Erik,

Actually, that's not what I said.  Technically, I do see that I added some
unrelated information that could confuse you.  Let me attempt to clarify.
These four security bulletins came out this month, detailing vulnerabilities
in the MS Office Suite:

http://www.microsoft.com/technet/security/bulletin/MS03-038.asp
MS03-038 : Unchecked buffer in Microsoft Access Snapshot Viewer Could Allow
Code Execution (827104)

http://www.microsoft.com/technet/security/bulletin/MS03-037.asp
MS03-037 : Flaw in Visual Basic for Applications Could Allow Arbitrary Code
execution (822715)

http://www.microsoft.com/technet/security/bulletin/MS03-036.asp
MS03-036 : Buffer Overrun in WordPerfect Converter Could Allow Code
Execution (827103)

http://www.microsoft.com/technet/security/bulletin/MS03-035.asp
MS03-035 : Flaw in Microsoft Word Could Enable Macros to Run Automatically
(827653)

We have been blocking almost the entire "Martin Blackstone Danger List" of
attachment types for quite a while.  But, because of the four
vulnerabilities listed above, we are taking the additional measure of
diverting all MS Office document types and testing them, prior to delivery
to the end user until such time as we get all our servers and workstations
patched.  Thankfully, we have an excellent SMS system setup that is doing
this for us on an automated basis.

Since all this was already going on and on a completely unrelated note, I
added the .txt extension type to our external block list, as it is one
additional attack vector that the [EMAIL PROTECTED] virus uses to propagate.  Since
our users were already being slightly inconvenienced and we have the support
of everyone involved, why not make sure we were completely covered?

The fix provided by the patch below supersedes the one included in Microsoft
Security Bulletin MS03-026 and includes the fix for the security
vulnerability discussed in MS03-026, as well as 3 newly discovered
vulnerabilities (came out yesterday).

http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
MS03-039 : Buffer Overrun In RPCSS Service Could Allow Code Execution
(824146)

-----Original Message-----
From: Erik L. Vesneski [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 11, 2003 9:12 AM
To: Exchange Discussions
Subject: RE: The New MS Word / VBA vulnerability in Attachments


Hi,

So, the virus taking advantage of this MS Word/VB vulnerability is
[EMAIL PROTECTED]

Also, are you simply blocking *.txt extensions in your Exchange AV or some
other file formats?

We were talking about this in our security meeting yesterday; however, this is
the first I have heard of an exploit....


Thanks in advance,

Erik L. Vesneski
WCDC Intel Lead/Systems Consultant
ISO - Intel Systems 
Ph#: 925-658-6161
www.pmigroup.com
mailto:[EMAIL PROTECTED] 

-----Original Message-----
From: Bendall, Paul [mailto:[EMAIL PROTECTED] 
Sent: Thursday, September 11, 2003 7:29 AM
To: Exchange Discussions
Subject: RE: The New MS Word / VBA vulnerability in Attachments


Excuse my ignorance, what is the vulnerability? Do you have a Q article or
security update number from MS? When was the vulnerability reported?

TIA,

Paul

-----Original Message-----
From: Blunt, James H (Jim) [mailto:[EMAIL PROTECTED]
Sent: 11 September 2003 15:24
To: Exchange Discussions
Subject: RE: The New MS Word / VBA vulnerability in Attachments


We instituted the same policy yesterday.  We started diverting all office
format documents as well as .txt files (we had seven instances of
[EMAIL PROTECTED] make it all the way to the mail server, where the AV picked
it, because the attachment was disguised as a .txt file.) for testing.  We
told the users it may delay the delivery of an e-mail up to an hour...no
complaints, and we have the backing of the computer security person, the CIO
and the president of the company.

-----Original Message-----
From: Michael Henry [mailto:[EMAIL PROTECTED] 
Sent: Wednesday, September 10, 2003 1:54 PM
To: Exchange Discussions
Subject: The New MS Word / VBA vulnerability in Attachments


After reading the announcement concerning the vulnerability in MS Word /
VBA, I began to think proactively about the impact.

I started filtering .doc and checking them myself before forwarding them on.
And sent out a notice to that effect.  I do about 20 or so of these daily.

Well, I was reluctantly supported by my manager.  And now I am getting
negative feedback because of the impact it's having.  No 'real' complaints
about delayed delivery.

The social engineering is practically perfect on this.  The virus, on first
pass, simply looks up every e-mail with a .doc, infects it and re-sends it
with "UPDATED" added to the subject line.  Then it e-mails others with "I
forgot to send this."  So the sender is known by the recipient on this one.


Please let me ask you, especially if the VBA is polymorphic/self modifying,
what are the chances, that if it got through the AV on your server, that
your user would open this e-mail?

As time goes by, the caliber and sophistication of viruses are getting
better and not worse.

Now, I hope that the payload does not turn bad on this one.  Like the virus
detects that it has sent to everyone that it could, then starts deleting
files.

Until the first virus hits, and its variants, am I being cautious, and
therefore should keep the filter on?  Or am I overreacting, and need to
turn off the filter?

Your opinion is requested.

Regards,  
Michael Henry
The one responsible either way it goes.
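
The attachment handling discussed in this thread (diverting Office formats and .txt files, and the case of an attachment disguised as a .txt file), sketched as an added example that is not part of any poster's message or of any product mentioned. The extension lists, function names and the sample message are assumptions constructed for illustration; the classifier checks leading content bytes before trusting the file name.

```python
import os
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed lists for illustration; the thread does not enumerate its own.
OFFICE_EXT = {".doc", ".dot", ".xls", ".ppt", ".mdb", ".snp", ".wpd"}
DIVERT_EXT = OFFICE_EXT | {".txt"}
OLE2_MAGIC = bytes.fromhex("d0cf11e0a1b11ae1")  # legacy Office container header
MZ_MAGIC = b"MZ"  # DOS/PE executable header

def classify(filename, payload):
    """Return (action, reason) for one decoded attachment."""
    name = (filename or "").strip().rstrip(". ").lower()
    ext = os.path.splitext(name)[1]
    # Content checks run first so a renamed file cannot pick its own rule.
    if payload.startswith(MZ_MAGIC):
        return "block", "executable content named " + (ext or "(none)")
    if payload.startswith(OLE2_MAGIC) and ext not in OFFICE_EXT:
        return "divert", "Office content named " + (ext or "(none)")
    if ext in DIVERT_EXT:
        return "divert", "extension held for testing"
    return "deliver", "no rule matched"

def scan(raw):
    """Parse a raw RFC 5322 message; return [(filename, action), ...]."""
    msg = message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        data = part.get_payload(decode=True) or b""
        results.append((part.get_filename(), classify(part.get_filename(), data)[0]))
    return results

def build_sample():
    """Constructed test message; payloads are header bytes plus padding only."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body text")
    samples = [("readme.txt", MZ_MAGIC + bytes(32)),
               ("budget.txt", OLE2_MAGIC + bytes(32)),
               ("report.doc", OLE2_MAGIC + bytes(32)),
               ("notes.txt", b"plain text\n"),
               ("photo.jpg", b"\xff\xd8\xff\xe0" + bytes(32))]
    for fname, data in samples:
        msg.add_attachment(data, maintype="application",
                           subtype="octet-stream", filename=fname)
    return msg.as_bytes()
```

A two-byte `MZ` check will also catch a genuine text file that happens to start with those letters; under this policy that costs little, since .txt is held for testing anyway.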





_________________________________________________________________
List posting FAQ:       http://www.swinc.com/resource/exch_faq.htm
Web Interface:
http://intm-dl.sparklist.com/cgi-bin/lyris.pl?enter=exchange&text_mode=&lang=english
To unsubscribe:         mailto:[EMAIL PROTECTED]
Exchange List admin:    [EMAIL PROTECTED]
