Time to update Mozilla/Firefox/Thunderbird and Ethereal; also: sightings of infected IIS 6 servers.

Published: 2004-07-08
Last Updated: 2004-07-09 00:30:33 UTC
by Lenny Zeltser (Version: 1)
0 comment(s)
Time to update Mozilla/Firefox/Thunderbird and Ethereal; also: sightings of infected IIS 6 servers.

Mozilla and Firefox Update Fixes Vulnerability

It's time to update your browser, though this time the problem is not with Internet Explorer, but with Mozilla and Firefox running on Windows. As described in the eWeek article at
http://www.eweek.com/article2/0,1759,1621463,00.asp , a flaw in the way Mozilla and Firefox handled links containing the shell: suffix could allow a malicious web site to run arbitrary code on the visitor's system. We advise you to upgrade to Mozilla 1.7.1 or Firefox 0.9.2 to patch this vulnerability. Alternatively, you may install the patch from

For more information about this vulnerability and ways of addressing it, please see
. This URL also points out that Thunderbird, an email client that's part of the Mozilla suite, is vulnerable, and explains how you can address the Thunderbird vulnerability as well.

Ethereal Update Fixes Vulnerabilities

A recent upgrade to Ethereal, a popular network sniffer, resolves several published vulnerabilities. Since we haven't seen this mentioned on the usual forums, we thought we'd let you know about the update in this note. If you're running Ethereal versions 0.8.15 up to and including 0.10.4, you will probably want to upgrade to version 0.10.5. See
http://www.ethereal.com/appnotes/enpa-sa-00015.html for more details.

A Report Regarding Infected IIS 6 Servers

We received a report from Dan Hubbard, from Websense Inc., regarding 100 sites running IIS 6.0 that were compromised as part of a Scob/Download.Ject attack. (We mentioned this attack in the June 24th diary at
http://isc.sans.org/diary.php?date=2004-06-24 .) Although prior reports linked Scob/Download.Ject to a vulnerability in IIS 5, these 100 sites are running IIS 6. Mr. Hubbard's current assessment is that the systems were probably compromised when they ran IIS 5, and were not disinfected prior to an upgrade. We don't presently have any indications that this attack affects IIS 6 servers, but please let us know if you have witnessed IIS 6 server compromises related to Scob/Download.Ject infections.

Lenny Zeltser

Handler on Duty

0 comment(s)


Diary Archives