lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <FCAD9F541A8E8A44881527A6792F892C29392C@owa.eeye.com>
From: dcopley at eEye.com (Drew Copley)
Subject: Misinformation on Scob/MSJect Corrected

Summary:

Microsoft is very wrong when presenting information
about Download.Ject [also known as: JS.Scob.Trojan, 
Scob, and JS.Toofeer.]

Many media sources have also been presenting infactual
information on these virii.


What Is Happening:

CERT advises people not to use Internet Explorer.

http://www.kb.cert.org/vuls/id/713878

This issue is a vulnerability which was found being
used by a spyware distributor in the wild. Many 
media sources are erroneously reporting this 
vulnerability as being the same one Microsoft speaks
of in the Scob/MS.Ject attack:

(from: "What You Should Know About Download.Ject)
http://www.microsoft.com/security/incident/download_ject.mspx

"The second is a recently discovered issue that 
Microsoft is currently investigating in order to 
provide a solution. Customers who are already 
following our safe browsing guidance significantly 
reduce their risk from this type of attack."

This is patently not true. Jelmer found this issue
some ten months ago. It is not the recently discovered
unknown vulnerability. This is the old adodb stream
issue.

And it is not being used by a spyware distributor,
it is being used to steal credit cards by out right
trojans.

BID: 10514
Previously: BID: 8577 
Published Date: Aug 23, 2003
http://www.securityfocus.com/bid/10514/credit/

http://www.securityfocus.com/bid/8577

The original published paper by Jelmer:
http://seclists.org/lists/fulldisclosure/2003/Aug/1703.html

For this "previously unknown vulnerability". It has been
known for ten months.

To be fair, I think their tech writers and marketers got
confused in transmission from their IE security guys. It
is extremely confusing. 

But, this is a major warning they are giving to all
of their customers. They are a multibillion dollar
company who claims security is their first priority. They
need to be held to that standard.

References on SCob:
http://www.securityfocus.com/archive/1/367120/2004-06-20/2004-06-26/0
http://tms.symantec.com/documents/040617-Analysis-FinancialInstitutionCo
mpromise.pdf
http://tms.symantec.com/documents/040624-Alert-CompromisedIISServerRepor
ts.pdf

The original surfacing of this attack used by the same
criminals in all likelihood (March 2004) -- yes, same
technique as Scob, same end result to steal CC info:
http://groups.google.com/groups?selm=c4a26d%241koc%241%40FreeBSD.csie.NC
TU.edu.tw&output=gplain



End Note:

It might be noted that these attacks are not so wide
spread to merit the kind of media attention they have
received. However, I see this as kind of a "misplaced"
new urgency, this urgency should have been there in
the first place. In its' lateness we also see a lot
of inaccuracy, though it might be noted these issues
are rather complex and can be very confusing because
of the lack of proper naming conventions and such.

In other words: Big money and zero day. The connection
has been made.






Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ