Spyware Sucks : Internet Explorer, Vulnerabilities, viruses and exploits, Security, safety and privacy on the Internet

ALERT: Out of band security patch to be released tomorrow, 17 December at 10.00am Pacific time

sandi — Tue, 16 Dec 2008 21:14:56 GMT

Announcement here:
http://blogs.technet.com/msrc/archive/2008/12/16/advance-notification-for-december-2008-out-of-band-release.aspx

The patch resolves the actively exploited vulnerability that has been in the press so much in recent days, and which is the subject of this Security Advisory:
http://www.microsoft.com/technet/security/advisory/961051.mspx

MS06-042 has been re-released

sandi — Thu, 24 Aug 2006 22:24:00 GMT

The problematic MS06-042 update has been re-released:

http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx

Hotfix 923782 has been replaced by the new security update 918899.

Possible fixes for crashes caused by MS06-042 (KB918899)

sandi — Fri, 11 Aug 2006 23:51:00 GMT

Note: An new version of 918899 was planned for release by 22 August for **IE6 SP1** users. Unfortunately, an issue with the new version has forced the delay of the updated patch for a few days, but it has now been released.

I am very grateful for, and indebted to, some pretty amazing people and resources that actively share information about problems with patches and security issues. Its thanks to those resources that I am able to pass on information such as that in this post which has been combined from information in a couple of lists, one security focused, one related to patch management ..... so thanks all

There are reports of MS06-042 causing crashes when PeopleSoft is installed. One noted crash involves 0xC0000005 in NTDLL.DLL

Affected OS listed in the KB are IE6SP1 installations on the following operating systems:

Microsoft Windows XP Professional (SP1 only?)
Microsoft Windows XP Home Edition (SP1 only?)
Microsoft Windows 2000 Professional Edition (???)
Microsoft Windows 2000 Service Pack 4
Microsoft Windows 2000 Advanced Server (???)

The fix for people using PeopleSoft, taken from the windows.update newsgroup, is:

In PIA, navigate to "PeopleTools -> Web Profile -> Web Profile Configurations". Search for your webprofile. In the "General" tab, uncheck the following:

Compress Responses = unchecked

Compress Response References = unchecked

Compress Query = unchecked [If you have PT8.44, please ignore since Compress Query does exist in PT8.44]

Save your webprofile changes and you must bounce your PIA.

Another suggested fix is to disable "Use HTTP 1.1" via IE Tools, Internet Options, Advanced Tab:

Note, a hotfix is available if this fixes your problem. Internet Explorer 6 Service Pack 1 unexpectedly exits after you install the 918899 update
http://support.microsoft.com/kb/923762/en-us

Sage CRM and CA Unicentre users - try the workaround and the hotfix - do not uninstall the patch unless you have no other alternative (SAGE... you need to work out the difference between a PATCH and a SERVICE PACK) (SANS - why are you not suggesting the workaround or hotfix instead of install IE7, uninstall the patch, or use a different browser???)

Another suggested fix is to uninstall MS06-042, edit the registry to ensure the following key exists, reinstall MS06-042, then reboot:

[HKEY_LOCAL_MACHINE\Software\Microsoft\Internet Explorer]
"QFEInstalled"=dword:00000001

The Technet article is here:
http://www.microsoft.com/technet/security/Bulletin/MS06-042.mspx

Good luck all, I hope this helps.

Cumulative update for Internet Explorer released (MS06-042, KB918899)

sandi — Tue, 08 Aug 2006 22:26:00 GMT

Information here:
http://support.microsoft.com/?kbid=918899
http://www.microsoft.com/technet/security/bulletin/ms06-042.mspx

I note that Siebel will finally be releasing an update to address the changes forced to activex by the EOLAS suit during Spring of 2006 (NH spring, not SH)

Fix: Internet Explorer freezes when using the drop-down address bar list when the fix described in KB908531 is installed

sandi — Fri, 14 Apr 2006 05:28:00 GMT

Note, HP and Kerio are NOT the only software affected by the problems described in the KB article 918165. Older NVIDIA software is also implicated, and as the KB article states, there may be other third party COM controls or shell extensions causing a problem. In short, don't assume that just because you don't have NVIDIA, HP or Kerio that you'll be safe or that your problems can't be caused by the MS06-015 update. I have personal experience of people being hit by this problem who have none of that software:
http://support.microsoft.com/kb/918165

(I have no idea why Stephen ***'s surname doesn't appear properly - all I see is three stars instead of a surname...)

Stephen *** of Microsoft has posted to ie6.browser newsgroup regarding a known problem with MS06-15 / KB908531 wherein Internet Explorer may freeze when you attempt to use the drop-down list in the Address Bar. MS have tracked down the cause of the problem, and it is wide spread enough to be deserving of publicity. I am sure Stephen will forgive me for quoting him verbatim rather than sending you off to the newgroup via Outlook Express or the Communities Web Interface.

<quote> We've determined that the majority of the issues people are having with MS06-015 / KB908531 are due to a bad interaction between the security update and a software component included with various HP hardware devices, including but not limited to printers, scanners, and cameras.

Here are two fixes which should fix problems caused by the interaction with the HP software:

Option 1 - Modify the registry
------------------------------

- (If you have multiple user accounts set up) Log onto the computer using an account with Administrator privileges

- Click the Start button, then click Run and type "regedit" at the prompt, without the quotes; this will start Registry Editor

- Locate the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached key in Registry Editor

- Right click on the key and select New / DWORD Value

- Rename the resulting value "{A4DF5659-0801-4A60-9607-1C48695EFDA9} {000214E6-0000-0000-C000-000000000046} 0x401", without the quotes

- Right click the value, select Modify, and type "1" into the Value Data field

- Close Registry Editor

Option 2 - Kill the HP process
------------------------------

- Wait until Internet Explorer, Windows Explorer, or whichever component is encountering problems is in an unresponsive state

- Click the Start button, then select Run and type "taskmgr" at the prompt, without the quotes; this will start Task Manager

- Locate any instances of hpgs2wnd.exe or hpgs2wnf.exe in Task Manager, then right click on them and select End Process

(Note: Option 2 this may disable some HP device-specific functionality until you restart your computer.)

If your computer is not currently unresponsive, you should only have to do Option 1 or Option 2, not both. If your computer is currently unresponsive, you should be fixed by doing Option 2.

I'm very sorry about the inconvenience this has caused you all; hopefully this will get things back on track. Please note that MS06-015 fixes a critical security vulnerability, so it's very important that you reinstall it as soon as possible if you've uninstalled it. Please also keep in mind that disabling Auto Update will leave your computer unprotected even after we release security updates. I understand that this experience has been very frustrating for many of you, but I really must still strongly recommend that you leave Auto Update enabled for your own safety. </quote>

Addendum: <quote> Actually, it appears that I spoke too soon. Option 2 will correct the problem for the logged-in user, but not for all users on a computer with multiple user accounts. For that reason, Option 1 is the preferred option. </quote>

The eEye hack for the createTextRange vulnerability

sandi — Tue, 28 Mar 2006 23:25:00 GMT

Summary: My advice? Don't install it.

(Please forgive any grammatical or logical flow errors - I'm running real short of time but wanted to get this live before starting my work day).

Two MS security bloggers have mentioned the eEye "patch" that protects against the createTextRange vulnerability.

http://blogs.technet.com/msrc/default.aspx
http://blogs.technet.com/ms_schweiz_security_blog/default.aspx

Both bloggers recommend that the patch not be installed.

Ok, I admit - the vulnerability is being exploited. That's bad. But, at the same time we need to have a realistic look at what is going on and compare risk to reward. On balance, after considering all the information I'm privy to (public and private) I have to say that I agree - do not install the third party patch.

Historically, third party patches and hacks have been problematic. Let's look at a couple of recent examples.

WMF Exploit hack
The WMF exploit patch was messy - to get the file to stick you had to mess around with cached copies of the file (gdi32.dll is protected by Windows File Protection). The changed file was also causing Windows Update to offer old security patches. Deregistering shimgvw.dll stopped Windows Picture and Fax Viewing from working.

The IE6/IE7 side by side hack
The IE6/IE7 side by side hack caused various symptoms, including opening a browser window that promptly hangs IE, opening links that render blank, and multiple windows opening when initiating a browser session.

The eEye hack (I refuse to call it a patch) doesn't fix the CreateTextRange vulnerability... it messes around with how Windows works. We have no way of knowing what may be broken by this change.

"Ah, but at least I'll be safe" I hear you say. "Safe from what?" says I. Let me explain.

First, according to http://www.microsoft.com/technet/security/advisory/917077.mspx "Antivirus companies indicate that attacks that exploit this vulnerability are being effectively mitigated by antivirus software with up-to-date signatures". The antivirus companies that have confirmed they provide protection against known vectors include:

Symantec
Computer Associates
McAfee
F-Secure Corporation
Panda Software International
Aladdin
Sophos
Eset Software
Trend Micro
Windows Live OneCare

Do you have up-to-date antivirus? Does it detect files that attempt to exploit the vulnerability? If so, why take the risk with a third party hack?

Second, sure there are lists going around warning that there are hundreds of sites that are taking advantage of the exploit. But, actually hitting one of those sites is needle-in-a-haystack stuff. Seriously. I've seen real-world, whats-actually-happening statistics that convince me that the risk of being hit by the exploit is not sufficient to risk damage that may be caused to a system's operation by the eEye changes.

On balance, considering the fact that MS and law enforcement have been very proactive in getting exploit sites shut down, considering the fact that there are not "hundreds" of sites out there (the number is far lower than that), considering the list of antivirus programmes that protect against known vectors, considering the fact that you'll have to be *real* unlucky to hit one of the sites that is still live without being taken by the hand and shown how to get there, and considering there are safer ways to protect yourself against the risk of exploit (disable active scripting or set to prompt), I say don't install the patch.

BTW, SANS Internet Storm Centre agrees - not with me per se, but with the risk assessment that the eEye patch shouldn't be installed:
http://www.incidents.org/diary.php?storyid=1226

Confirmed: createTextRange vulnerability is being exploited

sandi — Sat, 25 Mar 2006 11:21:00 GMT

http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=JS%5FDLOADER%2EBXR&VSect=P

I do note on the diagram that it stipulates that only the "January edition" of Internet Explorer 7 Beta 2 Preview is vulnerable.

There has been a lot of confusion about whether the March build (that is, 5335.5) is vulnerable to the createTextRange exploit because, despite the MS Security Blog and the Technet article noting that IE7 Beta 2 Preview Mix06 Build is not affected, other sites stated that the IE7 Beta 2 Preview was affected without stipulating build, and some stated IE7 Beta 2 (not the Preview) was vulnerable ... umm, guys... IE7 Beta 2 hasn't been released to the public yet.

Now, if only MS would update their own advisory (http://www.microsoft.com/technet/security/advisory/917077.mspx) which, although it states that IE7 build released on March 20 is not affected, does not list earlier versions of IE7 in the "Related Software" list.

Patchou - still the bullshit continues...

sandi — Tue, 21 Feb 2006 13:51:00 GMT

Check out this thread:
http://www.msghelp.net/showthread.php?tid=55990&page=1

It contains the most amazing bullshit... is it surprising that malware has such a hold when such justifications.... such bullshit... ok, I'm getting grumpy here.. hands off keyboard.

Look at this:
http://msmvps.com/blogs/spywaresucks/archive/2005/12/05/78084.aspx

Let me tell you something... Patchou's version of lop.com may, according to him, be modified, and "harmless" according to some of the we-love-patchou naivettes in his forum, but I tell you right now that it isn't modified enough to stop underage kids being exposed to the crap exposed in my blog entry above. Patchou has my email address. Those behind lop.com have my email address - I know - I have emails that prove that they know how to get in touch with me - so, *if* they have fixed things there is no excuse for not emailing me to tell me.

Do you think it is ok to hide behind an EULA? I don't.

Honestly, the msgplus thread above is indicative of the ridiculous, inane, uninformed, uneducated commentary that is the norm for msgplus supporters.

I ask you, in all of the crap in that thread.. the insults about how the OP was bored with "Mimesweeper"and all the other inane insults ... how often is the actual issue addressed.... the issue being the *fact* that msplus uses lop.com as a sponsor... forget all the Paris Hilton bullshit..how many concerns have been addressed and how many have been yelled down by http://redwing.hutman.net/~mreed/warriorshtm/howlers.htm or http://redwing.hutman.net/~mreed/warriorshtm/swarm.htm.

Patchou says that "the lop package, in general, is safe to install". All I can say is BWWWWWWWWWWWWHAHAHAHHAHAHAHAHA. Just who are you kidding?"