IP: Bogus Microsoft Security Bulletin

[David Farber <dave () farber net>]

> X-Sender: @ (Unverified)
> Date: Thu, 19 Jul 2001 17:58:29 -0400
> To: undisclosed-recipients:;
> From: Monty Solomon <monty () roscom com>
> Subject: Bogus Microsoft Security Bulletin
>
> <http://www.microsoft.com/technet/treeview/default.asp?url=/technet/itsolutions/security/news/bogus.asp>
>
> Information on Bogus Microsoft Security Bulletin
>
> Microsoft has learned that a malicious user is circulating an e-mail that 
> purports to be a Microsoft Security Bulletin, and which directs the reader 
> to download an executable file from a web site. Customers who receive such 
> an e-mail should delete it, and under no circumstances should they 
> download the executable.
>
> The would-be bulletin claims to be Microsoft Security Bulletin MS01-037. 
> However, the issue it describes is fictitious. In addition, it provides a 
> link to a web site whose URL looks like the Microsoft web site, but in 
> reality is not. The "patch" hosted on the site is a piece of hostile code 
> that could enable an attacker to remotely control another user's system.
>
> There are several dead giveaways that indicate that the e-mail isn't a 
> bona fide security bulletin:
>
> * The e-mail isn't signed using the Microsoft Security Response Center's 
> PGP key. Microsoft always signs its bulletins before mailing them, and you 
> can verify the signature using the key we publish at 
> http://www.microsoft.com/technet/security/bulletin/notify.asp. If you are 
> ever in doubt about the authenticity of a bulletin mailer you've received, 
> consult the web-hosted bulletins on the Microsoft Security web site - the 
> versions there are the authority versions.
>
> * The e-mail contains a link to a supposed patch. Authentic bulletin 
> mailers never provide a link to the patch; instead, they refer the reader 
> to the complete version of the bulletin on our web site, which provides a 
> link to the patch.
>
> * The "patch" the bogus bulletin links to isn't digitally signed. 
> Microsoft always digitally signs the patches it releases. Always be sure 
> you check the signature of any executable before installing it on your system.
>
> Microsoft is taking aggressive action to protect customers from this 
> issue. We have contacted the Internet Service Provider where the 
> counterfeit patch was hosted, and they have removed it. We also are 
> working with the anti-virus community to ensure that current virus scanner 
> products will detect the hostile code and remove it. Just the same, this 
> is not the first time malicious users have issued counterfeit security 
> bulletins, and it will likely not be the last. Microsoft urges customers 
> to always verify any mail that claims to be a Microsoft security bulletin.



For archives see: http://www.interesting-people.org/