Microsoftheaded, hugely stupid
So, I am not really a "security minded person". Those people I usually simply bow to and hope that the patches come out fast enough that I can apply them and protect my system. But I do expect a certain amount of decorum in getting those patches. Usually it means going to some protected site and doing something reasonable.

A few minutes ago I get two email messages in rapid succession.

One has the subject line "Current Update", the other has a subject line "Current Microsoft Critical Upgrade". Both propose to fix "all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as three newly discovered vulnerabilities."

Both letters delivered the patches directly, via email. Neither letter described a way that I could tell if the patch had been tampered with, or even if the patch had actually come from Microsoft.

Each letter had a different file attached, with a different name. If they both fix "all known problems", why do I have two with different names, different lengths, etc.

Now, I have no real problem in believing that these patches really did come from Microsoft, which actually makes the problem worse instead of better.

Why would a major software company really believe that anyone who could say the word "secure" would apply this patch that came through the email this way? And if they believe that no real security person would, then why bother sending it? If they get Mom&Pop installing patches this way, what happens when the very first "spoofer" hits Mom&Pop with what looks like a patch from Microsoft?

It just makes Microsoft look even more clueless.

The really great part is that I don't have any Microsoft products anymore. I just stay on their mailing lists to see what other incredible things they do.

md
--
Jon "maddog" Hall
Executive Director           Linux(R) International
email: [EMAIL PROTECTED]     80 Amherst St.
Voice: +1.603.672.4557       Amherst, N.H. 03031-3032 U.S.A.
WWW: http://www.li.org

Board Member: Uniforum Association, USENIX Association

(R)Linux is a registered trademark of Linus Torvalds in several countries.
UNIX is a registered trademark of The Open Group in the US and other countries.

___
gnhlug-discuss mailing list
[EMAIL PROTECTED]
http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
Re: Microsoftheaded, hugely stupid
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

That was a Worm. The email looks very legitimate, just like it comes from MSFT, but the attachment is a virus. Fortunately, they do not affect Linux.

On Thu, 18 Sep 2003 16:10:53 -0400 Jon maddog Hall <[EMAIL PROTECTED]> wrote:

> So, I am not really a "security minded person". Those people I
> usually simply bow to and hope that the patches come out fast enough
> that I can apply them and protect my system. But I do expect a
> certain amount of decorum in getting those patches. Usually it means
> going to some protected site and doing something reasonable.
>
> A few minutes ago I get two email messages in rapid succession.
>
> One has the subject line "Current Update", the other has a subject
> line "Current Microsoft Critical Upgrade". Both propose to fix "all
> known security vulnerabilities affecting MS Internet Explorer, MS
> Outlook and MS Outlook Express as well as three newly discovered
> vulnerabilities."
>
> Both letters delivered the patches directly, via email. Neither
> letter described a way that I could tell if the patch had been
> tampered with, or even if the patch had actually come from Microsoft.
>
> Each letter had a different file attached, with a different name. If
> they both fix "all known problems", why do I have two with different
> names, different lengths, etc.
>
> Now, I have no real problem in believing that these patches really did
> come from Microsoft, which actually makes the problem worse instead of
> better.
>
> Why would a major software company really believe that anyone who
> could say the word "secure" would apply this patch that came through
> the email this way? And if they believe that no real security person
> would, then why bother sending it? If they get Mom&Pop installing
> patches this way, what happens when the very first "spoofer" hits
> Mom&Pop with what looks like a patch from Microsoft?
>
> It just makes Microsoft look even more clueless.
>
> The really great part is that I don't have any Microsoft products
> anymore. I just stay on their mailing lists to see what other
> incredible things they do.
>
> md
> --
> Jon "maddog" Hall
> Executive Director Linux(R) International
> email: [EMAIL PROTECTED] 80 Amherst St.
> Voice: +1.603.672.4557 Amherst, N.H. 03031-3032 U.S.A.
> WWW: http://www.li.org
>
> Board Member: Uniforum Association, USENIX Association
>
> (R)Linux is a registered trademark of Linus Torvalds in several
> countries. UNIX is a registered trademark of The Open Group in the US
> and other countries.
>
> ___
> gnhlug-discuss mailing list
> [EMAIL PROTECTED]
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
>

- --
Jerry Feldman <[EMAIL PROTECTED]>
Boston Linux and Unix user group
http://www.blu.org
PGP key id:C5061EA9
PGP Key fingerprint:053C 73EC 3AC1 5C44 3E14 9245 FB00 3ED5 C506 1EA9
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.2-rc1-SuSE (GNU/Linux)

iD8DBQE/ahPx+wA+1cUGHqkRAjDPAJ0SPLQlrHj9mFZYMMUY7m1kEuLPBgCcDEBf
J0w1ZtlQ30NcS3/RojWjSgo=
=GkJX
-----END PGP SIGNATURE-----
Re: Microsoftheaded, hugely stupid
Jon, you've obviously not seen all the warnings that let you know Microsoft does not send out updates via mail. E-mails purportedly coming from Microsoft containing patches are just hoaxes.
Re: Microsoftheaded, hugely stupid
>Now, I have no real problem in believing that these patches really did come
>from Microsoft, which actually makes the problem worse instead of better.

Please tell me your whole email was one big cynical joke, since those patches were indubitably fake. A number of viruses are spread this way - by purporting to be security upgrades for the very problems they exploit.

--
Morbus Iff ( i put the demon back in codemonkey )
Culture: http://www.disobey.com/ and http://www.gamegrene.com/
Buy My Book! http://amazon.com/exec/obidos/ASIN/0596004605/disobeycom
icq: 2927491 / aim: akaMorbus / yahoo: morbus_iff / jabber.org: morbus
Re: Microsoftheaded, hugely stupid
Jon maddog Hall <[EMAIL PROTECTED]> writes:

> Now, I have no real problem in believing that these patches really did come
> from Microsoft, which actually makes the problem worse instead of better.

Are you *sure* these messages came from Microsoft?

I get spam all the time from groups that claim to have patches for Microsoft products. IIRC, some of these even look like they're from Microsoft, but a few moments of investigation reveals that they're not.

So long as Microsoft provides a secure method of applying patches, one in which a user can ascertain whether the patch is authentic or not, they're not at fault here (well, except for the fact that there's a need to patch in the first place...).

Regards,

--kevin
--
Kevin D. Clark / Cetacean Networks / Portsmouth, N.H. (USA)
cetaceannetworks.com!kclark (GnuPG ID: B280F24E)
alumni.unh.edu!kdc
Re: Microsoftheaded, hugely stupid
Jon:

I (along with the rest of the list?) got the same thing. It's a virus. Well, I can't state that with 100% certitude, but certainly with 99.9%, as

a) MS -- even in all their stupidity -- NEVER sends out patches. Period.
b) The "From:" address is forged.

Bottom line: DON'T INSTALL IT!

$.02,

-Ken

> So, I am not really a "security minded person". Those people I usually
> simply bow to and hope that the patches come out fast enough that I can
> apply them and protect my system. But I do expect a certain amount of
> decorum in getting those patches. Usually it means going to some
> protected site and doing something reasonable.
>
> A few minutes ago I get two email messages in rapid succession.
>
> One has the subject line "Current Update", the other has a subject line
> "Current Microsoft Critical Upgrade". Both propose to fix "all known
> security vulnerabilities affecting MS Internet Explorer, MS Outlook and
> MS Outlook Express as well as three newly discovered vulnerabilities."
>
> Both letters delivered the patches directly, via email. Neither letter
> described a way that I could tell if the patch had been tampered with,
> or even if the patch had actually come from Microsoft.
>
> Each letter had a different file attached, with a different name. If
> they both fix "all known problems", why do I have two with different
> names, different lengths, etc.
>
> Now, I have no real problem in believing that these patches really did
> come from Microsoft, which actually makes the problem worse instead of
> better.
>
> Why would a major software company really believe that anyone who could
> say the word "secure" would apply this patch that came through the email
> this way? And if they believe that no real security person would, then
> why bother sending it? If they get Mom&Pop installing patches this way,
> what happens when the very first "spoofer" hits Mom&Pop with what looks
> like a patch from Microsoft?
>
> It just makes Microsoft look even more clueless.
>
> The really great part is that I don't have any Microsoft products
> anymore. I just stay on their mailing lists to see what other incredible
> things they do.
>
> md
> --
> Jon "maddog" Hall
> Executive Director Linux(R) International
> email: [EMAIL PROTECTED] 80 Amherst St.
> Voice: +1.603.672.4557 Amherst, N.H. 03031-3032 U.S.A.
> WWW: http://www.li.org
>
> Board Member: Uniforum Association, USENIX Association
>
> (R)Linux is a registered trademark of Linus Torvalds in several
> countries. UNIX is a registered trademark of The Open Group in the US
> and other countries.
>
> ___
> gnhlug-discuss mailing list
> [EMAIL PROTECTED]
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
Re: Microsoftheaded, hugely stupid
--- Jon maddog Hall <[EMAIL PROTECTED]> wrote:

> Why would a major software company really believe that anyone who could
> say the word "secure" would apply this patch that came through the email this
> way?

Empirical observations?

> If they get Mom&Pop installing patches this way, what happens
> when the very first "spoofer" hits Mom&Pop with what looks like a patch
> from Microsoft?

The same thing that happens with every other MS virus. Microsoft will issue another patch.

> It just makes Microsoft look even more clueless.

Yes, but to people like my folks, for example, Microsoft is just being nice by sending the patch direct instead of making them have to go download it. Granted, my folks are the type who will call me to tell me their "email is broken."

-Mike-

=====
"The power of accurate observation is commonly called cynicism by those who have not got it" -George Bernard Shaw
Re: Microsoftheaded, hugely stupid
[EMAIL PROTECTED] said:

> Please tell me your whole email was one big cynical joke, since those
> patches were indubitably fake. A number of viruses are spread this way
> - by purporting to be security upgrades for the very problems they
> exploit.

I am always cynical when it comes to Microsoft.

md
--
Jon "maddog" Hall
Executive Director           Linux(R) International
email: [EMAIL PROTECTED]     80 Amherst St.
Voice: +1.603.672.4557       Amherst, N.H. 03031-3032 U.S.A.
WWW: http://www.li.org

Board Member: Uniforum Association, USENIX Association

(R)Linux is a registered trademark of Linus Torvalds in several countries.
UNIX is a registered trademark of The Open Group in the US and other countries.
Re: Microsoftheaded, hugely stupid
Any chance you can send the headers of these emails to the list for us to take a look at?

On Thursday, September 18, 2003, at 04:10 PM, Jon maddog Hall wrote:

> So, I am not really a "security minded person". Those people I usually simply bow to and hope that the patches come out fast enough that I can apply them and protect my system. But I do expect a certain amount of decorum in getting those patches. Usually it means going to some protected site and doing something reasonable.
>
> A few minutes ago I get two email messages in rapid succession.
>
> One has the subject line "Current Update", the other has a subject line "Current Microsoft Critical Upgrade". Both propose to fix "all known security vulnerabilities affecting MS Internet Explorer, MS Outlook and MS Outlook Express as well as three newly discovered vulnerabilities."
>
> Both letters delivered the patches directly, via email. Neither letter described a way that I could tell if the patch had been tampered with, or even if the patch had actually come from Microsoft.
>
> Each letter had a different file attached, with a different name. If they both fix "all known problems", why do I have two with different names, different lengths, etc.
>
> Now, I have no real problem in believing that these patches really did come from Microsoft, which actually makes the problem worse instead of better.
>
> Why would a major software company really believe that anyone who could say the word "secure" would apply this patch that came through the email this way? And if they believe that no real security person would, then why bother sending it? If they get Mom&Pop installing patches this way, what happens when the very first "spoofer" hits Mom&Pop with what looks like a patch from Microsoft?
>
> It just makes Microsoft look even more clueless.
>
> The really great part is that I don't have any Microsoft products anymore. I just stay on their mailing lists to see what other incredible things they do.
>
> md
> --
> Jon "maddog" Hall
> Executive Director Linux(R) International
> email: [EMAIL PROTECTED] 80 Amherst St.
> Voice: +1.603.672.4557 Amherst, N.H. 03031-3032 U.S.A.
> WWW: http://www.li.org
>
> Board Member: Uniforum Association, USENIX Association
>
> (R)Linux is a registered trademark of Linus Torvalds in several countries. UNIX is a registered trademark of The Open Group in the US and other countries.
>
> ___
> gnhlug-discuss mailing list
> [EMAIL PROTECTED]
> http://mail.gnhlug.org/mailman/listinfo/gnhlug-discuss
Re: Microsoftheaded, hugely stupid
This is a new worm called Swen (similar to one from a year and a half ago called Gibe). Swen does a more authentic looking announcement. It appeared yesterday.

More information can be found at http://www.f-secure.com/v-descs/swen.shtml

--
Dan Jenkins ([EMAIL PROTECTED])
Rastech Inc., Bedford, NH, USA --- 1-603-624-7272
*** Technical Support for over a Quarter Century
Re: Microsoftheaded, hugely stupid
On Thu, 18 Sep 2003, at 4:10pm, [EMAIL PROTECTED] wrote:

> One has the subject line "Current Update", the other has a subject line
> "Current Microsoft Critical Upgrade".

As others have pointed out, Microsoft **NEVER** distributes patches via email.

http://www.microsoft.com/technet/security/news/patch_hoax.asp

Most likely, you have received a message sent by one of the many self-propagating worms out there. By making the payload appear to be a "security fix", naive users are more likely to run it, especially with all the press worms and viruses are getting today. Classic Trojan-horse gambit. It could also be a non-worm Trojan-horse, but I doubt it.

I like the joke that a worm could distribute itself as "NEVER_FUCKING_OPEN_THIS.EXE" and people would still open it up and run it, compromising their systems and spreading the worm. Ha ha. Only serious.

It is worth pointing out that Linux and Unix are just as vulnerable to this as MS-Windows. There is absolutely zero reason someone couldn't write a "fix-linux.sh" worm that mailed itself to people, telling them to run the important security update. Indeed, I'm rather surprised we haven't seen anything like this yet. But I'm sure it is only a matter of time until we do. Once enough naive users are running Linux, we will have most of the same security peoples Microsoft does.

--
Ben Scott <[EMAIL PROTECTED]>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |
Re: Microsoftheaded, hugely stupid - procmail recipe
Okay, I don't proclaim to be a procmail expert, so no laughing...

I put the following in the procmailrc on one of our mailservers just now:

    # Larger than 80K and one of the three reported subject variants:
    # file the message in a holding mbox for later review.
    :0:
    * > 80000
    * ^Subject:.*(Install this patch immediately|Current Microsoft Critical Upgrade|Current Update)
    /home/tmp/fakepatch

Basically, looking at all messages above 80K in size, and then looking for 1 of 3 subject variants reported so far, and then if it all matches pushing the message into a message file for later review.

I'd like to be able to see some of the bodies of the emails, in order to target the filter a little better.

Any comments/suggestions/etc welcome. If this rule works (the particular server it's on averages 1 message every 3 seconds) I'll push it out to the larger/busier servers that handle the customer accounts (above 10K mailboxes total).

I'm also working on a perl/cgi-based procmail manager (we have about a dozen email servers to maintain) that allows you to have 1 "master" procmail body that can be edited via html GUI and then sync'd to the remote boxes.

--
Brian <[EMAIL PROTECTED]>
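The size-plus-subject test from the recipe above, replayed in Python over constructed messages so its hits and misses can be checked before it goes onto a busy server. This is an added example, not part of the original post; the attachment-extension list, the "review" outcome and all sample messages are assumptions made for the illustration.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

# From the post: the 80K size floor and the three reported subject variants.
SIZE_FLOOR = 80_000
SUBJECT_RE = re.compile(
    r"Install this patch immediately"
    r"|Current Microsoft Critical Upgrade"
    r"|Current Update",
    re.IGNORECASE,  # procmail matches case-insensitively by default
)
# Assumption, not from the post: extensions counted as executable attachments.
EXECUTABLE_EXT = (".exe", ".com", ".scr", ".pif", ".bat")


def classify(raw: bytes) -> str:
    """Return 'quarantine', 'review' or 'deliver' for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    # policy.default decodes RFC 2047 encoded words before the regex sees them.
    subject_hit = bool(SUBJECT_RE.search(str(msg.get("Subject", ""))))
    size_hit = len(raw) > SIZE_FLOOR
    exe_hit = any(
        (part.get_filename() or "").lower().endswith(EXECUTABLE_EXT)
        for part in msg.walk()
    )
    if subject_hit and size_hit:
        return "quarantine"  # the recipe's own condition
    if subject_hit and exe_hit:
        return "review"  # subject matches, but the size test alone passes it
    return "deliver"


def build_sample(subject: str, attachment_size: int, filename: str = "") -> bytes:
    """Construct a test message; every value here is made up for the demo."""
    msg = EmailMessage()
    msg["From"] = "sender@example.com"
    msg["To"] = "user@example.org"
    msg["Subject"] = subject
    msg.set_content("Constructed body text.")
    if attachment_size:
        msg.add_attachment(b"\0" * attachment_size, maintype="application",
                           subtype="octet-stream", filename=filename)
    return msg.as_bytes()


if __name__ == "__main__":
    samples = [
        ("Current Microsoft Critical Upgrade", 90_000, "patch.exe"),
        ("Current Update", 1_000, "update.exe"),
        ("Current Update on the meeting room", 0, ""),
        ("Re: slides from last night", 90_000, "slides.pdf"),
    ]
    for subject, size, name in samples:
        print(f"{classify(build_sample(subject, size, name)):<10} {subject}")
```

Because "Current Update" is an ordinary phrase, a large legitimate message that happens to use it in the subject is quarantined as well, which is why the recipe files matches for review rather than discarding them.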
Re: Microsoftheaded, hugely stupid - procmail recipe
On Thu, 18 Sep 2003, Brian wrote:

> I'm also working on a perl/cgi-based procmail manager (we have about a
> dozen email servers to maintain) that allows you to have 1 "master"
> procmail body that can be edited via html GUI and then sync'd to the
> remote boxes.

If/when you do, do you think you might be able to share it here? I have users on my system who could really use procmail but don't have time to learn the syntax. (Most can't even figure out how to use a bash prompt...)

Thanks,
Brian

---
| [EMAIL PROTECTED]  Spam me and DIE! |
| http://www.datasquire.net           |
| Co-Founder & Co-Owner of            |
| Data Squire Internet Services       |
---
Re: Microsoftheaded, hugely stupid - procmail recipe
On Thu, 2003-09-18 at 22:29, Brian Chabot wrote:

> On Thu, 18 Sep 2003, Brian wrote:
>
> > I'm also working on a perl/cgi-based procmail manager (we have about a
> > dozen email servers to maintain) that allows you to have 1 "master"
> > procmail body that can be edited via html GUI and then sync'd to the
> > remote boxes.
>
> If/when you do, do you think you might be able to share it here? I have
> users on my system who could really use procmail but don't have time to
> learn the syntax. (Most can't even figure out how to use a bash
> prompt...)

Sure... In the meantime, check out the procmail module in Webmin, it can write basic procmail rules for you.

FWIW, I'm concentrating less on automagic writing, and more on keeping many systems in sync, but maybe I'll add in more "Wizard-like" (or actually, I prefer "Magical Elf" to "Wizard"...) capabilities to write rules.