MSBlaster Worm Fails
by Arie Slob
Hello Windows users,
You have (or should have) heard about the MSBlaster worm by now. This worm took advantage of a buffer overrun in the RPC interface, which was fixed by Microsoft on July 16th, nearly a month before the worm first struck on August 11th.
I hope that this worm did not infect most Windows-Help.NET Newsletter subscribers. I have been trying to get people to realize that it takes more than just keeping your anti-virus tools up-to-date to stay safe on the Internet. Your first line of defense is to stay current on all Microsoft updates for your operating system!
It amazes me every time that worms taking advantage of Microsoft vulnerabilities can spread so quickly. According to Symantec, well over 350,000 computers were infected within a few days. This means that the people who got infected are the people who are online (nearly) every day, and I would have expected these people to be more savvy and aware of the dangers of the Internet by now. Let's face it, it's not really the first time something like this has happened now, is it?
I would expect some less experienced users to get infected on an ongoing basis, but I would have thought that regular Internet users were more educated by now... guess I was proven wrong again.
Despite the fact that Microsoft makes it easier than ever to get Windows updates onto your system using AutoUpdate and Windows Update, and their email service alerts you to vulnerabilities and their respective fixes, many users are still not paying attention, it seems.
Many of these users are those who are religious in getting their new anti-virus software definitions on a daily basis. But they are unfortunately forgetting that a virus first has to be discovered & analyzed before your AV software can implement detection for it.
If you check out the more "nasty" viruses listed on Symantec's Security Response Web site, you will see that, of the 6 viruses listed under "top virus threats", 5 use a vulnerability patched by Microsoft in the past.
So why did I give this article the title "MSBlaster Worm Fails"? Well, the main function of MSBlaster was a denial of service (DoS) attack on Microsoft's Windows Update Web site. But the worm was hard-wired to look for the address windowsupdate.com, which is an obsolete address Microsoft hasn't used in a long time. All current Microsoft operating systems are wired to use windowsupdate.microsoft.com as their Windows Update address. So Microsoft just removed windowsupdate.com from its DNS systems. Now when the worm asks for that address, it will just receive a "domain not found" message, and will not generate any further network traffic.
If you did get infected, I suggest you get your system cleaned out using Symantec's instructions, and let this be an eye-opener! The function of this worm was quite benign; it could have had much more serious repercussions. So get educated, and stay updated! Hackers and virus writers are writing new variations of the MSBlaster worm that will likely do more damage than the original version. You've been warned (again).
August 2003 Cumulative Patch for Internet Explorer
Microsoft issued a cumulative patch for Internet Explorer 5.01, 5.5, 6.0 that, when installed, eliminates all previously discussed security vulnerabilities. In addition, it eliminates two new vulnerabilities, the most serious of which could enable an attacker to run arbitrary code on a user's system.
Severity Rating: Critical
Affected Software Versions
- Microsoft Internet Explorer 5.01, 5.5, and 6.0
- Microsoft Internet Explorer 6.0 for Windows Server 2003
Unchecked Buffer in MDAC Function Could Enable System Compromise
A flaw exists in MDAC; the consequences of exploiting it could include creating, modifying, or deleting data on the system, or reconfiguring the system. This could also include reformatting the hard disk or running programs of the attacker's choice.
Severity Rating: Important
Affected Software Versions
- Microsoft Data Access Components 2.5, 2.6, and 2.7
Unchecked Buffer in DirectX Could Enable System Compromise
On August 20th, Microsoft answered calls from customers who requested that they support additional versions of DirectX that were not covered by the original (July 2003) patches.
Severity Rating: Critical
Recent Support BBS Postings
Can I download XP Updates to CD? - Windows XP
Adding Music To OE6 Outgoing Mail - IE/Outlook Express
Case Fan Recommendations? - Hardware
Denied Access to files, no Security Tab - Windows XP
Is SP1 Necessary? - Windows XP
Web Site Updates
These pages were added/updated in the past two weeks. Information on previously updated/added pages is available on the What's New? page for 1 month.
Added: Microsoft Releases Office 2003 To Manufacturing, Sets Pricing and Launch Date
Added: Microsoft Security: August 2003 Cumulative Patch for Internet Explorer
Added: Microsoft Security: Unchecked Buffer in MDAC Function Could Enable System Compromise
Added: MSBlaster Worm Fails To Bring Down Microsoft Windows Update Site
Updated: Internet Explorer 5: Security Patches
Latest Version of Sobig Worm Creating Havoc
The latest version of the Sobig worm (Sobig.F) appears to be one of the largest mass-mailing viruses to date, with E-mail filtering companies seeing millions of infected emails a day.
Sobig F has now been seen in 60 countries and currently seems to be most prevalent in the US.
The Sobig F virus has a built-in timer that will stop it working on 10 September 2003, at which time we most likely will see the arrival of Sobig G.
Unless clueless Internet users stop opening every email attachment they receive, there's little chance we will see the end of the Sobig worm any time soon.
Microsoft Releases Office 2003 To Manufacturing, Sets Pricing and Launch Date
This week Microsoft announced the completion of the core products in the new Microsoft® Office System and has released all products to manufacturing.
Windows Server 2003 Security Guide
The Windows Server 2003 Security Guide focuses on providing a set of easy to understand guidance, tools, and templates to help secure Windows Server 2003 in many environments. While the product is extremely secure from the default installation, there are a number of security options that can be further configured based on specific requirements. The guidance not only provides recommendations, but also the background information on the risk that the setting is used to mitigate as well as the impact to an environment when the option is configured.
Download [2.38 MB]
REMINDER: Windows-Help.NET Newsletter Summer Schedule
Currently running a summer schedule, I will publish the next newsletter on the 6th of September. I had planned a return to a weekly schedule after that issue, but a business trip will mean that I will extend the bi-weekly cycle. So after the September 6th issue, there will be a Newsletter on September 20th, with a return to the weekly schedule after the October 4th issue.
Windows 2000/XP: 100 Percent CPU Usage Occurs When You Print on an LPT Printer Port
When you print on an LPT printer port, 100 percent CPU usage occurs until the print job is completed. This slows down other programs until the print job is completed. In some cases, other programs may slow down enough that they seem completely unresponsive.
Microsoft Knowledge Base
MS03-026 Scanning Tool for Network Administrators
Microsoft has released a tool, KB823980scan.exe, that can be used to scan networks to identify host computers that do not have the 823980 Security Patch (MS03-026) installed.
Download [220 KB]