SecurityFocus BUGTRAQ Mailing List: BugTraqLink Number One Link Number One Link Number Two Link Number Two Link Number One Link Number One Link Number Two Link Number Two Entire Site Advisories Calendar Columnists Elsewhere Guest Feature Infocus Library Links Mailing Lists (all) -- BUGTRAQ -- FOCUS-IDS -- FOCUS-IH -- FOCUS-LINUX -- FOCUS-MS -- FOCUS-SUN -- FOCUS-VIRUS -- FORENSICS -- INCIDENTS -- PEN-TEST -- SEC JOBS -- SF NEWS -- VULN-DEV News Products Services Tools Vulns BUGTRAQ ARCHIVE [ Message Index ] [ Thread Index ][ Reply ] [ prev Msg by Date ][ next Msg by Date ] To: BugTraq Subject: Outlook security updates not stopping Swen Date: Sep 24 2003 5:09PM Author: Guy Barnum Message-ID: (posted to dshield also) For all of you who have been flooded with Swen emails. I've gone around a few times over the last few days with a combination of ISA server, outlook and Norton not being able to stop the latest Microsoft-hoax swen virus email. Here is what I came up with: I just tested a win 98 system and a win XP Pro system after installing the latest office service pack and security updates. On the win98 system Outlook would still trigger the swen .exe attachment from just the email preview and doesn't filter any dangerous file extension attachments as its supposed to. Installing the same service packs and security patches on the xp pro machine, running the same version of office, fixed the problem. The default dangerous file extension attachments are stripped out of the email. On the win98 system I had to go in to the registry and add the Level1Add string value (along with a few preceding registry keys) and manually add all of the extensions I want to be filtered. This looks like it took care of the problem as I've sent myself a few .exe and .com files that have been stripped out. See article: http://support.microsoft.com/default.aspx?scid=kb;EN-US;312834 To see the recommended list of file extensions to block if you also need to add these by hand see article: http://support.microsoft.com/?kbid=290497 and scroll down to "Attachment Behavior". It strikes me as surreal that Microsoft releases a security update to fix a bug, which security update itself has a bug and another update web page on how to manually fix it. Couldn't they go back and re-release a working version of their original security update?! Guy gbarnum armscole com Want to link to this message? Use this URL: Disclaimer, Terms & Conditions About this List Featured Lists: ARIS Users bugtraq bugtraq-es bugtraq-french NEW bugtraq-jp firewalls focus-ids focus-ih focus-linux focus-ms focus-sun focus-unix-other focus-virus forensics forensics-es honeypots incidents libnet pen-test secevents secpapers secprog sectools secureshell security-basics security-management NEW securityjobs vpn vuln-dev webappsec Newsletters: sf-news ms-secnews linux-secnews [ more . . . ] Privacy Statement Copyright © 1999-2003 SecurityFocus