today's AUSCERT alert, filename.rules.conf tweak
Jeff A. Earickson
jaearick at COLBY.EDU
Tue Jan 4 14:08:55 GMT 2005
Gang,
See the AUSCERT bulletin below, if you haven't already. In light of this,
I added the following to my filename.rules.conf file:
#---added per AUSCERT bulletin AL-2005.001, Jan 4, 2005
deny|\.bmp$|Windows bitmap file|Possible buffer overflow in Explorer/Outlook
deny|\.ico$|Windows icon file|Possible buffer overflow in Explorer/Outlook
deny|\.ani$|Windows animated cursor file|Possible buffer overflow in Explorer/Outlook
deny|\.cur$|Windows cursor file|Possible buffer overflow in Explorer/Outlook
deny|\.hlp$|Windows Help file|Possible buffer overflow in Explorer/Outlook
I replaced tabs with the pipe symbol (|) for this email. Maybe this
should be rolled into the next edition of MailScanner?
Jeff Earickson
Colby College
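An added example (not part of Jeff's post or of MailScanner itself) that parses rules in the pipe-separated form shown above and applies them to sample attachment names, to make the first-match, default-allow semantics visible. It assumes MailScanner matches filenames case-insensitively and accepts tab- or pipe-separated fields purely for this demonstration.

```python
import re

# Constructed sample rules, copied from the post above plus one "allow" line.
# Real filename.rules.conf separates the four fields with tabs; the pipe form
# is what the post used for email, and this parser accepts either (assumption).
RULES_TEXT = r"""
#---added per AUSCERT bulletin AL-2005.001, Jan 4, 2005
deny|\.bmp$|Windows bitmap file|Possible buffer overflow in Explorer/Outlook
deny|\.ico$|Windows icon file|Possible buffer overflow in Explorer/Outlook
deny|\.ani$|Windows animated cursor file|Possible buffer overflow in Explorer/Outlook
deny|\.cur$|Windows cursor file|Possible buffer overflow in Explorer/Outlook
deny|\.hlp$|Windows Help file|Possible buffer overflow in Explorer/Outlook
allow|\.txt$|-|-
"""


def parse_rules(text):
    """Return a list of (action, compiled_regex, log_text, user_text) tuples."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue                      # blank lines and comments are skipped
        fields = re.split(r"\t+|\|", line, maxsplit=3)
        if len(fields) != 4:
            raise ValueError(f"malformed rule: {line!r}")
        action, pattern, log_text, user_text = fields
        if action.lower() not in ("allow", "deny"):
            raise ValueError(f"unknown action in rule: {line!r}")
        # Assumption: filenames are matched case-insensitively, so CURSOR.ANI
        # is caught by \.ani$ just like cursor.ani.
        rules.append((action.lower(), re.compile(pattern, re.IGNORECASE),
                      log_text, user_text))
    return rules


def check_filename(filename, rules):
    """First matching rule wins; a filename matching no rule is allowed."""
    for action, regex, log_text, _user_text in rules:
        if regex.search(filename):
            return action, log_text
    return "allow", "no rule matched"


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for name in ("report.txt", "wallpaper.bmp", "CURSOR.ANI", "setup.hlp", "bmp.notes"):
        print(f"{name:15} -> {check_filename(name, rules)}")
```

Because these rules key on the extension alone, a renamed image would pass them; MailScanner's separate filetype rules (which inspect content) are the place to catch that.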
---------- Forwarded message ----------
Date: Tue, 4 Jan 2005 05:34:25 UT
From: auscert at auscert.org.au
Reply-To: national-alerts at auscert.org.au
To: national-alerts at auscert.org.au
Subject: [NATIONAL-ALERTS] (AUSCERT AL-2005.001) Three vulnerabilities in Microsoft Windows and Internet Explorer
===========================================================================
A U S C E R T A L E R T
AL-2005.001 -- AUSCERT ALERT
Three vulnerabilities in Microsoft Windows and Internet Explorer
4 January 2005
===========================================================================
AusCERT Alert Summary
---------------------
Product:          Microsoft Internet Explorer
                  Microsoft Outlook
                  Microsoft Outlook Express
                  Microsoft Windows
Operating System: Windows
Impact:           Execute Arbitrary Code/Commands
                  Denial of Service
Access:           Remote/Unauthenticated
CVE Names:        CAN-2004-1305 CAN-2004-1306
SUMMARY:
This alert describes three vulnerabilities in Microsoft Internet
Explorer and other Windows components that may allow the remote
execution of arbitrary code and denial of service.
PROBLEMS:
1. A heap buffer overflow in the LoadImage code that handles .bmp, .ico,
.ani and .cur files in Microsoft Internet Explorer, Outlook and
Outlook Express allows an attacker to remotely compromise Windows
systems.
A vulnerable computer may be compromised if Internet Explorer is
used to view a malicious web page, or if Outlook is used to view or
preview a malicious email. This compromise can occur without any
additional user interaction.
Windows XP with Service Pack 2 installed is not vulnerable.
All other Windows versions are vulnerable.
2. winhlp32.exe, the component of Windows that displays .hlp help files,
contains a buffer overflow vulnerability allowing an attacker to
execute arbitrary code if a malicious .hlp file is opened.
All known Windows versions are vulnerable.
3. The Windows kernel incorrectly parses .ani files, allowing an
attacker to cause a denial of service by referencing a malformed
.ani file in a web page or email.
A vulnerable computer can be crashed causing a denial of service if
Internet Explorer or Outlook are used to view a malicious web page
or email. This can occur without any additional user interaction.
Windows XP with Service Pack 2 installed is not vulnerable.
All other Windows versions are vulnerable.
AusCERT advises that working proof of concept exploits for these
vulnerabilities have been made public that allow remote compromise of
systems running Windows.
MITIGATION:
There are currently no patches available to fix these vulnerabilities.
AusCERT advises users and sites running Windows to evaluate their
exposure to the vulnerabilities and to apply the following mitigation
to reduce the risk of exploitation:
For Windows XP:
o Ensure that Service Pack 2 is installed.
o Disable Active Scripting and ActiveX in the "Internet" and
"My Computer" domains, as detailed below.
Note that disabling scripting will stop the current proof of concept
exploit code, but the LoadImage vulnerability may still be exploitable
even if all scripting has been disabled.
o Use a different web browser.
For Windows 2000:
o Disable Active Scripting and ActiveX in the "Internet" and
"My Computer" domains, as detailed below.
Note that disabling scripting will stop the current proof of concept
exploit code, but the LoadImage vulnerability may still be exploitable
even if all scripting has been disabled.
o Use a different web browser.
Instructions for disabling active content in Internet Explorer can be
obtained from Microsoft's website. [1]
The "My Computer" zone is usually not visible in the Internet Options
dialog. To enable it, refer to the instructions on Microsoft's
website. [2]
It is advisable not to click on any links provided in email messages.
If a user wishes to follow a link in an email it is best to type the
address into the web browser by hand.
Additional useful information may also be found in the AusCERT paper
entitled "Protecting your computer from malicious code". [3]
AusCERT will continue to monitor this vulnerability and any changes in
exploit activity. AusCERT members will be updated as information becomes
available.
REFERENCES:
[1] How to Disable Active Content in Internet Explorer
http://support.microsoft.com/?kbid=154036
[2] How to Enable the My Computer Security Zone in Internet Options
http://support.microsoft.com/?kbid=315933
[3] Protecting your computer from malicious code
http://www.auscert.org.au/3352
AusCERT has made every effort to ensure that the information contained
in this document is accurate. However, the decision to use the information
described is the responsibility of each user or organisation. The decision to
follow or act on information or advice contained in this security bulletin is
the responsibility of each user or organisation, and should be considered in
accordance with your organisation's site policies and procedures. AusCERT
takes no responsibility for consequences which may arise from following or
acting on information or advice contained in this security bulletin.
If you believe that your computer system has been compromised or attacked in
any way, we encourage you to let us know by completing the secure National IT
Incident Reporting Form at:
http://www.auscert.org.au/render.html?it=3192
===========================================================================
Australian Computer Emergency Response Team
The University of Queensland
Brisbane
Qld 4072
Internet Email: auscert at auscert.org.au
Facsimile: (07) 3365 7031
Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
AusCERT personnel answer during Queensland business hours
which are GMT+10:00 (AEST).
On call after hours for member emergencies only.
===========================================================================
AusCERT is the national computer emergency response team for Australia. We
monitor various sources around the globe and provide reliable and independent
information about serious computer network threats and vulnerabilities.
AusCERT, which is a not-for-profit organisation, operates a cost-recovery
service for its members and a smaller free security bulletin service to
subscribers of the National Alerts Service.
In the interests of protecting your information systems and keeping up to date
with relevant information to protect your information systems, you should be
aware that not all security bulletins published or distributed by AusCERT are
included in the National Alert Service. AusCERT may publish and distribute
bulletins to its members which contain information about serious computer
network threats and vulnerabilities that could affect your information
systems. Many of these security bulletins are publicly accessible from our web
site.