[<prev] [next>] [thread-next>] [day] [month] [year] [list]
Message-ID: <FCAD9F541A8E8A44881527A6792F892C29392C@owa.eeye.com>
From: dcopley at eEye.com (Drew Copley)
Subject: Misinformation on Scob/MSJect Corrected
Summary:
Microsoft is very wrong when presenting information
about Download.Ject [also known as: JS.Scob.Trojan,
Scob, and JS.Toofeer.]
Many media sources have also been presenting infactual
information on these virii.
What Is Happening:
CERT advises people not to use Internet Explorer.
http://www.kb.cert.org/vuls/id/713878
This issue is a vulnerability which was found being
used by a spyware distributor in the wild. Many
media sources are erroneously reporting this
vulnerability as being the same one Microsoft speaks
of in the Scob/MS.Ject attack:
(from: "What You Should Know About Download.Ject)
http://www.microsoft.com/security/incident/download_ject.mspx
"The second is a recently discovered issue that
Microsoft is currently investigating in order to
provide a solution. Customers who are already
following our safe browsing guidance significantly
reduce their risk from this type of attack."
This is patently not true. Jelmer found this issue
some ten months ago. It is not the recently discovered
unknown vulnerability. This is the old adodb stream
issue.
And it is not being used by a spyware distributor,
it is being used to steal credit cards by out right
trojans.
BID: 10514
Previously: BID: 8577
Published Date: Aug 23, 2003
http://www.securityfocus.com/bid/10514/credit/
http://www.securityfocus.com/bid/8577
The original published paper by Jelmer:
http://seclists.org/lists/fulldisclosure/2003/Aug/1703.html
For this "previously unknown vulnerability". It has been
known for ten months.
To be fair, I think their tech writers and marketers got
confused in transmission from their IE security guys. It
is extremely confusing.
But, this is a major warning they are giving to all
of their customers. They are a multibillion dollar
company who claims security is their first priority. They
need to be held to that standard.
References on SCob:
http://www.securityfocus.com/archive/1/367120/2004-06-20/2004-06-26/0
http://tms.symantec.com/documents/040617-Analysis-FinancialInstitutionCo
mpromise.pdf
http://tms.symantec.com/documents/040624-Alert-CompromisedIISServerRepor
ts.pdf
The original surfacing of this attack used by the same
criminals in all likelihood (March 2004) -- yes, same
technique as Scob, same end result to steal CC info:
http://groups.google.com/groups?selm=c4a26d%241koc%241%40FreeBSD.csie.NC
TU.edu.tw&output=gplain
End Note:
It might be noted that these attacks are not so wide
spread to merit the kind of media attention they have
received. However, I see this as kind of a "misplaced"
new urgency, this urgency should have been there in
the first place. In its' lateness we also see a lot
of inaccuracy, though it might be noted these issues
are rather complex and can be very confusing because
of the lack of proper naming conventions and such.
In other words: Big money and zero day. The connection
has been made.
Powered by blists - more mailing lists