MS is supposed to include a patch in todays updates cycle, right? In the mean time I've advised everyon here to turn off preview, read mail as plain text if they can and avoid linking to sites found in search results...that is, stick to known reputable sites for a few days.
Also, they mention Outlook 2002 and later....we are all Outlook-2000 (for the moment). I wonder if it is not mentioned because it is no longer supported or if it makes a difference in the way it displays HTML. Any guesses on this?
-Todd C.
-----Original Message-----
From: vantage@yahoogroups.com [mailto:vantage@yahoogroups.com]On Behalf Of Mark Wonsil
Sent: Tuesday, April 03, 2007 11:10 AM
To: vantage@yahoogroups.com
Subject: [Vantage] Since we're on the A/V topic...
...that animated cursor exploit is nasty. Both Eset and TrendMicro claim to
handle the known exploits but warn that variations will surely be created and
that people should remain vigilant.
From: http://blogs. <http://blogs.zdnet.com/security/?p=143> zdnet.com/security/?p=143 (Website contains links)
...
This is a fast-moving story with multiple angles. Here are some important
things to pay attention to:
** eEye Digital Security, a research firm that found an almost identical bug
in 2005 (see MS05-002), is offering a free third-party patch. eEye's interim
patch comes with source code. This patch is buyer-beware so use at your own
risk.
** The only workaround guidance from Microsoft is to read e-mail messages in
plain text format if you are using Outlook 2002 or a later version, or Windows
Mail to help protect yourself from the HTML e-mail preview attack vector.
However, reading e-mail in plain text on Windows Vista Mail does not mitigate
attempts to exploit the vulnerability when Forwarding and Replying to mail
sent by an attacker.
** For Users of Outlook Express, using plain text is not an effective
mitigation and users should be extremely careful when reading mail from
untrusted or malicious sources.
** In addition to IE, e-mail is a nasty attack vector because an attack can be
launched silently if the target simply opens a specially crafted HTML message.
However, users of Outlook 2007 are at not at risk from the HTML or Preview
Pane attack vectors when using Word as their default editor or reading e-mail
in plain text. Users of Outlook 2002 (with Office XP Service Pack 1 or a later
version) and Outlook 2003 can enable the setting to read mail as plain text to
successfully mitigate against attacks using the HTML or Preview Pane attack
vectors.
** Mark Miller, director of the MSRC (Microsoft Security Response Center)
tells me the in-the-wild attacks are still "very limited and targeted" but
this could change quickly because exploit code that gives attackers a roadmap
to exploit the flaw is publicly available. If the attacks escalate, Microsoft
will consider an out-of-band emergency patch.
** This vulnerability does affect Windows Vista. However, Miller believes
there are several mitigations that will reduce the risk for Vista users. These
include Internet Explorer 7 in Protected Mode and UAC (User Account Control)
which gives the user a pop-up warning ahead of an exploit. This is the first
in-the-wild exploit that's available for Windows Vista.
** The SANS Internet Storm Center has published a list of hostile domains
hosting drive-by exploits.
** WebSense and others have found frightening similarities to the Super Bowl
Web site breach earlier this year. This highlights just how widespread this
could become if certain high-traffic sites or advertising networks are
hijacked and seeded with malicious code.
[Non-text portions of this message have been removed]
Also, they mention Outlook 2002 and later....we are all Outlook-2000 (for the moment). I wonder if it is not mentioned because it is no longer supported or if it makes a difference in the way it displays HTML. Any guesses on this?
-Todd C.
-----Original Message-----
From: vantage@yahoogroups.com [mailto:vantage@yahoogroups.com]On Behalf Of Mark Wonsil
Sent: Tuesday, April 03, 2007 11:10 AM
To: vantage@yahoogroups.com
Subject: [Vantage] Since we're on the A/V topic...
...that animated cursor exploit is nasty. Both Eset and TrendMicro claim to
handle the known exploits but warn that variations will surely be created and
that people should remain vigilant.
From: http://blogs. <http://blogs.zdnet.com/security/?p=143> zdnet.com/security/?p=143 (Website contains links)
...
This is a fast-moving story with multiple angles. Here are some important
things to pay attention to:
** eEye Digital Security, a research firm that found an almost identical bug
in 2005 (see MS05-002), is offering a free third-party patch. eEye's interim
patch comes with source code. This patch is buyer-beware so use at your own
risk.
** The only workaround guidance from Microsoft is to read e-mail messages in
plain text format if you are using Outlook 2002 or a later version, or Windows
Mail to help protect yourself from the HTML e-mail preview attack vector.
However, reading e-mail in plain text on Windows Vista Mail does not mitigate
attempts to exploit the vulnerability when Forwarding and Replying to mail
sent by an attacker.
** For Users of Outlook Express, using plain text is not an effective
mitigation and users should be extremely careful when reading mail from
untrusted or malicious sources.
** In addition to IE, e-mail is a nasty attack vector because an attack can be
launched silently if the target simply opens a specially crafted HTML message.
However, users of Outlook 2007 are at not at risk from the HTML or Preview
Pane attack vectors when using Word as their default editor or reading e-mail
in plain text. Users of Outlook 2002 (with Office XP Service Pack 1 or a later
version) and Outlook 2003 can enable the setting to read mail as plain text to
successfully mitigate against attacks using the HTML or Preview Pane attack
vectors.
** Mark Miller, director of the MSRC (Microsoft Security Response Center)
tells me the in-the-wild attacks are still "very limited and targeted" but
this could change quickly because exploit code that gives attackers a roadmap
to exploit the flaw is publicly available. If the attacks escalate, Microsoft
will consider an out-of-band emergency patch.
** This vulnerability does affect Windows Vista. However, Miller believes
there are several mitigations that will reduce the risk for Vista users. These
include Internet Explorer 7 in Protected Mode and UAC (User Account Control)
which gives the user a pop-up warning ahead of an exploit. This is the first
in-the-wild exploit that's available for Windows Vista.
** The SANS Internet Storm Center has published a list of hostile domains
hosting drive-by exploits.
** WebSense and others have found frightening similarities to the Super Bowl
Web site breach earlier this year. This highlights just how widespread this
could become if certain high-traffic sites or advertising networks are
hijacked and seeded with malicious code.
[Non-text portions of this message have been removed]