

Archive: November 2001 ml@sikurezza.org
Subject: Re: Virus W32.Badtrans
From: Colombo Simone
Date: 29 Nov 2001 09:43:47 -0000
Sorry for the cross-posting, but it seems relevant to me... read on, read on...

<SNIP>
"Jouko Pynnonen" <jouko@solutions.fi> wrote in message >

> The flaw has been successfully exploited with Internet Explorer 5.5 and
> 6. An IE5 with the latest updates shows the spoofed file name and
> extension without a sign of EXE, and issues no Security Warning dialog
> after the file download dialog.
>
>
> VENDOR STATUS
>
> Microsoft was contacted on November 19th. The company doesn't currently
> consider this a vulnerability; they say that the trust decision should
> be based on the file source and not type. The origin of the file, i.e. the
> web server's hostname can't be spoofed with this flaw. It's not known
> whether a patch is going to be produced. Microsoft is currently
> investigating the issue.

This is interesting, but not surprising. A couple of hours ago, we received two
copies of the new W32/BadTrans.B-mm, and taking a closer look we found the
following:

1. A lot of noise is being made about how the vulnerability that this uses
is old, and that many patches, service packs, warnings, other i-worms
utilising the vulnerability have come and gone, yet there is wide-scale
spreading of this variant today.

2. The two copies we received were from Outlook Express 6.00 mail clients.
How can that be? They are not vulnerable to the so-called: audio/x-wav MIME
IFRAME Outlook Express vulnerability.

3. What we found was precisely as you describe above, as what was discussed
and demonstrated over 12 months ago, and as recently as 3 months ago:
http://www.securityfocus.com/bid/3271, and as the vendor continuously claims
as above.
</SNIP>


And again:

<WISE_ADVICE>
simple solution: SWITCH OFF HTML IN THE EMAIL CLIENT !
</WISE_ADVICE>



Kalugen

-- 
Failure is more frequently from want of energy than want of capital.

________________________________________________________
http://www.sikurezza.org - Italian Security Mailing List
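
An added example, not part of the original post or of the quoted advisory: a mail-gateway style check for the message shape the post calls the audio/x-wav MIME IFRAME issue, where a part declared as an audio type carries an executable file name and the HTML body loads it by Content-ID. The function name, the extension list and the sample message are assumptions constructed for illustration.

```python
import email
import re
from email import policy

# Constructed, non-exhaustive list of extensions Windows executes directly.
EXECUTABLE_EXT = {".exe", ".pif", ".scr", ".com", ".bat", ".cmd", ".vbs", ".lnk"}
AUTO_RENDERED = ("audio/", "video/", "image/")  # types a client may render inline
IFRAME_CID = re.compile(r"<iframe[^>]+src\s*=\s*[\"']?cid:([^\"'\s>]+)", re.I)

def suspicious_parts(raw_message: bytes):
    """Return (reason, detail) findings for one raw RFC 822 message."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    findings, iframe_cids, flagged_cids = [], set(), set()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/html":  # note which embedded parts the body pulls in
            iframe_cids.update(IFRAME_CID.findall(part.get_content()))
            continue
        name = (part.get_filename() or "").lower()
        ext = name[name.rfind("."):] if "." in name else ""
        # Declared media type says "play me", file name says "run me".
        if ext in EXECUTABLE_EXT and ctype.startswith(AUTO_RENDERED):
            findings.append(("type-mismatch", f"{ctype} declared for {name}"))
            flagged_cids.add((part.get("Content-ID") or "").strip("<>"))
    for cid in sorted(iframe_cids & flagged_cids):
        findings.append(("iframe-autoload", f"HTML body loads cid:{cid}"))
    return findings

# Constructed sample: placeholder payload, hypothetical addresses and names.
SAMPLE = b"""\
From: a@example.invalid
MIME-Version: 1.0
Content-Type: multipart/related; boundary="b1"

--b1
Content-Type: text/html; charset="us-ascii"

<html><body><iframe src="cid:part1" height=0 width=0></iframe></body></html>
--b1
Content-Type: audio/x-wav; name="readme.doc.pif"
Content-Transfer-Encoding: base64
Content-ID: <part1>

AAAA
--b1--
"""

if __name__ == "__main__":
    print(suspicious_parts(SAMPLE))
```

A plain-text-only reading mode, as advised in the post, removes the IFRAME trigger; the type-mismatch finding is still worth quarantining on its own.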



