Recently in Security Alert Category

You are probably one of the millions of computer users that use a computer each and every day, yet have no idea how to look out for themselves. You run scared if you hear the words "malware", "virus", "trojan" or "APT". "DDOS" doesn't ring a bell, but "cybercrime" and "spam" sound familiar because you've heard about those on the news before.

Well, all of those are threats for sure, but you don't need to panic about them. Common sense will help you more than high-tech software, firewalls and consultants.

Some tips :

  • Don't just click every link you find or see on the internet, or receive by mail.
  • Keep your computer and programs up to date.

The first tip is more about being aware that something could be fake or a potential issue, and as such avoiding it. Keeping your computer and the programs on it up to date can seem a difficult task, but I'll just point you to Secunia PSI, which is an excellent little tool to help you do that.

It's free, reputable and easy to use. Even if you run it in simple mode, it'll help you - or rather your computer - stay up to date, less prone to security issues and trouble.

So, take the next 30 minutes of your time (it'll probably take much less) and take a big step forward towards a safer computer experience.

  1. Surf to (I could link to it, but security awareness is not to just click whatever link you see, remember?)
  2. Find the free PSI tool, download and install it.
  3. Run the Personal Software Inspector (PSI)
  4. Be all amazed how many programs, applications actually need an update
  5. Follow the instructions to get things updated. Even if you can't make some things update, it'll have been worth it.
  6. Reboot your computer after you updated as much as you can.
  7. Surf to, pick your language and download Spybot S&D
  8. Install Spybot S&D and then run an update for it (Update Spybot-S&D)
  9. Run Spybot S&D and let it fix whatever issues it finds
  10. Reboot your computer
  11. Enjoy using it, feeling and being quite a bit safer.

The geek is on the loose

| No Comments

I'm sitting on my bed, wearing a boxer short and t-shirt, listening to the UK Top 100 Singles from December 11th 2010, typing away on my laptop. It's just past 9AM, and I've been awake for about 30 minutes. Last night I installed the new Secunia PSI tool (version 2.0 was released earlier this week) and scanned my system for end-of-life software and vulnerabilities. If you have Secunia PSI 1.5.x installed - and if I ever laid hands on your computer, you probably have - I suggest you upgrade to the latest version.

It has the option to automatically download and install patches, but I've turned it off, to be honest. I don't like software downloading and installing updates and patches I know nothing about. Instead I've set it to notify me if there are updates. Anyway, if you are a regular user of computers, you may want to leave it set to automatic. Find the new Secunia PSI 2.0.x version here :

This morning I received a Microsoft security advisory - and with me millions of other people I suppose, I don't have a direct connection to MS that provides me with personalized advisories, lol - that talked about a vulnerability in all IE versions and that no active exploits were out (yet?). Anyway, to make a long story short, I grabbed EMET and configured IE, Firefox, Thunderbird and Acrobat Reader to use it. While being far from a bullet proof solution, it should help lock down - still unknown - vulnerabilities in the programs I use to access the web most frequently. I'll run some tests with it and then may include other programs as well. If you don't mind doing a bit of configuration - nothing too difficult or fancy - take a look at

Stay safe and have a wonderful 2011!

Routing for efficiency

| No Comments

After having a full 4 hours of sleep, I feel like crap, yet I'm up again and ready to rumble. Gathering the last bits of information I need and then I'll be planning the most efficient route to get things done today. Sounds overly practical? You betcha!

If you're a user of Firefox, update to version 3.5.1 now. Don't wait till tomorrow or even after lunch. This newest update fixes a critical vulnerability that is being used in the wild, and you don't wanna end up on the wrong side of the stick. Easiest way to update? Open Firefox, go to the "Help" menu and "Check for updates".

Security is a verb

| No Comments

I just got back home from a quick intervention to fix some computer related problems at J&S's place - their virus scanner needed an upgrade and while it's not all that complicated for someone familiar with the process, they opted to call me in to do it for them. Wise choice :)

This creates a win-win situation : they know that I won't just run in and out and leave things behind broken, and I get some spare cash out of my experience and knowledge. Today's tasks included upgrading the virus scanner on J's machine, updating Spybot S&D, removing an old Java install and installing the new one, cleaning up some no longer needed files and desktop links, and a full test of all the programs he uses frequently to make sure nothing got fubar'ed.

On S's machine I verified the virus scanner installation, removed no less than 3 out of date Spybot installations and installed the latest version. Opera also got an update and an old flash version was patched as well. It still leaves her system rather vulnerable due to missing OS and Office patches, but that's something I can't fix that easily as they opted to "borrow" an installation disk from someone else, hence it's running a "not so legit" version of office.

All of that was done within the hour while having a nice chat and giving security tips along the way. Securing machines is a very rewarding job, believe me, even if there is no such thing as 100% security.

For those less in the know or up to date on vulnerabilities :
- Firefox version 3.0.10 was released recently, patching one additional vulnerability
- NoScript saw the release of version (Firefox plugin)
- Opera version 9.64 is available
- IE 8 has been deemed a critical update through Windows Update.

Hit the update button!

| No Comments

It's been a while since I urged everyone to patch their computers, but today seems like a perfect occasion to get everyone's attention. Take your pick, depending on whether or not you actually use the program and/or version mentioned. Remember to uninstall programs you no longer use - if it ain't installed, it can't be used as an attack vector!

If you don't trust the direct download links I'm providing, I'm also listing the homepage of the software creator so you can hunt down the correct link yourself.

  • Firefox 3.0.7 - download -
  • Adobe Acrobat Reader 9.1 - download -
  • Adobe Flash - download -
  • Windows - Various Patches - download -

It can be quite challenging to keep an eye on what new versions are released, what software needs patching, or where to get those updates. You could give the excellent Secunia PSI tool a try : Secunia PSI download.

It'll scan your machine and report what software is out of date, vulnerable or end-of-life, as well as give you - where possible - a direct download link so you can stay up to date easily. Run it every week or have it monitor your computer constantly, your choice, but I use it on all my machines and recommend it to most of my friends, relatives...

Good news I can finally share


A couple of days ago I got the official "all clear" from J&M to publicly write on the blog that they're expecting a first baby around February 2009. I had posted it before, but that was before everyone knew, so I pulled that one real fast :)

Something different now : if you use Gmail, make sure you have set it to always use SSL. If you are not certain about how to do it, or why you should, read on. Open your Gmail account and go to "settings". Then scroll to the bottom of the page and select "Browser connection: Always use https". Make sure you update this setting for all your Gmail accounts. Always log out of your account when you're done (not just when changing settings).

Forcing the browser to always use a secure connection will help prevent unauthorized access or even identity theft. Check the support entry for SSL on Gmail here : Enabling the HTTPS setting.

Tuesday, Patch Day!

| No Comments

Second Tuesday of the month, so Microsoft will be releasing their monthly patches today. Up on the list for June are 3 rated critical, 3 important and one moderate. As soon as they are available, apply them.

Apple released version 7.5 of their Quicktime player, fixing 5 vulnerabilities, and OpenOffice got bumped to version 2.4.1, fixing an overflow issue. Especially with the rise of third party software and plugins (such as Quicktime, Flash, ...) becoming the new method of gaining access to infect machines, you cannot delay these for too long.

Patch Time, Episode 20080409


It would be wise to run the Secunia PSI tool on your computer today. Lots of my family and friends know what program I'm talking about, but for those that don't : it'll help you keep your systems up to date and secure. Download it at Why do I tell you to do that today? Because yesterday Microsoft released quite a few patches for Windows, and Adobe has released a newer version of their Flash Player. No doubt other programs may need to be updated/patched as well. Go do it, now!

Unrelated note : I've taken a full 7 days off from work in May. I'll be traveling somewhere, but don't know the destination yet, lol.

Techy update : patch time

| No Comments

The Microsoft Windows patches for the month are available, or should be very soon. Software affected includes Internet Explorer 7, Microsoft Word, VBScript, Microsoft Works and Office Publisher, as well as the Windows TCP/IP stack, and some IIS vulnerabilities that allow remote code execution. Out of the 11 patches, 5 are deemed important and 6 are even critical. If you'd like to use your Windows based computer relatively safely for the next couple of days, patch it now. According to the SANS Institute, no exploits are publicly known, but I think it may well be under 48 hours before the first are in the wild.

Urgent action required


I had hoped I could avoid posting urgent update news for a couple of days, but it seems nothing is safe these days. On Tuesday, no less than 12 new patches for Microsoft Windows and related applications will be released; some will be rated critical and require patching asap.

Onto third party applications : Adobe has released updates for Acrobat and Acrobat Reader (the tool you use to open and read .pdf files). Unfortunately, the patches that close some vulnerabilities are only available for Acrobat Reader 8 and not Acrobat Reader 7. Exploits are in the wild and attack vectors right now include mass mailing as well as banners served on otherwise legit portals. My suggestion : update immediately to Acrobat Reader 8.1.2. While at it, make sure your flash player version is up to date as well.

Firefox was bumped to version patching 10 issues of which 3 were deemed critical. Thunderbird patches are hopefully to follow soon. Update : according to one source (Hacker Webzine) version is still vulnerable to some directory traversal exploit. Using the NoScript plugin would mitigate abuse till a new and better patched version appears, probably version

If you have trouble keeping up with new releases or have no clue how to stay up to date or where to download, I'll once again suggest installing the Secunia Personal Software Inspector. Download from the secunia website : Secunia PSI.

I think the time has come to wake everyone up again about the importance of securing your computer. You do lock your doors when leaving your house or parking your car, and your valuables are stored in a vault somewhere, right? The time that you used your computer just to type out a letter or play some game is long gone. Your computer will contain traces of your identity, may have bank account information stored on it, your passwords and ID for the online stock market, e-mail account information, you name it. If you never thought about it, now is the time to start doing so.

Why do I bring up all this? Because I've got an excellent story to share with you all, and while the specifics are beyond me and I never actually thought about it, the story in itself hardly comes as a surprise. Thanks for the scoop, Dad. I probably would have missed it otherwise (too many news feeds to follow).

According to these articles (article 1, article 2), researchers have found a way to print directly to your network connected printer, by including some malicious code to a web page. Yes, obviously that would allow spammers to deliver spam directly to your printer (aaargh!) but also could lead to your confidential data being printed on some printer halfway across the world. And nothing you would be able to do about it.

Well, as long as XSS (aka Cross Site Scripting) exploits and vulnerabilities exist, you can bet your money that they'll be (ab)used sooner rather than later. While browser developers scramble to close the holes, there is something you can do : turn off your printer and only turn it on when you actually need it. Simple as that.

While that would partially restrict the impact of this exploit, the underlying cause remains. Another option - if you use Firefox, that is - is to install the NoScript browser addon. It was specifically coded to prevent and catch XSS exploits. It's not the prince on the white horse, nor the savior of the universe, but the fewer options the bad guys get to manipulate your data and your browser sessions, the harder it'll be to succeed.

Note : I specifically point to this firefox addon because I tend to use and love it. If there are similar scripts or extensions for IE, Opera, Safari or whatever browser you may be using, please feel free to let me know. I'll happily include a link in this post.

Keep your eyes open!

| 1 Comment

Two hours ago I received a mail in one of the many mail accounts that I have that included a link and message from someone I didn't know. The text and subject were in Spanish (Trigger 1), the message came from someone I didn't know (Trigger 2) and it was linked to a site in the UK (Trigger 3) that I don't know either.

I decided to carefully check out the links and sure enough after I took some precautions, I downloaded a file named foto07_euevc.jpg__-____Tipo_-_Ima.jpg.sCR. It is supposed to look like an image in JPEG format, but the .scr extension was a dead giveaway for me : a screen saver.

I uploaded the sample to virustotal and only 16 of the 32 different scanning engines that examined the file were triggered. Out of that 50%, quite a few only marked it suspicious due to heuristic scanning, which makes the sample possibly new and/or unknown. Samples will be distributed and if this is new, most scanners should have virus definitions updated soon. (Results can be found here : Virustotal Scan Results)

I've sent a mail to the webmaster of the site that is abused to spread the links, though the file itself is served from elsewhere.

For the time being, I suggest blocking, from which the actual file is served. (Sanitized URL : http : / / www . laeslnetwork . com / board /images / anmf / - explore only if you know what you're doing!)

Update(s) : I made an error while handling the suspicious file - it once again shows you gotta be careful when dealing with malware. I really should dedicate a machine to it, or run a VM session to make sure whatever happens, things remain under control.

I knew something was amiss when two new files appeared in a directory I browse regularly, and it usually doesn't contain any .dat files. Now it did, so I launched ProcessExplorer and started hunting down my adversary. I've identified and killed the wnupd.exe process, deleted the wnupd.exe file in the temp directory and removed the run entry in the registry for the Ltaskup.exe file that was also dropped in my windows/media folder. 1 cold boot later, my machine is clean again.

I've found some results when searching for wnupd.exe and Ltaskup.exe, and this virus/malware may have first been seen in Spain on September 4th, 2007. Makes me wonder why only 50% of the virus scanners pick it up?!

Update 2 : The sample I submitted to F-Secure (I do read their blog in my RSS newsreader and think high of them and their products) was analyzed and - as I expected - tagged as malicious. A signature will be added to their database for the next release of their virus scanner. A sample also has been sent to the guys at Sophos (currently analyzing), and the sample has also been submitted to AVG.

Update 3 : AVG Tech support just got back to me and identified the sample as a new variant of the Trojan Downloader.Banload. Seems I caught something new after all! Still waiting on the Sophos analysis...

Update 4 : Sophos analysis results arrived in my mailbox 18 minutes ago and they have added detection for the new sample. Info can be found at : Troj/Dloadr-BFJ.
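Two of the tells in this story can be turned into simple triage checks: an attachment name that hides an executable extension behind a decoy image extension, as the .jpg.sCR file did, and an auto-start (Run key) entry whose program lives in a temp directory or an odd system folder, as the dropped wnupd.exe and Ltaskup.exe did. The script below is an added example, not code from the post; the file names come from the post, but the full paths, the registry value names and the harmless updater entry are constructed assumptions.

```python
"""Two triage checks for the tells described in this post.

1. A mail attachment whose name ends in an executable extension (.scr here)
   but carries an image or document extension earlier in the name.
2. An auto-start (Run key) entry pointing at an executable in a temp
   directory or an unusual system folder (the post's wnupd.exe in the temp
   directory and Ltaskup.exe in windows\\media).

All sample data is constructed for illustration: the file names come from
the post, the full paths and registry value names are assumed.
"""
import ntpath
import re

# Extensions Windows runs as a program on double-click.
EXECUTABLE_EXTS = {".scr", ".exe", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".hta"}
# Extensions typically used as the decoy half of a double extension.
DECOY_EXTS = {".jpg", ".jpeg", ".gif", ".png", ".bmp", ".pdf", ".doc", ".txt"}

# Path fragments (lower-case, backslash form) where a legitimate auto-start
# entry rarely lives, and ones where it usually does.
SUSPECT_DIR_MARKERS = ("\\temp\\", "\\tmp\\", "\\windows\\media\\")
TRUSTED_DIR_MARKERS = ("\\program files", "\\windows\\system32\\")


def attachment_verdict(filename):
    """Return the reasons an attachment name looks deceptive (empty list if none)."""
    reasons = []
    base = ntpath.basename(filename)
    real_ext = ntpath.splitext(base)[1].lower()   # the part Windows acts on
    stem = base[:-len(real_ext)] if real_ext else base
    if real_ext in EXECUTABLE_EXTS:
        reasons.append("executable extension " + real_ext)
        # Only a decoy combined with an executable ending is a double extension.
        decoys = sorted(d for d in DECOY_EXTS if d in stem.lower())
        if decoys:
            reasons.append("decoy extension " + ", ".join(decoys) + " before the real one")
    # Runs of spaces or underscores push the real extension out of view.
    if re.search(r"[ _]{4,}", stem):
        reasons.append("padding that hides the end of the name")
    return reasons


def _command_executable(command):
    """Pull the executable path out of a Run-key command string.
    Handles a quoted path with arguments and a bare path with arguments."""
    command = command.strip()
    if command.startswith('"'):
        end = command.find('"', 1)
        return command[1:end] if end > 0 else command[1:]
    return command.split(" ", 1)[0]


def suspicious_run_entries(entries):
    """entries: iterable of (value_name, command).
    Returns [(value_name, executable_path, reason)] for entries worth a look."""
    findings = []
    for value_name, command in entries:
        exe = _command_executable(command)
        low = exe.lower().replace("/", "\\")
        if any(marker in low for marker in TRUSTED_DIR_MARKERS):
            continue
        for marker in SUSPECT_DIR_MARKERS:
            if marker in low:
                findings.append((value_name, exe, "auto-start from " + marker.strip("\\")))
                break
    return findings


# Constructed Run-key entries: one plausible legitimate updater (assumed) and
# the two drops from the post, under assumed full paths.
SAMPLE_RUN_ENTRIES = [
    ("VendorUpdater", r'"C:\Program Files\Vendor\updater.exe" /background'),
    ("Ltaskup", r"C:\WINDOWS\media\Ltaskup.exe"),
    ("wnupd", r"C:\DOCUME~1\user\LOCALS~1\Temp\wnupd.exe /s"),
]
SAMPLE_ATTACHMENT = "foto07_euevc.jpg__-____Tipo_-_Ima.jpg.sCR"

if __name__ == "__main__":
    print("attachment:", SAMPLE_ATTACHMENT)
    for reason in attachment_verdict(SAMPLE_ATTACHMENT):
        print("  -", reason)
    for name, exe, reason in suspicious_run_entries(SAMPLE_RUN_ENTRIES):
        print("Run entry %r -> %s (%s)" % (name, exe, reason))
```

On a real machine the Run entries would come from an export of the HKLM and HKCU Run keys rather than the constructed list.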

Bring out the duck tape!

| No Comments

Just a quick entry pointing to Doomwatchers sound Windows and IE vuln alarm. "Vuln" of course is shorthand for vulnerability and for those of you not planning on actually reading the article, here's a quick rundown of important details :

1. vulnerabilities in Windows API libraries MFC42 and MFC71. Scope : could be very broad as all sorts of third party applications could rely on these libraries to perform searches on Windows OS based computers. Solution : none for now.

2. flaw in Apple QuickTime, allowing people to pass malicious code to Internet Explorer. The same bug and proof-of-concept exploit code exist for Mozilla Firefox. Scope : bad, as most systems have QT installed and users consider movie files to be harmless. Solution : Apple hasn't released a patch yet. Firefox released a patched version of their browser to prevent abuse on Tuesday. Update to Firefox

3. vulnerability in Windows Media Player 9 series. Scope : broad as WMP 9 is the default player for Windows XP SP2 systems, and even with automatic Windows updates on, one is never prompted to install an update. Solution : update to Windows Media Player 10 or 11.

Beware of scammers!

| 1 Comment

I just received the following mail, at first look from someone interested in purchasing one of my domain names :


I would like to purchase your domain (domain name only, not any site or content).

If you are interested in selling please provide an asking price or we can submit an offer if you prefer.

Thank you,

Mark Hayes

Sounds like a legit mail from a potential buyer, doesn't it? Well, if this buyer was a professional, I'm sure we'd find something on the internet about him, especially as he claims to be in the business of buying and selling domain names. However, the first two entries... point out that he's a fraud. Add another fraud entry to your list Mark Hayes : we're getting the word out and you'll have to switch identity soon.


| No Comments

Got a security update yesterday, and version is available. A passive port FTP scan vulnerability (Mozilla Foundation Security Advisory 2007-11) was fixed, as well as some web compatibility issues. Updating should be automatic, though it may be faster if you tell it to check for updates using the Check for Updates function in the Help menu.

Check and update, people!

| 1 Comment

It's been a while since I posted really boring stuff - or so I hope - so here we go again. Remember that in the end, I'm only doing this to help you all out :)

- Skype - new release ( on January 24th 2007 (no change log to be found!)
- FileZilla - new release (2.2.30a) on January 2nd 2007 (security update)
- Quicktime - v7.1.3.191 security update. Mac users can update, windows is troublesome.

Time to clean out your machine


It's been a while since I pointed out some security concerns, but today I'd like to take some time to do so. With the holidays and festivities coming up fast, loads of people will be out of the office the next week or two. Security and systems administrators often fall back on a skeleton crew, or are only available on call. This situation is quite an opportunity for people with less than good intentions to access your system, don't you agree?

I should not have to ask you if you have already patched the recently announced vulnerabilities in Windows, because you should have done so by now. Patching and keeping your operating system up to date is one thing, but what about all that other software that resides on it? Do you have the latest version of Winamp, Sun Java, WinZip, FileZilla, Outlook Express, Adobe Flash Player, Adobe Reader? The list goes on and on and is quite diverse as it depends on what's installed on your machine.

Here's my suggestion for the day :

Click on that button once you're done reading this post. It'll bring you to an online tool that'll check your machine for vulnerable versions. Click the "start" button and sit back. There is no need to select the "thorough system inspection" unless you are truly paranoid. It'll run for a couple of seconds/minutes and then give you a nice list :

Detection Statistics:
0 Applications Detected in Total
0 Insecure Versions Detected
0 Secure Versions Detected

At a first scan, I ended up with 11 total applications, 4 insecure and 7 secure. And - as you probably know by now - I'm quite security aware. I wonder what results you'll get. I've since resolved the issues presented and am now up to all secure (within limits of the scanner).

If you find insecure application versions, scroll down for pointers to new or patched applications. It sometimes will take some effort to get rid of old and insecure programs even if a newer version is installed. If that's the case, tell me next time we meet and I'll take a look at it. I for instance had some trouble getting Flash player 4, 7 and 9r16 off my system, even though I had installed 9r28.

Global Timing Differences?

| No Comments

According to a security bulletin just released by Secunia, MT installations with versions 3.3, 3.31 and 3.32 are vulnerable to a cross site scripting attack. This info was obtained from a Japanese researcher, and while the Japanese Sixapart site refers to this issue and seems to offer a patched version 3.33, the site mentions nothing (yet) at the time of this post.

Unfortunately, my Japanese is not good enough to know what has been released and what patches/updates are available. If anyone could translate, please do so and leave some feedback!

Update : Movable Type 3.33/MT Enterprise 1.03 released

It's been a while since I blogged about purely technical things, security and such, so here we go.

Owners of laptops with an Intel Centrino chipset, beware : Intel Centrino Vulnerabilities (Internet Storm Center) found. Also read Intel plugs Centrino vulns (The Register) and Centrino wireless flaw could be exploited by hackers to spread malware (Sophos). My suggestion? Patch now.

But there is more wireless news : 2 hackers will be showing how to hack a MacBook in front of a room full of hackers at the Black Hat conference. They plan to do this by exploiting vulnerabilities in the low level code of the wireless device drivers. Read the full article : Hijacking a Macbook in 60 Seconds or Less (Security Fix). Exploits such as these are not limited to the MacBook, the same vulnerabilities exist in drivers from other companies! To be continued for sure...

If you're using GnuPG (an implementation of the OpenPGP standard) you should update your install to version 1.4.5 as some vulnerabilities have been plugged. Download : GnuPG version 1.4.5 stable.

While reading various RSS feeds, I came across a short entry by Bruce Schneier : ScatterChat. ScatterChat is a secure Instant Messaging Client using the Tor network. Go take a look for yourself : ScatterChat.

We have the answer!

| No Comments

I don't know how many of you, dear readers, are aware of the recent commotion about a vulnerability in powerpoint that is being actively exploited. I guess none of you knew about it, to be honest. Anyway, Microsoft released a Security Advisory about the problem, which you can find here : Vulnerability in PowerPoint Could Allow Remote Code Execution. A patch is expected in August - in the mean time, you can follow the suggested Microsoft workaround :

Do not open or save Microsoft Office files that you receive from un-trusted sources or that you received unexpectedly from trusted sources.


I just mailed Zeta Computers because after ordering online on July 4th and calling them on July 11th, my order for 2 Maxtor 80GB hard drives still seems to be out in the open. They promised to keep me up to date, but it remains awfully quiet on their side and I'm getting (more than a little) annoyed with them.

A goldfish would do

| No Comments

Hm... so I'm browsing the area and notice an unsecured access point. My wifi card connects to it and gets an IP address. I browse to and drop right into the configuration screen for the router. Interesting, but very very foolish if you ask me. I can change settings, even password protect the device if I wanted to. Logging, routing, DHCP server, MAC filtering, I've got everything at the touch of my fingers. Instead, I just log out again...

Why do people want technically advanced toys, yet refuse to learn how to use them, or at least get them set up correctly from the start?

Oh, Ethereal is no more. Wireshark is the successor.

Update : I was always under the impression that 5 to 6 wireless access points were active in the immediate vicinity of my place. When I fired up NetStumbler today and walked around a bit (inside and on the terrace) with the laptop while I had it on scan, it picked up 24 networks. At least 40% of those were unprotected. I think I'll have to get myself a PDA and run MiniStumbler with an attached GPS module, that would make a nice geek toy :)

Anyone have a spare PDA they don't use anymore?

Patching sunday


What does one do on a sunny sunday afternoon when there's nothing but football on TV, and you dislike that? You get on the internet and update loads of things! Maybe you should do the same?

- Sharpreader ( - more feeds accepted)
- Linksys router : new firmware (fixing amongst others a UPnP vulnerability)
- Wireless network card (Ralink RT2500) : new driver (fixing hidden SSID roaming issue)
- ethereal (0.99.0 - loads of fixes)

I know most people install hardware and software once - often with assistance - and then never look back, but come on... that ain't the way it works. Well, I'm not going to aim too high here, and be glad if you patched your Windows version in the last week (MS Security Bulletin for June 2006 : 8 critical, 3 important, 1 moderate). Have you?

If you think all these patches and updates and fixes are pointless, they are not, according to the BSI : Recommendations for the Protection against DDoS Attacks in the Internet. You, small fish in the immense internet sea, count as well!

Winamp 0-day exploit patched

| No Comments

Yesterday Winamp 5.13 was released, containing a critical security fix for a bug that's being exploited actively. Opening playlists (.pls or .m3u files) could lead to arbitrary code being executed, so watch out before you go clicking on random links online. The smart thing would be to update right now :)

Totally unrelated but still somehow interesting : a couple of days ago, I checked the nesting cabin outside for early activity, but it was still empty. I had heard quite some bird sounds on the balcony earlier though and today I heard it again. No less than three Great Tits are checking out the nest as a new home! I guess those are the kids that were raised in it last year, now returning to raise their own offspring.

Patch, Patchouli, Patch!

| No Comments

If you've been thinking about visiting windowsupdate and getting the newest patches and updates installed, now is a good time to do it. Actually, I hope you already installed the critical patch (MS06-001) for the WMF vulnerabilities which was released last week. Today - patching Tuesday - two new patches have appeared on the MS site, one aiming to close a hole in how Microsoft Windows processes embedded web fonts (MS06-002) and one that should stitch up a Transport Neutral Encapsulation Format (TNEF) decoding vulnerability (MS06-003). Both vulnerabilities create new means for malicious people to breach security on your system(s), by means as simple as having you visit a website or opening a specially crafted e-mail. This allows mass infection as well as targeting very specific users, systems or organisations. Don't think it won't happen to you, patch now!

I've been in a "get rid of mess" mood today, as I removed all junk from the volvo, and got rid of some crap in the home too. I suppose the new set of wheels are bringing out the best in me, lol.

Sober up

| No Comments

It's been a while since I dropped virus related news on this blog, but here is something you'll see appear sooner rather than later - in fact, I already received three copies of the nasty myself.

Sober.Y becoming huge - Info at F-Secure.

I've been talking about security and encryption quite a lot over the past couple of weeks, and I know not too many people are actually interested in those things, but allow me to give you two very real world examples as why it could be important to you as well.

The Car Whisperer by trifinite

The first article and tool I'd like to link to is the Car Whisperer project by a group called trifinite. They manage to inject audio into a car using a directional antenna and a laptop running Linux. How do they do it? They use the fact that most car or handsfree Bluetooth set manufacturers use "standard" codes such as "0000" or "1234". Once the pairing with the device is done - without the person carrying the Bluetooth appliance noticing anything - the Car Whisperer tool allows audio to be sent through the speakers, but eavesdropping is possible as well. They just turn on the microphone and can hear anything that's being said in the car driving by! How does this affect you, you may ask? Do you own a mobile phone, a Bluetooth headset or a car equipped with it? Stop reading this post, step out and verify what PIN code is required to access those devices. Change it to something less standard. Turn off Bluetooth if you don't use or need it.

The second article deals with hotel TV systems broadcasting data in the open and unsecured over infrared. While most people won't notice or consider that a risk at all - you can't see it, so it ain't there, right? - the technical director of The Bunker, Adam Laurie, demonstrated the exploits last week to Wired. He was able to access pay-content for free (free porn!!), but was also able to see the bills of other people, even read mails that were sent using the system and finally got into the back-end system as well.

I think these examples are proof that no matter how trivial some technologies seem, unless they are developed, installed and set up correctly with security in mind, they can and will be (ab)used. The fact that something hasn't happened yet doesn't mean the system is secure. In fact, your system may have been penetrated and abused for quite a long time, you just don't know it yet.

The fox jumps over the VPN crypto

| No Comments

I don't know how I managed to miss security update 1.0.4 for firefox, but I did. It was released on the 11th, and fixes the following issues :

MFSA 2005-44 Privilege escalation via non-DOM property overrides
MFSA 2005-43 "Wrapped" javascript: urls bypass security checks
MFSA 2005-42 Code execution via javascript: IconURL

It also fixes some DHTML errors, although those are not security related. The other three though, are classified as critical, so if you haven't updated yet, this would be a good time to do so!

Unrelated to Firefox, but still security news : if you happen to use VPN to connect remotely to the office, it may be a good idea to point out to your administrator that some setups are vulnerable and much less secure than they appear. I don't have any real VPN experience, but it has got something to do with cryptographic weaknesses used in sub-keys. A technical explanation along with proposed solutions can be found at the NISCC website, or you could read the article at The Register for a less technical overview of the problem.

A couple of hours ago, a new security release of Mozilla Firefox has become available. This 1.0.3 version fixes the following issues :

MFSA 2005-33 Javascript "lambda" replace exposes memory contents (moderate)
MFSA 2005-34 javascript: PLUGINSPAGE code execution (high)
MFSA 2005-35 Showing blocked javascript: popup uses wrong privilege context (moderate)
MFSA 2005-36 Cross-site scripting through global scope pollution (high)
MFSA 2005-37 Code execution through javascript: favicons (critical)
MFSA 2005-38 Search plugin cross-site scripting (moderate)
MFSA 2005-39 Arbitrary code execution from Firefox sidebar panel II (critical)
MFSA 2005-40 Missing Install object instance checks (moderate)
MFSA 2005-41 Privilege escalation via DOM property overrides (critical)

As proof-of-concept code becomes available much more quickly these days, you can bet that within a matter of days new spyware, adware and trojans will be exploiting these issues, so patching as soon as possible has become even more essential. In other words: upgrade to Firefox 1.0.3 right now. Update 17/04/2005: PoC exploit code is already available for the "Arbitrary code execution from Firefox sidebar panel II" and "Code execution through javascript: favicons" bugs in pre-1.0.3 versions of Firefox. More on the F-Secure weblog.

Oh, I hope you didn't miss the Microsoft security patches that were released on Thursday? (8 patches, of which 5 were rated critical and 3 important, affecting the following programs: MSN Messenger, Office, Internet Explorer, Windows 98/Me/2000/XP/2003 - something for everyone!)

Has anyone seen the article in The Register, titling "Virus writers have girlfriends - official"? I tell you, one day Geeks will rule the world!

I've been busy so far : I've got a second load of laundry in the machine, the tumbledryer is drying the first load - it's too wet outside to air-dry today - and I've handwashed two neckties, they are airdrying in the bathroom. The dishwasher is ready too, and only needs to be unloaded now. Which leaves the following tasks at hand : shower, shave, unload dishwasher, tumbledry second load when done washing, fold and put away the first batch of laundry, entertain ferrets, feed ferrets, quick-clean ferret cage, have something to eat, get dressed, write some CD's.

And all of that before 16h00, because I'll be leaving for Joco's place then.

Press those buttons, baby!

| No Comments

It seems a gazillion patches (MS05-007, MS05-008, MS05-011, MS05-013, MS05-014, MS05-015, MS05-012, and more...) have been released for Windows and Office XP. Some are rated important, others critical, so you'd better go update your Windows-based computers right now - and for those wondering where to turn to.

Exploits, updates and (a lack of) patches.

An exploit has been found for the Sun Java plug-in, the Java virtual machine used by various browsers, not only IE or Firefox. Java Runtime versions 1.4.2_05 and older are vulnerable: a specially crafted malicious applet can escape the built-in sandbox and do whatever it wants on the system. Solution: upgrade to 1.4.2_06.

Secondly - and possibly more important - the still unpatched IFRAME vulnerability (aka Bofra) in Internet Explorer 6 was aggressively exploited over the weekend. One online advertising delivery service (run by Falk eSolutions AG) was compromised, and one in every 30 ads served by them was redirected to a website containing malicious code exploiting the IFRAME vulnerability.

XP users who have SP2 installed are not affected; all other Windows users are vulnerable unless they use a different browser, or until MS comes up with a patch. More info can be found here and here.

To make this entry slightly interesting, here's a funny (in a juvenile way) flash animation for you to enjoy : Winky Winky Bum Bum Poo Poo Titty Titty

Gone Phishing

Just received a phishing mail trying to obtain my Citibank credit card number, user ID, password and ATM PIN code. While this scam was above average, I immediately spotted that it was fraudulent. I'm not a Citibank customer, after all.

Let's take a look at the site the scammers set up - follow the link only if you know what you are doing! It is a FAKE/FRAUDULENT SITE.

The scammers did quite a nice job impersonating the real Citibank site, but a bunch of things really don't match up. The page claims "Your information is transmitted using 128bit SSL encryption", yet it is served over plain http, not https, and there is no certificate. They have cleverly "borrowed" some images from the real Citibank site, though, in an attempt to make it all look more legit.

Now let's take a look at the IP address used. It belongs to the IP pool of a company called China Network Communications Group Corporation, located in Beijing, China. Do you really think Citibank uses a Chinese host to serve pages to its customers? Let's verify whether the IP address is known from previous spam or scam operations: it does show up when querying Spamhaus, because it's listed in their SBL.

In fact, the range has been used before by Robert Soloway - Newport Internet Marketing, but I'm not saying he is behind this phishing mail. It is a strange coincidence, though, for a known ROKSO spam gang and a phishing group to use the same address range without being related, wouldn't you say?

Now that we know all this, let's take a closer look at the host for the site: China Network Communications Group Corporation. Spamhaus has 10 entries relating to CNC, and of those ten, 3 are related to ROKSO activity. In everyday language: this host has been involved in spam-related activity at least ten times, and in three cases it was (ab)used by professional spam gangs.

It's not that hard to look up some info if you have doubts about something, and while I don't expect you to do so, the one thing you have to keep in mind is very simple: no one should ask for your password, account number, PIN code or things like that. Not by mail, not by phone and not on some website you are pointed to.

Yes, I did report the mail to the abuse center of the real Citibank, even though it doesn't affect me.
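The checks above (does the link really use https, does the visible link text agree with the real target, is the host a bare IP, and is that IP listed by Spamhaus) can be scripted. The block below is an added example and not part of the original post; the HTML snippet, the TEST-NET address 192.0.2.10 and the stand-in resolver table are constructed for the demonstration. A real run would replace `FAKE_DNS.get` with an actual DNS lookup of the reversed-octet name; the Spamhaus SBL answers with an address in 127.0.0.0/8 for a listed IP and NXDOMAIN otherwise.

```python
"""Phishing-mail link triage (added example, not code from the original post)."""
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Constructed stand-in for the HTML body of a phishing mail (not the real mail).
SAMPLE_HTML = """
<p>Your information is transmitted using 128bit SSL encryption.</p>
<a href="http://192.0.2.10/citi/index.php">https://www.citibank.com/us/cards/</a>
<a href="https://www.citibank.com/">Citibank</a>
"""


class LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def is_ip(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def check_link(href, text):
    """Reasons this link looks like phishing; an empty list means nothing was found."""
    reasons = []
    u = urlparse(href)
    if u.scheme != "https":
        reasons.append("not https")
    if is_ip(u.hostname or ""):
        reasons.append("bare IP address as host")
    # If the visible text is itself a URL, its host must match the real target host.
    t = urlparse(text)
    if t.scheme in ("http", "https") and t.hostname and t.hostname != u.hostname:
        reasons.append(f"text says {t.hostname}, link goes to {u.hostname}")
    return reasons


def dnsbl_query_name(ip, zone="sbl.spamhaus.org"):
    """Reversed-octet name a DNSBL lookup resolves, e.g. 10.2.0.192.sbl.spamhaus.org."""
    return ".".join(reversed(ip.split("."))) + "." + zone


# Constructed resolver table standing in for real DNS: a listed IP answers 127.0.0.x.
FAKE_DNS = {"10.2.0.192.sbl.spamhaus.org": "127.0.0.2"}


def dnsbl_listed(ip, resolve=FAKE_DNS.get):
    answer = resolve(dnsbl_query_name(ip))
    return answer is not None and answer.startswith("127.")


def triage(html):
    """Return [(href, [reasons])] for every suspicious link in the mail body."""
    collector = LinkCollector()
    collector.feed(html)
    report = []
    for href, text in collector.links:
        reasons = check_link(href, text)
        host = urlparse(href).hostname or ""
        if is_ip(host) and dnsbl_listed(host):
            reasons.append("host IP listed in DNSBL")
        if reasons:
            report.append((href, reasons))
    return report


if __name__ == "__main__":
    for href, reasons in triage(SAMPLE_HTML):
        print(href, "->", "; ".join(reasons))
```

The clean Citibank link produces no findings; the first link trips all four checks, which is exactly the combination (plain http, raw IP, misleading link text, SBL-listed host) the post found by hand.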

The game is on...

I've just been notified that the JPEG/GDI+ exploit I talked about a few posts back has appeared on Usenet, more specifically in some adult newsgroups such as alt.binaries.multimedia.erotica.transsexuals, a*.b*.pictures.erotica.transexual, a*.b*.p*.e*.transexual.action, a*.b*.p*.e*.transsexual, a.b.erotica.beanie-babies, a*.b*.e*.breasts, a*.b*.e*.christy-canyon, a*.b*.e*.fetish, a*.b*.e*.original.sin and alt.binaries.erotica.pornstar.

There is no reason to believe the attempted exploitation will remain limited to these newsgroups. Apart from that, the malicious JPEG file can (and probably will) be renamed to, for instance, .bmp or .gif without affecting its usability. In other words, when you receive or download an exploit JPEG that has been renamed to .bmp, Windows (and the vulnerable GDI+ DLL) will still treat the file as a JPEG, with potentially devastating results.

Please make sure your virus scanner is up to date and includes images in its scans, install SP2 if you're running Windows XP and haven't done so yet, and patch all Office programs through Office Update. Putting Outlook and Outlook Express in plain-text mode won't hurt either, as it prevents (possibly infected) images from being loaded from the internet without your intervention.

More info on the current events can be found here : JPEG/GDI+ Exploit appears on Easynews (plain text file).

The day JPEG images stopped being secure


Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)

I am NOT joking here, people. Against popular belief that receiving and displaying images on a Windows OS is safe, it no longer is. To make things worse, PoC code has been released, so we can expect quite some worms and viruses using this exploit in the next days/weeks.

A full list of products affected can be found amongst others in the Secunia bulletin.

If you run windows XP, and haven't updated to SP2, this might be a good time to do it. If you can't/won't, at least check the affected software list, and install those patches.

Update 2004-09-24 : According to an article in The Register, an exploit toolkit for this vulnerability has been spotted in the wild!
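Both GDI+ posts above make the same two points: the bug lives in the JPEG header parsing, and the file extension is irrelevant because GDI+ recognises a JPEG by its content. The block below is an added example, not code from the original posts or from Microsoft, that walks the marker segments of a file and flags the MS04-028 pattern: a segment whose 16-bit length field is 0 or 1 (the length includes its own two bytes, so anything below 2 is malformed; the in-the-wild files used the COM marker 0xFFFE). It sniffs for the SOI marker instead of trusting the name, so a renamed .bmp is still scanned. The two sample byte strings are constructed here and are not real exploit files.

```python
"""Extension-agnostic scanner for the MS04-028 JPEG pattern (added example)."""
import struct

SOI = b"\xff\xd8"
# Markers that carry no length field: TEM, RST0-RST7, SOI, EOI.
STANDALONE = {0x01, 0xD8, 0xD9} | set(range(0xD0, 0xD8))
SOS, EOI = 0xDA, 0xD9


def looks_like_jpeg(data):
    """Content sniff: a JPEG starts with the SOI marker, whatever its name says."""
    return data[:2] == SOI


def scan_segments(data):
    """Walk the header segments. Returns (findings, markers_seen);
    each finding is (offset, marker, declared_length, reason)."""
    findings, seen = [], []
    pos = 2
    while pos < len(data):
        if data[pos] != 0xFF:
            findings.append((pos, None, None, "expected 0xFF marker prefix"))
            break
        while pos < len(data) and data[pos] == 0xFF:  # 0xFF fill bytes are allowed
            pos += 1
        if pos >= len(data):
            break
        marker_at, marker = pos - 1, data[pos]
        pos += 1
        if marker in STANDALONE:
            seen.append(marker)
            if marker == EOI:
                break
            continue
        if pos + 2 > len(data):
            findings.append((marker_at, marker, None, "truncated length field"))
            break
        (seg_len,) = struct.unpack(">H", data[pos:pos + 2])
        seen.append(marker)
        if seg_len < 2:
            # The length counts its own two bytes; GDI+ subtracted 2 and underflowed.
            findings.append((marker_at, marker, seg_len, "segment length < 2 (MS04-028 pattern)"))
            break
        if marker == SOS:  # entropy-coded data follows; the header walk ends here
            break
        pos += seg_len
    return findings, seen


def scan_file_bytes(name, data):
    """Verdict for one file: ('not-jpeg' | 'clean' | 'suspicious', findings)."""
    if not looks_like_jpeg(data):
        return "not-jpeg", []
    findings, _ = scan_segments(data)
    verdict = "suspicious" if findings else "clean"
    if verdict == "suspicious" and not name.lower().endswith((".jpg", ".jpeg")):
        findings.append((0, None, None, f"JPEG content hidden behind extension of {name!r}"))
    return verdict, findings


# Constructed samples: a minimal benign JFIF header, and a COM segment declaring length 0.
BENIGN = SOI + b"\xff\xe0\x00\x10" + b"JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00" + b"\xff\xd9"
BAD_COM = SOI + b"\xff\xfe\x00\x00" + b"\xff\xd9"

if __name__ == "__main__":
    for fname, blob in (("ok.jpg", BENIGN), ("picture.bmp", BAD_COM)):
        print(fname, scan_file_bytes(fname, blob))
```

Feed it the bytes of every attachment or downloaded image regardless of extension; a real deployment would also want to reject files whose segment walk runs past the end of the data, which the truncation check above already reports.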

Kryptonite for your precious bike

Do you remember that Superman was vulnerable to Kryptonite? It rendered him weak and powerless, but today it seems Kryptonite has met its own Kryptonite, and it's simply called "Bic".

Of course, now we are no longer talking about Superman or the Kryptonite material used in the movies and comics, but about the Kryptonite brand of U-locks, often used to "protect" your bike.

Take a look at the video (Windows Media format, 605KB) and see how a simple Bic pen unlocks a quite expensive Kryptonite lock, no doubt also resulting in your expensive bike being stolen.

More info and videos over at

Zero-day exploits


Over the past years we've heard tons of stories, seen about a zillion patches and updates for all kinds of programs, and there have always been exploits around. However, there usually was quite some time between the date a problem became known and the date exploits (other than PoC) were found in use.

In the last year we've seen this timeframe shrink to sometimes as little as a couple of days, and more and more "zero-day" exploits are being reported. If you ask me, it's because, in order to keep their lucrative business running, malware authors need to exploit everything they can. While each day new and unprotected computers become available for infection and abuse, an ever growing number gets fixed, secured and patched as well. This leaves the abusers a smaller number of "easy targets", and in order to compete and deliver what they are paid for, they resort to more aggressive tactics.

Now... how does that affect you? It's very simple: if you're not part of the solution, you're part of the problem. This means that it's gonna be a necessity - it even is one today - to be aware of exploits, patches and available updates, even if you're just a user, Joe Average.

How? By signing up (for free) for some low volume security related newsletters, by browsing specialized sites and becoming aware of the fact that security is no longer a matter for specialists alone. You can find some links below, those are a good start I'd say.

Oh, if you wonder why I post this right now, here's the answer : 0-day exploit for winamp.

Note : While windows XP SP2 hasn't been giving me any trouble so far, tuning the new firewall I installed (not the one included in SP2) seems to be a pain in the ass. Well, better a pain in the ass than a firewall with holes in it by default. I'm punching holes right now, to get everything allowed that needs access.

Update 2004-08-27: according to discussions in the Winamp forums, a Winamp 5.05 (or 5.04x, depending on whether other functionality/fixes are included) release should be out soon. Another noteworthy point is that IE is not the only possible infection route, nor does Winamp need to be running for you to get infected.

Since SP2 is expected

to be available from Windows Update really soon now, one can expect at least some things to go wrong sooner or later. If you are going to install SP2 - which I think you should - please read the following knowledge base articles first:

- Programs that may behave differently in Windows XP SP2
- "Data Execution Prevention" error message in Windows XP SP2
- Troubleshooting Windows Firewall settings in Windows XP SP2
- Some programs seem to stop working after you install Windows XP SP2

Feel free to read Smeg's point of view on SP2 as well. He did a better job of explaining what I couldn't :)

Patching time for various packages

Let's see what has been released/patched recently :

Firefox 0.9.3 - fixes a couple of bugs, including a highly critical vulnerability in the libpng library that could lead to DoS and remote system access.
Windows Update has an out-of-cycle patch that fixes 3 highly critical vulnerabilities in Internet Explorer 5.01, 5.5 and 6.0, possibly leading to DoS or remote system access.

Firefox gets patched

After the much discussed - and still unpatched - IE security vulnerabilities, Firefox got its share of the trouble as well. Earlier this month, 0.9.1 was released to patch some security holes, and today 0.9.2 was released to patch a vulnerability that Secunia rates "moderately critical".

Those of you who shifted away from IE and are now running Firefox prior to version 0.9.2, a Mozilla version prior to 1.7.1 or a Thunderbird version prior to 0.7.2 on Windows XP or 2000, visit Mozilla and download the updated versions, or the patches.

The original advisory can be found here : Mozilla Application Suite/Firefox/Thunderbird security advisory

The day HTTPS stopped being secure

Well, actually there is nothing wrong with the HTTPS protocol itself, but on the other hand, using a secured HTTP connection to your financial institution's site doesn't mean you're safe either.

There is a - rather technical - PDF file available that explains all the nitty gritty details, but let me give you a quick rundown of what some scammers are doing.

You surf the web with IE and happen to end up on a compromised web server. Mind you, this could be a very well-known site that would be above all suspicion, as recent reports have shown that exploits exist and have been used to compromise web servers. Without realizing it, your browser downloads and installs a BHO (Browser Helper Object, a DLL that IE loads into its own process), which is automatically loaded every time you start IE.

This BHO watches for HTTPS access to URLs and captures the data before it is encrypted, so your password, login ID and the like end up in clear text at a third-party server. To hide their tracks, the BHO encrypts the captured data before passing it on, to prevent intrusion detection software from spotting account information leaving your machine.

Sounds confusing? Here's a little scheme to make it more understandable :

1. Webserver is compromised
2. You surf to a compromised site, using IE
3. BHO is installed on your computer, without your interaction or knowledge
4. You connect to your online banking site
5. BHO grabs data before it's encrypted
6. BHO encrypts data and passes it on to someone else

This could lead to others accessing your bank accounts online, withdrawing money, changing account details, identity theft, ...

If you've read this far, you're probably wondering what you can do to prevent all this? Well, honestly I don't know. I'd suggest not using IE as your favorite browser for the time being - at least not until a number of very serious security holes are patched - and you could also see if you can block access to using your (personal) firewall. The latter however is only a temporary solution as I suspect the scammers will release newer versions of their exploit that use connections to other sites to receive the captured data.

Finally, keep your systems patched (Windows Update) and scan your systems regularly using Ad-Aware and/or Spybot S&D. Please be aware that none of these scanners or patches provide protection against this exploit at the time of this writing, but the fewer vulnerabilities exist on your system, the harder it'll be for scammers to abuse and infect your machine(s).
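One check a practitioner would add to the advice above: find out which BHOs your IE actually loads. IE reads the CLSIDs registered under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects and resolves each one's DLL through HKCR\CLSID\{clsid}\InprocServer32. The block below is an added example, not code from the original post: it parses the text of a `reg export` of those keys (e.g. `reg export "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects" bho.reg` and `reg export HKCR\CLSID clsid.reg`, concatenated; `reg export` writes UTF-16, so open the files with `encoding="utf-16"`), lists every BHO with its DLL, and flags DLLs outside a short list of directories where legitimate BHOs normally live. That directory list is an assumption for triage, not proof of anything; the registry sample and both CLSIDs are constructed and do not correspond to real products.

```python
"""List IE Browser Helper Objects from a .reg export (added example, not from the post)."""
import re

BHO_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects"
# Assumption used only for triage: BHOs living elsewhere deserve a closer look.
TRUSTED_DIRS = ("c:\\program files\\", "c:\\windows\\system32\\")

# Constructed sample of the two exported keys (not a real machine's registry).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{11111111-2222-3333-4444-555555555555}]

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}]
@="PDF Link Helper"

[HKEY_CLASSES_ROOT\CLSID\{11111111-2222-3333-4444-555555555555}\InprocServer32]
@="C:\\Program Files\\Common Files\\Reader\\IEHelper.dll"
"ThreadingModel"="Apartment"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}]
@="Helper"

[HKEY_CLASSES_ROOT\CLSID\{AAAAAAAA-BBBB-CCCC-DDDD-EEEEEEEEEEEE}\InprocServer32]
@="C:\\Documents and Settings\\user\\Local Settings\\Temp\\sslhelper.dll"
"ThreadingModel"="Apartment"
"""

_KEY = re.compile(r"^\[(.+)\]$")
_VAL = re.compile(r'^(@|"(?:[^"\\]|\\.)*")=(.*)$')


def _unescape(s):
    """.reg files double backslashes and escape quotes inside string values."""
    return s.replace("\\\\", "\\").replace('\\"', '"')


def parse_reg(text):
    """Minimal .reg parser: key path -> {value name: value}; string values only."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = _KEY.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = _VAL.match(line)
        if m and current is not None:
            name = "" if m.group(1) == "@" else _unescape(m.group(1)[1:-1])
            val = m.group(2)
            if val.startswith('"') and val.endswith('"'):
                keys[current][name] = _unescape(val[1:-1])
    return keys


def list_bhos(reg_text):
    """Return [(clsid, display name, dll path, flagged)] for every registered BHO."""
    keys = parse_reg(reg_text)
    result = []
    for path in keys:
        if not path.startswith(BHO_KEY + "\\"):
            continue
        clsid = path[len(BHO_KEY) + 1:]
        name = keys.get(f"HKEY_CLASSES_ROOT\\CLSID\\{clsid}", {}).get("", "")
        dll = keys.get(f"HKEY_CLASSES_ROOT\\CLSID\\{clsid}\\InprocServer32", {}).get("", "")
        flagged = not dll.lower().startswith(TRUSTED_DIRS)  # unknown path or empty
        result.append((clsid, name, dll, flagged))
    return result


if __name__ == "__main__":
    for clsid, name, dll, flagged in list_bhos(SAMPLE_REG):
        print(("CHECK " if flagged else "      ") + f"{clsid} {name!r} -> {dll}")
```

A DLL with no InprocServer32 path is flagged too, since a BHO entry that resolves to nothing is itself odd. The listing is a starting point: the flagged DLL's publisher, signature and creation time are what you look at next.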

MT-Blacklist Emergency Upgrade

I get home to find - buried between over 350 spam mails - a mail stating there has been an emergency bug fix of Jay Allen's MT-Blacklist. It seems there has been quite a serious bug in the last versions, which results in MT-Blacklist not being able to decode encoded URLs.

Jay's warning to upgrade to the new version NOW is not a second too early, because after upgrading to MT-Blacklist 1.64 I already found 11 spam comments on my blog, all posted today! It seems the spammers keep a very close watch on people who maintain tools to get rid of their crap.

Here's the list of IPs I've banned as a result of today's spam run:

Feel free to use the information as you like, either add them to your blog's ban list too, or just discard the IPs given.

Eudora 6.1.1 released - bugfixes

Several vulnerabilities concerning Eudora were reported a while ago, some of them being rather serious. Qualcomm has released Eudora 6.1.1 on May 14th to patch those holes. Go download it if you are a Eudora user!

Certainly not the end

Several German news sites are reporting that an 18 year old individual who is suspected to be connected to the Sasser, Agobot and NetSky viruses has been arrested.

Will this stop the constant release of new variants and viruses? I doubt it. It might slow down the hobbyists for a couple of weeks, but the professionals will be far from deterred by things like this.

Remember Blaster?

| 1 Comment | 1 TrackBack

Does anyone recall the Blaster virus that hit millions of PCs last year? If not, go to a doctor and have them check your memory. Sophos just released an urgent warning about Sasser, a worm that exploits a vulnerability Microsoft rated critical when it released a patch for it on April 13th 2004 (updated April 28th). For all of you who have not yet patched your systems, please do so now.

If you decide not to stay up to date, don't come whining to me later on.

Patch Time


There are, once again, a couple of patches that you, as a Windows user, should install asap. Read more here: Microsoft Windows Security Bulletin Summary for April, 2004.

Affected systems :

Microsoft Windows NT Workstation 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Service Pack 6a
Microsoft Windows NT Server 4.0 Terminal Server Edition Service Pack 6
Microsoft Windows 2000 Service Pack 2, Microsoft Windows 2000 Service Pack 3, Microsoft Windows 2000 Service Pack 4
Microsoft Windows XP and Microsoft Windows XP Service Pack 1
Microsoft Windows XP 64-Bit Edition Service Pack 1
Microsoft Windows XP 64-Bit Edition Version 2003
Microsoft Windows Server 2003
Microsoft Windows Server 2003 64-Bit Edition
Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) - Review the FAQ section of bulletin MS04-014 for details about these operating systems.

Rating : Critical & Important.


| 1 Comment

but not much you can do about it right now. What the hell am I talking about?

The most recent vulnerability in the Internet Explorer ITS Protocol Handler, that's what. If you want to know the details, please read the link I provided above. Now, what is the problem?

  1. It's not IE (or Outlook, OE etc.) only.
  2. Non-MS products and browsers might also invoke the ITS protocol, since it's embedded in Windows.
  3. There is no patch available for the moment (apart from manual registry edits - see the provided link).
  4. According to some sources, proof-of-concept exploits have been published in the wild (for everyone to see, that is).
  5. Virus creators and spammers are very likely to exploit this vulnerability in the next few days (maybe even hours).

What can you do?

Be careful, very careful. And - of course - keep on reading, because I'll let you all know asap when a patch is released and available.

When music becomes dangerous


No, I'm not talking about the idiots over at RIAA that sue everyone who dares download an .mp3 or unlicensed piece of music.

I'm talking about the very popular WinAmp player, which seems to have a bug that could allow people with less than good intentions to run code on your machine. Is it a dangerous exploit?

If you know that both NGSSoftware (the people who discovered the bug) and NullSoft (the creators of WinAmp) classify it as Highly Critical/High Risk, combined with the fact that there have been tens of millions of downloads of WinAmp, then yes... you could say it could be a problem.

A new version is up for download: WinAmp 5.03 (Download here)

If you don't feel like upgrading to the patched 5.03 version, follow the NGSSoftware instructions on how to disable the plugin that contains the vulnerability.

MT script abuse

| 3 Comments | 1 TrackBack

Over the past couple of days, the hosting company that I use has been forced to disable access to two MT scripts, effective immediately. Since I know these people don't take this kind of serious measure unless absolutely necessary, I suggest you check whether you've got these scripts installed as well.

1. MT Plugin Manager (mt-pm.cgi - 3rd party plugin, not included in MT core files) - Reason : high server load
2. mt-send-entry.cgi (Part of a standard MT install) - Reason : spamming possible through certain versions of the script.

On all MT powered domains under my control, the MT plugin manager has never been installed, and the mt-send-entry.cgi script has now been disabled manually, in addition to the host based filtering.

Patching time again

Critical advisory for IE : Cumulative Security Update for Internet Explorer (832894) aka MS04-004 - Issued: February 2, 2004

Systems affected :

* Microsoft Windows NT Workstation 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Service Pack 6a
* Microsoft Windows NT Server 4.0 Terminal Server Edition, Service Pack 6
* Microsoft Windows 2000 Service Pack 2, Service Pack 3, Service Pack 4
* Microsoft Windows XP, Microsoft Windows XP Service Pack 1
* Microsoft Windows XP 64-Bit Edition, Microsoft Windows XP 64-Bit Edition SP 1
* Microsoft Windows XP 64-Bit Edition Version 2003
* Microsoft Windows Server 2003
* Microsoft Windows Server 2003, 64-Bit Edition

Components affected :

* Internet Explorer 6 Service Pack 1
* Internet Explorer 6 Service Pack 1 (64-Bit Edition)
* Internet Explorer 6 for Windows Server 2003
* Internet Explorer 6 for Windows Server 2003 (64-Bit Edition)
* Internet Explorer 6
* Internet Explorer 5.5 Service Pack 2
* Internet Explorer 5.01 Service Pack 4
* Internet Explorer 5.01 Service Pack 3
* Internet Explorer 5.01 Service Pack 2

Their Doom, not mine

| 1 Comment

It's funny... the Novarg/MyDoom virus that is apparently doing the rounds hasn't hit me yet. I recall the SoBig worm/virus that struck last year: within minutes after I learned about its existence, I was hammered with copies of it in my mailboxes. MyDoom seems to avoid me, though, as I've not yet received any notice from my ISP's AV solution either, which leads me to believe that no copy of it has even tried to reach me yet - bizarre.

When I checked the site today, they had finally picked up on the new virus and had an advisory up. It took them about 11 hours to do so, which if you ask me is way too long for a site that claims to deliver emergency warnings about computer viruses.

Sure, it's better than nothing and I suppose it serves its purpose for those who are slower than a turtle in learning about these things, but if you know that the Novarg/MyDoom virus can send out several infected mails per minute using its own SMTP engine, it doesn't take a scientist to do the math: 11 hours = 660 minutes. Even at only 1 mail per minute - although this virus might be able to send out tenfold that every 30 seconds - this allows 1 infected machine to potentially infect 660 others.

As I write this, disinfection tools are already available, in addition to the signature updates I mentioned before. Before you read your mail, update your virus scanner.

Virus/Worm Outbreak

| 1 Comment

I've gotten this info independently from two people who work for an international anti-virus company, and if they yell fire, you'd better be certain something is going on. Right now the new virus is not yet picked up by virus scanners - I've checked various AV sites - although it is out there and spreading. For the moment it's being referred to as MyDoom, My.Doom or something like that. As I said, info is pretty scarce.

Keep your scanners up to date and, in the meantime, don't open or run attachments you didn't ask for!

Some details (as posted on

It seems to travel as a file called documents.exe.scr or something similar, also in a ZIP file sometimes.

This actually arrived at my home machine before I even knew it was spreading. My file name was, and inside is documents.htm.scr

Be smart people, and beware!

Update: a virus signature is now available for most virus scanners, and the virus is referred to as W32/MyDoom-A, with aliases Mimail.R, Novarg.A, Shimg, W32.Novarg.A@mm, W32/Mydoom@MM

Story also on ZDNet : New virus hitting inboxes


Went over to Joco & Eef's place to celebrate Alex 2nd birthday - that kid is growing so damn fast! I bet he'll be dating his first girl before I have a date myself.

Warning: it seems some fuckers managed to get themselves infected with W32/Sober-C (aka Sober.C), a worm that spreads via KaZaa and other peer-to-peer networks, as well as by e-mail. Judging by the flood of virus-infected messages ending up in my mailbox at this moment, Germany has been hit hard - most of the received mails originate there. So far the Skynet Anti-Virus Protection tool has been catching them, but it seems some people never learn.

So far I couldn't find any details about a possible payload on this baby, but it wouldn't surprise me if infected machines turn out to be zombies (infected computers that are later used to DDoS sites and relay spam). The future of e-mail and the internet seems very bright, don't you think?

Update those damn virusscanners people, don't piss me off even more!

I give up on IE users.


Jay blogged about the "Powerful IE bug" that was discovered a few days ago. I picked it up before, tried it out - yes, the bug is out there and is easily exploitable - and laughed.

I didn't feel like bringing out the news here because most IE users are too dumb to understand the consequences of it anyway.

A harsh statement? Maybe so, but don't come whining when you were tricked into divulging your creditcard information on a site that seemed very "legit" but in fact was an unknown page served from somewhere in the former USSR.

The information is out there for those who want to read up on it : Jay Allen about an IE Security flaw - Secunia advisory 10395 - IE URL spoofing test.

Update December 18th : It seems Mozilla 1.x can be spoofed in a similar way by encoding a "%00" code in the URL, which would lead to the statusbar not showing the full (correct) URL. Check Secunia advisory 10419 for more info.

IE users to bite the dust - again.


A recent post at The Register warns of 5 critical problems with scripting and how it's handled in IE 6, 5.5 and 5.01.

Apparently it is possible to bypass all security zone settings and install trojans, viruses and porn dialers without the user ever noticing. A full report can be found on the website of Secunia. Proof-of-concept code has already been written and published by Chinese security researcher Liu Die Yu, who also discovered the vulnerabilities.

Since Microsoft is quite unlikely to change its approach of patching holes only once a month, IE users are advised to disable all scripting in their browsers, or switch to an alternative browser.

What have I been saying all this time? IE sucks!

Some critical updates

for various MS based Operating Systems today :

MS03-48 : Cumulative Security Update for Internet Explorer (824145) - Severity : Critical - Issued: November 11, 2003

MS03-49 : Buffer Overrun in the Workstation Service Could Allow Code Execution (828749) - Severity : Critical - Issued: November 11, 2003

MS03-51 : Buffer Overrun in Microsoft FrontPage Server Extensions Could Allow Code Execution (813360) - Severity : Critical - Issued: November 11, 2003

If you've been following and updating your systems as suggested here on, and you're running Windows XP (SP1), you don't need to install the MS03-49 patch, since those files were already included in the MS03-043 patch released last month. Windows 2000 users should apply this new one nonetheless, as some files have changed for them.

With those critical OS patches out of the way, we head on and have some important application patches to install as well :

MS03-50 : Vulnerability in Microsoft Word and Microsoft Excel Could Allow Arbitrary Code to Run (831527) - Severity : Important - Issued: November 11, 2003

If you don't feel like downloading and applying separate patches - or are not interested in searching for the correct version of each patch - point your browser to Windows Update for Microsoft Windows-based operating systems and to Office Update for Microsoft Office application patches and updates.

Eudora 5.x

Today a security alert was given by Secunia in regard to Eudora 5.x. Full details can be found in the Eudora From and Reply-To Buffer Overflow Vulnerability advisory. Eudora 6.x (English) and Eudora 5.1-Jr3 (Japanese) are not vulnerable.

Critical Updates

MS03-41 : Vulnerability in Authenticode Verification Could Allow Remote Code Execution (823182) - Severity : Critical - Issued: October 15, 2003

MS03-43 : Buffer Overrun in Messenger Service Could Allow Code Execution (828035) - Severity : Critical - Issued: October 15, 2003

MS03-44 : Buffer Overrun in Windows Help and Support Center Could Lead to System Compromise (825119) - Severity : Critical - Issued: October 15, 2003

MS03-45 : Buffer Overrun in the ListBox and in the ComboBox Control Could Allow Code Execution (824141) - Severity : Important - Issued: October 15, 2003

(Systems affected/vulnerable : windows ME, NT4, 2000, XP, 2003 Server)

In addition, critical patches for Exchange Server were also released, time to connect to windowsupdate, people!

Be alert


When I opened my mailbox this morning I spotted a mail from Microsoft - or at least that's what it appeared to be. A quick glance around told me I had gotten that mail 4 times, which immediately raised every virus/spam trigger I possess. I must admit the author did a wonderful job and the mail was rather believable, but there are a few things everyone should keep in mind:

1. Microsoft NEVER sends out patches by mail. Only announcements are done by mail.
2. Getting the same mail a couple of times means trouble in 99.5% of the cases.
3. Typos and errors usually give spam/virus mails away (although this one didn't).

A little digging pointed me right to the article in The Register: Nasty worm poses as MS security update, and more technical info can be found at Sophos as well: Gibe-F (aka Swen).

And people... it uses a vulnerability in IE (MS01-020) that was patched on March 29, 2001 and updated on June 23, 2003. So keep those boxes up to date on patches, keep those virus scanners checking for new updates regularly, and above all: think before you click!
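The MyDoom post further down this page and the Swen mail above rely on the same handful of attachment tricks: an executable hidden behind a double extension (documents.htm.scr), the same file inside a ZIP, and (the MS01-020 trick Swen used) a part whose declared Content-Type claims to be something harmless like audio/x-wav while the payload is a Windows executable. The block below is an added example, not code from the original posts, that triages the attachments of one raw mail for those three patterns. The message it builds is constructed for the demonstration; the "executable" is just the MZ magic followed by zeros, not a real program, and the list of dangerous extensions is an assumption you would extend for your own environment.

```python
"""Attachment triage for mass-mailer tricks (added example, not from the original posts)."""
import email
import io
import zipfile
from email import policy
from email.message import EmailMessage

# Assumption: extensions Windows will execute when double-clicked. Extend as needed.
EXEC_EXT = (".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js")


def _zip_bytes(members):
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        for name, data in members.items():
            z.writestr(name, data)
    return buf.getvalue()


def build_sample_message():
    """Constructed lookalike of a worm mail with three attachments (not a real sample)."""
    fake_exe = b"MZ\x90\x00" + b"\x00" * 60  # DOS/PE header magic, nothing runnable
    msg = EmailMessage()
    msg["From"] = "security@example.com"
    msg["To"] = "you@example.net"
    msg["Subject"] = "Use this patch immediately !"
    msg.set_content("The attached file is an update; run it.")
    msg.add_attachment(fake_exe, maintype="application", subtype="octet-stream",
                       filename="documents.htm.scr")
    msg.add_attachment(_zip_bytes({"documents.htm.scr": fake_exe}),
                       maintype="application", subtype="zip", filename="documents.zip")
    # MS01-020 style: executable content declared as audio so IE auto-runs it
    msg.add_attachment(fake_exe, maintype="audio", subtype="x-wav", filename="patch.wav")
    return msg.as_bytes()


def executable_name(name):
    return name.lower().endswith(EXEC_EXT)


def has_double_extension(name):
    return name.lower().count(".") >= 2 and executable_name(name)


def triage_attachments(raw):
    """Return [(attachment name, reason)] for every suspicious attachment in a raw mail."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        ctype = part.get_content_type()
        data = part.get_payload(decode=True) or b""
        if executable_name(name):
            reason = "executable extension"
            if has_double_extension(name):
                reason += " hidden behind double extension"
            findings.append((name, reason))
        # Declared type says one thing, the bytes say Windows executable.
        if data[:2] == b"MZ" and not executable_name(name):
            findings.append((name, f"PE/DOS executable content declared as {ctype}"))
        if ctype == "application/zip" or name.lower().endswith(".zip"):
            try:
                with zipfile.ZipFile(io.BytesIO(data)) as z:
                    for member in z.namelist():
                        if executable_name(member):
                            findings.append((name, f"ZIP contains executable {member}"))
            except zipfile.BadZipFile:
                findings.append((name, "unreadable ZIP"))
    return findings


if __name__ == "__main__":
    for name, reason in triage_attachments(build_sample_message()):
        print(f"{name}: {reason}")
```

Run it against a mailbox before the mail reaches a client that still honours the declared Content-Type; the content check on the MZ magic is what catches the MS01-020 variant, because neither the extension nor the MIME type gives it away.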

Patching time


Here we go again, one could say, but I'd rather be notified of updates and patches, especially considering the other option: sooner or later these flaws will be abused.

September 3rd 2003

Critical :
MS03-037 - Visual Basic for Applications Arbitrary Code Execution [822715]

Important :
MS03-035 - Microsoft Word Run Macros Automatically [827653]
MS03-036 - WordPerfect Converter Code Execution [827103]

Moderate :
MS03-038 - Microsoft Access Snapshot Viewer Code Execution [827104]

Low :
MS03-034 - NetBIOS Information Disclosure [824105]

Switch to webmail...


Another tip to prevent downloading virus-infected attachments - even if you are protected - is to switch to a webmail interface, so you can do a quick visual check on the mails waiting to be downloaded. Most - if not all - major ISPs offer webmail to their customers. It also saves network traffic and download volume, and is thus much faster.

I just noticed that Belgacom Skynet has implemented a "temporary" antivirus measure on their mail servers to prevent users from downloading infected mails. If only Scarlet/Planet Internet would do the same. I just received 266 infected messages, and it's been less than 2 hours since I last checked mail. I've reverted to webmail for all accounts for the time being.

Microsoft patches/updates for August 20th : 817778 (Advanced Networking Pack for XP SP1 - IPv6), MS03-33 (MDAC, rating : Important).

Have you been loved today?


In other words : have you noticed unusual behaviour on your Windows NT, 2000 or XP machine? Has RPC been giving you a hard time, rebooting your machine?


Sorry, I had to get that out of my system. Let me explain :

- July 18th : MS issues critical patch for RPC vulnerability (Win NT, 2000, XP and 2003)
- August 11th : Various antivirus institutions warn for W32/Blaster aka LoveSan
- August 12th : Lots of machines get infected and mainstream media broadcast warnings
- August 13th : even more dumb computer owners run into problems.

My advice? If you don't know how to operate a computer, or stay up to date, don't use it. However, not all is lost.

Step 1 : Download a little tool from the Sophos website (here)
Step 2 : Run the tool according to the instructions
Step 3 : Go to and install all critical patches
Step 4 : Sign up for free for the Microsoft Security Bulletin (here)
Step 5 : Sign up for CERT advisories (Intended for professional IT admins)
Step 6 : If you run a *nix OS, laugh your ass off
Step 7 : If you patched your MS system on July 18th, laugh your ass off as well.

Now excuse me, I'm gonna continue to laugh my ass off. Yes, I truly can't feel sorry for victims right now. However, if you're stuck with it and I know you personally : gimme a call. I'll gladly help you out at my regular rates :)

Bugbear strikes again - Part B


Apparently a new version of the 2001 W32/Bugbear-A has struck under the name W32/Bugbear-B (creative naming?). Bugbear-A was reported to be responsible for 17.5% of all infections in 2002, so don't get any funny thoughts about this new (and improved) version.

Update your antivirus software now, log on to the Microsoft Update website now and install those hundreds of patches that you didn't know were there, or didn't think were important.

This bear is sneaking into your system by exploiting a flaw that was patched on March 29, 2001 - which according to me means that if you still haven't patched your system, it's entirely your mistake. Yes, IT and computers are a tad more than games and surfing porn - although those are two major parts of IT, I agree.

Want to add another layer of protection before that nasty virus can hit your mailbox? Install the trial of MailWasher Pro - download right here and test-drive it for 30 days. Afterwards you can do whatever you want with it, but it could give you that extra line of defence you do need right now.

Unless of course you want to remain an uneducated fool that actually doesn't care if his machine sends out viruses to hundreds, if not thousands of other people. In that case, you should be shot on sight. And yes, I'm being serious.

[email protected]

Wow! In the midst of all spam for online viagra, adding inches to my penis or tips on how to 'do' the hottest babes and the complete barnyard stock, I finally got the W32/Palyh-A virus.

Is that a noteworthy fact? Yes it is, as the rest of the world has been suffering from it for almost 24 to 36 hours while I didn't receive it at all. It seems the infection has now spread enough to finally reach me. Oh, what would I have to do without that nice [email protected]? I would have been lost without those important files!

Friends, family, readers, people and assorted dumbasses : the MS support division does NOT send out mails with attachments. They do NOT send you viruses (they created Windows though, so they're evil enough to do it). You do NOT have to accept them. You do NOT have to open the files attached. You do HAVE to know better than that. You DO have to DELETE those messages without ever looking at them again.

It's a virus, and the info can be read at the Sophos support page. If you'd like to have an extra filter before messages/viruses like this one enter your mailbox - and in the meantime get rid of all the spam - I suggest you install the MailWasher Pro 30 day trial, or get the full install right away. Believe me, it'll save you a lot of problems.

Note : MailWasher Pro is only an extra line of defense, not a replacement for your personal firewall and virusscanner!
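The two rules that gave the Swen mail away (a "vendor" that attaches a patch, and the same mail arriving several times) and the point made again here about the fake Microsoft support mail are simple enough to turn into a triage filter. The block below is an added example, not something from this blog or from MailWasher; it builds a small constructed mailbox (one lure received four times, one plain-text bulletin announcement, one normal mail) with Python's standard email parser and flags each message with the reason it would be quarantined. The vendor keyword list, the executable extension list and all addresses are assumptions made up for the example.

```python
"""Mail triage for the 'vendor sends a patch by mail' lure (added example, constructed data)."""
import hashlib
import os
from collections import Counter
from email import message_from_string

# Attachment types a genuine vendor announcement never carries (assumption, extend per policy)
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".pif", ".bat", ".com", ".vbs"}
# Vendor names a lure typically impersonates in the From header (assumption)
VENDOR_KEYWORDS = ("microsoft",)


def make_mail(sender, subject, body, attachment=None):
    """Build a raw RFC 822 message string. Constructed sample data, not real mail."""
    headers = f"From: {sender}\nSubject: {subject}\nMIME-Version: 1.0\n"
    if attachment is None:
        return headers + f"Content-Type: text/plain\n\n{body}\n"
    b = "BOUNDARY-CONSTRUCTED"
    return (headers
            + f'Content-Type: multipart/mixed; boundary="{b}"\n\n'
            + f"--{b}\nContent-Type: text/plain\n\n{body}\n"
            + f'--{b}\nContent-Type: application/octet-stream; name="{attachment}"\n'
            + f'Content-Disposition: attachment; filename="{attachment}"\n\n'
            + "MZ-placeholder-not-a-real-binary\n"
            + f"--{b}--\n")


# The lure: claims to come from the vendor and carries an executable "patch"
FAKE = make_mail("Microsoft Corporation Network Security <update@example.invalid>",
                 "Latest Internet Security Update",
                 "Install the attached cumulative patch to protect your system.",
                 attachment="update.exe")

SAMPLE_MAILBOX = [
    FAKE, FAKE, FAKE, FAKE,  # the same mail received four times
    # A legitimate-looking announcement: vendor name, but text only, no attachment
    make_mail("Microsoft Security Notifications <notify@example.invalid>",
              "Microsoft Security Bulletin MS03-037",
              "Visual Basic for Applications vulnerability; see the bulletin on the vendor site."),
    make_mail("Jan <jan@example.invalid>", "Lunch?", "Pizza at noon?"),
]


def attachment_names(msg):
    """All attachment filenames found in the MIME tree."""
    return [p.get_filename() for p in msg.walk() if p.get_filename()]


def claims_vendor(msg):
    """True when the From header (display name or address) names an impersonated vendor."""
    return any(k in msg.get("From", "").lower() for k in VENDOR_KEYWORDS)


def fingerprint(msg):
    """Hash of subject, text bodies and attachment names, used to spot repeated copies."""
    h = hashlib.sha256(msg.get("Subject", "").encode())
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            h.update(part.get_payload(decode=True) or b"")
    for name in sorted(attachment_names(msg)):
        h.update(name.encode())
    return h.hexdigest()


def triage(raw_mails):
    """Return one verdict per message, in input order, with the rules that fired."""
    msgs = [message_from_string(raw) for raw in raw_mails]
    copies = Counter(fingerprint(m) for m in msgs)
    results = []
    for m in msgs:
        reasons = []
        exes = [n for n in attachment_names(m)
                if os.path.splitext(n)[1].lower() in EXECUTABLE_EXTENSIONS]
        if claims_vendor(m) and exes:
            reasons.append("vendor-patch-by-mail")  # rule 1: vendors announce, they don't attach
        n = copies[fingerprint(m)]
        if n > 1:
            reasons.append(f"duplicate-x{n}")       # rule 2: same mail several times
        results.append({"from": m.get("From"), "subject": m.get("Subject"),
                        "attachments": exes,
                        "verdict": "quarantine" if reasons else "keep",
                        "reasons": reasons})
    return results


if __name__ == "__main__":
    for r in triage(SAMPLE_MAILBOX):
        print(f'{r["verdict"]:10} {r["subject"]!r:42} {", ".join(r["reasons"]) or "-"}')
```

The bulletin announcement passes because the rule needs both the vendor claim and an executable attachment; that is the distinction the Swen post draws between announcements (sent by mail) and patches (never sent by mail). The duplicate rule works on a content hash rather than the Subject alone, so a sender rotating subject lines would not trip it; for that case the attachment name and body text still match.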

About this Archive

This page is an archive of recent entries in the Security Alert category.