MS04-028 Public Exploit Attempts, VENDORS TAKE NOTE, Contacting ISC
MS04-028 Public Exploit Attempts
A post on the BUGTRAQ mailing list led us to an MS04-028 exploit attempt that was posted to adult-oriented newsgroups. The malicious image appears to have been created with one of the more recent MS04-028 exploit kits. Most popular anti-virus scanners, including BitDefender, Kaspersky, McAfee, Symantec and TrendMicro, are able to detect these exploitative JPGs, identifying them as "Exploit-MS04-028" or "Bloodhound.Exploit.13" (Symantec).
Testing this exploit image on vulnerable Windows 2000 and Windows XP SP1 machines with Internet Explorer only caused the application to crash. However, we suspect that a working exploit is very close to widespread availability. Thanks to Johannes Ullrich and Bob Hutzley for offering up assistance in testing.
Vendors Take Note
Many people have written in indicating that they are detecting vulnerable non-Microsoft applications with the ISC GDIScan tool. Reader Neal L. Lester writes in:
"Your GDI scanner found a vulnerable copy of gdiplus.dll in my "HP CD-DVD" directory. I contacted HP and they had me install an old patch. Well, I've learned enough to know that asking why a two year old patch will cure a recent vulnerability isn't going to get me anywhere so I did as I was asked: Still There."
Vendors - If your software redistributes Microsoft DLLs that are vulnerable to the MS04-028 flaw, your software may be vulnerable to attack as well. Please work toward offering a solution for resolving this issue for your customers!
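The kind of inventory described above, finding every redistributed copy of gdiplus.dll and comparing its file version against a fixed release, can be sketched as follows. This is an added example, not the ISC GDIScan tool or its method: locating the version by searching for the VS_FIXEDFILEINFO signature is a heuristic chosen here, the `fixed` version is a placeholder to be replaced with the value from the vendor bulletin, and the sample files are constructed.

```python
import os
import struct
import tempfile

# VS_FIXEDFILEINFO begins with dwSignature 0xFEEF04BD, followed by
# dwStrucVersion, dwFileVersionMS and dwFileVersionLS (little-endian DWORDs).
SIG = struct.pack("<I", 0xFEEF04BD)

def file_version(data):
    """Return (major, minor, build, revision) from the version resource, or None."""
    pos = data.find(SIG)
    if pos == -1 or pos + 16 > len(data):
        return None
    _struc, ms, ls = struct.unpack_from("<III", data, pos + 4)
    return (ms >> 16, ms & 0xFFFF, ls >> 16, ls & 0xFFFF)

def find_gdiplus_copies(root, fixed_version):
    """List (path, version, status) for every gdiplus.dll found under root."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.lower() != "gdiplus.dll":   # Windows names are case-insensitive
                continue
            path = os.path.join(dirpath, name)
            try:
                with open(path, "rb") as fh:
                    version = file_version(fh.read())
            except OSError:
                version = None                  # unreadable: report it, do not skip it
            if version is None:
                status = "unknown"
            elif version < fixed_version:
                status = "older-than-fixed"
            else:
                status = "ok"
            findings.append((path, version, status))
    return sorted(findings, key=lambda f: f[0])

def fake_dll(version):
    """Constructed test file: just enough bytes to carry a VS_FIXEDFILEINFO."""
    a, b, c, d = version
    return b"MZ" + bytes(64) + SIG + struct.pack("<III", 0x10000, a << 16 | b, c << 16 | d)

def demo():
    fixed = (2, 0, 0, 0)  # placeholder; take the real value from the vendor bulletin
    tree = {"System/gdiplus.dll": fake_dll((2, 0, 1, 0)),
            "VendorApp/GdiPlus.DLL": fake_dll((1, 9, 0, 7)),
            "Other/gdiplus.dll": b"MZ no version resource"}
    with tempfile.TemporaryDirectory() as root:
        for rel, blob in tree.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(blob)
        return [(os.path.relpath(p, root).replace(os.sep, "/"), v, s)
                for p, v, s in find_gdiplus_copies(root, fixed)]
```

Copies reported as "unknown" carry no readable version resource and need manual review rather than being treated as safe.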
Contacting ISC
All of the Internet Storm Center Incident Handlers value the anonymity of the individuals who submit information to us. Anyone who wishes to anonymously share information or confidentially ask a question is welcome to do so by using the form at http://isc.sans.org/contact.php . However, if you ask us a question and do not supply your email address, it is very difficult for us to respond to your request. In some cases, Tom Liston will use his psychic ability to "IM" you back, but that is quite rare.
-Joshua Wright/Handler-on-Duty