MobSync is a Microsoft Mobile Synchronization Manager available in Win 2000 & Windows XP

Excerpt from Microsoft KB 314512 Articles (2002)

The Windows XP Synchronization Manager helps ensure that the files and folders on your mobile device and your desktop computer stay synchronized. With Synchronization Manager, you can be sure you are always working with the latest copy of your data, online or offline.

Technically MobSync is part of Windows Memory Management, its prefetch (type of cache) your External Device Contents (Mobile PC, Windows Embed XPE, PDA,database etc .. ) thus helps speed up the Windows booting process by shortening the time external device programs takes to start up.

MobSync Issue

MobSync is registered to run on logon but the process is hidden on others ‘Scans Tools’ like Autoruns.exe & Process.exe (SysInternal).

QuickFact:

• MobSync.exe can record inputs.
• Its hide itself from monitor applications.

Apparently because of its transparencies nature to hide behind windows systems some hackers decide to reverse engineer this programs as a Trojan Rootkit.

Should I disabled Mobsync?

If you used windows for surfing and office works you probably wont need this programs (crapware) most modern mobile device has a build in Synchronization Manager and doesnt relies on microsoft mobsync (dependencies issue). Its recommended to disabled this programs as it can hide itself from being monitored and doesnt showup on running process lists.

Step by step guide to disabled MobSync from your windows.

1. Disabled System Restore

   You will need to disabled Windows System Restore (Temporary).

2. View hidden system files

   Suspicious files is known to hide itself as Windows System files. The following settings will set all hidden files viewable so we could removed it.

   • Click on Windows Start → Control Panel → Folder Options → View Tab
   • Turn on the option to show hidden files

3. Clean Temporary Files and Windows Prefetch Files

   This wont harm your system. Removes all files inside the following directory. Remove the contents only not the folders.

   • C:\temp
   • C:\windows\temp
   • C:\Documents and Settings\<username>\Local Settings\Temp
   • C:\windows\prefetch

4. Boot in SafeMode

   Restart your PC in safe mode. Refer KB 31522 on How To Boot in Safe Mode.

5. Disabled MobSync Process

   1. Click on start → Run → mobsync
   2. Next, Click on Setup buttons
   3. On “Synchronizations Settings” Windows Logon/Logoff tab un-check all the following options:

      Automatically Synchronize the following items:

      • When I log on to my computer
      • When I log off to my computer
   4. While still in “Synchronizations Settings” Windows select the next tab label “on Idle” un-check the following items:
      • Synchronize the selected items while my computer is idle

6. Removed from system registry

   If you arent familiar with registry you may skip this part. Most normal startup programs can be found at the following registry path.

   • HKLM\Software\Microsoft\Windows\CurrentVersion\Run
   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunOnce
   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServices
   • HKLM\Software\Microsoft\Windows\CurrentVersion\RunServicesOnce
   • HKCU\Software\Microsoft\Windows\CurrentVersion\Run
   • HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce

   In Windows XP all loaded “startup programs” (start menu/startup items) can be found at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Shared Tools\MSConfig\startupreg

   Mobsync registry HKLM\Software\Microsoft\Windows\CurrentVersion\syncmgr

Note on using Rootkit Scanner.

• James A. Eshelman HijackThis
• SysInternal RootkitRevealer
• F-secure Blacklight

Most advance Rootkit has a self mechanism to shutdown the system if any of this programs is identify in the memory. If you had this programs installed its advice to rename the programs first.

• RootKitRevealer.exe → RKV.exe
• HijackThis → hjct.exe

How to validate if the running programs is Tempered

Get Certificate Verification Tool ( WM Software Corp) and verify the programs signature or you could also run Microsoft sigverif.exe (c:\windows\SIGVERIF.TXT) to verify digital signature.

Caveat: Most Rookit is “padded/mugged” with unix controls character so its not readable by Windows (ANSI).

Setupapi.log entries

Setupapi.log can be found inside c:\windows\setupapi.log You need to enabled logging in verbose mode to get proper setup log.
HKLM\Software\Microsoft\Windows\CurrentVersion\SetupLogLevel

Insert DWORD value 0000FFFF to enabled verbose mode logging

Insert DWORD value 0 to disabled it

Tempered MobSync.exe & similar windows networks files.

An unsigned or incorrectly signed file
(c:\windows\msdownld.tmp\as03b1e1.tmp\mobilepk.inf) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\msidle.dll to
C:\WINDOWS\SYSTEM\msidle.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\msidle.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.exe to
C:\WINDOWS\SYSTEM\mobsync.exe.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.exe) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.dll to
C:\WINDOWS\SYSTEM\mobsync.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sens.dll to
C:\WINDOWS\SYSTEM\sens.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sens.dll) was installed. Error 0x800b0003:
The form specified for the subject is not one supported or known by the
specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sensapi.dll to
C:\WINDOWS\SYSTEM\sensapi.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sensapi.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\senscfg.dll to
C:\WINDOWS\SYSTEM\senscfg.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\senscfg.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\es.dll to
C:\WINDOWS\SYSTEM\es.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\es.dll) was installed. Error 0x800b0003:
The form specified for the subject is not one supported or known by the
specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esshared.dll to
C:\WINDOWS\SYSTEM\esshared.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esshared.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\estier2.dll to
C:\WINDOWS\SYSTEM\estier2.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\estier2.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sage.vxd to
C:\WINDOWS\SYSTEM\sage.vxd.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\sage.vxd) was installed. Error 0x800b0003:
The form specified for the subject is not one supported or known by the
specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esenu.dll to
C:\WINDOWS\SYSTEM\esenu.dll.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\esenu.dll) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.inf to
C:\WINDOWS\INF\mobilepk.inf.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.inf) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\chnscsvr.hlp to
C:\WINDOWS\help\chnscsvr.hlp.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\chnscsvr.hlp) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.cat to
C:\WINDOWS\SYSTEM\sfp\ie\mobilepk.cat.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobilepk.cat) was installed. Error
0x800b0003: The form specified for the subject is not one supported or known by
the specified trust provider.
Copying file C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.hlp to
C:\WINDOWS\help\mobsync.hlp.
An unsigned or incorrectly signed file
(C:\WINDOWS\msdownld.tmp\AS03B1E1.tmp\mobsync.hlp) was installed. Error
0xe000022f: The third-party INF does not contain digital signature information.

Summary

What really bother me, is Microsoft Windows Setup API. Any downloaded Microsoft system files has embed sign-in digital signature. Windows installation will validate all setup file and logs out error if the file has a bad signature (third party signature or file being tempered). The flaw is within the Windows Setup API itself. It doesn’t protect you from installing bad programs.

You should thanks Microsoft developer for making good Installation Programs and reporting tools. it remind you of error but installed it nonetheless.

External Links

• MSDN System Event Notification Service (SENS)

Its been few days since the press release, I just found it after reading jeffrey zeldman’s post on his blog. he seem frustrated with andy budd CSS 2.2 (css working group).

External Links

• The “open letter” (Håkon Wium Lie, Chief Technology Officer, Opera Software) Opera files complaint — an open letter to the Web community
• press release Opera files antitrust complaint with the EU

Below is typical phishing email I received on Dec 8, 2007. It was send to one of my active gmail accounts.

The Email Header

From

“Gmail Team” <customercareteamalert4@gmail.com>

Subject

Gmail Warning!!!! Verify Your Gmail Account To Avoid Close.

Part of the message ↓

Dear member,

This message is from gmail message center to all gmail free account owners
and premium account owners. We are currently upgrading our data base and
e-mail account center. We are deleting all unused gmail account to create
more space for new accounts.

*To prevent your account from closing, you will have to verify it below so
that we will know that it’s a present used account.*

* CONFIRM YOUR IDENTITY. VERIFY YOUR FREE GMAIL ACCOUNT NOW !!! [...]

Raw Email Content

This are part of of the raw message on gmail its not download via pop3. Certain meta info is not available as its got filtered by gmail services (spam automatic removal).

Delivered-To random-victims-name@gmail.com
Received: by 10.114.235.19 with SMTP id i19cs230694wah;
 Sat, 8 Dec 2007 04:27:12 -0800 (PST)
Received: by 10.141.20.7 with SMTP id x7mr3231780rvi.1197116792300;
 Sat, 08 Dec 2007 04:26:32 -0800 (PST)
Received: by 10.141.115.15 with HTTP; Sat, 8 Dec 2007 04:26:32 -0800 (PST)
Message-ID: <2f83b9150712080426n4a018c86mc2af4a4ed271f223@mail.gmail.com>
Date: Sat, 8 Dec 2007 13:26:32 +0100
From: "Gmail Team" <customercareteamalert4@gmail.com>
Reply-To: customercareteamalert2@gmail.com
Subject: Gmail Warning!!!! Verify Your Gmail Account To Avoid Close.
MIME-Version: 1.0
Content-Type: multipart/alternative;
	boundary="----=_Part_11145_31274162.1197116792293"

------=_Part_11145_31274162.1197116792293
Content-Type: text/plain; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

 Dear Member*,* **
 * Account Alert*
***
 *
 *VERIFY YOUR GMAIL ACCOUNT NOW TO AVOID CLOSE !!!*
***GMAI L
*Dear Member*,*
 This message is from gmail message center to all gmail free account owners
and premium account owners. We are currently upgrading our data base and
e-mail account center. We are deleting all unused gmail account to create
more space for new accounts.

 *To prevent your account from closing, you will have to verify it below so
that we will know that it's a present used account.*

* CONFIRM YOUR IDENTITY. VERIFY YOUR FREE GMAIL ACCOUNT NOW !!!

 <http://amazon.com/>
 Gmail! ID:.........................

 Password:........................

 Your Birthday:.................

 Your Country or Territory:...........
 Enter the Security
Characters:......... [image: Registration
Verification Code]
*

 *Warning!!! **Account owner that refuses to update his or her account
before two weeks of receiving this warning will lose his or her account
permanently. *
**
*Sincerely,*
*Gmail Team*

------=_Part_11145_31274162.1197116792293
Content-Type: text/html; charset=ISO-8859-1
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

<table style="WIDTH: 595px; HEIGHT: 813px" width="595" border="0">
<tbody>
<tr bgcolor="#cccc99">
<td valign="center" colspan="3"><font face="Arial,Helvetica" color="#333300" size="+0"><span style="FONT-SIZE: 13px; FONT-FAMILY: Arial">Dear&nbsp;<font size="3">Member</font><strong>,</strong></span></font></td></tr>
<tr>
<td colspan="3"><font face="Arial,Helvetica" size="-1">
<div align="center"><font face="Arial Cyr" size="2"><span style="FONT-SIZE: 13px; FONT-FAMILY: Arial"><font face="Arial Cyr" size="2"><font face="Arial Cyr" size="2"><span style="FONT-SIZE: 23px; FONT-FAMILY: Arial"><b><font color="#dd6600">
<img style="WIDTH: 430px; HEIGHT: 99px" height="330" src="http://www.google.com/intl/en/press/images/logos/gmail.jpg" width="418"></font></b></span></font></font></span></font></div>
<div align="center">
<div><font face="Arial Cyr" size="2"><span style="FONT-SIZE: 13px; FONT-FAMILY: Arial"><font face="Arial Cyr" size="2"><font face="Arial Cyr" size="2"><span style="FONT-SIZE: 23px; FONT-FAMILY: Arial"><b><u><font color="#ff0000">
&nbsp;Account Alert</font></u></b></span></font></font></span></font></div></div>
<div align="center"><font face="Arial Cyr" size="2"><span style="FONT-SIZE: 13px; FONT-FAMILY: Arial"><font face="Arial Cyr" size="2"><font face="Arial Cyr" size="2"><span style="FONT-SIZE: 23px; FONT-FAMILY: Arial"><strong>
</strong></span><b><u><font face="Arial" color="#ff0000"></font></u><br>&nbsp; </b></font></font></span></font></div>
<div align="center">
<table cellspacing="0" cellpadding="4" width="585" border="0">
<tbody>
<tr bgcolor="#a0b8c8">
<td colspan="2">
<div align="center"><font face="Arial"><font face="Arial Narrow" size="4"><u><strong>VERIFY YOUR GMAIL ACCOUNT NOW TO AVOID CLOSE&nbsp;!!!</strong></u></font></font></div></td></tr></tbody></table></div>
<div align="center"><font face="Arial Cyr" size="2"><font face="Arial Cyr" size="2"><font face="Arial Cyr" size="2"><strong><font size="5"><font face="arial"></font></font></strong></font></font></font><font face="Arial Cyr" size="2">
<font face="Arial
 Cyr" size="2"><font face="Arial Cyr" size="2"><strong><font face="Arial"><font size="7"><u><font color="#0000bf">G</font><font color="#ff0000">M</font><font color="#ffff00">A</font><font color="#0000bf">I</font><font color="#007f40">
 L</font></u></font></font><br></strong><span style="FONT-SIZE: 21px; FONT-FAMILY: Arial"><font color="#ff0000">Dear</font><font color="#ff0000">&nbsp;Member</font><font color="#ff0000"><strong>,</strong></font></span></font></font>
 </font></div></font></td></tr>
<tr>
<td><font face="Arial Cyr" color="#124282" size="2"><span style="FONT-SIZE: 13px; FONT-FAMILY: Arial">
<div class="MsoNormal"><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130); FONT-FAMILY: Arial"><font color="#0000ff"><span style="FONT-SIZE: 10pt; FONT-FAMILY: Arial"><font color="#00007f">This message is from gmail message center to all&nbsp;gmail free account owners and premium account owners. We are currently upgrading our data base and e-mail account center. We are deleting all unused&nbsp;gmail account to create more space for new accounts.
</font></span></font></span></div>
<div class="MsoNormal"><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130); FONT-FAMILY: Arial"></span>&nbsp;</div>
<div class="MsoNormal">
<div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font face="Times

 New

 Roman"><strong>To prevent your account from closing, you will have to&nbsp;verify it&nbsp;below so that we will know that it&#39;s a present used account.</strong></font></div><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130)">
</span></div>
<div class="MsoNormal"><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130)"></span>&nbsp;</div>
<div class="MsoNormal"><strong><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130); FONT-FAMILY: Arial">
<table cellspacing="0" cellpadding="4" width="585" border="0">
<tbody>
<tr bgcolor="#a0b8c8">
<td colspan="2"><font size="4">
<div><strong>
<font size="4">
<div><strong>CONFIRM YOUR IDENTITY. VERIFY YOUR FREE GMAIL ACCOUNT NOW !!!</strong> </div></font></strong></div></font></td></tr></tbody></table>
<div><strong><font size="5"><font face="arial">&nbsp;
<div>
<div><img style="WIDTH: 469px; HEIGHT: 75px" height="75" src="http://pics.ebaystatic.com/aw/pics/securityCenter/hdr1_649x75.gif" width="649"></div>
<div><font size="2"><font face="Verdana"><strong><a href="http://amazon.com/" target="_blank" rel="nofollow"><span id="lw_1190759841_12"><font color="#003399"></font></span></a></strong></font></font>&nbsp;</div></div></font>
</font></strong></div>
<div><strong><font size="5"><font face="arial"><font face="arial narrow" size="4">
<div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><strong><span style="FONT-SIZE: 13.5pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Gmail! ID:.........................</span></strong></div>
<div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><strong><span style="FONT-SIZE: 13.5pt"></span></strong>&nbsp;</div>
<div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><strong><span style="FONT-SIZE: 13.5pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Password:........................</span></strong></div>
<div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><strong><span style="FONT-SIZE: 13.5pt"></span></strong>&nbsp;</div>
<div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font size="4"><font face="arial narrow"><strong style="FONT-FAMILY: arial narrow"><span style="FONT-SIZE: 13.5pt">&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Your Birthday:.................</span></strong>
 </font></font></div>
<div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><font size="4"><font face="arial
 narrow"><strong style="FONT-FAMILY: arial narrow"><span style="FONT-SIZE: 13.5pt"></span></strong></font></font>&nbsp;</div>
<div class="MsoNormal" style="MARGIN: 0in 0in 0pt"><strong><span style="FONT-SIZE: 13.5pt"><label for="persistent"></label>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; Your Country or Territory:...........</span></strong> </div></font></font></font></strong>
</div>
<div>&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;Enter the <strong>Security Characters:.........&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp;&nbsp; <img style="WIDTH: 125px; HEIGHT: 38px" alt="Registration Verification Code" src="https://ab.login.yahoo.com/img/LVnEpeVZFekTjDHcj06RTVxEZ3._lwVb0bZmRLXJUxldX3JOnZnejReq4nmXD_..xGmoMjBT9h9WFcSARc5o427WyZP6hQ1z1juqhTkOyV68FA04yd2HiHVj.jpg" border="0">
 </strong></div></span></strong></div>
<div class="MsoNormal"><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130); FONT-FAMILY: Arial"></span>&nbsp;</div>
<div class="MsoNormal"><span style="FONT-SIZE: 10pt; COLOR: rgb(18,66,130); FONT-FAMILY: Arial"><img style="WIDTH: 148px; HEIGHT: 53px" height="139" src="http://www.genbeta.com/images/2007/01/gmail%20logo%20blanco.gif" width="118">
 </span></div>
<div><strong><span style="FONT-SIZE: 12pt; COLOR: red; FONT-FAMILY: Arial">Warning!!! &nbsp;</span> </strong><strong><span style="FONT-SIZE: 12pt; COLOR: black">Account owner that refuses to update his or her account before two weeks of receiving this warning will lose his or her account permanently.
</span></strong></div>
<div><strong><span style="FONT-SIZE: 12pt; COLOR: black"></span></strong>&nbsp;</div>
<div><strong><span style="FONT-SIZE: 12pt; COLOR: black">Sincerely,</span></strong></div>
<div><strong><span style="FONT-SIZE: 12pt; COLOR: black">Gmail Team</span></strong></div></span></font></td></tr></tbody></table>

------=_Part_11145_31274162.1197116792293--

They used Outlook to published this email and leeched numbers of images across different “known” web services ↓

Image Sources

Gmail Logo: Google Presskit logo

Captcha : yahoo (SSL)

Gmail Logo 2: genbeta.com (might be their host)

Header: EbayStatic Server

Whats the motiff

It may seem funny to read the message as this are pretty much a script kiddies at work. I’m sure that most savvy users will not trust this types of threat. But what most people unaware of is the “Image” portions of the message. It can play a big role for expoiting email.

QuickInfo: Spam “images” trends start around june 2006 and earlier version of popular email client (Outlook and Thunderbird) doesn’t block images by default.

If you are familliar with Internet Security in general,you may notice that there is many attemp and proof of concept method in exploiting Images like “TIFF & JPEG“. Both of this vulnurebilities exists in Internet Explorer Browser and various microsoft windows products. While we can only make educated guesses as there is no real working proof yet.

My doodling scenario produce this ↓

Session “hacker” create a malicious server side image → proxy tunnel send to multiple email server → the curious victim open the email → steal client informations (cookie or server session cookie) → spoof the request → send RST back to client (reset) → dump the victims data in one instance. → write signature on victim email (avoid loop) → propogate using victims session → new net-worm is born

Try digging around VX Heavens & milw0rm Database you’ll find something to start thinkering.

Jonathan Snook is having a good evening at Mix’n'mash Conferences 2007. His simple question spurs out hilarious response from bill gates. Read all the transcript at snook.ca.

This news got digg 2 days ago. The annoucement doesn’t confirm anything other than Comparing Products Names and Guessing games.

I’m pretty much dissapointed by Dean Hachamovitch announcement. all its says is bunch of names that wont matter much consider as crap.

Dean Hachamovitch Announcement

Below is the lists of the possible name by dean’s.

Excerpt from IEblog ~ Dean Hachamovitch : Just as he was the first to talk about IE7, Bill Gates kept the tradition alive and discussed IE8 at the Mix ‘n Mash event here on campus yesterday. Bill was talking to some bloggers about IE.Next and called it IE8, the same way we do here in the IE team hallway.

So, yes, the version after IE7 is IE8. We looked at a lot of options for the product name. Among the names we considered and ruled out:

• IE 7+1
• IE VIII
• IE 1000 (think binary)
• IE Eight!
• iIE
• IE for Web 2.0 (Service Pack 2)
• IE Desktop Online Web Browser Live Professional Ultimate Edition for the Internet.
• Ie^2.079 (Math Major Edition)

He was making a bad jokes.

The response by commenter’s on IE blog is much interesting ( & depressing ). Just hope IE8 wont introduce new property language (ie: css-expression, silverlight , cardspace … ) and bundle with legacy bugs .

Related

• The Web Standards Project ACID2 Test

Apple QuickTime contains a stack buffer overflow vulnerability in the way it handles the RTSP Content-Type header. This vulnerability may be exploited by specially crafted RTSP stream protocol

Live Example

• GNUcitizen- Backdooring QuickTime Movies
• Apple QuickTime redirection to the RTSP exploit

Elia Florio (Symantec) wrap a good introduction post regarding QuickTime 0 day Exploit.

Known Vulnerabilities Proof of concept (milw0rm).

• Apple QuickTime 7.3 RTSP Response Content-Type Header Stack Buffer Overflow exploit
• Apple QuickTime Remote stack rewrite exploit for Internet Explorer 6 & 7
• Apple QuickTime 7.2/7.3 RTSP Response Universal Exploit (IE7/FF/Opera)
• Apple Quicktime (Vista/XP Sp2 RTSP RESPONSE) Code Exec Exploit

Workarounds

You may try the following workarounds, as there is no complete patch for this this vulnerability.

• Block TCP port 554 (optionaly 7070) and UDP 6970 through 6999 in your firewall
• Update Quicktime
• Disabled Apple Quicktime ActiveX control running in Internet Explorer (Windows registry file)
• For Firefox - Noscripts addons

Related Links

• RTSP - rfc2326 & RTP - rfc1889
• Apple Security Update on Safari 3 Beta Update 3.0.4
• NVD Database - Buffer overflow in Apple QuickTime
• Microsoft KB240797 - How to stop an ActiveX control from running in Internet Explorer

WordPress 2.3.1 Support Windows Live Writer RSD. I’m posting this via live writer. You can download this Polaroid plugins at LiveWriter Addons Gallery .

Photo courtesy of ChaosKaizer