Threat Level: green Handler on Duty: Jim Clausing

SANS ISC: You never know...; Exploit for MS04-038 - Internet Security | DShield SANS ISC InfoSec Forums


Sign Up for Free!   Forgot Password?
Log In or Sign Up for Free!
You never know...; Exploit for MS04-038

You never know...




Sometimes you never quite know when something "little" will turn into something "big." We got an email earlier today from George (thanks again, George!) forwarding along a phishing "bait" email, asking customers of a certain online service to update their account info. Following the trail back lead us to a rather nicely done site, complete with the requisite "we need your credit card info" form.



A little research showed that the machine was likely compromised, and a little more research showed that the machine is actually a rather sensitive server. A few emails and a couple of phone calls and we've applied one more whack in the on-going game of whack-a-mole that we like to play with the phisherpholk. While the owners of the server weren't particularly happy that it got doinked, they're mighty happy that they were notified.



Here in ISC-land, we get many an email thanking us for the stuff we do. While we sincerely appreciate the kindness of those messages, we also know that the very first link in the chain that makes this site run is the people who care enough to take the time to not just hit the delete key when they see something like this going on. So, from all of us here, "thank you"... to George and all of the rest of you.



As for the pholks running the phishing scams... what sort of Dante-esqe "punishment-fitting-the-crime"-level-of-hell can we dream up for them?



Exploit for MS04-038 - CSS File Buffer Overflow




We've seen a recently released exploit for a buffer overflow in CSS parsing code under versions of IE (6.0 SP1 and earlier) that was patched in October of '04 in MS04-038. More information on the vulnerability can be found at:



http://cve.mitre.org/cgi-bin/cvename.cgi?name=2004-0842



(Ah... Nate wrote in to point out that the MS04-038 patch has been superceded by other patches, specifically MS05-008 and MS05-014. Thanks Nate!)



Even though we haven't been able to verify that the exploit works (grumble... I'm doing SOMETHING wrong...) we would recommend that if you're aren't currently patched... get patched.



---------------------------------------------------------------------

Handler on Duty: Tom Liston -
Tom

160 Posts
ISC Handler

Sign Up for Free or Log In to start participating in the conversation!