From: Fred Cohen <fc@all.net>
To: iwar@onelist.com (Information Warfare Mailing List)
Date: Thu, 29 Nov 2001 16:41:53 -0800 (PST)
Subject: [iwar] [fc:Worms:.Despite.patching,.infection.continues..Why?]
Message-Id: <200111300041.fAU0frV14640@red.all.net>
Organization: I'm not allowed to say
Mailing-List: list iwar@yahoogroups.com; contact iwar-owner@yahoogroups.com
Reply-To: iwar@yahoogroups.com

Worms: Despite patching, infection continues. Why?
By Robert Vamosi, AnchorDesk, 11/29/2001
http://dailynews.yahoo.com/h/zd/20011128/tc/worms_despite_patching_infection_continues_why__1.html

Within the last few weeks, several worms have taken advantage of a single vulnerability in Internet Explorer to assault computers worldwide. It's a vulnerability that allows the worm's code to execute automatically on some computers. Instead of requiring a user to open an infected e-mail in Outlook and then actually click on the attached file to launch the program, these new worms work differently. They take advantage of the so-called "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability in Internet Explorer 5.01 and 5.5, which allows the worms to automatically execute upon arrival--no clicking necessary.

WHAT IS ODD is that Microsoft patched this vulnerability earlier this year. Nevertheless, the Incorrect MIME vulnerability is hot, hot, hot within virus-writing circles. The vulnerability affects certain Multipurpose Internet Mail Extensions (MIME) types. For example, if someone sends a video e-mail, a viewer will open to display the video. In this case, if someone sends certain types of executable files, these also open automatically, even if they contain malicious code.

As I write this, Badtrans.B has replaced Sircam as the #1 virus on MessageLabs' Top Ten daily graph. Badtrans.B achieved this distinction because it recycles existing e-mail, sending copies to people as though you were replying.

RUNNING A CLOSE SECOND is Aliz, a pithy little file, just 4KB, that simply executes copies of itself automatically, flooding e-mail servers with excess junk mail. In recent weeks there was also the Klez worm, which appears to be nothing more than a job request, and Finaldo, short for Final Doom, which appears to be a worm in progress. The text within its code promises even greater damage from a future variation.

Fortunately, Microsoft's MS01-020 patch for the Incorrect MIME vulnerability has been available since March 29, 2001. What? Never heard of it? Well, neither had I, until Nimda came along in September.

YES, THE SAME PATCH that prevents Nimda can also prevent these new worms from spreading. So why haven't more people patched their systems? The answer's kind of complicated, like the solution.

Virus outbreaks like Badtrans.B, Sircam, and ILOVEYOU get their biggest boosts from office environments, not home users. Offices warehouse millions of e-mail addresses, so infecting one company can send copies of a virus all over the world. Also, offices are less likely to have upgraded or patched their Internet Explorer programs because IT departments first evaluate new releases of software before installing them.

Nevertheless, I think the whole Internet Explorer patch process is messed up--and the virus writers know that. In the past, I've advocated better methods of alerting users and installing patches. So far, no one method is without its own faults.

Here, the patch itself is confusing as hell to install. For example, if you are still running Internet Explorer 4 or before, you're fine but missing much of the Internet. If you are using Internet Explorer 5.01, then download the MS01-020 patch. HOWEVER, if you already loaded Service Pack 2 for 5.01, then you don't need to run the MS01-020 patch. If you're running Internet Explorer 5.5, then download the MS01-020 patch. Now that you have figured out whether you should or should not download the MS01-020 patch, you scroll through the lengthy digressions on the Microsoft site only to discover that MS01-027 has superseded MS01-020. What?

While it is not immediately clear that these bulletins are discussing the same flaws, the patch described in "Flaws in Web Server Certificate Validation Could Enable Spoofing" also handles minor variations on the above-mentioned MIME vulnerability. So, really, you should download MS01-027, yet none of the antivirus sites says skip GO and head directly to MS01-027.

MICROSOFT EXPLAINS the MIME problem in MS01-020, and has asked that readers start with that bulletin before jumping into MS01-027. Given the whole patch morass, you might decide to chuck the whole process and simply download a new version of Internet Explorer. But be careful: failure to choose the full or typical install with version 6.0 could mean that your machine is still vulnerable. And, as mentioned in a recent AnchorDesk column, there's virtually no way to burn a disk with all the CAB files required for Internet Explorer, so office IT departments will have to download it one machine at a time.

For the moment, while Badtrans.B and Aliz are loose, I think Microsoft should offer one clearly labeled patch and stop complicating things. In the future, perhaps Microsoft could work with the antivirus companies. One idea that's been suggested: have Microsoft patches included with any antivirus signature file. Might not be a bad idea.
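Added example, not part of the original message or of Vamosi's column: the flaw the column describes is that the browser trusted the declared Content-Type of an attachment and rendered it in place, so an executable labelled as a media clip ran on arrival. A mail gateway should refuse to make the same assumption. The Python below parses a message with the standard library, treats each part's declared type as untrusted, and flags any part that claims an auto-rendered media type while its filename or magic bytes identify a Windows executable. The message is a constructed sample (a PE header stub, not a real worm), and the lists of "auto-render" types and executable extensions are assumptions for illustration rather than anything taken from the Microsoft bulletins.

```python
import email
import os
from email import policy

# Assumption for this example: declared types a mail client may render in
# place without prompting the user. Not an exhaustive list.
AUTO_RENDER_PREFIXES = ("audio/", "video/", "image/", "text/")

# Assumption for this example: extensions Windows executes when "opened".
EXECUTABLE_EXTENSIONS = {
    ".exe", ".com", ".pif", ".scr", ".bat", ".cmd", ".vbs", ".js", ".hta",
}


def looks_like_pe(data: bytes) -> bool:
    """True if the payload starts with the DOS/PE 'MZ' magic bytes."""
    return data[:2] == b"MZ"


def find_mime_mismatches(raw: bytes) -> list:
    """Return one finding per leaf part whose declared Content-Type says
    'render me' while its name or magic bytes say 'Windows executable'.

    The declared type is treated as attacker-controlled input: it is the
    very header the vulnerable IE builds trusted, so the decision here is
    driven by the filename and the payload bytes instead.
    """
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()
        # get_filename() reads Content-Disposition's filename= and falls
        # back to Content-Type's name= parameter, so a part that only
        # carries name= on the Content-Type line is still covered.
        filename = (part.get_filename() or "").lower()
        ext = os.path.splitext(filename)[1]
        payload = part.get_payload(decode=True) or b""

        if not ctype.startswith(AUTO_RENDER_PREFIXES):
            continue  # declared as a download; outside this check's scope
        reasons = []
        if ext in EXECUTABLE_EXTENSIONS:
            reasons.append(f"executable name {filename!r}")
        if looks_like_pe(payload):
            reasons.append("payload starts with MZ (PE/DOS executable)")
        if reasons:
            findings.append({
                "content_type": ctype,
                "filename": filename,
                "reasons": reasons,
            })
    return findings


# Constructed sample: an HTML body, a genuine RIFF/WAV stub, and a PE stub
# declared as a WAV clip. Only the last part should be flagged.
SAMPLE_MESSAGE = b"""\
From: sender@example.invalid
To: victim@example.invalid
Subject: Re: your request
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="bnd"

--bnd
Content-Type: text/html; charset="us-ascii"

<html><body>see attached</body></html>
--bnd
Content-Type: audio/x-wav; name="song.wav"
Content-Transfer-Encoding: base64

UklGRg==
--bnd
Content-Type: audio/x-wav; name="readme.exe"
Content-Transfer-Encoding: base64

TVqQAAMAAAAEAAAA//8AAA==
--bnd--
"""

if __name__ == "__main__":
    for f in find_mime_mismatches(SAMPLE_MESSAGE):
        print(f"{f['content_type']} {f['filename']}: {'; '.join(f['reasons'])}")
```

The check deliberately ignores what the declared type says about the content and asks two independent questions, name and magic bytes, so an attachment whose extension has been disguised is still caught by the MZ signature, and a renamed executable with its header stripped is still caught by its extension. A gateway that only whitelisted Content-Type values would have passed both of the worm-style parts unchanged.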
This archive was generated by hypermail 2.1.2 : 2001-12-31 21:00:00 PST