Microsoft Security Bulletin MS03-040 - 828750

  • Thread starter Jerry Bryant [MSFT]
Papa

The bottom line, which I am very surprised no one has mentioned - not even
the MVPs - is that the ONLY place a user should go for Windows Updates is
the "Windows Updates" button. Any other source is risky at best. Debating
the finer points as to how large an attachment is, or if such and such a
post contains an attachment, accomplishes nothing. Just don't go there.
 
Richard G. Harper [MVP Win9x]

That's not exactly true. Windows Update is the place to go under normal
circumstances but in the case of these rapid security alerts you'll be able
to download them more quickly from the TechNet or Security areas. It
sometimes takes a day or so for updates to be migrated to the Windows Update
site.
 
Jim Eshelman

Sandi said:
The only time I use Windows Update is when I'm testing the beta
Windows Update site ;o)

I use Windows Update routinely, and for most users it should be set to
automatically alert them to critical updates; but for urgent security items,
I agree with Richard -- get ye to the manual links provided and get these
patches downloaded!

In this case, the patch was up on Windows Update by late yesterday
afternoon. Add that to a Friday night push of the announcement (as Jason
Tsang pointed out, these usually come on Wednesdays), and I think there's a
very good chance that Microsoft considers this one to be unusually critical.

Get ye to the patches!

--
Jim Eshelman, MS-MVP Windows
http://aumha.org/
http://WinSupportCenter.com/


Did you find this newsgroup on the web? A newsreader like Outlook Express
will make your online life a lot easier. Get better help! See:
http://aumha.org/win4/supp1b.htm and
http://support.microsoft.com/support/news/howto/default.asp
 
Sandi - Microsoft MVP

Me2 said:
The www.microsoft.com/security page
"Technical Virus Alerts" lists a massive 26 entries from Nov 26 2001
(badtrans) through Sep 18 2003 (swen). Does the Trojan.Qhosts warrant a fix
(ms03-040) but not an entry on this list?

Right at the very top of the page at www.microsoft.com/security it says:

Action: Read Security Bulletin MS03-040 and install the Internet Explorer
update immediately.

Is that prominent enough for you?

--
Install the latest IE cumulative patch for protection against QHost:
http://www.microsoft.com/security/security_bulletins/ms03-040.asp
More information about QHosts can be found here:
http://www.mvps.org/inetexplorer/darnit_3.htm#qhost
________________________________________
Sandi - Microsoft MVP since 1999 (IE/OE)
http://www.mvps.org/inetexplorer
 
Jerry Bryant [MSFT]

There is some interesting feedback here to my post. FYI, I personally have
been posting our security bulletins and alerts in these newsgroups for over
two years now. In fact, I created these security newsgroups (.security and
.security.virus) mainly for this purpose. My post is completely consistent
with the way I have always posted them. This is the first time anyone had
issues with cross posting. I understand the basis of those concerns though
and will take them into consideration. So, in light of recent swen issues
in these newsgroups, is it the general feeling of all here that cross
posting should not be used to communicate these bulletin releases?

Microsoft has always maintained that www.microsoft.com/technet/security is
authoritative in regards to security issues with our products. This means
that even if you are subscribed to our security bulletin notification
service, you should verify the validity of that information by going to that
site.

--
Regards,

Jerry Bryant - MCSE, MCDBA
Microsoft IT Communities

Get Secure! www.microsoft.com/security


This posting is provided "AS IS" with no warranties, and confers no rights.
 
cquirke (MVP Win9x)

What part of...


...do you not understand?

OK; safety's on, clips out, dudes!

You both have a point. New fixes need to be publicized, but as Swen
has so eloquently demonstrated, it's now impossible to tell what posts
are real and what are malware SE.

As to the link; well - HTML allows any text to have any URL under it,
so WYSINNWYG. I just tested that for myself in Netscape Composer 7.

So the challenge is; how to authenticate genuine MS correspondence in
a way that is both intuitive and reliable. It would help if HTML
didn't allow link spoofing, or if HTML posting was eradicated from
email and news groups, but that's the standard we are stuck with.

Security is either used "for" the user (e.g. to prove correspondence
is genuine), or "against" the user (e.g. to prevent copying of DVDs
etc.). The latter doesn't require user co-operation or acceptance,
but the former does - IOW it's like "justice"; not only does it have
to be done but it has to be *seen* to be done.

That's a tall order - as even the most secure key system fails if the
key is stolen, and there have been precedents for that already.

Meantime, the savvy will seek out and apply patches etc. and the rest
won't know who to believe. Not sure what the answer is :-(

I've left all the ngs in, as they all look equally relevant.


------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
 
cquirke (MVP Win9x)

Rhetorical questions: Why doesn't Microsoft post information about current
Trojans/viruses/worms like Trojan.Qhosts??? The www.microsoft.com/security
page "Technical Virus Alerts" lists a massive 26 entries from Nov 26 2001
(badtrans) through Sep 18 2003 (swen).

There are several answers to this, especially if by "post" you mean
"send alerts to news groups or by email" (how would you know an
unsolicited incoming message is genuine MS or malware SE?)

There are several excellent reference sites that detail malware, such
as www.f-secure.com/v-descs, and while MS is out of the
antivirus-update front lines, theirs would not be an authoritative
voice on such details.

What MS *would* be expected to be authoritative on, are the risks and
vulnerabilities that malware exploit.


For every risk (point of entry or escalation), there will be anything
between none and several hundred exploiters. Listing all the
exploiters would create a "too much wood to see the trees" problem.

Often these risks are fixed and documented while there are still zero
exploiters - as was the case with the RPC hole. This dates at least
as far back as NT 4, was documented and patched in July 2003, and
exploited by Lovesan and several others in August 2003.

Look at those dates, and you will see one of the problems involved.

On the one hand, you want to be informed about risks as they are
discovered - but before there's an exploiter, it's all theoretical and
many users (myself included) may not bother to chase up the patch.
Once it blows up, it's "why didn't you tell us?"

But it's telling that this hole wasn't widely exploited to anyone's
knowledge through several versions of NT over some years, until
Microsoft documented and fixed it - then all hell broke loose a month
later. Some might say it's better not to publicize holes until they
are known and the risk of exploit becomes high or manifest.


I do agree with your take on risk management, though (tagline refers).
I wall out as many unused functionalities as possible, but it's not
easy when MS merges crucial internal services with external access, as
was the case with RPC, or makes it difficult or impossible to not
install (or uninstall) facilities you don't want.

So far, we are used to the "virus infects computer" model, where the
emphasis is on malware detection and removal - in other words, the
main thrust is to clean infected computers.

But Lovesan et al, and Code Red, Nimda, Slammer and Sapphire before
them, demonstrate a new model; "worm infects infosphere". It's
impossible to clean the entire infosphere, so risk management (closing
the risks, not killing the exploiters) becomes the only defence.


This is the crisis we are facing - a patching model that requires
access to patches from one or few servers after clicking through EULAs
and other links, and that typically goes into effect after a restart.

While you are trying to do that, there are thousands of infected PCs
sending you an exploiter that is a fraction of the size of the patch
you are trying to download, and the attackers go active immediately.

See the problem? Seems to me to be a rigged race that you will lose
every time - if you wait until an exploit war before trying to fix the
hole, as most of us will tend to do. The problem is magnified by
repair strategies that lose all patches and service packs ("just
re-install", "do a repair install, and then..." etc.), as these PCs
then have to pull down *everything* all over again.

My response to this crisis would be as follows:
- leverage the builder/reseller channel to patch before crisis
- use out-of-band distribution methods (CDs)
- integrate patches with (re)installation media somehow
- patch downloads for OSs other than that installed
- multiple and local-region patch servers
- offer premium clients direct (non-Internet) dial-in access
- develop authentication scheme to prove news source
- continue to NOT send patches or code (spoofing risk)
- improve patch self-documentation (aids re-usability)
- maintain uninstallation standards (do NOT rely on System Restore!)
- above and other steps to improve user confidence

The last is important, when users (again, myself included) ask
themselves; how likely is this hole to be exploited? vs. how likely is
this patch going to mess up my system, not be able to be uninstalled,
infringe my privacy, throw my settings away so that I have to reapply
risk management, beat me with an anti-piracy stick, etc.?

Unless MS can convince users that the steady stream of urgent code
changes are safer to use than to stay naked, there will always be a
lot of naked and exploitable PCs out there.

-- Risk Management is the clue that asks:
"Why do I keep open buckets of petrol next to all the
ashtrays in the lounge, when I don't even have a car?"
 
Stefan Berglund

On Sat, 4 Oct 2003 17:08:10 +0800, "Sandi - Microsoft MVP"
in said:
Invisible Dance said:
Realize that millions of fake, infected "Microsoft Security Bulletins" are
being sent out hourly by systems and networks infected by the 'swen' worm.
Some of us are getting a thousand or more each day. That makes it extremely
important to make every effort to ensure any legitimate information
purporting to be from Microsoft to distinguish itself from that provided by
the 'swen' worm.

I would expect that after receiving "a thousand or more each day" you would
spot the difference in a heartbeat.

One. There was no attachment - all Swen messages have attachments.

Two. It was plain text. All Swen are html.

Three. All you have to do is look at the message headers to see that it is a
genuine message from Microsoft. It was sent from WITHIN MICROSOFT ITSELF
(NNTP-Posting-Host: tide159.microsoft.com 207.46.225.243)

Four. I have not seen a single Swen posted by somebody using [MSFT] in their
name, or an (e-mail address removed) address.


This latest security bulletin from MS includes IE 5.01. If I'm
running the stock W2K IE version 5.00.3700.1000 (which I don't
use for browsing) am I safe?

There doesn't seem to be a patch available for the above version
or am I missing something?
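The four tells listed above (no attachment, plain text, an NNTP-Posting-Host inside microsoft.com, and [MSFT] in the From name) can be written down as a triage check. This is an added example, not code from the thread; the two sample messages are constructed here, and only the posting host value is taken from the post above.

```python
"""Heuristic triage of newsgroup "security bulletin" posts.

Encodes the four tells from the thread as checks over RFC 2822-style
messages. Added example; the sample messages below are constructed,
not real captures.
"""
from email import message_from_string
from email.message import Message

GENUINE_HOST_SUFFIX = ".microsoft.com"   # domain of the NNTP-Posting-Host quoted in the thread

# Constructed sample 1: shaped like the genuine bulletin post described above.
GENUINE = """\
From: "Jerry Bryant [MSFT]" <address-removed@example.invalid>
Newsgroups: microsoft.public.security
Subject: Microsoft Security Bulletin MS03-040 - 828750
NNTP-Posting-Host: tide159.microsoft.com 207.46.225.243
Content-Type: text/plain; charset=us-ascii

More information is now available at
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
"""

# Constructed sample 2: shaped like the worm-style fakes the thread complains
# about: HTML body, an executable attachment, no server-added posting host.
FAKE = """\
From: "MS Technical Assistance" <bogus@example.invalid>
Newsgroups: microsoft.public.security
Subject: Latest Internet Security Update
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/html

<html><body><a href="http://example.invalid/x">http://www.microsoft.com/security</a></body></html>
--b1
Content-Type: application/octet-stream; name="patch.exe"
Content-Disposition: attachment; filename="patch.exe"

AAAA
--b1--
"""


def has_attachment(msg: Message) -> bool:
    """True if any MIME part is declared as an attachment."""
    return any(part.get_content_disposition() == "attachment"
               for part in msg.walk())


def is_plain_text_only(msg: Message) -> bool:
    """True if every leaf body part is text/plain (no HTML anywhere)."""
    parts = [p for p in msg.walk() if not p.is_multipart()]
    return all(p.get_content_type() == "text/plain" for p in parts)


def posting_host_ok(msg: Message) -> bool:
    """NNTP-Posting-Host is added by the news server, so it is harder to
    forge than From:. Accept only a hostname under microsoft.com."""
    fields = msg.get("NNTP-Posting-Host", "").split()
    host = fields[0].lower() if fields else ""
    return host.endswith(GENUINE_HOST_SUFFIX)


def from_has_msft_tag(msg: Message) -> bool:
    """The thread notes the genuine poster carries [MSFT] in the From name."""
    return "[MSFT]" in msg.get("From", "")


def tells(raw: str) -> dict:
    """Evaluate the four tells by name for one raw message."""
    msg = message_from_string(raw)
    return {
        "no_attachment": not has_attachment(msg),
        "plain_text": is_plain_text_only(msg),
        "posting_host_ok": posting_host_ok(msg),
        "msft_tag": from_has_msft_tag(msg),
    }


def looks_genuine(raw: str) -> bool:
    """All four tells must hold; any single failure is enough to distrust.
    This is triage only: the TechNet security site stays authoritative."""
    return all(tells(raw).values())
```

The From: tag is the weakest of the four, since a sender controls it outright; the server-inserted posting host is the one worth reading first.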
 
Papa

I can wait. The security steps I have taken can protect my system in the
meantime, and I KNOW the source I use (the Windows Update button) is safe.
Multiple sources just leads to mistakes.
 
Invisible Dance

..
..
..
This latest security bulletin from MS includes IE 5.01. If I'm
running the stock W2K IE version 5.00.3700.1000 (which I don't
use for browsing) am I safe?

No. You do not have the latest security patches and Service Pack for your
operating system. There are likely a lot of other known vulnerabilities in
your operating system that are not corrected. Even if you don't use a
particular function, that function can still be used by a worm or virus.
For example, if you don't use Internet Explorer for browsing, opening the
infected attachment on 'swen' infected e-mail will still infect your system
no matter what Internet browser you use unless you have an antivirus program
with up-to-date virus definitions that blocks the infection. Some worms
will then use your Internet Explorer even if you don't.
There doesn't seem to be a patch available for the above version
or am I missing something?

Internet Explorer 5.01 must be upgraded to a later version, preferably 6.0.
In fact, you can not even install some antivirus programs without upgrading
to IE 6.0 (Norton AntiVirus 2004, for example.)

You do have an antivirus program with up-to-date virus definitions on your
system, right?
 
Richard G. Harper [MVP Win9x]

NO!!!

I completely agree with what you're doing, and am most grateful to have seen
the post here since my subscription to the security bulletin service didn't
warn me until the morning after you did.

By all means, keep them coming.
 
cquirke (MVP Win9x)

On Sat, 4 Oct 2003 08:58:13 -0700, "Jerry Bryant [MSFT]"
There is some interesting feedback here to my post. FYI, I personally have
been posting our security bulletins and alerts in these newsgroups for over
two years now. In fact, I created these security newsgroups (.security and
.security.virus) mainly for this purpose. My post is completely consistent
with the way I have always posted them.

Unfortunately, so was Swen :)

Well, not exactly, but YKWIM. You tell your kids to beware of cars on
the highway, but they'll lapse their attention if they've never seen a
car before. Suddenly they see the Indy 500 on TV, and it's "Oooo..."
in these newsgroups, is it the general feeling of all here that cross
posting should not be used to communicate these bulletin releases?

Perhaps yes - not that the post shouldn't go to all the ngs, but
x-posting means all replies from any ng goes to all ngs as well.

A small proportion of responders will have x-posts trimmed, but unless
it's a list like comp.security, alt.pets.fluffy.dogs, alt.philosophy
etc. it's quite hard to decide which ngs to leave out.

It's a bit like not using BCC: for elists, so that when any one
recipient gets malware'd or spam-harvested, everyone gets whacked :)


You mentioned that your post was in plain text rather than HTML, and I
should have noticed that (as Free Agent doesn't "do" HTML). But that
made me wonder - it may not be obvious to tell the difference between
an HTML message that uses no HTML formatting other than a misleading
text overlay to obscure a URL, and a genuine plain text message.

Perhaps we should use some sort of munging, such that the link doesn't
appear as a clickable link, but is nonetheless easy to fix when
pasting into an address bar as text?

That way you know that the URL you see is the URL you get.

--------------- ----- ---- --- -- - - -
Error Messages Are Your Friends
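cquirke's two points above, that HTML lets any visible text sit over any href and that links could be "munged" so the URL you see is the URL you get, can both be checked mechanically. This is an added example, not code from the thread; the sample HTML and the 203.0.113.7 address in it are constructed.

```python
"""Spotting HTML link spoofing and rendering links "as you see them".

flag_mismatched_links() finds anchors whose visible text looks like a URL
but whose href points at a different host. as_seen() reduces each anchor
to its real target as non-clickable text, the munging suggested above.
Added example; SAMPLE_HTML is constructed.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: one honest link, one spoofed link, one "click here".
SAMPLE_HTML = """\
<p>Read the bulletin at
<a href="http://www.microsoft.com/technet/security/bulletin/MS03-040.asp">
http://www.microsoft.com/technet/security/bulletin/MS03-040.asp</a></p>
<p>Download the patch from
<a href="http://203.0.113.7/patch.exe">http://www.microsoft.com/security</a></p>
<p>Or <a href="http://203.0.113.7/patch.exe">click here</a>.</p>
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def collect_links(html: str):
    """Return [(href, visible_text), ...] in document order."""
    parser = _AnchorCollector()
    parser.feed(html)
    parser.close()
    return parser.links


def _host(url: str) -> str:
    """Lower-cased hostname of an http(s) URL; '' if the text is not one."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        return ""
    return (parsed.hostname or "").lower()


def flag_mismatched_links(html: str):
    """Hrefs whose visible text is itself a URL on a different host.
    Text such as 'click here' makes no claim about the host, so it is
    not flagged here; it simply has to be read as the href it carries."""
    flagged = []
    for href, text in collect_links(html):
        shown = _host(text)
        if shown and shown != _host(href):
            flagged.append(href)
    return flagged


def as_seen(html: str):
    """The munged rendering: each anchor becomes its real href as text,
    with the scheme broken so a newsreader will not auto-link it."""
    return [href.replace("://", "[:]//", 1) for href, _ in collect_links(html)]
```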
 
Gary S. Terhune

I think it's an issue of mistaking the cloak for the dagger, Jerry. It's been
happening long before now, long before "Swen". It's the nature of malware to be
hidden inside something legitimate, or to be cloaked in legitimacy. More
recently, the cloak of choice is to appear as much as possible to be an MS
Security Patch. Those of us who are familiar with the real McCoy have no
difficulty recognizing the fakes. Those who are not should ask those who are
before doing *anything* on a computer--and I'm not just talking about what to do
with official-sounding emails and posts--the problem of people being screwed by
wolves in sheep's clothing is as old as the species, and idiot-proofing is a
topic of much wider scope than is appropriate to discuss here--at least not
without trimming the X-Post headers.

Back to the topic at hand: Just as the bad guys are depending on knee-jerk
reactions to seemingly legitimate and "critical" Security Bulletins to get
people to run "patches" that aren't, the persons who complained here are
reacting in knee-jerk fashion against anything that bears the characteristics of
the more recent malware attacks. I don't think of cross-posting as being
inherently bad, just as I don't think of HTML formatting or attachments as
inherently bad--I deal with emails and news posts that have all of the above and
don't consider them dangerous--just *potentially* so. A quick inspection of
headers, file names, and other sane practices (plain text reading,
save-to-disk-then-scan-with-AV for attachments, etc.)--such practices have been
automatic to me for years, now. Considering all of the "risky" communications I
have downloaded, all of the *very* risky sites I have gone to, and all of the
less-than-secure systems I've used to do so (because, after all, I am frequently
using a "test" machine, or a build in progress, that's lacking in patches, safe
configuration, or even AV...) Considering all of that, it's worth noting that I
have never had a machine be infected by a virus except when I deliberately chose
to do so.

That said, cross-posting has the unfortunate effect of turning several discrete
newsgroups into one big, incredibly redundant one. That can be a good thing,
that can be a bad thing. I, personally, feel that X-Posting in this case is
precisely proper. But it *might* be more acceptable in the current climate to
use multiple posting to achieve the same effect. It would at least confine the
technology-specific follow-ups to the appropriate groups--not to mention
confining the rants to the contexts from which they emanate, <s>.
--
Gary S. Terhune
MS MVP for Windows 9x

*Recommended Help Sites*
http://www.dts-l.org
http://www.mvps.org
http://www.aumha.org

How to Use the Microsoft Product Support Newsgroups
http://support.microsoft.com/?pr=newswhelp
+++++++++++++++++++++++++++++++++++++++++
 
Nancie

Jerry Bryant said:
There is some interesting feedback here to my post. FYI, I personally have
been posting our security bulletins and alerts in these newsgroups for over
two years now. In fact, I created these security newsgroups (.security and
.security.virus) mainly for this purpose.

Gee, if you're the person who created these NG's, then it seems reasonable
that you use them the way you wish. As a lurker, I appreciate your efforts
to provide your knowledge and time to help those of us who are NOT experts
in computer usage.

So, in light of recent swen issues
in these newsgroups, is it the general feeling of all here that cross
posting should not be used to communicate these bulletin releases?

Crossposting by you shouldn't be an issue, as it shouldn't be an issue for
anyone who is trying to help. Why is it an issue anyway, when so many
hotheads think it's ok to create and continue verbal battles that take up
MUCH more time and space, than any helpful crossposting ever does.
Microsoft has always maintained that www.microsoft.com/technet/security is
authoritative in regards to security issues with our products. This means
that even if you are subscribed to our security bulletin notification
service, you should verify the validity of that information by going to that
site.

I am really disgusted when ridiculous battles over how these forums are used
take precedence, when simply ignoring the perceived infraction of
netiquette would be easier! I personally delete or bypass any message with
which I disagree. I DO wish there was a bit more monitoring and removal of
offensive messages, whether they be viruses or the snide, sarcastic, hurtful
(or just plain foul) messages. I don't feel that freedom of speech means we
have to be offended by idiots while we wade through all these posts to find the
ones that really are helpful.


Please, all you wonderful folks who give so much of your time and knowledge,
continue your efforts. You deserve the respect of your peers and all those
you try and help. Crossposting is NOT bad, when it is used to try and
reach as many people in the shortest amount of time possible.

ps. as for the similarity between the swen posts and the real update
message-I don't see there is any. The "real" posts don't look anything like
the virus posts and I believe it is up to each of us to decide how to handle
what we read. While I haven't received as many as some of you, I do manage
to anywhere from 20 to 200 swen emails a day, thanks to previous posts I
made to these forums. If I'm frustrated with my dosages, I can understand
your frustrations, but don't take it out on those who are trying to help.
 
Stefan Berglund

On Sat, 04 Oct 2003 16:57:57 GMT, "Invisible Dance"
in said:
.
.
.

No. You do not have the latest security patches and Service Pack for your
operating system. There are likely a lot of other known vulnerabilities in
your operating system that are not corrected. Even if you don't use a
particular function, that function can still be used by a worm or virus.
For example, if you don't use Internet Explorer for browsing, opening the
infected attachment on 'swen' infected e-mail will still infect your system
no matter what Internet browser you use unless you have an antivirus program
with up-to-date virus definitions that blocks the infection. Some worms
will then use your Internet Explorer even if you don't.


Internet Explorer 5.01 must be upgraded to a later version, preferably 6.0.
In fact, you can not even install some antivirus programs without upgrading
to IE 6.0 (Norton AntiVirus 2004, for example.)

You do have an antivirus program with up-to-date virus definitions on your
system, right?

Of course, but I don't use MS products for email either as
they're far too vulnerable in light of all the HTML crap floating
around. I'd have to try far too hard to get Agent to render HTML
or to open an attachment for that matter assuming I was ignorant
enough to do so.

I've installed KB823831, KB823559, KB823980, KB824105, and
KB824146 hotfixes. I run my network behind an SPI hardware
firewall and all my boxes including my W2K server run Kerio
personal firewall and AVG anti virus. What known vulnerabilities
in my OS do you suggest are not corrected?

I contend that by upgrading to IE 6.0 that in fact, I'm probably
more vulnerable than at present, much in the same vein that those
souls running NT4 installations are not as vulnerable as those
running W2K, XP, etc.
 
Invisible Dance

There are exploit vulnerabilities which security patches and Service Packs
should fix. On the other hand there are the uses that infections make of
parts of the operating system AFTER infection occurs. If you don't use
Internet Explorer 5.01, why don't you take it out of your operating system
B^) Oh, sorry, I guess you can't do that. While it is true that older or
less popular operating systems are less targeted by virus, worms, and other
attacks, that doesn't mean it can't happen. What an updated, patched
version of IE WOULD do is add protection against the silent use of IE by an
infection.

When you mentioned your still having IE 5.01 you did not mention the
firewall, nor that you used AVG. Those steps, of course, reduce your
vulnerabilities, but you might want to check on the future of AVG, now that
Microsoft has bought their antivirus technology.
 
Jupiter Jones [MVP]

Jerry;
Many feel cross-posting should be limited to a maximum of three
newsgroups.
However that is normally in reference to a problem looking for a
relevant solution.
Normally 3 groups is sufficient.
In your case, you have a solution that needs wide immediate
dissemination thus justifying the extra cross-posting etc.

Whatever group I read, I read it I am done and do not see it again.
Please do NOT multi-post, as each message will be opened before it is
identified as old.
I received the information about this patch a few hours before I
received the bulletin as Email.
Wide dissemination of important issues is a good thing.

--
Jupiter Jones [MVP]
An easier way to read newsgroup messages:
http://www.microsoft.com/windowsxp/pro/using/newsgroups/setup.asp
http://dts-l.org/index.html


Jerry Bryant said:
There is some interesting feedback here to my post. FYI, I personally have
been posting our security bulletins and alerts in these newsgroups for over
two years now. In fact, I created these security newsgroups (.security and
.security.virus) mainly for this purpose. My post is completely consistent
with the way I have always posted them. This is the first time anyone had
issues with cross posting. I understand the basis of those concerns though
and will take them in to consideration. So, in light of recent swen issues
in these newsgroups, is it the general feeling of all here that cross
posting should not be used to communicate these bulletin releases?

Microsoft has always maintained that
www.microsoft.com/technet/security is
 
PCR

cquirke, congratulations on a well-deserved MVP award. I've certainly
had an opportunity to learn much from you. Now, I'm sure, that
opportunity will continue into the foreseeable future. Even Colorado may
learn something!

Remember-- however-- should you choose to defect to XP, as so many
others have done, including Kelly, Hardmeier (spell check says
"Hardener") & Nutcase, not to mention Harper possibly,-- YOUR particular
award of "MVP Win9x" will be JUST so much CONFETTI, putting you on the
wrong side of a ticker tape parade! So...

Anyway, why not just say, "It's at Windows Update. Go & get it.", or go
over there, and say "Come and get it!".

--
Thanks or Good Luck,
There may be humor in this post, and,
Naturally, you will not sue,
should things get worse after this,
PCR
(e-mail address removed)
message |
| >What part of...
| >
| >> More information is now available at
| >> http://www.microsoft.com/technet/security/bulletin/MS03-040.asp
| >
| >...do you not understand?
|
| OK; safety's on, clips out, dudes!
|
| You both have a point. New fixes need to be publicized, but as Swen
| has so eloquently demonstrated, it's now impossible to tell what posts
| are real and what are malware SE.
|
| As to the link; well - HTML allows any text to have any URL under it,
| so WYSINNWYG. I just tested that for myself in Netscape Composer 7.
|
| So the challenge is; how to authenticate genuine MS correspondence in
| a way that is both intuitive and reliable. It would help if HTML
| didn't allow link spoofing, or if HTML posting was eradicated from
| email and news groups, but that's the standard we are stuck with.
|
| Security is either used "for" the user (e.g. to prove correspondence
| is genuine), or "against" the user (e.g. to prevent copying of DVDs
| etc.). The latter doesn't require user co-operation or acceptance,
| but the former does - IOW it's like "justice"; not only does it have
| to be done but it has to be *seen* to be done.
|
| That's a tall order - as even the most secure key system fails if the
| key is stolen, and there have been precedents for that already.
|
| Meantime, the savvy will seek out and apply patches etc. and the rest
| won't know who to believe. Not sure what the answer is :-(
|
| I've left all the ngs in, as they all look equally relevant.
|
|
|
| >------------ ----- --- -- - - - -
| Drugs are usually safe. Inject? (Y/n)
| >------------ ----- --- -- - - - -
 