Outlook Express Weakness / Solaris Apache Bug / Winamp Exploitation / Translations / End of Internet / Social Engineering Story
Outlook Express Weakness
Today we received a report from Juha-Matti Laurio. He reported a flaw in Outlook Express 6 which may disclose the email addresses in the "BCC:" field to other recipients when a message is sent broken apart into multiple parts (an option that is disabled by default).
This weakness was confirmed by our ISC Handler Lorna, who gave a simple and complete explanation:
"Just like fragmentation...only the first email from the fragmented original
message contains the Bcc list."
Juha-Matti also reported it to Secunia, which published an advisory about it with more details.
Reference: http://secunia.com/advisories/12376/
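The fragmentation Lorna describes is easiest to see with an added example (not code from the diary, the Secunia advisory, or Outlook Express): a toy mailer that splits a message into RFC 2046 message/partial pieces, plus a check that reports where a Bcc list survives, either in the outer headers of any piece or in the encapsulated headers of the reassembled original. The sample message, chunk size and part id are constructed for the example; copying the Bcc header onto every piece is a deliberately careless behaviour for the checker to catch, not a claim about what Outlook Express does.

```python
"""Added example: detect Bcc leakage in a fragmented (message/partial) mail.

The sample message and the fragmenting mailer below are constructed for
this example; they do not reproduce Outlook Express or any real mailer.
"""
import email
from email.message import Message


def build_original() -> Message:
    """Constructed sample message with a Bcc list (not from the diary)."""
    msg = Message()
    msg["From"] = "alice@example.net"
    msg["To"] = "bob@example.net"
    msg["Bcc"] = "carol@example.net, dave@example.net"
    msg["Subject"] = "Quarterly numbers"
    msg.set_payload("Figures attached.\n" * 30)
    return msg


def fragment(msg: Message, chunk_size: int, part_id: str) -> list[Message]:
    """Split msg into message/partial pieces of at most chunk_size chars.

    Careless behaviour, on purpose: every piece gets a copy of the original
    envelope headers, Bcc included, and the original (with its Bcc header)
    is encapsulated unchanged in the body of the pieces.
    """
    raw = msg.as_string()
    chunks = [raw[i:i + chunk_size] for i in range(0, len(raw), chunk_size)]
    parts = []
    for number, chunk in enumerate(chunks, start=1):
        part = Message()
        for name in ("From", "To", "Bcc", "Subject"):
            if msg[name] is not None:
                part[name] = msg[name]
        part.set_type("message/partial")
        part.set_param("id", part_id)
        part.set_param("number", str(number))
        part.set_param("total", str(len(chunks)))
        part.set_payload(chunk)
        parts.append(part)
    return parts


def strip_bcc(msg: Message) -> Message:
    """Remove every Bcc header in place (no-op if absent) and return msg."""
    del msg["Bcc"]
    return msg


def safe_fragment(msg: Message, chunk_size: int, part_id: str) -> list[Message]:
    """Fragment like a careful mailer: drop Bcc from the original before it is
    encapsulated, and from the outer headers of every piece that goes out."""
    clean = strip_bcc(email.message_from_string(msg.as_string()))
    return [strip_bcc(part) for part in fragment(clean, chunk_size, part_id)]


def reassemble(parts: list[Message]) -> Message:
    """Concatenate the pieces in 'number' order and parse the inner message."""
    ordered = sorted(parts, key=lambda p: int(p.get_param("number")))
    return email.message_from_string("".join(p.get_payload() for p in ordered))


def bcc_leaks(parts: list[Message]) -> dict:
    """Report where a Bcc list is still visible on the wire.

    'outer' lists the part numbers whose own headers carry Bcc;
    'inner' is True when the reassembled original still carries Bcc.
    """
    outer = [int(p.get_param("number")) for p in parts if p["Bcc"] is not None]
    inner = reassemble(parts)["Bcc"] is not None
    return {"outer": outer, "inner": inner}


if __name__ == "__main__":
    original = build_original()
    careless = fragment(original, 200, "part-1@example.net")
    careful = safe_fragment(original, 200, "part-2@example.net")
    print("careless mailer:", bcc_leaks(careless))
    print("careful mailer: ", bcc_leaks(careful))
```

Two places matter: the outer headers of every piece, which is what the other recipients' mail client shows, and the encapsulated original inside the body of the first piece, which reappears once the pieces are reassembled. A mailer has to strip Bcc in both places.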
Solaris Apache Bug
Another interesting advisory from Secunia is about Multiple Vulnerabilities in Apache for Sun Solaris. "These vulnerabilities can be exploited to bypass certain security restrictions, cause a DoS (Denial of Service), or potentially compromise a vulnerable system."
Time to Patch!
Reference: http://sunsolve.sun.com/pub-cgi/retrieve.pl?doc=fsalert/57628
http://secunia.com/advisories/12377/
Winamp Exploit used in the wild
We received information about a Winamp vulnerability being exploited. An exploit is already publicly available and is reported to be in use in the wild.
Reference: http://secunia.com/advisories/12381/
Translations
ISC Handler Tom Liston, in his diary of August 23rd on the 'Follow the Bouncing Malware, Part II' topic, mentioned:
"...And some downright bizarre stuff:
Hara Hara Mahadev !!!
tum agar badshah hai to hum eespeek ka yekka!
(Would anyone care to enlighten me?)"
A reader sent the translation to us:
"This appears to be Hindi, the translation of which is approximately:
Illuminating, Illuminating Eminence!!!
If you are a king then accept a lesson of a bug!"
and
"Hara Hara Mahadev !!!
tum agar badshah hai to hum eespeek ka yekka!"
Green green big king!!!
If you are a king then we are Ace of (whatever eespeek is)
End of Internet
An update about 'The End of the Internet' prediction came from the VirusList website.
According to the VirusList website, some news agencies misinterpreted Kaspersky's words.
"...The story stems from brief comments made
yesterday at a press conference which was dedicated to cybercrime and the
problems of spam.
At this press conference, Kaspersky commented that the possibility of
terrorists using the Internet as a tool to attack certain countries was
a reality. As an example, he cited the fact that a number of Arabic and
Hebrew language websites contained an announcement of an 'electronic
jihad' against Israel, to start on 26th August 2004."
Reference: http://www.viruslist.com/eng/index.html?tnews=461517&id=2100900
Social Engineering
This is a little story about social engineering and what you can do to avoid future problems.
Average Joe's wife received a phone call at about 7:00pm from an alleged employee of Joe's ADSL provider, offering a piece of software called SoS-Phone, to be installed on Joe's computer to enhance the internal network security, for a cost of only 1 dollar/month. For that, he had to arrange a visit to Joe's house to check the computer environment.
Average Joe's wife asked the guy to call back later because she had to talk to her husband first and he wasn't there. Then she called her brother-in-law to ask about it, because Joe's brother works in the security department of the same phone company :) and discovered that there was no such product!
Possible usage of this attack:
- Install malicious software to steal credit card number, passwords...
- Use this to get into your home and rob your house
- ...
In this example, if she hadn't been lucky enough to have someone she could verify with, she could have followed some steps to identify such scams:
- Check with the company whether such a product really exists, using its published 800 number, its web site, etc.
- Ask for the caller's name and a phone number you can call back to verify their credentials
- Use your common sense
believe...this CAN happen...
I am Joe's brother and this happened yesterday...:)
------------------------------------------------------------------
Olympic Games 2004 Status: Brazil 2 Gold/ 1 Silver/ 2 Bronze
Handler on Duty: Pedro Bueno <bueno/AT/ieee.org>