas board since 2003, and a former CFO of construction company Bechtel Group Inc.

The board members will be eligible for re-election at the company's next annual stockholder meeting, a date for which has not yet been announced.

MIT is performing a survey for people that have blogs.  To participate, click on the image below.

Take the MIT Weblog Survey

********************************************************************

Title: Microsoft Security Advisory Notification

Updated: July 01, 2005

********************************************************************

Security Advisories Updated or Released Today
==============================================

* Security Advisory (903144)

- Title: A COM Object (javaprxy.dll) Could Cause Internet Explorer to Unexpectedly Exit

- Web site: http://go.microsoft.com/fwlink/?LinkId=49999

- Reason for revision: Advisory updated with additional mitigations and workarounds.

- Originally posted: June 30,2005

- Updated: July 01,2005
