Threat Level: green Handler on Duty: Guy Bruneau

SANS ISC: MSN-Worms exploit MS pif filter vulnerability - SANS Internet Storm Center SANS ISC InfoSec Forums

MSN-Worms exploit MS pif filter vulnerability
Kaspersky's blog, always a great read, is reporting that there are some "epidemic level" MSN-Worms (see Do you like photos?) that "spread using links to .PIF files." They go on to say:

"But some of you might remember that Microsoft blocked messages containing ".pif"?

Yes they have, but... the MS block is case sensitive!

So the criminals used capital letters, ".PIF" and the network filters let the message flow right through. Other variations like .Pif, .pIf, and so on also work."

While you're there also check out their excellent Kaspersky Security Bulletin, January - June 2006: Malware Evolution released 09/22.

Thanks for the heads up Kaspersky!

And readers, please remember (sticking tongue firmly in cheek) that Microsoft says: "Microsoft is aware of third party mitigations that attempt to block exploitation of vulnerabilities in Microsoft software. While Microsoft can appreciate the steps these vendors and independent security researchers are taking to provide our customers with mitigations, as a best practice, customers should obtain security updates and guidance from the original software vendor. Microsoft carefully reviews and tests security updates and workarounds to ensure that they are of high quality and have been evaluated thoroughly for application compatibility. Microsoft cannot provide similar assurance for independent third party security updates or mitigations."
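For anyone maintaining their own message or gateway filters, the case-sensitivity gap Kaspersky describes is easy to regression-test. The following is an added example, not code from Microsoft, Kaspersky or the ISC: the function names, the sample message and the `example.invalid` host are constructed for illustration, and the "naive" filter only models the case-sensitive behaviour described in the quote above.

```python
import itertools

# The extension named in the post; extend the tuple for your own policy.
BLOCKED_EXTENSIONS = (".pif",)


def naive_filter_blocks(message: str) -> bool:
    """Case-sensitive substring match: models the behaviour described above."""
    return any(ext in message for ext in BLOCKED_EXTENSIONS)


def hardened_filter_blocks(message: str) -> bool:
    """Case-fold the message first so every spelling compares equal."""
    folded = message.casefold()
    return any(ext.casefold() in folded for ext in BLOCKED_EXTENSIONS)


def case_variants(ext: str) -> list[str]:
    """Every upper/lower-case spelling of an extension (8 for '.pif')."""
    choices = [sorted({c.lower(), c.upper()}) for c in ext]
    return ["".join(p) for p in itertools.product(*choices)]


def missed_variants(filter_fn, ext: str) -> list[str]:
    """Return the spellings of `ext` that `filter_fn` fails to block."""
    missed = []
    for variant in case_variants(ext):
        # Constructed sample message; example.invalid is a reserved name.
        message = f"look at my photos http://example.invalid/photo{variant}"
        if not filter_fn(message):
            missed.append(variant)
    return missed


if __name__ == "__main__":
    for name, fn in (("naive", naive_filter_blocks),
                     ("hardened", hardened_filter_blocks)):
        gaps = missed_variants(fn, ".pif")
        print(f"{name:9s} misses {len(gaps)} of 8 spellings: {gaps}")
```

Running the same `missed_variants` check against every extension on a blocklist turns the comparison into a regression test for the filter.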

Sep 23rd 2006
