Let's see how long it takes for the patch to come out.
http://www.neowin.net/comments.php?id=21670&category=main
-
I'm not saying it's not real, but I'm surprised that it hasn't hit BUGTRAQ or NTBUGTRAQ yet.
It's also suspicious because they're describing an exploit that apparently is embedded inside images.
This would imply that it's a vulnerability in one of the image rendering formats, like TIFF, JPG, or GIF.
If such a vulnerability exists, it's likely that it hits all browsers, not just IE. -
Another 0day? I'm getting a strange feeling of déjà vu.
/Lars. -
Is Microsoft investigating it?
-
Interesting. I wonder what eWeek's "security experts" source is. Hope Microsoft is already hard at work fixing it. Break out the whip.

/Lars. -
Beats me, I don't work in MSRC.
I'd be surprised if they weren't, but that all depends on if this is real or not.
It also depends on if this is a new exploit or not. It might not be, there have been exploitable bugs in image decoding before.
Edit: One thing to keep in mind here: AFAIK, NeoWin.Net makes its money by being as sensationalist as possible, and so does eWeek. It's also critical for them to put news up as quickly as possible to avoid being "scooped".
Neowin in particular has a reputation of putting up news first and then verifying it.
I'm not saying this isn't real. It very well may be. But it'll be interesting to see how it plays out.
As I said before, if it was real, I'd expect that NTBUGTRAQ or BUGTRAQ would be all over this, but there's been no traffic on it so far today.
It may just be a slow day on the lists though, this could be another 0day exploit.
-
They almost certainly are. But, if you ever find an exploit please let us know at secure@microsoft.com -- they do watch that alias and respond to it (I know, I've sent a few things over there).
Stay tuned to http://www.microsoft.com/security/ for more updates. -
Good point Robert. secure@microsoft.com IS monitored, 24x7 (we've had people report problems on Sunday morning at 1am and because we didn't respond to the vulnerability within 12 hours they assumed we weren't listening and instead of working with MS, they just publicly announced the vulnerability).
I'm still not convinced about the reality of this one.
I looked at Netsec's web site and they don't have any information on it, which is actually good, because it implies that they're not announcing this to garner publicity for their company (this has happened before).
One of the issues with security is that for every eEye or NGSB out there, there are a bunch of people who would love to sell their products and are more than willing to cry wolf in order to increase their sales.
That's actually why I'm suspicious. Usually news of this kind of thing starts showing up on bugtraq before it hits the press.
The fact that Netsec hasn't put up a press release indicates that it's possible that they're working with MSRC to figure out what's going on. Which would be a good thing.
If it's real, there should be an announcement of some kind soon. -
Info from symantec on the virus:
http://securityresponse.symantec.com/avcenter/venc/data/js.scob.trojan.html
From Ziff-Davis:
http://zdnet.com.com/2100-1105_2-5247187.html
The same article from MSNBC:
http://www.msnbc.msn.com/id/5290386/
The vulnerability being exploited (according to ZD):
http://zdnet.com.com/2100-1105_2-5229707.html?tag=nl
The vulnerability in question was reported by Jelmer on Bugtraq about a week ago, XP SP2 isn't vulnerable to it. -
More information from the Internet Storm Center, including the filenames found on compromised IIS systems, and the evidence to look for in proxy logs: http://isc.incidents.org/
-
Ok, Microsoft's security team are calling it "Download.Ject". Here's the recommended steps for sysadmins to take:
http://www.microsoft.com/security/incident/download_ject.mspx
Currently looks like systems running IIS 5 on unpatched Windows 2000 are vulnerable. -
But what about Internet Explorer?
-
Apparently the tack that's being taken is to fix the vulnerable IIS machines.
I'm not 100% sure why, because it seems to me that this just fixes this particular vector of the vulnerability, but...
-
I am following eEye's suggestion and doing the following registry edit for about 1000 users on Monday; I'll let you know how it goes. Have tested it for a couple of days and it seems OK.
http://www.eeye.com/html/research/alerts/AL20040610.html
Windows Registry Editor Version 5.00

; Set the kill bit (0x400) on the ADODB.Stream CLSID so IE will not instantiate it
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
"Compatibility Flags"=dword:00000400

; Leading "-" deletes the application/hta MIME type registration
[-HKEY_LOCAL_MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/hta]
Thanks Microsoft, I was one of your biggest supporters in my organization.
Linux looks better every day, and Opera/Firebird are a slam dunk.
Vance -
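An added example (not from the thread, Vance's post or eEye's alert): a PowerShell script that audits whether the two mitigations in the .reg file above are in place on a machine, and applies them when run with -Apply. It uses the .NET Registry classes rather than the HKLM: provider because the MIME key name contains a forward slash, which the provider treats as a path separator. The CLSID, the 0x400 kill-bit value and the key paths are the ones in the posted .reg file; the function names are this example's own.

```powershell
# Added example, not part of the original thread or eEye's alert.
# Audits and optionally applies the ADODB.Stream kill bit and the removal
# of the application/hta MIME type. Run from an elevated prompt.
param([switch]$Apply)

# Key paths taken from the .reg file posted above (relative to HKLM).
$ClsidKeyPath = 'SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}'
$MimeParent   = 'SOFTWARE\Classes\MIME\Database\Content Type'
$HtaSubKey    = 'application/hta'
$KillBit      = 0x400   # "Compatibility Flags" bit that makes IE refuse to load the control

$hklm = [Microsoft.Win32.Registry]::LocalMachine

function Get-KillBitState {
    # $true when the kill bit is already set on the ADODB.Stream CLSID.
    $key = $hklm.OpenSubKey($ClsidKeyPath)
    if ($null -eq $key) { return $false }
    try {
        $flags = $key.GetValue('Compatibility Flags')
        if ($null -eq $flags) { return $false }
        return (([int]$flags -band $KillBit) -eq $KillBit)
    } finally { $key.Close() }
}

function Set-KillBit {
    # Creates the compatibility key if absent and ORs in the kill bit,
    # preserving any other flags already present.
    $key = $hklm.CreateSubKey($ClsidKeyPath)
    try {
        $flags = $key.GetValue('Compatibility Flags')
        if ($null -eq $flags) { $flags = 0 }
        $key.SetValue('Compatibility Flags', ([int]$flags -bor $KillBit),
                      [Microsoft.Win32.RegistryValueKind]::DWord)
    } finally { $key.Close() }
}

function Test-HtaMimeKey {
    # $true when the application/hta MIME type is still registered.
    $parent = $hklm.OpenSubKey($MimeParent)
    if ($null -eq $parent) { return $false }
    try { return ($parent.GetSubKeyNames() -contains $HtaSubKey) }
    finally { $parent.Close() }
}

function Remove-HtaMimeKey {
    # Equivalent of the "[-HKEY_LOCAL_MACHINE\...\application/hta]" line in the .reg file.
    $parent = $hklm.OpenSubKey($MimeParent, $true)
    if ($null -eq $parent) { return }
    try { $parent.DeleteSubKeyTree($HtaSubKey) } finally { $parent.Close() }
}

$killBitSet = Get-KillBitState
$htaPresent = Test-HtaMimeKey
Write-Host ("ADODB.Stream kill bit set : {0}" -f $killBitSet)
Write-Host ("application/hta MIME key  : {0}" -f $(if ($htaPresent) { 'present' } else { 'absent' }))

if ($Apply) {
    if (-not $killBitSet) { Set-KillBit;       Write-Host 'Kill bit applied.' }
    if ($htaPresent)      { Remove-HtaMimeKey; Write-Host 'application/hta MIME key removed.' }
    Write-Host ("After: kill bit = {0}, hta key present = {1}" -f (Get-KillBitState), (Test-HtaMimeKey))
}
```

Without -Apply the script only reports, which is the form to push out first so you can see how many of the 1000 machines already have the settings. Note that on 64-bit Windows the 32-bit IE reads the same keys under Wow6432Node; neither the posted .reg file nor this script touches that view.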
Microsoft has released a security alert. We have a team that is dedicated to these kinds of crisis situations.
They publish their findings at microsoft.com/security.
If you find a new exploit, or know of some security problem on one of our products, please send email to secure@microsoft.com.
Already this page has been updated a few times in the past 24 hours. If you think you have a security problem with a Microsoft product, please check the security site.
If you just want to make sure you are protected, then visit microsoft.com/protect.
-
XPSP2, where art thou?
If this exploit uses the 'Jelmer vulnerability', fixing IIS still leaves MSIE open for someone else to exploit. Come on, either get XPSP2 out the door or fix ADODB.Stream already.
Hmm. Symantec has named it JS.Scob.Trojan. Are you moonlighting Scoble?
/Lars. -
manickernel wrote:
Thanks Microsoft, I was one of your biggest supporters in my organization.
Linux looks better every day, and Opera/Firebird are a slam dunk.
Vance
Vance, Come on man. When linux gets big enough the script kiddies will attack it as well. They get more bang for the buck by attacking MS right now.
~ Knute -
True that. It's not like Linux based systems are unheard of on Bugtraq or Full Disclosure. No one is perfect (including me).
/Lars.