*** HEADS UP *** Its IE again :rolleyes:

[morganlefay]

Hey guys...dont be killing all the stupid lusers....they pay my bills...and keep me in wine

MLF

[gore]

Well it would even out, they are probably the reason you drink in the first place.

[morganlefay]

Well it would even out, they are probably the reason you drink in the first place.

Youve got that right.....

MLF

[mmkhan]

hi all,
i went through an article at security focus (http://www.securityfocus.com/news/11384) they mention that,

Marc Maiffret, chief hacking officer for eEye said in a statement announcing that company's fix. "Again, this is just another mitigation option until Microsoft releases their patch, which last was scheduled for April 11th, or 16 days from now."

why is this constantly happening that microsoft donot offer patch at the instant the exploit is released? I think this is the second time a third party is offering a limited solution for the problem.

another intersting info

Hi gang, Stepto here again.

The MSRC in combination with our internal and external partner teams have been working through the weekend looking at the recent attacks involving the IE vulnerability I mentioned previously. So far we’re still seeing only limited attacks. But our anti-malware team, as always, is on the case and has uploaded removal information for the attacks to date to Windows Live Safety Center. I want to reiterate that the IE team has the update in process right now and if warranted we’ll release that as soon as it’s ready to protect customers (right now our testing plan has it ready in time for the April update release cycle). But if you’re concerned you may be impacted, now you can visit http://safety.live.com to scan your machine and remove current attacks using this vulnerability.

As always we will keep you up to date with the latest information as we get it.

source: http://blogs.technet.com/msrc/archiv...27/423176.aspx

Thanks

[HTRegz]

Hey Hey,

why is this constantly happening that microsoft donot offer patch at the instant the exploit is released? I think this is the second time a third party is offering a limited solution for the problem.

There's a number of reasons for this..

1. They have a monthly patch cycle
2. Many enterprises won't just roll out the patch anyways... They have resources set aside for Patch Tuesday to do the testing and ensure it won't blow up their production environment... They don't have the extra resources for out-of-band releases
3. A lot of users don't run automatic updates because they don't like having stuff downloaded to their computer without their knowledge... Those people won't just randomly check for updates.
4. They want everything to be extensively tested... updates are quite often larger than they appear

Let's give you an example... a big office update comes out.. The update involves the Multilingual User Interface (MUI). The MUI allows you to add additional languages to various language packs that already exist.. So you have Spanish Office 2003... You could add French and Italian with a MUI pack. Now think of the possible combinations.. Any language... with any combination of other languages... You want to be sure that your update isn't going to break any of these variations... and the variations are all different.. just check out the Reg Keys that each set gives you.. the reg. keys can very...

Third parties may release their patches ahead of Microsoft... however are they as extensively tested? Very doubtful... that's why they generally have disclaimers attached to them... They aren't necessarily reliable. They may only work on certain installs under certain configurations... They may break other functions (We've seen patches and workarounds that have done that in the past)... Microsoft doesn't have to just fix the problem.. they have to fix the problem and not create any others... that's a very different ball game.

Don't let the MS bashers convince you that Out of Cycle/Out of Band patches are a good idea... There was a recent thread on full disclosure from the n3td3v group... It's kinda a joke on FD... and they were saying that MS should make patches available immediately... the public response was the same thing.. it'd hell on enterprises, doesn't have enough benefits and doesn't ensure that proper patch testing is performed.... I'd rather wait 30 days at risk for Microsoft to fully test the patch and know that it won't break anything, than have it corrupt an OS or worse incorrectly interact with my hardware... or create an even bigger security hole...

Check out the FD thread @ http://seclists.org/lists/fulldisclo.../Mar/1581.html

Peace,
HT

[ByTeWrangler]

Greeting's

What SANS says about the temp patch :

At this point, we do not recommend applying this temporary patch for a number of reasons:

The workaround, to turn off Active Scripting AND to use an alternative browser is sufficient at this point.

We have not been able to vet the patch. However, source code is available for the eEye and the Detmina patch (for Determina: the source is part of the MSI file. for eEye: The source code is available as a seperate file)

Exploit attempts are so far limited. But this could change at any time.

It also says :

Some specific cases may require you to apply the third party patch. For example, if you are required to use several third party web sites which only function with Internet Explorer and Active Scripting turned on. In this case, we ask you to test the patch first in your environment. You may also want to consider contacting Microsoft.

And finally

We do suspect that Microsoft will still release an early patch given the imminent danger to its customers from this flaw. As stated by the company about two years ago, patches can be released within 2 days if needed. Microsoft has honed its patching skills from numerous prior patches. At this point, Microsoft suggested that the patch will be release no later then the second Tuesday in April. Based on prior public commitments, we do suspect that Microsoft will issue the patch early once they are convinced that customers require the use of Internet Explorer in production environments.

There is a link in the article :

1.http://www.securityfocus.com/news/9004


Link to the article itself

http://www.isc.sans.org/diary.php?storyid=1226


Anyway HTRegz has give enough information about why the company cannot release the patch on the very next day or even within few day's

Its just like some anti-viruses, for e.g Symantec releases Def's through liveupdate every week and only if needed in case of a level 3 or above outbreak ASAP. But you can always download daily def file from the site (although its 10Mb)

[HTRegz]

Originally posted here by ByTeWrangler

Its just like some anti-viruses, for e.g Symantec releases Def's through liveupdate every week and only if needed in case of a level 3 or above outbreak ASAP. But you can always download daily def file from the site (although its 10Mb)

This is a great example of improper patch testing... Remember what happened a few weeks ago when McAfee released their update that wasn't properly tested... It was suddenly removing excel and many other programs from the users computer..

Peace
HT

[ShippMA]

Hi Guys,

I haven't read back through this thread recently, so i apologise if this has been posted

It looks like the scammers have now got a grip on these problems and are exploiting them:

http://news.bbc.co.uk/1/hi/technology/4864072.stm

Basically they are creating an e-mail that has current excerpts from the BBC News website with a more link underneath. When you go to that link it takes you to a fake BBC News site that installs a Keylogger or Trojan. The point is to get your financial info. Its always driven by money