March 2006 - Posts

If you have ever visited ThinkGeek.com you know that they have quality products with geeks in mind.  Here is a good example of some of the products that are new on their website.

RFID Blocking Kit T-shirt


Free! Only While Supplies last!

Yes, you read it right, but don't be fooled, this is a special deal for a limited time only! Be part of the exclusive club of geeks who own this one-of-a-kind t-shirt with our patented embedded RFID-blocking technology! Hurry up though, this offer is only good through Monday April 3, 2006 or while supplies last.

Why would you want your very own RFID-blocking t-shirt? Well to protect yourself from prying scanners of course. In the event of a privacy emergency, simply cut out the RFID "blocking" device and place on top of the RFID chip being scanned. The result is peace of mind in an instant, for only the cost of a gaping hole in your shirt.

So hurry up and get our limited edition RFID Blocking Kit T-shirt. Here's how you score one:

iZilla Media Monster

Two Terabytes Of Digital Media Euphoria

Tromping through the streets of downtown Tokyo... crunching tiny white audio players underfoot comes the iZilla. If you've been looking to step-up to a hungry man sized portable media player with incredible tech powers... this is it. First start with a whopping two terabytes of storage delivered by four 500 gig internal hard drives. Up the ante with a sweet 7" TFT-LCD touch screen... then crush your opponents with high-speed ripping capability for CD, DVD, and vinyl. A handy iPod dock allows you to transfer songs to and from the iZilla.

Listen to the iZilla roar through the internal six speaker surround system offering 5.1 channel surround sound with up to 120 watts per channel. Or enjoy your music privately with the included DJ-Style wireless bluetooth headphones up to 15 feet away. Built in wi-fi (802.11g), Gigabit Ethernet, Firewire and USB 2.0 ports ensure the maximum capability to transfer your tunes and video to external hard drives and computers.

Take the iZilla with you anywhere. It's like having an entire home entertainment system in a handy 30 pound white briefcase. The iZilla can be powered by a standard 120VAC wall outlet, or runs off 16 D size batteries (not included).

    Product Features & Specifications
  • 2000 Gigabytes of storage
  • Built in CDRW/DVD-RW 52X/32X/52X/16X
  • Built in slot loading turntable with laser pickup
  • Plays back video and audio digital media in the following formats: MPEG1, MPEG2, MPEG4, AVI, WMV, Divx, MP3, MP4, XviD, DVD(IFO, VOB), Ogg Vorbis, ADPCM, WMA, AAC-LC
  • Rips video from DVD (downloadable software patch required for encrypted DVD media)
  • Rips audio from CD (.wav, mp3 or Ogg Vorbis)
  • Rips audio from Vinyl (.wav, mp3 or Ogg Vorbis)
  • Transfers music to and from iPod (All iPod models with dock connector. Music from iPod must be non-encrypted.)
  • Burns DVD, Audio and Data CD formats
  • 7" TFT-LCD Touch screen 724x309 resolution
  • Touch-Screen menu system controls all functions
  • Wireless connectivity with wi-fi 802.11g and Bluetooth
  • Wired connectivity via gigabit ethernet, USB 2.0, and Firewire.
  • Wireless Bluetooth DJ style headphones included
  • Six speaker surround system offering 5.1 channel surround sound with up to 120 watts per channel.
  • Dimensions: 19" x 14" x 4.5", weight 32.8 lbs. with batteries installed.


USB Desktop Tanning Center


Your Desktop Fun-without-the-sun Buddy

Here at ThinkGeek, we fully understand the sun isn't always your best friend. But, unlike vampire rats, the sun is not PURE evil. It does have a few redeeming qualities. Like sunspots and eclipses. It's also used to grow your own 1up Mushrooms. Some people even tunnel sun rays through a magnifying glass to set leaves, insects and ladyfingers in a glorious blaze. One of the strangest qualities of the Sun, however, is that it can make the color of your skin change. And while it is very dangerous to the cells in your epidermis, this practice of changing one's skin color purportedly makes you more socially acceptable in general and desirable to the opposite sex. What geek doesn't want that?

If you get into the deep chemical and engineering science of this process, you'll soon figure out that it's the UV rays that cause this skin color change. And, lucky for you, UV rays are easy to produce in mass quantities of lamps built in China and sold on ThinkGeek. Yay!

Don't let the sun have the monopoly on making people love you more. Get the USB Desktop Tanning center and, in the comfort of your own cubicle, a scrumptiously golden tone can be yours in about the same time it takes you to update your lame blog with another meaningless entry that nobody will ever read. Ever.

Features:

  • Two base units attach to either side of your monitor
  • 4 WOLFFE Ultra-violet 100 watt bulbs
  • USB Powered
  • Variable rate knob features three settings (Powder, Tea, Malignant)
  • Comes with eyeball cover thingies

Buzzaire - Metered Dose Caffeine Inhaler


Power Air!

Here at ThinkGeek, we've done our best to find new and advanced ways to keep you, our customers, alert and awake. We've introduced caffeinated soap and caffeinated hot sauce, we offer the most caffeinated beverages and mints available, all because we understand the need for that extra something that only caffeine can bring. And now ThinkGeek Labs is proud to present the most revolutionary caffeine delivery system available: Buzzaire.

Buzzaire is, quite simply, a caffeine inhaler. One squeeze, one inhale, and you've just rushed 150mg of caffeine into your blood stream. Mints or drinks have to go through your digestive tract first before partying in your blood (or through your skin, in the case of caffeinated soap). But the lung/blood barrier is the fastest way (other than injection or IV) to get caffeine into your system. Not only will you get one heck of a rush, but you'll also freshen your breath! A hint of peppermint oil in each puff will give you a little extra perk with its peppy zing. Buzzaire can beat up your air!

Warning: Do not take more than 4 doses in a 24 hour period. Too much caffeine can be fatal. If any abnormal symptoms develop, please consult your doctor. Not to be used by children or pets.

Each package contains:

  • 1 Inhaler
  • 2 Buzzaire Cartridges (each with 100 doses)
Caffeine Comparison Chart

Drink/Food Caffeine Content
12oz Can of Coke 34mg
12oz Can of Mt. Dew 37mg
12oz of Jolt Cola 78mg
10oz Bottle of Bawls 80mg
8oz of Brewed Coffee 70-120mg
One breath of Buzzaire 150mg

New Bagle, new trick Posted by Mikko @ 19:27 GMT

First things first: admins, block http access from your network to endoliteindia.com.

We saw a new Bagle run start tonight. As usual, it was started by posting a new, undetected downloader to one of the dozens of URLs the already-infected Bagle machines are constantly polling.

The difference this time is that every four minutes the link returns a different binary. Different size, different MD5. This is accomplished by repacking the same file with ASProtect again and again.


We are now detecting these as "W32/Bagle.GI". However, the contents keep changing.

To make a long story short: block access to this download site. It's at endoliteindia.com - a hacked web server in India. Abuse messages to the site and the upstream ISP have been sent.

Updated to add: At around 19:45 GMT, the download link died. Now it just returns 403 Forbidden, which is great. We never got replies to our abuse reports, but perhaps somebody took action. Or perhaps the Bagle gang did this themselves.

  Resolving endoliteindia.com... 64.38.19.50
  Connecting to endoliteindia.com[64.38.19.50]:80... connected.
  HTTP request sent, awaiting response... 403 Forbidden
  22:16:51 ERROR 403: Forbidden.

F-Secure : News from the Lab - March of 2006.
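The trick Mikko describes, repacking the same downloader so that every fetch has a new size and MD5, is why a file-hash blocklist cannot keep up and why the post's advice is to block the download host instead. The following is an added illustration, not F-Secure's code and not the Bagle binary: a toy XOR "packer" (an assumption standing in for ASProtect) is applied with a fresh random key per simulated poll, so the bytes on the wire hash differently every time while the unpacked payload hashes identically. The `PAYLOAD` bytes are constructed.

```python
import hashlib
import os
import random

# Constructed stand-in for the downloader that infected hosts poll for.
# It is not the Bagle binary; any bytes would do for the demonstration.
PAYLOAD = b"MZ" + b"\x90" * 48 + b"constructed sample downloader, not real malware"


def toy_pack(payload: bytes, key: bytes) -> bytes:
    """Toy 'packer': a fixed stub, the key length, the key, then the payload
    XORed with the key.  It only reproduces the effect the post describes
    (identical code, different bytes on disk per run); it is not ASProtect."""
    body = bytes(b ^ key[i % len(key)] for i, b in enumerate(payload))
    return b"STUB" + bytes([len(key)]) + key + body


def toy_unpack(blob: bytes) -> bytes:
    """Inverse of toy_pack: what an emulator or a manual unpack would recover."""
    if not blob.startswith(b"STUB"):
        raise ValueError("not a toy-packed blob")
    klen = blob[4]
    key, body = blob[5:5 + klen], blob[5 + klen:]
    return bytes(b ^ key[i % klen] for i, b in enumerate(body))


def md5(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


def poll_samples(payload: bytes, fetches: int) -> list:
    """Simulate `fetches` downloads from a server that repacks on every request
    with a fresh, variable-length key, so both size and hash drift per fetch."""
    return [toy_pack(payload, os.urandom(random.randint(4, 16))) for _ in range(fetches)]


def outer_hashes(blobs) -> set:
    """Hashes of what arrived on the wire: one new value per fetch."""
    return {md5(b) for b in blobs}


def inner_hashes(blobs) -> set:
    """Hashes of the unpacked payload: a single value for the whole run."""
    return {md5(toy_unpack(b)) for b in blobs}


if __name__ == "__main__":
    blobs = poll_samples(PAYLOAD, 6)
    for b in blobs:
        print(f"{len(b):5d} bytes  md5={md5(b)}  unpacked md5={md5(toy_unpack(b))}")
    print("distinct on-the-wire hashes:", len(outer_hashes(blobs)))
    print("distinct payload hashes:   ", len(inner_hashes(blobs)))
```

The point for detection engineering is the two sets at the end: the outer set grows with every poll, the inner set stays at one. A real packer needs an unpacker or emulation to get at the inner bytes, which is why the immediately useful indicator here is the URL and host being polled, not the file hash.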

You know it is just plain sad that this doesn't surprise me one bit...

Thursday, March 30, 2006

Hey, TYPE-YOUR-CREDIT-CARD-NUMBER-HERE.COM is available for registration! Posted by Mikko @ 14:00 GMT

Being curious about phishing, we decided to look into the number of domains that mimic banks. Just how many are out there? Well, lots.

We did a simple search across com/net/org/us/biz/info top-level domains for common bank names.

Keyword          Number of domains
citibank*                     497
bankofamerica*                407
lloyds*                       994
bnpparibas*                    41
egold*                        691
hsbc*                        1258
chase*                       6470
paypal*                      1634
ebay*                        8057

Some examples of existing, active registrations, using citibank as an example:

  citibank-america.com
  citibank-credicard.com
  citibank-credit-card.com
  citibank-credit-cards.com
  citibank-account-updating.com
  citibank-creditcard.com
  citibank-loans.com
  citibank-login.com
  citibank-online-security.com
  citibank-secure.com
  citibank-site.com
  citibank-sucks.com
  citibank-update.com
  citibank-updateinfo.com
  citibank-updating.com
  citibankaccount.com
  citibankaccountonline.com
  citibankaccounts.com
  citibankaccountsonline.com
  citibankbank.com

Some of these are probably perfectly legitimate. Others probably are not... like citibank-account-updating.com, registered last Friday to Ms. Evelyn Musa in Arlington, VA?

F-Secure : News from the Lab - March of 2006.
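A wildcard search like the one above returns thousands of names, most of them harmless, so the next step is to rank them. The following is an added example, not F-Secure's tooling: a small triage scorer that strips the brand keyword from each registrable label, splits what is left into the lure words phishing hostnames lean on (login, secure, update, account, ...) and ranks by weight. The input list is the citibank* registrations quoted in the post plus `citibank.com` and `example.org` for contrast; the lure-token list and its weights are this example's assumption.

```python
import re

# Constructed input: the citibank* registrations quoted in the post, plus the
# brand's own domain and an unrelated name so the scorer has something to pass.
REGISTRATIONS = [
    "citibank-america.com", "citibank-credicard.com", "citibank-credit-card.com",
    "citibank-credit-cards.com", "citibank-account-updating.com",
    "citibank-creditcard.com", "citibank-loans.com", "citibank-login.com",
    "citibank-online-security.com", "citibank-secure.com", "citibank-site.com",
    "citibank-sucks.com", "citibank-update.com", "citibank-updateinfo.com",
    "citibank-updating.com", "citibankaccount.com", "citibankaccountonline.com",
    "citibankaccounts.com", "citibankaccountsonline.com", "citibankbank.com",
    "citibank.com", "example.org",
]

# Brand keywords from the post's table.
BRANDS = ("citibank", "bankofamerica", "lloyds", "bnpparibas", "egold", "hsbc",
          "chase", "paypal", "ebay")

# Lure words phishing hostnames lean on, with weights.  The list and the
# weights are this example's assumption, not anything F-Secure published.
LURE_TOKENS = {
    "login": 3, "secure": 3, "security": 3, "update": 3, "updating": 3,
    "updateinfo": 3, "verify": 3, "account": 2, "accounts": 2, "credicard": 2,
    "online": 1, "site": 1, "credit": 1, "creditcard": 1, "card": 1, "cards": 1,
}


def registrable_label(domain: str) -> str:
    """Second-level label: 'citibank-login' for 'www.citibank-login.com'."""
    parts = domain.lower().rstrip(".").split(".")
    return parts[-2] if len(parts) > 1 else parts[0]


def segment(chunk: str) -> list:
    """Greedy longest-match split of a delimiter-free chunk ('accountsonline')
    into known lure tokens; characters that match nothing are skipped."""
    tokens, i = [], 0
    while i < len(chunk):
        for n in range(len(chunk) - i, 0, -1):
            if chunk[i:i + n] in LURE_TOKENS:
                tokens.append(chunk[i:i + n])
                i += n
                break
        else:
            i += 1
    return tokens


def score(domain: str) -> tuple:
    """(score, tokens).  0 for no brand match and for the bare brand itself."""
    label = registrable_label(domain)
    brand = next((b for b in BRANDS if b in label), None)
    if brand is None or label == brand:
        return 0, []
    tokens = []
    for chunk in re.split(r"[-_]+", label.replace(brand, "-", 1)):
        tokens.extend(segment(chunk))
    return sum(LURE_TOKENS[t] for t in tokens), tokens


def triage(domains, threshold: int = 3) -> list:
    """Domains at or above threshold, highest score first."""
    rows = [(d, *score(d)) for d in domains]
    return sorted([r for r in rows if r[1] >= threshold], key=lambda r: -r[1])


if __name__ == "__main__":
    for domain, points, tokens in triage(REGISTRATIONS):
        print(f"{points:2d}  {domain:35s} {' '.join(tokens)}")
```

This ranks names only; it says nothing about whether a site is live or what it serves. The registration date and registrant the post looked up for citibank-account-updating.com are the obvious next fields to pull for anything that scores high, and `citibank-sucks.com` scoring zero is the reminder that not every brand-bearing registration is a phish.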

I don't know about the rest of you out there, but this scares the crap out of me.  We have so many intranet apps at our organization that it is bound to break something.

Microsoft Altering ActiveX in Next Set of Patches (NEW)

Published: 2006-03-30,
Last Updated: 2006-03-30 10:43:03 UTC by Ed Skoudis (Version: 1)

We've gotten several e-mails from diligent readers (Thank you, Juha-Matti, Richard, and others) about Microsoft's plans to alter the way ActiveX controls work in a non-security related update associated with some legal imbroglio.  According to Microsoft:

"So [On April 11] when we release the next cumulative IE security update [which will also include the non-security update associated with ActiveX], customers will only be able to interact with Microsoft ActiveX controls loaded in certain web pages after manually activating their user interfaces by clicking on it or using the TAB key and ENTER key."

That's not the end of the world, but it is worth noting.

What does this mean to you?  On April 11, some of your ActiveX controls may stop working.  You can test this new IE voodoo by downloading an optional patch for IE from Windows Update.  Microsoft will have a tool (a retro-patch?) for making IE behave like it does now, but that tool will only be supported through the June updates.

For more information, check out this advisory for the details, or the newly added section to the FAQ (as of yesterday) to this advisory, and read this blog posting from a Microsoft employee working this issue.  The blog posting includes specific advice for enterprise users (in summary... test!) and for consumers (in summary... use Windows Update and be happy!)

--Ed Skoudis.
Intelguardians

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

I agree with this totally, just leave those 3rd party "patches" alone. Of course, you can always just switch to Firefox and not worry about it...

 

Workarounds for IE createTextRange() flaw Posted by Jarkko @ 11:25 GMT

There are some publicly available 3rd party patches available for the createTextRange() bug. However, we recommend waiting for the official fix from Microsoft. Before the patch is available, one workaround is to disable the Active scripting from Internet Explorer.

Detailed instructions on how to do this can be read from the Microsoft advisory under Suggested Actions / Workarounds. Here's a screenshot of the procedure:

How to disable Active Scripting

When the Active scripting is set to "Prompt", the prompting might look like this:

Execution of Script

F-Secure : News from the Lab - March of 2006.

Am I the only one that finds this just a little bit funny??

NASCAR.COM - Gordon fined $10K for incident with Kenseth - Mar 28, 2006.

Gordon fined $10K for incident with Kenseth

Veteran says he's through worrying about what people think of him

By David Newton, NASCAR.COM
March 28, 2006
05:08 PM EST (22:08 GMT)

Security Advisories Updated Today

==============================================

* Microsoft Security Advisory (917077)

- Title: Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution

- http://www.microsoft.com/technet/security/advisory/917077.mspx

- Revision Note: Advisory updated with information regarding additional security software protections, current limited scope of attacks, and the status of the Internet Explorer security update.

********************************************************************

 

Temporary Patches for createTextRange Vulnerability (NEW)

Published: 2006-03-28,
Last Updated: 2006-03-28 12:24:34 UTC by Johannes Ullrich (Version: 1)

Eeye released a temporary patch for the current createTextRange vulnerability. The patch can be found here:
  http://www.eeye.com/html/research/alerts/AL20060324.html. A second patch has been made available by Determina.

At this point, we do not recommend applying this temporary patch for a number of reasons:
  • The workaround, to turn off Active Scripting AND to use an alternative browser is sufficient at this point.
  • We have not been able to vet the patch. However, source code is available for the Eeye patch, so you can do so yourself. Determina has not released source code at this point.
  • Exploit attempts are so far limited. But this could change at any time.
Some specific cases may require you to apply the third party patch. For example, if you are required to use several third party web sites which only function with Internet Explorer and Active Scripting turned on. In this case, we ask you to test the patch first in your environment. You may also want to consider contacting Microsoft. Microsoft may not be aware of the importance of security to its customers.

We do suspect that Microsoft will still release an early patch given the imminent danger to its customers from this flaw. As stated by the company about two years ago, patches can be released within 2 days if needed. Microsoft has honed its patching skills from numerous prior patches. At this point, Microsoft suggested that the patch will be released no later than the second Tuesday in April. Based on prior public commitments, we do suspect that Microsoft will issue the patch early once they are convinced that customers require the use of Internet Explorer in production environments.

Please let us know about issues (or successful installs) of either patch. We will summarize issues here.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Updates on IE vulnerability (NEW)

Published: 2006-03-27,
Last Updated: 2006-03-27 14:14:29 UTC by Pedro Bueno (Version: 1)

Our reader Juha-Matti pointed out that MS updated its blog with information about the patch and some advice for users:
"I want to reiterate that the IE team has the update in process right now and if warranted we'll release that as soon as it's ready to protect customers (right now our testing plan has it ready in time for the April update release cycle).  But if you're concerned you may be impacted, now you can visit http://safety.live.com to scan your machine and remove current attacks using this vulnerability."

Although they say they are seeing only limited attacks, we have some reports of more than 100 sites (Saturday data) exploiting this vulnerability to install bots, keyloggers...

Update:
Btw, just to be clear about the safety live com thing, it offers some protection, but it can only protect you against known malware with signatures... It is not protecting you against the IE vulnerability...

Update2:
The number of sites is now over 200...

-------------------------------------------------------------------------------------------
Handler on Duty: Pedro Bueno ( pbueno //&&// isc. sans. org)
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Jeff Gordon says the person that NASCAR fined $10,000 on Tuesday for shoving Matt Kenseth after Sunday's race at Bristol Motor Speedway is closer to who he is than what fans have seen.

Gordon, also placed on probation until Aug. 30, 2006, took a two-handed jab at Kenseth on pit road when Kenseth approached him to explain the bump that sent the four-time Nextel Cup champion from third place to 21st on the final lap.

Internet Explorer exploits in the wild Posted by Jarkko @ 14:10 GMT

We've received some reports about the recent unpatched Internet Explorer vulnerability being exploited in the wild. The exploits are based on publicly available proof-of-concept code which exploits the processing of the createTextRange() function.

At the moment, there's no patch for the vulnerabilities. Please read the following links for more detailed information about the vulnerability and possible workarounds:

http://www.securityfocus.com/bid/17196/info
http://www.microsoft.com/technet/security/advisory/917077.mspx
http://secunia.com/advisories/18680/

F-Secure Anti-virus detects HTML pages containing the exploit code as variants of Exploit.JS.CVE-2006-1359.

F-Secure : News from the Lab - March of 2006.

 

Email attachment vector for IE createTextRange() Remote Command Execution (NEW)

Published: 2006-03-26,
Last Updated: 2006-03-27 00:43:05 UTC by Patrick Nolan (Version: 1)

Just for the sake of clarity, there is an email attachment vector for this exploit that's not widely reported. I have not seen any reports of it being used at this time. MS's bulletin, in the FAQ's, in "Could this vulnerability be exploited through e-mail?", says it can be exploited if one "open(s) an attachment that could exploit the vulnerability." ISS obliquely says attacks may occur by "...simply embedding the required logic in specially crafted HTML emails.".

Note - My Outlook Web Access runs in the Local intranet Zone, and MS's suggested workaround for this IE Zone is to change the Local intranet setting to prompt or disable for Active Script, or just crank the zone security setting to high for prompting.

HTML attachments, the IE Local Machine Zone Lockdown

According to MS, "Web pages accessed from the local computer are placed in the Local Machine zone" and "The Local Machine zone is an Internet Explorer security zone, but is not displayed in the settings for Internet Explorer.". "In Windows XP Service Pack 2, all local files and content that is processed by Internet Explorer has additional security applied to it in the Local Machine zone.".

"Specifically, these settings are:

URLACTION_ACTIVEX_RUN resolves to Disallow.
URLACTION_ACTIVEX_OVERRIDE_OBJECT_SAFETY resolves to Disallow.
URLACTION_SCRIPT_RUN resolves to Prompt.
URLACTION_CROSS_DOMAIN_DATA resolves to Prompt.
URLACTION_BINARY_BEHAVIORS_BLOCK resolves to Disallow.
URLACTION_JAVA_PERMISSIONS resolves to Disallow.".

Since "script in local HTML pages viewed inside of Internet Explorer prompts the user for permission to run", disallowing HTML attachments might be worth considering.

In addition, keeping gateway email AV sigs up to date is advisable. Drop us a note if you notice attacks coming at you via email. Thanks!

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Modified Malware for the IE Exploit

Published: 2006-03-26,
Last Updated: 2006-03-26 02:35:18 UTC by Lorna Hutcheson (Version: 1)

It's always interesting around the ISC and you never know what you'll be handed on any given day.  It's even more interesting when there is an unpatched IE vulnerability and an exploit available for it.  That is where we find ourselves now.  There are several sites that have been compromised and now contain the exploit code.  These sites all run the exploit code and get a file called ca.exe which in turn gets a file called calc.exe and installs it.  It is calc.exe that we want to focus on briefly.

This malware installs a dll that is used as a Browser Helper Object (BHO) and also copies itself to the directory you see below as nm32.exe and runs as a process.  The malware creates the following on install:

C:\WINNT\fyt\mn32.dll
C:\WINNT\fyt\nm32.exe
C:\WINNT\fyt\~ipcfg636
C:\WINNT\fyt\~start636
C:\WINNT\fyt\~tmp636
C:\WINNT\fyt\~view636

It also creates one called sub.txt when you surf the internet and records everything that it can about where you surf and do and any information it can get from the  Let's look at what is in the files.  The information I'm about to show is from my VM box, so it won't get you anywhere:>)

File: ipcfg636

Windows 2000 IP Configuration
    Host Name . . . . . . . . . . . . : vmwindows2k
    Primary DNS Suffix  . . . . . . . :
    Node Type . . . . . . . . . . . . : Broadcast
    IP Routing Enabled. . . . . . . . : No
    WINS Proxy Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:
    Connection-specific DNS Suffix  . :
    Description . . . . . . . . . . . : AMD PCNET Family PCI Ethernet Adapter
    Physical Address. . . . . . . . . : 00-0C-29-16-36-AB
    DHCP Enabled. . . . . . . . . . . : No
    IP Address. . . . . . . . . . . . : 192.168.227.128
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :
    DNS Servers . . . . . . . . . . . :

File:  start636

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    192.168.227.128:139    0.0.0.0:0       LISTENING
  UDP    0.0.0.0:135            *:*                   
  UDP    0.0.0.0:445            *:*                   
  UDP    0.0.0.0:1026           *:*                   
  UDP    192.168.227.128:137    *:*                   
  UDP    192.168.227.128:138    *:*                   
  UDP    192.168.227.128:500    *:*                   


File:  tmp636

    Protected Storage settings / PWL:
InfoDelivery
IdentityMgr
        IdentitiesPass    ::::€:Ï»b[
    HASH values:
Administrator:500:AF6E956C6F6836C4F3F9505A2D0958A7:0B14980C258F0D7178186CE65030A4A6:Built-in account for administering the computer/domain::
Guest:501:********************************:********************************:Built-in account for guest access to the computer/domain::
    RAS:
Total 0 entries
    Network settings:

File:  view636

Server Name            Remark

-------------------------------------------------------------------------------
\\VMWINDOWS2K                                                                 
The command completed successfully.

File:  Sub.txt

res://C:\WINNT\system32\shdoclc.dll/dnserror.htm#http://www.msn.com/
http://winxphome/index.html
http://winxphome/index.html
http://winxphome/index.html
email=lorna.hutcheson@somewhere.com
pw=password
pw-conf=password


The malware FTP's all the information out to a location.  It also has email capability.  The location given by McAfee in their writeup found here was as follows:  "The trojan attempts to upload harvested information to an FTP server (66.242.129.251)."  However, when I downloaded the malware and looked at it that was not the location I found in the strings.  I found:

0040F530   ASCII "200.182.57.13",0
0040F630   ASCII "21",0

So it seems that the malware has been swapped for a new version with the FTP server portion changed.  I have not observed it attempting to FTP yet, still waiting with a sniffer running.  The strings also contained the username and password for the new site.  The file on the new IP is now encrypted and the file wasn't before on the first FTP site.  So the individual seems to realize that folks are on to them.  I'm pretty sure that the malware has just been changed since it's easier to modify the malware and where it FTPs to than to go back to all the hacked sites.

Anyway, please keep your eyes and ears open for any new sites exploiting this vulnerability!  As always, be careful, it's a jungle out there!

Lorna J. Hutcheson
CACI
SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
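Lorna's finding above came from two places: the file artifacts dropped under C:\WINNT\fyt\ and the strings in the binary, where the FTP host and port sit as separate ASCII strings 0x100 bytes apart (0040F530 and 0040F630). The following is an added example, not ISC's or CACI's code: a small `strings`-style extractor that pulls printable runs from a buffer, picks out IPv4 literals, pairs each with the first all-digit string found shortly after it, and a host check for the dropped-file list from the post. `SAMPLE` is a constructed byte buffer containing the values quoted in the post, not the real calc.exe.

```python
import os
import re

# Constructed stand-in for calc.exe: junk bytes around the values the post
# quotes (the new FTP host and port, a dropped-file path, and the older IP
# from the McAfee write-up).  It is not the real sample.
SAMPLE = (b"\x00MZ\x90\x00\x03" + b"200.182.57.13\x00" + b"\xff\xfe" + b"21\x00"
          + b"\x01\x02" + b"C:\\WINNT\\fyt\\nm32.exe\x00" + b"ftp\x00" + b"\x00" * 4
          + b"66.242.129.251\x00" + b"\x7f")

# Paths the post lists as created on install.
DROPPED_FILES = [
    r"C:\WINNT\fyt\mn32.dll", r"C:\WINNT\fyt\nm32.exe",
    r"C:\WINNT\fyt\~ipcfg636", r"C:\WINNT\fyt\~start636",
    r"C:\WINNT\fyt\~tmp636", r"C:\WINNT\fyt\~view636",
]

IPV4 = re.compile(r"^(?:(?:25[0-5]|2[0-4]\d|1?\d?\d)\.){3}(?:25[0-5]|2[0-4]\d|1?\d?\d)$")


def extract_strings(blob: bytes, min_len: int = 2) -> list:
    """(offset, text) for every run of printable ASCII at least min_len long.
    `strings` defaults to 4, which would silently drop the two-character port."""
    pat = re.compile(rb"[\x20-\x7e]{%d,}" % min_len)
    return [(m.start(), m.group().decode("ascii")) for m in pat.finditer(blob)]


def find_ipv4(strings) -> list:
    """Keep only strings that are well-formed dotted-quad literals."""
    return [(off, s) for off, s in strings if IPV4.match(s)]


def port_after(strings, ip_offset: int, window: int = 0x200):
    """First all-digit string in the `window` bytes after an IP string; the
    sample in the post keeps its port 0x100 bytes past the host."""
    for off, s in strings:
        if ip_offset < off <= ip_offset + window and s.isdigit() and 0 < int(s) < 65536:
            return int(s)
    return None


def c2_candidates(blob: bytes) -> list:
    """(ip, port-or-None) for every IPv4 literal found in the buffer."""
    strs = extract_strings(blob)
    return [(ip, port_after(strs, off)) for off, ip in find_ipv4(strs)]


def check_dropped_files(exists=os.path.exists) -> list:
    """Which of the post's dropped-file paths exist on this host.  The `exists`
    predicate is injectable so the check can be exercised off a Windows box."""
    return [p for p in DROPPED_FILES if exists(p)]


if __name__ == "__main__":
    for off, s in extract_strings(SAMPLE):
        print(f"{off:08x}  {s}")
    print("C2 candidates:", c2_candidates(SAMPLE))
    print("dropped files present:", check_dropped_files())
```

Run against a real dump, the pairing heuristic is only a hint: a version string or a file size that happens to sit after an IP will pair just as readily, so confirm with the sniffer as the post does. The older IP from the McAfee write-up still appearing in a buffer with no port after it is exactly the kind of leftover that tells you the C2 was edited in place.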

The blogs at myITforum, Inc. have been upgraded and the blog address has changed.  You can find me here: http://myitforum.com/cs2/blogs/cmosby/default.aspx

Come by and check out the new system!!

 

IE exploit on the loose, going to yellow

Published: 2006-03-24,
Last Updated: 2006-03-24 18:29:57 UTC by Jim Clausing (Version: 2)


Update: We just received a report that a particular site uses the "createTextRange" vulnerability to install a spybot variant. It is a minor site with insignificant visitor numbers according to Netcraft's "Site rank".

The Bleedingsnort rule has been updated. It has been tested against that particular version of the exploit and works for it. For details, see this set of rules (last one is the 'createTextRange' rule).

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

********************************************************************

Title: Microsoft Security Advisory Notification

Issued: March 23, 2006

********************************************************************

Security Advisories Updated or Released Today

==============================================

* Security Advisory (917077)

- Title: Vulnerability in the way HTML Objects Handle Unexpected Method Calls Could Allow Remote Code Execution (Check out Harry’s blog for a good write-up on this)

- Web site: http://go.microsoft.com/fwlink/?LinkId=63915

 

* Security Advisory (912945)

- Title: Non-Security Update for Internet Explorer

- Web site: http://go.microsoft.com/fwlink/?LinkId=59550

- Reason For Update: Advisory updated to highlight where customers can download the update.

Shields up!!

IE exploit on the loose, going to yellow (NEW)

Published: 2006-03-23,
Last Updated: 2006-03-23 20:18:59 UTC by Jim Clausing (Version: 1)

Folks, as Lorna predicted yesterday, it didn't take long for the exploits to appear for that IE vulnerability.  One has been making the rounds that pops the calculator up (no, I'm not going to point you to the PoC code, it is easy enough to find if you read any of the standard mailing lists), but it is a relatively trivial mod to turn that into something more destructive (in fact, one of our readers has provided us with a version that he created that is more destructive).  For that reason, we're raising Infocon to yellow for the next 24 hours. 

Workarounds/mitigation

Microsoft has posted this and suggests that turning off Active Scripting will prevent this exploit from working.  You could, of course, always use another browser like Firefox or Opera, but remember that IE is so closely tied to other parts of the OS, that you may be running it in places where you don't realize you are.

One of our readers asked whether DropMyRights from Microsoft would provide any protection.  We haven't had an opportunity to test that out.

I understand a snort signature to detect the exploit has been checked in to bleeding-snort, I'll update the story with a URL for the sig as soon as I find it.

References

Original Secunia bulletin: http://secunia.com/advisories/18680/
Microsoft blog: http://blogs.technet.com/msrc/archive/2006/03/22/422849.aspx

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Looks like another rootkit Trojan is making the rounds…

Trojan.Abwiz.F is a Trojan horse with rootkit abilities that downloads and executes remote files and sends confidential computer information to a remote attacker. The Trojan also allows a remote attacker to perform various unauthorized actions on the compromised computer.

Security Response has published a removal tool to clean infections of Trojan.Abwiz.

Version 1.0 of the tool can be obtained by visiting http://securityresponse.symantec.com/avcenter/venc/data/trojan.abwiz.removal.tool.html

From Russia with Rootkit Posted by Kimmo @ 15:18 GMT

Yesterday we received an interesting email-worm sample, detected as Gurong.a, that uses rootkit techniques to hide its file, process and launch point in the registry. It is based on the infamous Mydoom code and it is in the wild but currently spreading very slowly.


Gurong.a modifies the operating system kernel, specifically the system service table and process object structures, so it is a kernel-mode rootkit. What makes it different from other kernel-mode rootkits we have seen is the way it installs the rootkit payload into kernel. Often malware uses a special purpose driver or the physical memory device to modify the kernel from user mode.

Source: Intel Corporation

Gurong.a uses the physical memory device as its initial injection vector to install a call gate to the Global Descriptor Table (GDT) that resides in system address space. Call gates are things we do not see everyday. Below is a definition from Wikipedia:

“Call gate is a mechanism in intel x86 architecture for changing privilege level of CPU when it executes a predefined function call.”

For more detailed information about call gates you should have a look at the IA-32 Intel Architecture Software Developer’s Manual, Volume 3A.

What this means is that through the call gate Gurong.a can execute parts of its code in privilege level 0 (kernel mode) without adding any additional code to the system address space. This code has full access to the system address space and privileged instructions. For example, the code that hides a process by modifying its object structure is actually part of the wmedia16.exe image (the file name used by the worm) and resides in user address space.

As a final note, F-Secure BlackLight is able to find and disable Gurong.a.

F-Secure : News from the Lab - March of 2006.
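Kimmo's point is that a call gate lets ring-3 code enter ring 0 without any driver: a gate descriptor in the GDT carries a target selector and offset plus its own DPL, and a far call through it is allowed whenever the caller's CPL is not more privileged than that DPL, so a gate with DPL 3 pointing at kernel code is a user-to-kernel door. The following is an added illustration, not F-Secure's code and not the worm's: it encodes and decodes the 8-byte 32-bit call-gate descriptor as laid out in the Intel manual the post cites, applies the CPL <= DPL check, and scans a GDT image for present call gates callable from ring 3. The offsets, selectors and the `SAMPLE_GDT` image are constructed, and the assumption that a stock Windows GDT contains no call gates at all is this example's, not the post's.

```python
import struct

# Type field of a 32-bit call gate (Intel SDM Vol. 3A, system-segment types).
CALL_GATE_32 = 0xC


def encode_call_gate(offset: int, selector: int, dpl: int, param_count: int = 0) -> bytes:
    """8-byte 32-bit call-gate descriptor: offset[15:0], selector, param count,
    P/DPL/S=0/type, offset[31:16] (little-endian, as it sits in the GDT)."""
    assert 0 <= dpl <= 3 and 0 <= param_count <= 31
    byte4 = param_count & 0x1F                  # bits 0-4: parameter count
    byte5 = 0x80 | (dpl << 5) | CALL_GATE_32    # P=1, DPL, S=0 (system), type
    return struct.pack("<HHBBH", offset & 0xFFFF, selector, byte4, byte5, offset >> 16)


def decode_gate(desc: bytes) -> dict:
    """Pull the fields back out of any 8-byte descriptor (gate or segment)."""
    off_lo, selector, byte4, byte5, off_hi = struct.unpack("<HHBBH", desc)
    return {
        "present": bool(byte5 & 0x80),
        "dpl": (byte5 >> 5) & 3,
        "system": not (byte5 & 0x10),           # S=0 means system descriptor
        "type": byte5 & 0xF,
        "selector": selector,
        "param_count": byte4 & 0x1F,
        "offset": (off_hi << 16) | off_lo,
    }


def ring_can_call(desc: bytes, cpl: int) -> bool:
    """Privilege check for a far call through a gate: CPL <= gate DPL, and the
    descriptor must be a present call gate in the first place."""
    g = decode_gate(desc)
    return g["present"] and g["system"] and g["type"] == CALL_GATE_32 and cpl <= g["dpl"]


def user_callable_gates(gdt: bytes) -> list:
    """(index, fields) for every present call gate with DPL 3 in a GDT image.
    Assumption made here: a stock Windows GDT has no call gates, so any hit
    is worth a look."""
    return [(i, decode_gate(gdt[i * 8:(i + 1) * 8]))
            for i in range(len(gdt) // 8)
            if ring_can_call(gdt[i * 8:(i + 1) * 8], 3)]


# Constructed GDT image: null, flat ring-0 code/data, flat ring-3 code/data,
# then a planted DPL-3 gate into a made-up kernel address via selector 0x08.
SAMPLE_GDT = (
    bytes(8)
    + bytes.fromhex("FFFF0000009ACF00")   # ring-0 code, base 0, limit 4 GiB
    + bytes.fromhex("FFFF00000092CF00")   # ring-0 data
    + bytes.fromhex("FFFF000000FACF00")   # ring-3 code
    + bytes.fromhex("FFFF000000F2CF00")   # ring-3 data
    + encode_call_gate(0x80401000, 0x08, dpl=3)
)

if __name__ == "__main__":
    for idx, g in user_callable_gates(SAMPLE_GDT):
        print(f"GDT[{idx}] call gate -> {g['selector']:#06x}:{g['offset']:#010x}, DPL {g['dpl']}")
```

Two things the walk shows that the prose only states: the gate's own DPL, not the target segment's, is what the privilege check reads, so the kernel code segment's DPL 0 does nothing to stop the call; and because the descriptor holds only a selector and an offset, the code that runs at ring 0 can be anywhere that selector reaches, including the worm's own user-mode image, which is exactly what the post describes.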

Security Response has published a removal tool to clean infections of W32.Antinny, Trojan.Sientok and Trojan.Exponny.

Version 1.1.2 of the tool can be obtained by visiting http://securityresponse.symantec.com/avcenter/venc/data/w32.antinny.removal.tool.html

This tool is designed to remove infections of the following threats:

 

RealPlayer (et al) vulnerabilities & Joomla/Mambo Worm (NEW)

Published: 2006-03-23,
Last Updated: 2006-03-23 13:14:13 UTC by John Bambenek (Version: 1)

There are three vulnerabilities in RealPlayer and associated products that allow remote code execution, and patches have been released to remediate the problems.  The vulnerabilities are boundary errors caused by certain SWF, MBC or specially crafted webpages that can lead to buffer overflows.  The latest version of RealPlayer is not affected and users should upgrade immediately.  The advisory can be read here with iDefense's original report being here. The matrix of vulnerable products can be seen here.  While exploiting these bugs would still require some social engineering to get people to look at a malicious file, it is still recommended users run the latest version because we all know how popular watching clips on the web is (I like the VW "unpimp my ride" commercials, personally).

A reader wrote in reporting a worm spreading through the latest Mambo/Joomla exploits and establishing an IRC connection.  When I looked it appeared the botnet was already down but it is trivial to modify the shellbot code and regenerate the botnet.  Joomla 1.0.8 was released Feb 26th and had 37 (wow) security fixes, so if you aren't running 1.0.8, you have been warned.  It doesn't appear that any new vulnerabilities have been discovered since the release.

--
John Bambenek
bambenek -at- gmail -dot- com

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Veritas pulls (some) patches for Backup Exec (NEW)

Published: 2006-03-22,
Last Updated: 2006-03-22 02:06:04 UTC by Bojan Zdrnja (Version: 1)

Symantec yesterday released two new security advisories about vulnerabilities in Veritas Backup Exec.

The first vulnerability, described in SYM06-004, allows a malicious user to crash the Backup Exec Remote Agent by sending a specially malformed packet.
This leads to a DoS attack on the service, but considering that this is typically used for backups of critical data, the severity could be pretty high (it's easy to imagine a scenario when you need business critical data that was supposed to be backed up yesterday, but it wasn't due to the Backup Exec crashing).
In normal circumstances we would say to update as soon as possible, but it looks like there are some issues with some of the patches (we got a submission from one of our readers, thanks Charles). Symantec also pulled patches for Backup Exec 10d (10.1) and 10.0 for Windows Servers - the original advisory available at http://seer.support.veritas.com/docs/282255.htm says that the hotfix has temporarily been removed and will be re-released later.

The other advisory (SYM06-005) is related to a low risk vulnerability in the Job Engine service. This vulnerability can be exploited only in certain circumstances ("full details" logging has to be enabled, and a user has to host a specially formatted file on their system). Details about this vulnerability can be found at http://seer.support.veritas.com/docs/282254.htm.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

I just can't believe this. You would think after 9/11 the FBI would have all the funding it needs. 

Oh, silly me, I forgot we are spreading freedom overseas instead…

Any of you FBI guys out there need free e-mail? I have a bunch of Gmail invites to give away.  Just drop me a line.

FBI, you've got mail -- NOT!

FBI official says budget doesn't cover accounts for all agents

NEW YORK (AP) -- Budget constraints are forcing some FBI agents to operate without e-mail accounts, according to the agency's top official in New York.

"As ridiculous as this might sound, we have real money issues right now, and the government is reluctant to give all agents and analysts dot-gov accounts," Mark Mershon said when asked about the gap at a New York Daily News editorial board meeting.

"We just don't have the money, and that is an endless stream of complaints that come from the field," he said.

FBI officials in Washington denied that cost-cutting was putting agents at a disadvantage.

Spokeswoman Cathy Milhoan said e-mail addresses are still being assigned, adding that the city bureau's 2,000 employees would all have accounts by the end of the year.

Mershon, the assistant director in charge of the agency's New York City office, also said that 100 city agents have been given Internet-ready phones such as BlackBerry devices.

Christine Monaco, a spokeswoman for the FBI in New York, said Monday that all FBI agents can communicate with each other via a secure internal e-mail system, and about 75 percent of the New York office's employees have outside e-mail accounts.

"The outside e-mail accounts have to be separately funded," she said.

Senator Charles Schumer called for better access to technology for agents.

"The FBI should have the tools it needs to fight terrorism and crime in the 21st century, most of all in New York City, and one of the most effective means of communications is e-mail and the Internet," he said.

"FBI agents not having e-mail or Internet access is much too much a pre-9/11 mentality."

CNN.com - FBI, you've got mail -- NOT! - Mar 21, 2006.

No info as of yet:

This CME identifier has just been assigned and we are in the process of collecting information for a description of the threat and any aliases. It will be updated as soon as possible. 2006-03-20

http://cme.mitre.org/data/list.html


Malware sample submissions to Microsoft (NEW)

Published: 2006-03-20,
Last Updated: 2006-03-21 02:35:11 UTC by William Salusky (Version: 1)

I wish I could remember the original source, but I was reminded again today that Microsoft is accepting malware samples via two distinct email aliases.  (Since writing this Silverstr's blog at http://silverstr.ufies.org/blog/ was pointed out to me)

If you encounter some nastiness that you'd like to see Microsoft include in their monthly MRT updates, send email to the following Microsoft email addresses, depending on sample type. *Correction*: please use the AV industry standard password for malware samples, 'infected', to protect a zip or rar file containing your submitted sample.

avsubmit@submit.microsoft.com with Virus/Worm/Trojan/Bot samples.
windefend@submit.microsoft.com with Spyware samples.

William Salusky
Handler on duty ;)

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

********************************************************************

Title: Microsoft Security Bulletin Minor Revisions

Issued: March 17, 2006

********************************************************************

Summary

=======

The following bulletins have undergone a minor revision increment.

Please see the appropriate bulletin for more details.

* MS06-012
* MS06-011
* MS06-007

Bulletin Information:

=====================

* MS06-012

- http://www.microsoft.com/technet/security/bulletin/ms06-012.mspx

- Reason for Revision: Bulletin revised: Removed MS05-012 and MS06-010 from "What updates does this release replace?" in the "Frequently asked questions (FAQ) related to this security update" section. Updated the "Mitigations and Work Around" section for all vulnerabilities to provide additional clarity around Office 2000; in addition, updated the "Acknowledgments" section for CVE-2006-0028.

- Originally posted: March 14, 2006

- Updated: March 17, 2006

- Bulletin Severity Rating: Critical

- Version: 1.2

* MS06-011

- http://www.microsoft.com/technet/security/bulletin/ms06-011.mspx

- Reason for Revision: Bulletin Revised: For Windows Server 2003 the File verification section updated to reflect the appropriate registry key for file detection

- Originally posted: March 14, 2006

- Updated: March 17, 2006

- Bulletin Severity Rating: Important

- Version: 1.1

* MS06-007

- http://www.microsoft.com/technet/security/bulletin/ms06-007.mspx

- Reason for Revision: Bulletin Revision: Executive Summary Section updated to reflect that this security update does not supersede Microsoft Security update MS05-019 on Windows Server 2003 Service Pack 1

- Originally posted: February 14, 2006

- Updated: March 17, 2006

- Bulletin Severity Rating: Important

- Version: 1.2

********************************************************************

This is a bad thing??  

Symantec update blocks access to AOL

Published: 2006-03-18,
Last Updated: 2006-03-18 07:35:12 UTC by Koon Tan (Version: 1)

A reader has reported to us that he is unable to access AOL and wondered why AOL blamed Symantec after he called AOL. If you are not able to connect to AOL after running Symantec LiveUpdate, it could be caused by one of Symantec's intrusion detection signatures that was included in the March 15 LiveUpdate.

Apparently, the update incorrectly detected part of the AOL connection as a potential risk and resulted in blocking access to AOL servers. Symantec has corrected the problem with a new update. If you have this problem, you may want to check out the details at Symantec's website.

Thanks to Johannes for checking this out.

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.

Just about missed this one.

I haven't seen Symantec's description yet, but I have found one for McAfee and Trend Micro.  Be on guard everyone.


New IE 0-Day Exploit in Wild

Published: 2006-03-17,
Last Updated: 2006-03-17 22:13:17 UTC by John Bambenek (Version: 1)

There is a new and unpatched vulnerability with exploit code in the wild that affects the latest version of IE.  The exploit works by including an abnormally large (a couple thousand) number of script actions inside a single HTML tag.  This will cause a memory array to write out of bounds and cause an immediate or eventual browser crash.  Both McAfee and Symantec have released signatures to detect this exploit.  While this is only a DoS vulnerability at the moment, there are ongoing attempts to try to use this as a vector for remote code execution.

More as it develops...

SANS - Internet Storm Center - Cooperative Cyber Threat Monitor And Alert System.
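The McAfee and Symantec signatures mentioned in the diary above can be approximated on the defender's side with a purely structural check: count the `on*` event-handler attributes on every element of a page and flag any single element that carries an implausible number of them, which is the shape the diary describes. The Python below is an added example written for this post, not code from the ISC diary or from either vendor; the threshold of 200 handlers per element and the two sample documents are constructed assumptions, and a real deployment would tune the threshold against the traffic it sees.

```python
from html.parser import HTMLParser
from typing import List, Tuple

# Assumption: more event handlers than this on ONE element is treated as suspicious.
# Ordinary markup carries a handful per element; the diary describes thousands.
MAX_HANDLERS_PER_TAG = 200


def _is_event_handler(attr_name: str) -> bool:
    """Inline script actions are the on* attributes (onclick, onload, onerror, ...)."""
    return attr_name.lower().startswith("on")


class _AttrCounter(HTMLParser):
    """Records (tag, total attributes, on* attributes) for every start tag.
    html.parser keeps duplicate attributes in the attrs list, so repeated
    handlers on one element are counted rather than collapsed."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: List[Tuple[str, int, int]] = []

    def handle_starttag(self, tag, attrs):
        handlers = sum(1 for name, _ in attrs if _is_event_handler(name))
        self.findings.append((tag, len(attrs), handlers))
    # Self-closing tags (<img ... />) reach handle_starttag via the default
    # handle_startendtag, so no extra hook is needed.


def scan_html(document: str, threshold: int = MAX_HANDLERS_PER_TAG) -> List[dict]:
    """Return one finding per element whose on* attribute count exceeds threshold."""
    parser = _AttrCounter()
    parser.feed(document)
    parser.close()
    return [
        {"tag": tag, "attributes": total, "handlers": handlers}
        for tag, total, handlers in parser.findings
        if handlers > threshold
    ]


# Constructed sample inputs (not real captured pages).
BENIGN_HTML = (
    '<html><body><a href="/x" onclick="track()">link</a>'
    '<img src="a.png" onerror="fallback()"></body></html>'
)
# One element carrying far more handlers than any legitimate page would.
SUSPICIOUS_HTML = (
    "<html><body><div "
    + " ".join('onmouseover="f()"' for _ in range(3000))
    + ">x</div></body></html>"
)

if __name__ == "__main__":
    for label, doc in (("benign", BENIGN_HTML), ("suspicious", SUSPICIOUS_HTML)):
        print(label, scan_html(doc))
```

The check is deliberately content-agnostic: it does not care what the handlers do, only how many sit on one element, so it keeps flagging the same family of pages after the handler names or bodies are changed. The price is a fixed threshold, which is why the function takes it as a parameter.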

Well, I am back to blogging about comic books again if anyone is interested; it's been quite a while.

Today's posts can be found here: http://www.mosby.org/longbox/?m=20060317