Microsoft Security Bulletin July 30, 2004

Today Microsoft released the following Security Bulletin(s).

Note: and are authoritative in all matters concerning Microsoft Security Bulletins! ANY e-mail, web board or newsgroup posting (including this one) should be verified by visiting these sites for official information. Microsoft never sends security or other updates as attachments. These updates must be downloaded from the download center or Windows Update. See the individual bulletins for details.

Because some malicious messages attempt to masquerade as official Microsoft security notices, it is recommended that you physically type the URLs into your web browser and not click on the hyperlinks provided.

Bulletin Summaries:

Windows :
Critical Bulletins:

MS04-025- Cumulative Security Update for Internet Explorer (867801)

This DOES NOT represent our regularly scheduled monthly bulletin release (second Tuesday of each month). Please note that Microsoft may release bulletins out side of this schedule if we determine the need to do so.

If you have any questions regarding the patch or its implementation after reading the above listed bulletin you should contact Product Support Services in the United States at 1-866-PCSafety (1-866-727-2338). International customers should contact their local subsidiary.

PDA Viruses Could Get Nasty

Pests could easily run undetected on handhelds and spread quickly online, security expert warns.

Viruses that target handhelds can be even more dangerous than their cousins that attack PCs, spawning self-replicating programs that hide easily, a security researcher told an audience of security professionals at the Black Hat Briefings conference here this week.

The first virus aimed at Pocket PC handhelds, revealed last week, could be far worse if it were modified slightly to carry a harmful payload, said Seth Fogie, a vice president of Airscanner, which develops security software for the Window Mobile platform.,aid,117164,00.asp

Is Google the hacker’s best friend?

Google, the world’s most popular search engine, is one of the handiest tools for hackers, according to one security expert.

Google’s ability to record Internet sites’ content can be used to pinpoint those with weak security, Johnny Long, a security researcher and computer scientist for Computer Security Corp. told attendees at the Black Hat Security Briefings. Though the technique is not new, well-crafted searches turned up so many sites with vulnerabilities that even jaded researchers laughed during the session.

“It is an old dog with new tricks,” Long said. “It never ceases to amaze people, all the vulnerabilities out there.”

By searching for default server page titles, for example, an attacker can find easily exploitable servers. Applications left in default modes can also be found by searching for error pages generated by the software. And searching for specific file names can pinpoint vulnerable servers connected to the Internet.

“It is the first step to finding vulnerable targets,” Long said.

A simple search for the log-in page of Microsoft’s Web server software, the Internet Information Server, turned up 11,300 sites on the Internet that exposed the page to the public. Gathering log-in information for poorly configured databases is also easy, he said.

The exploitation of Google’s in-depth searching capabilities underscores how software with no malicious motive can be used to help online intruders. The recent MyDoom-O virus hammered Google and other search engines with searches from infected PCs for additional e-mail addresses to which the program could send itself. Security researchers have also theorised that Google and other search engines could be used as a carrier of malicious code.


Panda Software Releases Early Version of Its New TruPREVENT Technology in an Effort to Aid Computer Users Against New Types of Computer Threats

Panda Software has been busy designing its new solutions for 2005 that will protect computer users against the new types of computer threats that seem to spread almost instantly.  Panda Software answers these threats with its TruPREVENT technologies which will be a key feature for all Panda solutions in the coming year. Panda’s new technology will help detect and stop threats even without virus signatures so that new and unknown threats can be stopped before causing damage to the user.

Anti-Phishing:eBay-Update Your Billing Information

Another ‘social engineering’ phish attempt, targeting eBay customers. The message has an eBay header and footer, a convincing sender and nice (at a first glance) URL. They are all spoofed:

Email subject: ‘Update Your Billing Informations’ 
Scam target: eBay customers  
Distribution medium: a HTML email (click here for the HTML code of the message itself)  
Sender spoofed? Yes 
Scam call to action: ‘During our regularly scheduled account maintenance and verification procedures, we have detected a slight error in your billing information. … Please update and verify your information by clicking the link below…’ 
Scam goal: Getting victim’s ebay and paypal usernames/passwords, credit/debit card information, bank account information, SSN, contact (name, address, phone, etc.) information  
Call to action format: URL link 
Visible link:  h++ps://
Called link:  h++p:// 
Phish site on :  www.


Email Spoofing and Phishing Finally Has a Solution, the leader in email authentication technology, today announced the availability of the Message Level Email Authentication Protocol.  This patent-pending technology enables full protection against email spoofing, electronic messaging fraud, and email Phishing attacks.

Using components of the email messages themselves, the Message Level Protocol creates origination records for each outgoing message, which enables Receiving Systems to query back automatically as to the authenticity of
received email based upon whether or not the messages actually originated from the purported sender.  As such, the Message Level Protocol creates an impenetrable solution against email fraud, guarantees 100% detection of
spoofed emails, and generates absolutely no false positives.  The Message Level Protocol provides companies with a secure, reliable, and easily accessible solution to prevent spoofed email and Phishing attacks, which has previously been seen as impossible.


Microsoft alpha-tests anti-virus product

Microsoft is currently alpha-testing its upcoming anti-virus product, according to industry sources.

The sources claim that the anti-virus software works as a behaviour blocker that monitors different events and actions on computers. If the event or action is typical of a virus or is harmful, it will be prevented.

Behaviour blockers do not use code signatures like traditional scanner-based anti-virus programs, so they may be able to protect against new types of viruses without being updated.

The anti-virus product was also referred to as an Intrusion Detection and Protection System by sources, indicating that it may work in conjunction with the Windows firewall.

An interesting feature of Microsoft’s anti-virus software is that it is distributed, according to the sources. It communicates with other machines over a secure channel and learns from these.

Mozilla / Mozilla Firefox User Interface Spoofing Vulnerability

Release Date: 2004-07-30 

Critical: Moderately critical 
Impact: Spoofing
Where: From remote
Software: Mozilla 0.x
Mozilla 1.0
Mozilla 1.1
Mozilla 1.2
Mozilla 1.3
Mozilla 1.4
Mozilla 1.5
Mozilla 1.6
Mozilla 1.7.x
Mozilla Firefox 0.x

A vulnerability has been reported in Mozilla and Mozilla Firefox, allowing malicious websites to spoof the user interface.

The problem is that Mozilla and Mozilla Firefox don’t restrict websites from including arbitrary, remote XUL (XML User Interface Language) files. This can be exploited to “hijack” most of the user interface (including tool bars, SSL certificate dialogs, address bar and more), thereby controlling almost anything the user sees.

The Mozilla user interface is built using XUL files.

A PoC (Proof of Concept) exploit for Mozilla Firefox has been published. The PoC spoofs a SSL secured PayPal website.

This has been confirmed using Mozilla 1.7 for Linux, Mozilla Firefox 0.9.1 for Linux, Mozilla 1.7.1 for Windows and Mozilla Firefox 0.9.2 for Windows. Prior versions may also be affected.

NOTE: This issue appears to be the same as Mozilla Bug 244965.

Do not follow links from untrusted sites.

Provided and/or discovered by:
Reported in Mozilla Firefox by:
Jérôme ATHIAS (also created a PoC)

Reported in Mozilla by:
James Ross