
SANS ISC: InfoSec Handlers Diary Blog


Strange Round of EMails

Published: 2007-07-13
Last Updated: 2007-07-19 14:15:44 UTC
by Deborah Hale (Version: 1)

We have received a number of reports from our readers indicating that they are receiving a large amount of Pump and Dump spam that contains no subject line and no body text.  The emails do, however, contain attachments with a .dat extension.  Upon further review, the attachments appear to be failed attempts at creating and sending a .pdf file.

The attachments are the typical pharmacy scam spam.  It is recommended that you simply delete the emails.  You may want to consider adding .dat to the banned file extensions in your anti-virus programs, at least until this round of spam has ended.

NOTE:  Just a reminder, some applications use the .dat extension on their files for various reasons (Blackberry registration, Exchange servers).  Be aware that if you block .dat attachments you may also block valid emails.  At this point the .dat attachment is not malicious, so you may prefer to inform your users about the emails and tell them to delete them without opening the attachment.
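Rather than banning the extension outright, a mail filter can match the full pattern the diary describes (no subject, no body text, a .dat attachment) and tag the message for review. The following is an added example, not code from the ISC diary; the two MIME messages in it are constructed samples, and the addresses are placeholders.

```python
# Added example (not the ISC diary's code): flag the diary's pattern of no
# Subject, no body text and a .dat attachment. Samples are constructed.
import email
from email import policy
from email.message import EmailMessage

# Constructed sample 1: no Subject, no text part, a failed "PDF" sent as .dat.
SPAM_SAMPLE = b"""From: sender@example.invalid
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: application/octet-stream; name="message.dat"
Content-Disposition: attachment; filename="message.dat"
Content-Transfer-Encoding: base64

JVBERi0xLjQK
--b1--
"""

# Constructed sample 2: legitimate .dat attachment with a subject and body text.
LEGIT_SAMPLE = b"""From: it@example.invalid
Subject: Device registration file
Content-Type: multipart/mixed; boundary="b2"

--b2
Content-Type: text/plain; charset="us-ascii"

Please find the registration file attached.
--b2
Content-Type: application/octet-stream; name="registration.dat"
Content-Disposition: attachment; filename="registration.dat"
Content-Transfer-Encoding: base64

AAECAw==
--b2--
"""

def dat_attachments(msg: EmailMessage) -> list:
    """Filenames of attachments ending in .dat (empty list if none)."""
    return [p.get_filename() for p in msg.iter_attachments()
            if (p.get_filename() or "").lower().endswith(".dat")]

def looks_like_empty_dat_spam(raw: bytes) -> bool:
    """Match only the full pattern: legitimate software (Blackberry registration,
    Exchange) also sends .dat files, so tag or quarantine hits rather than drop them."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    subject = str(msg["Subject"] or "").strip()
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content().strip() if body is not None else ""
    return not subject and not text and bool(dat_attachments(msg))
```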

Thanks to our many readers that have offered insight into the uses for the .dat files.


Symantec Backup Exec for Windows Server

Published: 2007-07-13
Last Updated: 2007-07-13 18:33:37 UTC
by Deborah Hale (Version: 1)

An advisory has been issued by Symantec for their Backup Exec product.  According to the advisory, a vulnerability exists that may result in an RPC interface heap overflow or denial of service on versions 10.x and 11.0 for Windows Servers.

seer.entsupport.symantec.com/docs/289731.htm

The advisory indicates that hotfixes are available at:  seer.entsupport.symantec.com/docs/289283.htm

The Common Vulnerabilities and Exposures (CVE) initiative has assigned CVE Candidate CVE-2007-3509 to this issue. This issue is a candidate for inclusion in the CVE list (cve.mitre.org), which standardizes names for security problems.

In order to fully exploit this vulnerability the user must have administrative privileges.  Again, another good reason to restrict user access whenever possible.


There is also an advisory from Secunia containing information about 2 vulnerabilities that exist in various Symantec products, including Internet Security and Brightmail.  Again, full exploitation requires the user to have administrative privileges.

secunia.com/advisories/26053/


Sunbelt Software Releases Patch for Ninja Email

Published: 2007-07-13
Last Updated: 2007-07-13 18:22:07 UTC
by Deborah Hale (Version: 1)

Sunbelt Software has announced the availability of a patch to fix the problems that have occurred with the Ninja Email software after installation of the MS07-040 patch for .NET.  For more information about the problems with Ninja and to download the patch see:

sunbeltblog.blogspot.com/2007/07/sunbelt-developers-work-at-speed-of.html


Java Run Time Advisory Issued

Published: 2007-07-13
Last Updated: 2007-07-13 16:44:38 UTC
by Deborah Hale (Version: 1)

According to an article online at ZDNet, there is yet another potential problem with Java.

news.zdnet.com/2100-1009_22-6196493.html


Australia's Computer Emergency Response Team analyst, Robert Lowe, warned that anyone using the Java Runtime Environment or Java Development Kit is at risk.

www.auscert.org.au/render.html

This flaw may have an impact on PDAs and mobile phones as well as PCs.  Because Java is browser independent, it has the potential to impact many, many devices.  It is recommended that you patch all Java devices as soon as possible.


MS07-036 Revised

Published: 2007-07-13
Last Updated: 2007-07-13 02:40:05 UTC
by Mark Hofman (Version: 1)

This patch was initially only for Office on Windows; however, some Mac users of Office may have noticed a patch being pushed down to them as well.  Microsoft has revised the bulletin and detection logic.

MS07-036 Vulnerabilities in Microsoft Excel Could Allow Remote Code Execution (936542)

"Summary: The bulletin was updated to include Microsoft Office 2004 for Mac and to indicate that the File Manifest information has been updated for Microsoft Office Compatibility Pack for Word, Excel, and PowerPoint 2007.  The significance here is around the fact that when the bulletin was released there was no mention of Mac being affected despite the fact that bits were published to address the issue for them."

Mark - Shearwater
