
SANS ISC: MSFT Patches / DrudgeReport headline - ...huge computer attack... SANS ISC InfoSec Forums

Note: I'm updating the current (2005-5-11) Diary. It'll be back in a bit -TL

MSFT Patches

We are waiting for the release of the MSFT Patches to post more details here. As already pointed out in the advance bulletin, we should expect 1 patch rated as Important.


MSFT Patches are out.

As described in the previous statement, there is 1 patch in this release.

This one is MS05-024, and it affects only Windows 2000 with SP3 and SP4.

Windows 98, 98SE or ME? Hummm, MSFT has a surprise for you... :) "Microsoft Windows 98, Microsoft Windows 98 Second Edition (SE), and Microsoft Windows Millennium Edition (ME) - Review the FAQ section of this bulletin for details about these operating systems." Which is: "Are Windows 98, Windows 98 Second Edition, or Windows Millennium Edition critically affected by one or more of the vulnerabilities that are addressed in this security bulletin?

No. Although Windows Millennium Edition does contain the affected component, the vulnerability is not critical." Patches for you, baby...

The MS05-024 bulletin refers to a "Vulnerability in Web View Could Allow Remote Code Execution (894320)".

Although it has an Impact of Remote Code Execution, it is rated as Important. In Microsoft's severity rating system, Critical is "A vulnerability whose exploitation could allow the propagation of an Internet worm without user action."

According to the advisory, there is a problem in the way Windows Explorer "handles certain HTML characters in preview fields." A typical attack scenario is in the workaround section: "In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to exploit this vulnerability." "attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's Web site. After they click the link, they would be prompted to perform an action. An attack could only occur after they performed these actions."

Our good reader Juha-Matti wrote that this Microsoft patch will fix the flaw, published only five months ago, at , discovered by Grey Magic Software with a Bugtraq ID 13248. Good Work!
#include <sarcasm.h>

The Malicious Software Removal Tool was also updated today. The URL to check it is at .

More information about MS05-024:

DrudgeReport Headline - "...huge computer attack..."

We are receiving a lot of questions regarding a headline posted at the . If you haven't read it yet, the headline is: "FEDS INVESTIGATE HUGE COMPUTER ATTACK; WORLDWIDE HUNT FOR 'STAKKATO'". The link actually points to a New York Times report.

Another link to the same story.

We are still trying to get more details to post here, but one thing that must be noted is that it is not only the Defense Department but also Cisco and a few others that are involved.


Handler on Duty: Pedro Bueno (pbueno/AT/

ISC Handler
May 11th 2005
