Re: MS01-058 exploit - W32/Cool.A-mm

From: Steen Larsen (slarsen@MESSAGELABS.COM)
Date: 12/19/01


Date:         Wed, 19 Dec 2001 14:20:23 -0000
From: Steen Larsen <slarsen@MESSAGELABS.COM>
To: NTBUGTRAQ@LISTSERV.NTBUGTRAQ.COM

First my apologies for not munging that URL in the message I sent
yesterday. I was in a hurry and wanted to warn you all quickly.
Yes, this is NTBugtraq, but we should definitely try to use the same
cautious approach on this list as we do with end-user communication.

As Ross said in an earlier mail, we now know that the site did not
use the MS01-058 exploit; in fact it exploited the (old!) MS00-075
vulnerability and also used various JavaScript trojans. More
information can be found here:

        http://vil.mcafee.com/dispVirus.asp?virus_k=99284
        http://www.f-secure.com/v-descs/coolsite.shtml
        http://www.microsoft.com/technet/security/bulletin/MS00-075.asp

Ross wrote "Boy do I feel dumb." Please don't! Working with
security we cannot always afford to do in-depth checks and research
before we act. We must quickly assess the risk of waiting (while we
research) and acting quickly.

Finding out what the "cool website" did was actually quite time
consuming due to the use of frames, pop-ups, scripts and different
domains. Because of this I thought it useful to send the warning
with the note "Please note that this is early information that
has not been properly researched yet."

I hope everybody found the warning useful and that we have all
been reminded how quickly a browser vulnerability can be exploited
when combined with an email that directs a user to a rogue site.

Have you patched your browser today? :-)

Best regards

Steen

_________________________________

Steen Larsen
Director of Security
MessageLabs Ltd.

E - slarsen@messagelabs.com
DD - +44 (0) 1452 627639
F - +44 (0) 1452 627628
W - www.messagelabs.com

Company Registration No - 834506
_________________________________

