Microsoft Security Bulletin Re-Releases, August 2005

* MS05-023

– http://www.microsoft.com/technet/security/bulletin/MS05-023.mspx
– Reason for revision: Bulletin updated to reflect an additional affected product: Microsoft Word 2003 Viewer
– Originally posted: June 14, 2005
– Updated: August 9, 2005
– Bulletin Severity Rating: Critical
– Version: 2.0


* MS05-032

– http://www.microsoft.com/technet/security/bulletin/MS05-032.mspx
– Reason for revision: Bulletin updated to advise customers that a revised version of the security update is available for x64-based systems, Microsoft Windows Server 2003 for Itanium-based Systems, and Microsoft Windows Server 2003 with SP1 for Itanium-based Systems.
– Originally posted: June 14, 2005
– Updated: August 9, 2005
– Bulletin Severity Rating: Moderate
– Version: 2.0

CoolWebSearch found in massive spyware ring

Sunbelt Software recently reported to the FBI evidence showing that CoolWebSearch is part of a massive spyware ring in which private information such as user names, passwords, chat sessions and bank information is stored and uploaded to servers. The FBI responded and is working on the case.

Note that there is a LOT of bank information in here, including one company bank account with over US$350,000 and another small company in California with over $11,000 readily accessible. This list goes on and on and on. Of course, there are also eBay accounts and much more.


http://castlecops.com/a6172-CoolWebSearch_found_in_massive_spyware_ring.html

Sober Revolutions

Zombie PCs infected with the Sober-P worm are set to reactivate on
Monday, 23 May. Sober-P posed as offers of a free ticket for next
year’s World Cup and set up backdoor access on compromised PCs,
claiming thousands of victims since its first appearance earlier this
month.

These infected machines were later used to generate a German hate-mail
spam outbreak this week. The sheer volume of this deluge illustrated
the potential for further mischief.

Excerpt from The Register and [ISN].

Which is the best anti-spyware cleaner?

That is just what I was wondering — from a community perspective. We’ve
been running a survey and after 5,414 unique votes, the tally is in:


Source: http://castlecops.com/modules.php?name=Surveys&op=results&pollID=30


1) Lavasoft Ad-Aware SE Personal 25.36%
2) Spybot Search & Destroy 22.42%
3) Microsoft AntiSpyware 14.79%


This is from a list of 19 choices:


Continued at the source: http://castlecops.com/article5987.html

Microsoft Security Bulletin Summary for May 2005

********************************************************************
Title: Microsoft Security Bulletin Summary for May 2005
Issued: May 10, 2005
Version Number: 1.0
Bulletin: http://go.microsoft.com/fwlink/?LinkId=47292
********************************************************************

Summary:
========
This advisory contains information about all security updates
released this month. It is broken down by security bulletin severity.



Important Security Bulletins
============================

MS05-024 – Vulnerability in Web View Could Allow Remote Code
Execution (894320)

– Affected Software:
– Windows 2000 Service Pack 3
– Windows 2000 Service Pack 4

– Review the FAQ section of bulletin MS05-024 for
information about these operating systems:
– Microsoft Windows 98
– Microsoft Windows 98 Second Edition (SE)
– Microsoft Windows Millennium Edition (ME)

– Impact: Remote Code Execution
– Version Number: 1.0

Update Availability:
===================
An update is available to address these issues.
For additional information, including Technical Details,
Workarounds, answers to Frequently Asked Questions,
and Update Deployment Information please read
the Microsoft Security Bulletin Summary for this
month at: http://go.microsoft.com/fwlink/?LinkId=47292

Support:
========
Technical support is available from Microsoft Product Support
Services at 1-866-PC SAFETY (1-866-727-2338). There is no
charge for support calls associated with security updates.
International customers can get support from their local Microsoft
subsidiaries. Phone numbers for international support can be found
at: http://support.microsoft.com/common/international.aspx

Additional Resources:
=====================
* Microsoft has created a free monthly e-mail newsletter containing
valuable information to help you protect your network. This
newsletter provides practical security tips, topical security
guidance, useful resources and links, pointers to helpful
community resources, and a forum for you to provide feedback
and ask security-related questions.
You can sign up for the newsletter at:

http://www.microsoft.com/technet/security/secnews/default.mspx

* Microsoft has created a free e-mail notification service that
serves as a supplement to the Security Notification Service
(this e-mail). It provides timely notification of any minor
changes or revisions to previously released Microsoft Security
Bulletins. This new service provides notifications that are
written for IT professionals and contain technical information
about the revisions to security bulletins.
Visit http://www.microsoft.com to subscribe to this service:

– Click on Subscribe at the top of the page.
– This will direct you via Passport to the Subscription center.
– Under Newsletter Subscriptions you can sign up for the
“Microsoft Security Notification Service: Comprehensive Version”.

* Join Microsoft’s webcast for a live discussion of the technical
details of these security bulletins and steps you can take
to protect your environment. Details about the live webcast
can be found at:

www.microsoft.com/technet/security/bulletin/summary.mspx

The on-demand version of the webcast will be available 24 hours
after the live webcast at:

www.microsoft.com/technet/security/bulletin/summary.mspx

* Protect your PC: Microsoft has provided information on how you
can help protect your PC at the following locations:

http://www.microsoft.com/security/protect/

If you receive an e-mail that claims to be distributing a
Microsoft security update, it is a hoax that may be distributing a
virus. Microsoft does not distribute security updates through
e-mail. You can learn more about Microsoft’s software distribution
policies here:
http://www.microsoft.com/technet/security/topics/policy/swdist.mspx

********************************************************************
THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS
PROVIDED “AS IS” WITHOUT WARRANTY OF ANY KIND. MICROSOFT
DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING
THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
PURPOSE.
IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE
LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT,
INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL
DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN
ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY
FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING
LIMITATION MAY NOT APPLY.
********************************************************************

You’ll take your full disclosure pill, and like it.

Just a month ago now, legal threats by Sybase directed at NGS Software were used to cease the full disclosure of eight holes in its product.  NGS Software disclosed their findings to Sybase and advised them its public disclosure would occur three months after that.  Sybase didn’t like that, but it all worked out in the end after they reached a settlement.  Could it be that Sybase didn’t have enough time to warn their customers about the upgrade?






Responsible disclosure of software flaws by vulnerability researchers has “significantly improved” the security of products, Powers said.




I concur. 


So what is responsible disclosure?  Talk to the security mailing lists and there is a difference of opinion.  Even Wikipedia references “full disclosure” as controversial.  I’d like to see the world take on the stance of “responsible disclosure”:






Some believe that in the absence of any public exploits for the problem, full and public disclosure should be preceded by disclosure of the vulnerability to the vendors or authors of the system. This private advance disclosure allows the vendor time to produce a fix or workaround. This philosophy is sometimes called “responsible disclosure”.




I’d like to take that a step further, and break it down:



  1. Report the vulnerability to the vendor with a suggested patch,
  2. Obtain a response from the vendor and establish a patch release and public disclosure timeline in that order,
  3. Vendor releases tested patch,
  4. Full public disclosure is made with credits.

If the vendor does not respond, make a couple more attempts and then release the disclosure.  Mark it as “vendor MIA” or similar.  Note, the suggested patch is still included in the release.


If a suggested patch is unavailable, find someone who can help you.  If you cannot produce any of the above, list that in your disclosure timeline.  Show proof you have been responsible in trying to contact the vendor and/or produce a patch.  If the above fails, and there is nothing left except for the vulnerability report, then by all means have at it.  Release the report and let the chips fall where they may.  At least you’ve shown due diligence.


Timeframe? Is three months too long? Is eight hours too short? Personally, I’ve always kept mine to below a month. The idea is to get a patch out there quickly. The fewer holes available for poking, the better.

.Text Blog System

Yes, this is the first time I have had the honor of using .Text, an ASP-based web blog system, here at MS MVPS. I’ve been trialing the various templates, and most of them are pretty cool. Some follow the MovableType styles. One big difference between .Text and MovableType that I noticed immediately is when changes are implemented. .Text puts them into action right away, whereas with MovableType (forget the PHP side of it), pages must be re-generated. A bit of an annoyance, as .Text seems more GUI friendly. However, I haven’t seen the backend so I cannot compare the two. Hence, I’m still getting adjusted to the different blogging infrastructure.

Greetings fellow netizens

Much to my surprise and excitement I was recently nominated and awarded the Microsoft MVP for Windows-Security in April 2005.  Because I did not expect to ever receive such a recognition, I’ve taken it seriously and with much joy.  Thank you to everyone for the award.  Along with this my wife Robin Laudanski also received the same award, and then a couple days later our first born child arrived.  Ergo, April 2005 is quite the experience!


I’d also like to thank Susan for creating this blog for me at msmvps.com.  I hope I can continue to bring justice to the MVP title as all the other MVP giants do today.


To that end, I plan on using this blog for discussion of news and writing papers about security and privacy and all that is found within those huge melting pots. So being that this is my first article, I just wanted to again express my sincerest thank you to all. Security and privacy on the Net wouldn’t be as exciting if it were not for all the wonderful folks I’ve come to know throughout the years. You all have shown me the best of ways in communicating with others and generating positive healthy family environments.