My question is: is this legit? The attachment file is 9216309.exe. Just wondering if anyone else got one and it ran with no problems.
Microsoft Customer,
this is the latest version of security update, the "3 Mar 2002 Cumulative Patch" update which eliminates all known security vulnerabilities affecting Internet Explorer and MS Outlook/Express as well as six new vulnerabilities, and is discussed in Microsoft Security Bulletin MS02-005. Install now to
protect your computer from these vulnerabilities, the most serious of which could allow an attacker to run code on your computer.
Description of several well-know vulnerabilities:
- "Incorrect MIME Header Can Cause IE to Execute E-mail Attachment" vulnerability. If a malicious user sends an affected HTML e-mail or hosts an affected e-mail on a Web site, and a user opens the e-mail or visits the Web site, Internet Explorer automatically runs the executable on the user's computer.
- A vulnerability that could allow an unauthorized user to learn the location of cached content on your computer. This could enable the unauthorized user to launch compiled HTML Help (.chm) files that contain shortcuts to executables, thereby enabling the unauthorized user to run the executables
on your computer.
- A new variant of the "Frame Domain Verification" vulnerability could enable a malicious Web site operator to open two browser windows, one in the Web site's domain and the other on your local file system, and to pass information from your computer to the Web site.
- CLSID extension vulnerability. Attachments which end with a CLSID file extension do not show the actual full extension of the file when saved and viewed with Windows Explorer. This allows dangerous file types to look as though they are simple, harmless files - such as JPG or WAV files - that do not need to be blocked.
System requirements:
Versions of Windows no earlier than Windows 95.
This update applies to:
Versions of Internet Explorer no earlier than 4.01
Versions of MS Outlook no earlier than 8.00
Versions of MS Outlook Express no earlier than 4.01
How to install
Run attached file q216309.exe
How to use
You don't need to do anything after installing this item.
For more information about these issues, read Microsoft Security Bulletin MS02-005, or visit link below.
http://www.microsoft.com/windows/ie/dow ... efault.asp
If you have some questions about this article contact us at rdquest12@microsoft.com
Thank you for using Microsoft products.
With friendly greetings,
MS Internet Security Center.
----------------------------------------
----------------------------------------
Microsoft is registered trademark of Microsoft Corporation.
Windows and Outlook are trademarks of Microsoft Corporation
Anyone get a security warning email from MS?
- Executioner
- Life Member
- Posts: 10354
- Joined: Wed Nov 22, 2000 11:34 am
- Location: Woodland, CA USA
I received an email from Microsoft about security problems with IE. Here is the email:
- FlyingPenguin
- Flightless Bird
- Posts: 33162
- Joined: Wed Nov 22, 2000 11:13 am
- Location: Central Florida
- Contact:
They emailed YOU an attachment? Heck no it's not legit. MS would NEVER email you a patch.
Official Windows Updates are ONLY available from their website: http://windowsupdate.microsoft.com/
It's probably a virus. I'd be curious. Email it to me and I'll virus scan it. Might be something new.
Email link icon is below this message.
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez

- Executioner
- Life Member
- Posts: 10354
- Joined: Wed Nov 22, 2000 11:34 am
- Location: Woodland, CA USA
- FlyingPenguin
- Flightless Bird
- Posts: 33162
- Joined: Wed Nov 22, 2000 11:13 am
- Location: Central Florida
- Contact:
The information about the file is true - MS did just release a "Rollforward" security patch that has all the security patches in it up to January this year. That just appeared when you visit the Windows Update site if you haven't yet installed all of them.
No virus detected in the file you sent me (McAfee VScan & NAV 1 week old DAT files). Has all the right file info for an MS packaged installer, but that's easy enough to falsify.
Either it's a new virus that the AV apps can't detect yet, or the installer builds the virus (that would be sneaky) and so there are no code snippets for the VScan to pick up, or a gag. I'll try it on a testbed system.
I also emailed the return address for information.
I just can't imagine MS would email someone a patch.
If it's legit, it would be an ASININE thing for Microsoft to do. You NEVER want to encourage people to run unsolicited EXE attachments. That's just an invitation for disaster.
It's hard enough to keep my clients from running every damn "HAPPYFACE.EXE" attachment they get from a friend: "But it came from my brother Harry, so it has to be okay right?"
Sheesh...
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez

- FlyingPenguin
- Flightless Bird
- Posts: 33162
- Joined: Wed Nov 22, 2000 11:13 am
- Location: Central Florida
- Contact:
Okay, got this reply:
From: postmaster@microsoft.com <postmaster@microsoft.com>
This is an automatically generated Delivery Status Notification.
Delivery to the following recipients failed.
rdquest12@microsoft.com
That tells me it's bogus. Still, I'm curious what's in there.
-----------------------------
UPDATE:
It's a virus. VERY new (like a few days old). Here's the poop from McAfee's site:
http://vil.mcafee.com/dispVirus.asp?virus_k=99377
---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez

- EvilHorace
- Life Member
- Posts: 6611
- Joined: Wed Nov 22, 2000 7:14 am
- Location: Greenfield, WI
Pretty sneaky
...being that MS has indeed released a new security patch for Win2K today. The #s listed look like one that was released last month. I get their security update bulletins via e-mail as I signed up for it but as FP says, they never send patches directly but do link you to the latest bulletins which will then link to their update page where you can read more and DL the patch if need be.
It's a weird world where there's minds like that who enjoy causing problems w/o even seeing or knowing their victims.
- Executioner
- Life Member
- Posts: 10354
- Joined: Wed Nov 22, 2000 11:34 am
- Location: Woodland, CA USA
- FlyingPenguin
- Flightless Bird
- Posts: 33162
- Joined: Wed Nov 22, 2000 11:13 am
- Location: Central Florida
- Contact:
Hey Doc.... it's EXTREMELY sneaky - the EXE file has the correct icon and info properties for an MS installer package. On casual inspection it does look legit. Had me going for a couple of minutes, skeptic that I am.
Someone went through some extra trouble to carry the fraud a little farther than normal.
Fortunately it's a relatively low risk email worm and McAfee already has a beta DAT for it. Full DAT will be out next week.
The giveaway is that MS Installer packages NEVER have the name or version of the update that's archived inside the installer. When you check the properties of a real MS Installer package, you'll get the name of the installer program itself and its version number.
It'll never say "Security Patch Installer" because MS uses a general purpose installer app. It'll say "Microsoft Installer" or something generic like that.
This is what the virus looks like:

---
“The Government of Spain will not applaud those who set the world on fire just because they show up with a bucket.” - Prime Minister of Spain, Pedro Sánchez
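
An added example, not part of the original posts: the scanners in the thread found nothing because the worm was only days old, so a check that does not depend on signatures is the more dependable control. This Python sketch flags any attachment with an executable extension or an MZ header, whatever MIME type it declares; the recipient, subject, extension list and stub payload are constructed for illustration.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Extensions Windows runs or script-hosts on double-click (illustrative, not exhaustive).
RISKY_EXTS = {".exe", ".scr", ".pif", ".com", ".bat", ".cmd", ".vbs", ".js", ".chm"}


def build_sample(filename, maintype, subtype, payload):
    """Constructed test message loosely modelled on the e-mail quoted in the thread."""
    msg = EmailMessage()
    msg["From"] = "MS Internet Security Center <rdquest12@microsoft.com>"
    msg["To"] = "user@example.com"              # constructed recipient
    msg["Subject"] = "Internet Security Update"  # constructed subject
    msg.set_content("Run attached file to install the update.")
    msg.add_attachment(payload, maintype=maintype, subtype=subtype, filename=filename)
    return msg.as_bytes()


def triage(raw):
    """Return {filename: [reasons]} for attachments that should be quarantined."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = {}
    for part in msg.iter_attachments():
        name = part.get_filename() or "(unnamed)"
        data = part.get_payload(decode=True) or b""
        reasons = []
        if os.path.splitext(name.lower())[1] in RISKY_EXTS:
            reasons.append("executable extension")
        # DOS/PE executables start with "MZ" regardless of name or declared type.
        if data[:2] == b"MZ":
            reasons.append("MZ executable header")
            if part.get_content_maintype() != "application":
                reasons.append("declared as %s" % part.get_content_type())
        if reasons:
            findings[name] = reasons
    return findings


if __name__ == "__main__":
    fake_pe = b"MZ" + b"\x00" * 62  # constructed stub, not a real program
    samples = [("q216309.exe", "application", "octet-stream", fake_pe),
               ("photo.jpg", "image", "jpeg", fake_pe),
               ("notes.txt", "text", "plain", b"hello")]
    for sample in samples:
        print(sample[0], triage(build_sample(*sample)))
```
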
