[NATIONAL-ALERTS] (AUSCERT AL-2005.0030) Trojan "Hesive" Targets Microsoft Access Vulnerability (fwd)

Martin Hepworth martinh at SOLID-STATE-LOGIC.COM
Thu Oct 6 15:18:58 IST 2005


One more reason why you need to manage the M$ desktop with
LanDesk/SMS/whatever and not let the users handle all this themselves...

--
Martin Hepworth 
Snr Systems Administrator
Solid State Logic
Tel: +44 (0)1865 842300

-----Original Message-----
From: MailScanner mailing list [mailto:MAILSCANNER at JISCMAIL.AC.UK] On Behalf
Of Julian Field
Sent: 06 October 2005 15:14
To: MAILSCANNER at JISCMAIL.AC.UK
Subject: Re: [MAILSCANNER] [NATIONAL-ALERTS] (AUSCERT AL-2005.0030) Trojan
"Hesive" Targets Microsoft Access Vulnerability (fwd)

They miss out 2 things:

1) an apology for having to publicly admit that you can't trust their files
2) going to Windows Update to get a patch for Office (which is presumably where they will patch it) won't work, as Office patches are only available from office.microsoft.com and not from windowsupdate.microsoft.com.

On 6 Oct 2005, at 02:32, Jeff A. Earickson wrote:

> Gang,
>
> FYI below.  In the course of attempting to figure out what an mdb file
> is, I stumbled across this website, telling what types of attachments
> Outlook 2003 blocks.  Wow, what a list...
>
> http://office.microsoft.com/en-us/assistance/HA011402971033.aspx
>
> Jeff Earickson
> Colby College
>
> ---------- Forwarded message ----------
> Date: Thu, 06 Oct 2005 10:04:05 +1000
> From: AusCERT <auscert at auscert.org.au>
> To: national-alerts at auscert.org.au
> Subject: [NATIONAL-ALERTS] (AUSCERT AL-2005.0030) Trojan "Hesive" Targets Microsoft Access Vulnerability
>
>
> ======================================================================
> A  U  S  C  E  R  T                                      A  L  E  R  T
>
>                        AL-2005.0030 -- AUSCERT ALERT
>           Trojan "Hesive" Targets Microsoft Access Vulnerability
>                               4 October 2005
>
> ======================================================================
>
>         AusCERT Alert Summary
>         ---------------------
>
> Product:           Microsoft Access
> Operating System:  Windows
> Impact:            Administrator Compromise
> Access:            Remote/Unauthenticated
> Member-only until: Thursday, October 06 2005
>
> OVERVIEW:
>
>     A new trojan, Hesive, targets a flaw in Microsoft Access that allows a
>     remote attacker to execute arbitrary code or commands in the context of
>     the currently logged in user. The vulnerability exploited by this trojan
>     is five months old, and no patch is currently available.
>
>     The trojan requires a local user to open a specially crafted Access .mdb
>     file. This file can be received via email. Once activated, it opens a
>     backdoor onto the system to allow further access to the remote attacker.
>
>
> IMPACT:
>
>     While the trojan itself performs minimal actions on the infected system,
>     it allows a remote attacker to access the system. Since many home users
>     log on to Windows as an Administrator level user, this is effectively an
>     Administrator Compromise.
>
>     The trojan itself is simple to remove using an antivirus product, however
>     actions taken by a remote attacker through the back door the trojan sets
>     up are unpredictable and may not be reversible.
>
>
> MITIGATION:
>
>     Treat Microsoft Office files as you would an executable program - do not
>     open Office files that you have received from an unknown, untrusted or
>     unexpected source, especially Access '.mdb' files.
>
>     Ensure Windows Update is enabled on your systems so that any updates to
>     fix this problem are installed.
>
>
> REFERENCES:
>
>     Symantec Virus Definition:
>       http://securityresponse.symantec.com/avcenter/venc/data/backdoor.hesive.html
>
>     SecurityFocus:
>       http://www.securityfocus.com/news/11335
>
>     Secunia:
>       http://secunia.com/advisories/14896/
>
> AusCERT has made every effort to ensure that the information contained
> in this document is accurate.  However, the decision to use the information
> described is the responsibility of each user or organisation. The decision to
> follow or act on information or advice contained in this security bulletin is
> the responsibility of each user or organisation, and should be considered in
> accordance with your organisation's site policies and procedures.  AusCERT
> takes no responsibility for consequences which may arise from following or
> acting on information or advice contained in this security bulletin.
>
> If you believe that your computer system has been compromised or attacked in
> any way, we encourage you to let us know by completing the secure National IT
> Incident Reporting Form at:
>
>         http://www.auscert.org.au/render.html?it=3192
>
> ======================================================================
> Australian Computer Emergency Response Team
> The University of Queensland
> Brisbane
> Qld 4072
>
> Internet Email: auscert at auscert.org.au
> Facsimile:      (07) 3365 7031
> Telephone:      (07) 3365 4417 (International: +61 7 3365 4417)
>                 AusCERT personnel answer during Queensland business hours
>                 which are GMT+10:00 (AEST).
>                 On call after hours for member emergencies only.
> ======================================================================
>
> AusCERT is the national computer emergency response team for Australia.  We
> monitor various sources around the globe and provide reliable and independent
> information about serious computer network threats and vulnerabilities.
> AusCERT, which is a not-for-profit organisation, operates a cost-recovery
> service for its members and a smaller free security bulletin service to
> subscribers of the National Alerts Service.
>
> In the interests of protecting your information systems and keeping up to date
> with relevant information to protect your information systems, you should be
> aware that not all security bulletins published or distributed by AusCERT are
> included in the National Alert Service.  AusCERT may publish and distribute
> bulletins to its members which contain information about serious computer
> network threats and vulnerabilities that could affect your information
> systems. Many of these security bulletins are publicly accessible from our web
> site.
>
> AusCERT maintains the mailing list for access to National Alerts Service
> security bulletins. If you are subscribed to the National Alerts Service and
> wish to cancel your subscription to this service, please follow the
> instructions at:
>
>         http://www.auscert.org.au/msubmit.html?it=3058
>
> Previous security bulletins published or distributed as part of the National
> Alerts Service can be retrieved from:
>
>         http://national.auscert.org.au/render.html?cid=2998
>
> Previous security bulletins published or distributed by AusCERT can be
> retrieved from:
>
>         http://www.auscert.org.au/render.html?cid=1
>
> If you believe that your computer system has been compromised or attacked in
> any way, we encourage you to let us know by completing the secure National IT
> Incident Reporting Form at:
>
>         http://national.auscert.org.au/render.html?it=3192
>
> ------------------------ MailScanner list ------------------------
> To unsubscribe, email jiscmail at jiscmail.ac.uk with the words:
> 'leave mailscanner' in the body of the email.
> Before posting, read the Wiki (http://wiki.mailscanner.info/) and
> the archives (http://www.jiscmail.ac.uk/lists/mailscanner.html).
>
> Support MailScanner development - buy the book off the website!
>

--
Julian Field
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654



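Jeff's question about what an .mdb file actually is, and the advisory's point that Hesive arrives as an Access attachment, both come down to a gateway-side check. The following is an added example, not MailScanner code or anything from the thread: it flags Access attachments by extension and by the Jet/ACE file header, so a .mdb renamed to .txt is still reported. The sample message, its addresses and its attachments are constructed; only the 20-byte Jet header prefix follows the real file layout.

```python
"""Flag Microsoft Access database attachments in a raw RFC 822 message.
Added example (not MailScanner's code): checks both the filename and the
file header, so a .mdb renamed to dodge an extension filter is still caught."""
import email
from email import policy
from email.message import EmailMessage

# Extensions that identify Access databases (the advisory names .mdb).
ACCESS_EXTENSIONS = (".mdb", ".mde", ".accdb", ".accde")
# Jet/ACE database files carry a fixed ASCII marker at byte offset 4.
JET_MAGIC = b"Standard Jet DB"  # Access 97-2003 (.mdb)
ACE_MAGIC = b"Standard ACE DB"  # Access 2007+ (.accdb)


def looks_like_access_db(data: bytes) -> bool:
    """True if the first bytes carry a Jet or ACE database header."""
    return data[4:4 + len(JET_MAGIC)] in (JET_MAGIC, ACE_MAGIC)


def find_access_attachments(raw_message: bytes) -> list:
    """Return (filename, reason) for each attachment that is, or claims to be,
    an Access database; reason is 'extension', 'signature' or 'both'."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        data = part.get_payload(decode=True) or b""
        by_ext = name.lower().endswith(ACCESS_EXTENSIONS)
        by_sig = looks_like_access_db(data)
        if by_ext or by_sig:
            reason = "both" if by_ext and by_sig else ("extension" if by_ext else "signature")
            findings.append((name, reason))
    return findings


def build_sample_message() -> bytes:
    """Constructed test mail: a .mdb, the same bytes renamed to .txt, and a
    harmless text attachment. Only the first 20 bytes follow the Jet layout."""
    msg = EmailMessage()
    msg["From"] = "sender@example.invalid"
    msg["To"] = "user@example.invalid"
    msg["Subject"] = "Quarterly database"
    msg.set_content("See attached.")
    header = b"\x00\x01\x00\x00" + JET_MAGIC + b"\x00" * 32
    msg.add_attachment(header, maintype="application", subtype="octet-stream", filename="q3.mdb")
    msg.add_attachment(header, maintype="text", subtype="plain", filename="notes.txt")
    msg.add_attachment(b"hello\n", maintype="text", subtype="plain", filename="readme.txt")
    return bytes(msg)
```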
