Friday, June 29, 2007
MS07-0056 and Chutzpah
For those of you that know what chutzpah is...scroll down a bit.
For those of you that don't know this beautiful Yiddish term, it is broadly defined as "insolence," "audacity," and "impertinence". But as with all Yiddish terms, the meaning is deeper than just that. It is someone who does something so bad and with so much courage that you hate him for what he's done but admire the fact he had the guts to do it.
My best version of chutzpah is the thief that stole a whole bunch of clothes from a department store and the next day tried to exchange the ones that didn't fit.
If you are a security expert or just someone that patches regularly (which you SHOULD be doing!) you may recognise that MS07-0056 looks very similar to a Microsoft Advisory number. Almost, but not quite. Microsoft advisory numbers are MS, the two-digit year, a dash and a three-digit number.
MS07-0056 is a fake version of an email advisory from Microsoft, complete with their logo and a formal-looking, no-nonsense, go-patch-now look. The email is very cleverly crafted and has a link at the bottom to a fake patch, which is really malware.
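The format check described above, as an added example that is not part of the original post: a short Python function that pulls bulletin-style identifiers out of a message and reports which ones break the "MS, two-digit year, dash, three-digit number" pattern. The sample message and the function names are constructed for illustration.

```python
import re

# Anything trying to look like an advisory number: "MS", digits, dash, digits.
# Matching is case-insensitive so oddly-cased copies are still picked up.
CANDIDATE = re.compile(r"\b(MS)(\d+)-(\d+)\b", re.IGNORECASE)


def check_bulletin_ids(text):
    """Return [(identifier, [problems])] for each advisory-like token in text."""
    findings = []
    for match in CANDIDATE.finditer(text):
        _prefix, year, number = match.groups()
        problems = []
        # Format as described in the post: two-digit year, three-digit number.
        if len(year) != 2:
            problems.append(f"year has {len(year)} digits, expected 2")
        if len(number) != 3:
            problems.append(f"number has {len(number)} digits, expected 3")
        findings.append((match.group(0), problems))
    return findings


def suspicious_ids(text):
    """Identifiers that break the format and deserve a closer look."""
    return [ident for ident, problems in check_bulletin_ids(text) if problems]


# Constructed sample message body (not a real e-mail). MS07-123 is a
# constructed well-formed identifier used only to show the passing case.
SAMPLE = """\
Subject: Security Update MS07-0056
Install the patch for Ms07-0056 from the link below.
This supersedes MS07-123.
"""

if __name__ == "__main__":
    for ident, problems in check_bulletin_ids(SAMPLE):
        print(ident, "->", "; ".join(problems) or "well-formed")
```

A well-formed identifier says nothing about whether the message is genuine; the check only catches the malformed case described here.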
While phishing is not new and fake emails telling one to download stuff is not new, the fact that patch notifications are being used to distribute malware is just way over the line of what is bad and what is total chutzpah.
While we are on the topic... you are still reading, right?... I want to throw in some other examples of chutzpah: fake antivirus and spyware checkers, or even real ones that are themselves spyware.
We, as security professionals, drone on and on and on about people patching, installing anti-spyware and antivirus tools and using them and keeping them up to date. And along comes the enemy and attacks us and at the same time sows doubt in our defenses.
The rule is still the same though... treat every link in every email as suspect.
And keep your antivirus up-to-date!