Microsoft Viruses - it's more than attachments, kids...
Posted: Sat Dec 01, 2001 11:36 am
'We are all in agreement that up to date virus scanners and definitions are an
unfortunate but necessary requirement for survival on the internet nowadays.
We also agree that one should not in general open attachments without a great
deal of caution and prior investigation.
What is less appreciated is that there are now worms and viruses capable of
infecting your Microsoft system by exploiting vulnerabilities in Explorer and
Outlook that CAN INFECT YOUR COMPUTER WITHOUT THE NEED FOR YOU TO OPEN AN
ATTACHMENT. The infamous Nimda worm used this route of attack. To quote from the
Symantec description of Nimda,
"When the worm arrives by email, the worm uses a MIME exploit allowing the virus
to be executed just by reading or previewing the file. Information and a patch
for this exploit can be found at
http://www.microsoft.com/technet/security/bulletin/MS01-020.asp"
For details on one such approach, see:
http://securityresponse.symantec.com/avcenter/sirc/incorrect.mime.header.vulnerability.html
An even uglier scenario allows an infected web server to serve you a worm thru
your web browser. Just clicking the wrong link on an infected page can infect a
vulnerable browser (i.e., Explorer).
There are two defenses against these new generation worms:
1) Avoid the often exploited and notoriously insecure products from Microsoft.
All these worms and viruses are not Internet viruses, they are Microsoft viruses.
Microsoft email and browser clients have so many hooks into the operating system
that a new door to infection seems to be discovered every day. They are also the
favorite target of worm and virus writers. Instead, use an email client such as
Eudora and a web browser such as Netscape, Opera, iCab etc. Or buy a Macintosh.
2) If you must use Microsoft clients, obtain the most current version and assure
that they are patched with the latest Microsoft security releases. This means
checking regularly for updates. Note that Microsoft has not committed to patching
older versions of its products. To quote Microsoft security bulletin MS01-055
(11/13/2001)
" Tested Versions: Microsoft tested Internet Explorer 5.5 and 6.0 to assess
whether they are affected by these vulnerabilities. Previous versions are no
longer supported, and may or may not be affected by these vulnerabilities."
see:
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-055.asp
Security patches are available from the Microsoft Download Center
http://www.microsoft.com/downloads/searchdl.asp?Search=Keyword&Value='security_patch'&OpSysID=1
and can be most easily found by doing a keyword search for "security_patch".
Patches for consumer platforms are available from the WindowsUpdate web site
http://windowsupdate.microsoft.com/R848/v31site/x86/w98/en/thanksstart.htm
Have fun!
-- Dan Casali
MacWizard
Box 1286 Ketchum, ID 83340
208.726.5120
[Non-text portions of this message have been removed]'
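
A defensive check for the incorrect MIME header condition the message refers to, as an added example that is not part of the original post: it flags message parts that declare a previewable media type while naming an executable file, the mismatch a mail gateway can reject before a client ever previews the message. The function name, extension list and sample message are constructed for illustration.

```python
import os
from email import message_from_string

# Extensions Windows runs directly (illustrative list, an assumption of this example).
EXECUTABLE_EXTS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs"}
# Media families a mail client may render or play while previewing a message.
AUTO_RENDERED = {"audio", "image", "video"}

def find_mime_mismatches(raw_message):
    """Return (filename, declared_type) for parts whose declared media type
    is previewable but whose filename carries an executable extension."""
    findings = []
    for part in message_from_string(raw_message).walk():
        if part.is_multipart():
            continue
        # get_filename() reads Content-Disposition first, then falls back to
        # the name= parameter of Content-Type.
        filename = (part.get_filename() or "").strip().rstrip(".")
        ext = os.path.splitext(filename.lower())[1]
        if ext in EXECUTABLE_EXTS and part.get_content_maintype() in AUTO_RENDERED:
            findings.append((filename, part.get_content_type()))
    return findings

# Constructed sample message; every body is a placeholder.
SAMPLE = """\
Subject: constructed test message
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="B1"

--B1
Content-Type: text/html

<html><body>hello</body></html>
--B1
Content-Type: audio/x-wav; name="readme.exe"

placeholder
--B1
Content-Type: audio/x-wav; name="chime.wav"

placeholder
--B1
Content-Type: application/octet-stream; name="setup.exe"

placeholder
--B1--
"""

if __name__ == "__main__":
    for name, ctype in find_mime_mismatches(SAMPLE):
        print(f"mismatch: {name!r} declared as {ctype}")
```

The honestly declared `setup.exe` part is not reported here; blocking executable attachments outright is a separate policy decision from detecting a header that misstates the content.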