Message-ID: <FCAD9F541A8E8A44881527A6792F892C29394C@owa.eeye.com>
From: dcopley at eEye.com (Drew Copley)
Subject: RE: Misinformation on Scob/MSJect Corrected CORRECTION

Whoops, correction:

I was wrong. 

Their "unknown vulnerability" probably is the 180solutions
issue, not the adodb issue, which they do not even discuss
at all, though Symantec notes it.

That's what I get for quitting caffeine and nicotine at
the same time...

> -----Original Message-----
> From: Drew Copley 
> Sent: Wednesday, June 30, 2004 4:06 PM
> To: '1@...ware.com'
> Subject: FW: Misinformation on Scob/MSJect Corrected
> 
>  
> 
> > -----Original Message-----
> > From: Drew Copley 
> > Sent: Wednesday, June 30, 2004 4:06 PM
> > To: bugtraq@...urityfocus.com; 
> > ntbugtraq@...tserv.ntbugtraq.com; full-disclosure@...ts.netsys.com
> > Subject: Misinformation on Scob/MSJect Corrected
> > 
> > Summary:
> > 
> > Microsoft is very wrong when presenting information
> > about Download.Ject [also known as: JS.Scob.Trojan, 
> > Scob, and JS.Toofeer.]
> > 
> > Many media sources have also been presenting nonfactual
> > information on these virii.
> > 
> > 
> > What Is Happening:
> > 
> > CERT advises people not to use Internet Explorer.
> > 
> > http://www.kb.cert.org/vuls/id/713878
> > 
> > This issue is a vulnerability which was found being
> > used by a spyware distributor in the wild. Many 
> > media sources are erroneously reporting this 
> > vulnerability as being the same one Microsoft speaks
> > of in the Scob/MS.Ject attack:
> > 
> > (from: "What You Should Know About Download.Ject")
> > http://www.microsoft.com/security/incident/download_ject.mspx
> > 
> > "The second is a recently discovered issue that 
> > Microsoft is currently investigating in order to 
> > provide a solution. Customers who are already 
> > following our safe browsing guidance significantly 
> > reduce their risk from this type of attack."
> > 
> > This is patently not true. Jelmer found this issue
> > some ten months ago. It is not the recently discovered
> > unknown vulnerability. This is the old adodb stream
> > issue.
> > 
> > And it is not being used by a spyware distributor,
> > it is being used to steal credit cards by outright
> > trojans.
> > 
> > BID: 10514
> > Previously: BID: 8577 
> > Published Date: Aug 23, 2003
> > http://www.securityfocus.com/bid/10514/credit/
> > 
> > http://www.securityfocus.com/bid/8577
> > 
> > The original published paper by Jelmer:
> > http://seclists.org/lists/fulldisclosure/2003/Aug/1703.html
> > 
> > For this "previously unknown vulnerability". It has been
> > known for ten months.
> > 
> > To be fair, I think their tech writers and marketers got
> > confused in transmission from their IE security guys. It
> > is extremely confusing. 
> > 
> > But, this is a major warning they are giving to all
> > of their customers. They are a multibillion dollar
> > company who claims security is their first priority. They
> > need to be held to that standard.
> > 
> > References on Scob:
> > 
> > http://www.securityfocus.com/archive/1/367120/2004-06-20/2004-06-26/0
> > http://tms.symantec.com/documents/040617-Analysis-FinancialInstitutionCompromise.pdf
> > http://tms.symantec.com/documents/040624-Alert-CompromisedIISServerReports.pdf
> > 
> > The original surfacing of this attack used by the same
> > criminals in all likelihood (March 2004) -- yes, same
> > technique as Scob, same end result to steal CC info:
> > http://groups.google.com/groups?selm=c4a26d%241koc%241%40FreeBSD.csie.NCTU.edu.tw&output=gplain
> > 
> > 
> > 
> > End Note:
> > 
> > It might be noted that these attacks are not so
> > widespread to merit the kind of media attention they have
> > received. However, I see this as kind of a "misplaced"
> > new urgency, this urgency should have been there in
> > the first place. In its lateness we also see a lot
> > of inaccuracy, though it might be noted these issues
> > are rather complex and can be very confusing because
> > of the lack of proper naming conventions and such.
> > 
> > In other words: Big money and zero day. The connection
> > has been made.
> > 