[NATIONAL-ALERTS] (AUSCERT AL-2005.0030) Trojan "Hesive" Targets Microsoft Access Vulnerability (fwd)
Julian Field
MailScanner at ecs.soton.ac.uk
Thu Oct 6 15:13:42 IST 2005
-----BEGIN PGP SIGNED MESSAGE-----
They miss out 2 things:
1) an apology for having to publicly admit that you can't trust their files
2) going to Windows Update to get a patch for Office (which is presumably
   where they will patch it) won't work, as Office patches are only available
   from office.microsoft.com and not from windowsupdate.microsoft.com.
On 6 Oct 2005, at 02:32, Jeff A. Earickson wrote:
> Gang,
>
> FYI below. In the course of attempting to figure out what an mdb file
> is, I stumbled across this website, telling what types of attachments
> Outlook 2003 blocks. Wow, what a list...
>
> http://office.microsoft.com/en-us/assistance/HA011402971033.aspx
>
> Jeff Earickson
> Colby College
>
> ---------- Forwarded message ----------
> Date: Thu, 06 Oct 2005 10:04:05 +1000
> From: AusCERT <auscert at auscert.org.au>
> To: national-alerts at auscert.org.au
> Subject: [NATIONAL-ALERTS] (AUSCERT AL-2005.0030) Trojan "Hesive" Targets Microsoft Access Vulnerability
>
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> ===========================================================================
> A U S C E R T   A L E R T
>
> AL-2005.0030 -- AUSCERT ALERT
> Trojan "Hesive" Targets Microsoft Access Vulnerability
> 4 October 2005
>
> ===========================================================================
>
> AusCERT Alert Summary
> ---------------------
>
> Product: Microsoft Access
> Operating System: Windows
> Impact: Administrator Compromise
> Access: Remote/Unauthenticated
> Member-only until: Thursday, October 06 2005
>
> OVERVIEW:
>
> A new trojan, Hesive, targets a flaw in Microsoft Access that allows a
> remote attacker to execute arbitrary code or commands in the context of
> the currently logged in user. The vulnerability exploited by this trojan
> is five months old, and no patch is currently available.
>
> The trojan requires a local user to open a specially crafted Access .mdb
> file. This file can be received via email. Once activated, it opens a
> backdoor onto the system to allow further access to the remote attacker.
>
>
> IMPACT:
>
> While the trojan itself performs minimal actions on the infected system,
> it allows a remote attacker to access the system. Since many home users
> log on to Windows as an Administrator level user, this is effectively an
> Administrator Compromise.
>
> The trojan itself is simple to remove using an antivirus product; however,
> actions taken by a remote attacker through the back door the trojan sets
> up are unpredictable and may not be reversible.
>
>
> MITIGATION:
>
> Treat Microsoft Office files as you would an executable program - do not
> open Office files that you have received from an unknown, untrusted or
> unexpected source, especially Access '.mdb' files.
>
> Ensure Windows Update is enabled on your systems so that any updates to
> fix this problem are installed.
>
>
> REFERENCES:
>
> Symantec Virus Definition:
> http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hesive.html
>
> SecurityFocus:
> http://www.securityfocus.com/news/11335
>
> Secunia:
> http://secunia.com/advisories/14896/
>
> AusCERT has made every effort to ensure that the information contained
> in this document is accurate. However, the decision to use the information
> described is the responsibility of each user or organisation. The decision to
> follow or act on information or advice contained in this security bulletin is
> the responsibility of each user or organisation, and should be considered in
> accordance with your organisation's site policies and procedures. AusCERT
> takes no responsibility for consequences which may arise from following or
> acting on information or advice contained in this security bulletin.
>
> If you believe that your computer system has been compromised or attacked in
> any way, we encourage you to let us know by completing the secure National IT
> Incident Reporting Form at:
>
> http://www.auscert.org.au/render.html?it=3192
>
> ===========================================================================
> Australian Computer Emergency Response Team
> The University of Queensland
> Brisbane
> Qld 4072
>
> Internet Email: auscert at auscert.org.au
> Facsimile: (07) 3365 7031
> Telephone: (07) 3365 4417 (International: +61 7 3365 4417)
> AusCERT personnel answer during Queensland business hours
> which are GMT+10:00 (AEST).
> On call after hours for member emergencies only.
> ===========================================================================
>
>
> -----BEGIN PGP SIGNATURE-----
> Comment: http://www.auscert.org.au/render.html?it=1967
> Comment: http://www.auscert.org.au/render.html?it=1967
>
> iQCVAwUBQ0Rp9Ch9+71yA2DNAQMxyQP/czgdZNIbzc3mK5xk6kSV9agUWPqe6lxq
> cguUcWHRLPQI437an3urcpepZXTozrhrBDW2h1+C+sxaMxe4os9Cy1B12TeJrR8j
> TUNYZGBbKKL5b/MK0nTdWZlHTIQGKBPYrZcR8QLBoMYVKnR41/GXXR1TANc3WqfC
> UFZ1gGTUntk=
> =sEsT
> -----END PGP SIGNATURE-----
>
> AusCERT is the national computer emergency response team for Australia. We
> monitor various sources around the globe and provide reliable and independent
> information about serious computer network threats and vulnerabilities.
> AusCERT, which is a not-for-profit organisation, operates a cost-recovery
> service for its members and a smaller free security bulletin service to
> subscribers of the National Alerts Service.
>
> In the interests of protecting your information systems and keeping up to date
> with relevant information to protect your information systems, you should be
> aware that not all security bulletins published or distributed by AusCERT are
> included in the National Alert Service. AusCERT may publish and distribute
> bulletins to its members which contain information about serious computer
> network threats and vulnerabilities that could affect your information
> systems. Many of these security bulletins are publicly accessible from our web
> site.
>
> AusCERT maintains the mailing list for access to National Alerts Service
> security bulletins. If you are subscribed to the National Alerts Service and
> wish to cancel your subscription to this service, please follow the
> instructions at:
>
> http://www.auscert.org.au/msubmit.html?it=3058
>
> Previous security bulletins published or distributed as part of the National
> Alerts Service can be retrieved from:
>
> http://national.auscert.org.au/render.html?cid=2998
>
> Previous security bulletins published or distributed by AusCERT can be
> retrieved from:
>
> http://www.auscert.org.au/render.html?cid=1
>
> If you believe that your computer system has been compromised or attacked in
> any way, we encourage you to let us know by completing the secure National IT
> Incident Reporting Form at:
>
> http://national.auscert.org.au/render.html?it=3192
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>
- --
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
-----BEGIN PGP SIGNATURE-----
Version: PGP Desktop 9.0.2 (Build 2425)
iQEVAwUBQ0UxGPw32o+k+q+hAQELQgf/VT1kj4Ovfkn9cU5JeC2dsdkdE/romu4p
16R5Xo0V7m+BPDEc01CkEowD3AnKUodw96Oezkf8HVMtlPlWc5pVHXC7noXCnjyS
i/9m6NVdiAuyvkdICrmSWfcAevF9cXQJH1+9tK4a22qihUmGmVifQeqVUCnhxoTA
fzFsFL98PXKJmLzboYgA/43Iq3AQWW8r4Dzs9p+hMvDAPHTUSAWyAvPYMBqteTGE
Uv+uozfK5M9CHzzKRU2k5NjVqn166QZ3SyiKMH/1GQSJfOYchRywfUrANPAaVymh
OWyJO9liS1hM2jLmu/e9vLWocqzGGf7CfBL/BULBMheYWItf9xh/yg==
=P04s
-----END PGP SIGNATURE-----
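The advisory's mitigation ("treat Office files as you would an executable program, especially Access '.mdb' files") and Jeff's pointer to the Outlook 2003 blocked-attachment list describe the same gateway control: refuse the dangerous attachment type before a user can open it. The following is an added example, not code from this thread, from AusCERT or from MailScanner. It walks a message's MIME parts and flags attachments whose filename carries a blocked extension, covering the filename quirks a list-based block has to get right: mixed case, trailing dots (which Windows silently strips on save), and a blocked type hidden behind a second, harmless-looking extension. The blocklist and the sample message are constructed for the example and are not Outlook's or MailScanner's real lists.

```python
"""Flag risky email attachments by filename extension (added example).

The BLOCKED_EXTENSIONS set is a constructed sample built around the
advisory's .mdb vector plus a few classic executable/script types; it is
not the Outlook 2003 list referenced in the thread.
"""
import email
from email import policy
from email.message import EmailMessage

# Constructed blocklist: lower-case extensions without the leading dot.
BLOCKED_EXTENSIONS = frozenset(
    {"mdb", "mde", "exe", "scr", "pif", "vbs", "js", "bat", "cmd"}
)


def normalize_filename(name: str) -> str:
    """Collapse the tricks that defeat a naive endswith() check:
    surrounding whitespace, trailing dots/spaces (Windows drops them when
    saving, so 'report.mdb.' lands on disk as 'report.mdb') and case."""
    return name.strip().rstrip(". ").lower()


def extension_chain(name: str) -> list[str]:
    """Return every extension-like token after the first dot.

    'budget.mdb.txt' -> ['mdb', 'txt'].  Checking the whole chain, not just
    the last token, catches a blocked type wrapped in a benign final extension.
    """
    parts = normalize_filename(name).split(".")
    return [p for p in parts[1:] if p]


def attachment_names(msg: EmailMessage) -> list[str]:
    """Collect filenames of all leaf MIME parts that declare one.

    get_filename() consults Content-Disposition first and falls back to the
    Content-Type name= parameter, so either header alone is enough to be seen.
    """
    names = []
    for part in msg.walk():
        if part.is_multipart():
            continue
        name = part.get_filename()
        if name:
            names.append(name)
    return names


def blocked_attachments(raw_message: bytes) -> list[tuple[str, str]]:
    """Return (filename, offending_extension) for every attachment to refuse."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    hits = []
    for name in attachment_names(msg):
        for ext in extension_chain(name):
            if ext in BLOCKED_EXTENSIONS:
                hits.append((name, ext))
                break
    return hits


def build_sample_message() -> bytes:
    """Constructed test message: a benign PDF, an Access database disguised
    with a second extension, and an upper-case .MDB with a trailing dot.
    The attachment bodies are placeholder bytes, not real files."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "recipient@example.invalid"
    msg["Subject"] = "quarterly figures"
    msg.set_content("See attached.")
    msg.add_attachment(b"%PDF-1.4 placeholder", maintype="application",
                       subtype="pdf", filename="figures.pdf")
    msg.add_attachment(b"placeholder database bytes", maintype="application",
                       subtype="octet-stream", filename="figures.mdb.txt")
    msg.add_attachment(b"placeholder database bytes", maintype="application",
                       subtype="octet-stream", filename="Archive.MDB.")
    return msg.as_bytes()


if __name__ == "__main__":
    for filename, ext in blocked_attachments(build_sample_message()):
        print(f"refuse {filename!r}: blocked extension .{ext}")
```

Running the module flags the two disguised database attachments and leaves the PDF alone. In a real gateway the same check would sit alongside content inspection (file-type magic rather than the name) and archive unpacking, since a blocklist keyed on the declared filename only catches what the sender chose to declare.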
--
This message has been scanned for viruses and
dangerous content by MailScanner, and is
believed to be clean.