View Full Version : 2005 Alerts

2005-11-28, 19:31

- http://isc.sans.org/diary.php?storyid=898
Last Updated: 2005-11-28 18:07:18 UTC
" A few readers reported that at there is trouble on the worldnic.com DNS servers.
Those servers are operated by Network Solutions and are hosting a number of their customer's DNS needs. Network Solutions is aware of the problem.
To clarify the impact to the casual reader:
* Not all customers of Network Solutions are affected.
* No root or TLD servers are known to reside on these machines.
* It's "just" individual domains that are affected, but it might be a lot of them.
* Only domains that have all their namervers on these machines will have significant impact.
There is a lesson to learn for those affected and those designing solutions. Do not put all your DNS servers on the same hardware, the same connections, the same location, ... , the same management. Diversity is the key to success.
This will be bad news for those organisations wanting to profit from Cyber Monday, the biggest on-line purchase day according to CNN.
- http://money.cnn.com/2005/11/28/news/economy/holiday_cybermonday/index.htm?cnn=yes

- http://www.networksolutions.com/help/index.jhtml?tab=home
"We are currently experiencing a widespread DNS related outage. If you are attempting to contact us to report a product that is not working, please know that we are aware of the issue, and are doing everything we can to resolve all issues as quickly as possible."


FYI...(as of date/time of this post):

- http://isc.sans.org/diary.php?storyid=898
Last Updated: 2005-11-28 19:14:20 UTC
"...seems to have fixed it..."


2005-12-08, 05:34

- http://isc.sans.org/diary.php?storyid=920
Last Updated: 2005-12-08 02:24:41 UTC
"...Packetstorm Security has released proof of concept code that causes a buffer overflow and denial of service on the Firefox browser. Long and short of it is, history.dat stores various pieces of information on websites you've visited. If the topic of a page is crafted to be long enough, it will crash the browser each time it is started after going to such a page. This vulnerability has been tested and does work, and no known patches are available at this time. Once this happens, firefox will be unable to be started until you erase the history.dat file manually. Presumably, if the topic was more tightly crafted than in the proof-of-concept code, a more malicious attack could be crafted that would install malware on the machine with the extra fun step of being reinstalled after each restart of firefox (unless you erase history.dat). As we research this more, details will be added on to this post...
However, the following is a workaround that should work...
Go to Tools -> Options.
Select the Privacy Icon, and then the History tab. Set the number of days to save pages at 0. This will disable writing anything to history.dat as far as I can tell, and should nullify the exploit.
If you need to delete your history.dat file (in case you tested this PoC code), it can be difficult to locate where exactly this file is. You can find instructions for locating the profile folder at the following URL:
- http://www.mozilla.org/support/firefox/edit#profile ..."


FireFox 1.5 Buffer overflow exploit
- http://forums.mozillazine.org/viewtopic.php?t=351648

- https://bugzilla.mozilla.org/show_bug.cgi?id=319004
(Bugzilla Bug 319004 - overlong document.title setting can corrupt history data, causing non-responsive temporary hang (crash?) on subsequent startups)
Last modified: 2005-12-08 12:06:34 PST


- http://isc.sans.org/diary.php?compare=1&storyid=920
Last Updated: 2005-12-09 15:33:49 UTC
"Update 2: The official response from the folks at mozilla.org can be found here*. Their results match our testing, that we were able to make it take a long time for Firefox to start, but were not able to make it crash. Further, there doesn't seem to be any credible evidence at this time that this could be exploited to execute arbitrary code."

* http://www.mozilla.org/security/history-title.html


FYI...(per http://isc.sans.org/diary.php?storyid=920 - the "NoScript extension" workaround choice):

- http://www.noscript.net/whats
" is out!
Main good news:
* NoScript already protects users against this Firefox DOS exploit. However, it would be theoretically possible to exploit bug 319004 from the server side (no JavaScript). Hence the new NoScript "Truncate title" option (enabled by default) is a quick and dirty additional protection which will work even on whitelisted sites..."
- http://www.noscript.net/changelog

Get it!:
- https://addons.mozilla.org/extensions/moreinfo.php?id=722


2005-12-09, 00:52

- http://isc.sans.org/diary.php?storyid=921
Last Updated: 2005-12-08 22:35:23 UTC
"...Stefan Esser published a critical vulnerability in phpMyAdmin, popular web based MySQL administration package. What's interesting about this vulnerability is that, in fact, it happens in the code which should protect the application.
The variable $import_blacklist is supposed to list variables that may not be overwritten. However, as this variable is not protected, an attacker can overwrite it and change the blacklist, after which this can be exploited to execute arbitrary script code in user's browser session, in the context of the site running a vulnerable installation of phpMyAdmin.
If you use this product, be sure to upgrade to phpMyAdmin 2.7.0-p1 from - http://sourceforge.net/project/showfiles.php?group_id=23067.
The original advisory is at
- http://www.hardened-php.net/advisory_252005.110.html ..."
"Risk: Critical...
It is strongly recommended to upgrade to the new version of phpMyAdmin which you can download at:
- http://www.phpmyadmin.net/home_page/downloads.php ..."

- http://secunia.com/advisories/17925/


2005-12-17, 11:30

- http://www.theregister.com/2005/12/16/dasher_worm_variant/
16th December 2005
"After an earlier unsuccessful attempt, Virus writers have created the first worm that successfully targets a critical Windows vulnerability (MS05-051) patched by Microsoft in October. The Dasher-B worm exploits a vulnerability in Microsoft Windows Distributed Transaction Coordinator (MSDTC) to spread across vulnerable systems. Unpatched Windows 2000 computers are particularly at risk. If successful, the worm establishes a backdoor on vulnerable computers and opens up a link to a remote server for further instructions. The server instructs infected machines to download a copy of the worm itself and a keylogger, which hides itself on infected systems by using a rootkit driver. Windows users are strongly urged to apply the latest Microsoft security fixes to guard against attack. The MS05-051 patch was the subject of early glitches, even after warnings that it was ripe for malware exploitation. "The worry is that the problems with the patch may have prevented it from being successfully rolled out onto some vulnerable computers," said Graham Cluley, senior technology consultant at anti-virus firm Sophos..."
- http://www.sophos.com/virusinfo/analyses/w32dasherb.html

- http://www.microsoft.com/technet/security/bulletin/MS05-051.mspx


2005-12-20, 02:53

- http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=379
December 19, 2005
"Websense Security Labs (TM) is seeing a large increase in the number of websites and emails that use deception and/or browser vulnerabilities to install potentially unwanted software. The common theme among these threats is the use lures of possible spyware infections on your machine. In some cases, the scam actually reports fraudulent information regarding the security of your PC.
In many cases they also request money in return for cleaning the outlined security problems (we have seen as much as $500 per year). Over the last 2 weeks, we have identified more than 1500 sites that have some (or all) of the following criteria:
- They are hosted in Ukraine and Russia
- The website domain names are registered in countries like Vanuatu and Mexico
- IP netblocks hosting sites are often hosting other questionable sites such as fraudulent search engines
- IP netblocks have been hosting malicious code such as Trojan horse downloaders, droppers, and hosts-file redirection software
- Malicious code that modifies DNS settings has used these netblocks for DNS resolving
- Downloaded code often includes several pieces of spyware, adware, and other potentially unwanted software
- Removing the software often requires that you to fill out a survey
- Several of the sites contain links to other sites that are hosting IE exploit code ..."

(Various Example Screenshots available at URL above.)


2005-12-22, 05:05

- http://www.security-protocols.com/advisory/sp-x21-advisory.txt
Release Date: December 20, 2005
Severity: High (think about how many ipods sold this year alone)
Vendor: Apple
Versions Affected:
Apple Quicktime 7.0.3 on OS X 10.4.3
Apple iTunes 6.0.1 (3) on OSX 10.4.3
Apple Quicktime 7.0.3 on Win32
Apple iTunes 6.0.1 (3) on Win32
A heap overflow vulnerability exists within Apple iTunes 6.0.1 and Quicktime 7.0.3. The vulnerability allows for an attacker to cause the program to crash, and or to execute arbitrary code in the context of the user who execute the player. These flaws exists within all current versions, and prior versions of Apple iTunes and Quicktime for Mac OS X and Win32..."
>>> http://security-protocols.com/upcoming/qt-overflow.png

- http://news.com.com/iTunes+and+QuickTime+flaw+detailed/2100-1002_3-6004635.html
December 21, 2005
...For protection, Ferris' recommends that computer users don't open media files, or -any- file for that matter, from untrusted sources."

- http://secunia.com/advisories/18149/


- http://isc.sans.org/diary.php?storyid=1033
Last Updated: 2006-01-10 20:55:19 UTC
"...Apple released a security update to Quicktime: http://docs.info.apple.com/article.html?artnum=303101 There are multiple vulnerabilities patched. To summarize the advisory: A maliciously-crafted GIF/TIFF/TGA/QTIF image or multimedia file may result in arbitrary code execution..."


QuickTime 7.0.4
>>> http://www.apple.com/quicktime/download/standalone.html


2005-12-25, 02:16

- http://isc.sans.org/diary.php?storyid=961
Last Updated: 2005-12-25 00:45:05 UTC
"It's an early holiday gift for phpBB admins all over the world. Exploit code affecting phpBB version 2.0.17 and previous has been made public. The targeted vulnerability was announced on Halloween, and updates have been available since then. I predict we'll be seeing profile.php probes appear in your web logs right along with the awstats and xml-rpc attacks that you've been getting."


2005-12-25, 02:45
NEWS FLASH - Dec. 24, 2005

Red vehicle seen streaking through the skies in multiple countries... unable to discern a host of animals seen forward of the red streak...

'Said to be dropping packages for children down chimneys causing potential fire hazards...


(The driver of that red vehicle has a white beard that suspiciously looks like mine... Hmmm.)


2005-12-28, 11:20

- http://isc.sans.org/diary.php?storyid=972
Last Updated: 2005-12-28 03:56:13 UTC
"Just when we thought that this will be another slow day, a link to a working unpatched exploit in, what looks like Windows Graphics Rendering Engine, has been posted to Bugtraq...
The HTML file runs another WMF (Windows Meta File) which executes a trojan dropper on a fully patched Windows XP SP2 machine. The dropper will then download Winhound*, a fake anti-spyware/virus program which asks user to purchase a registered version of software in order to remove the reported threats.
During the test Johannes ran, it was interesting that the DEP (Data Execution Prevention) on his system stopped this from working. However, as this was tested on a AMD64 machine, we still have to confirm whether (or not) the software DEP also stops this - let us know if you tested this.
Internet Explorer will automatically launch the "Windows Picture and Fax Viewer". Note that Firefox users are not totally imune either. In my install of Firefox, a dialog box will ask me if I would like to load the image in "Windows Picture and Fax Viewer". If I allow this to happen ("pictures are safe after all" NOT!), the exploit will execute.
For more information, see also http://vil.mcafeesecurity.com/vil/content/v_137760.htm and http://www.securityfocus.com/bid/16074/info ..."

* http://www.spywarewarrior.com/rogue_anti-spyware.htm
"...Most recent additions: ...WinHound (11-29-05)...
stealth installs through exploits, system hijacking (1,2); scare-mongering used as goad to purchase [A: 11-29-05 / U: 11-29-05]"

- http://secunia.com/advisories/18255/
Release Date: 2005-12-28
Critical: Extremely critical



Be careful with WMF files...
- http://www.f-secure.com/weblog/
Wednesday, December 28, 2005
" Over the last 24 hours, we've seen three different WMF files carrying the zero-day WMF exploit. We currently detect them as W32/PFV-Exploit.A, .B and .C. Fellow researchers at Sunbelt* have also blogged about this. They have discovered more sites that are carrying malicious WMF files. You might want to block these sites at your firewall while waiting for a Microsoft patch:
Crackz [dot] ws
unionseek [dot] com
www.tfcco [dot] com
Iframeurl [dot] biz
beehappyy [dot] biz
And funnily enough, according to WHOIS, domain beehappyy.biz is owned by a previous president of Soviet Union:
Registrant Name: Mikhail Sergeevich Gorbachev
Registrant Address1: Krasnaya ploshad, 1
Registrant City: Moscow
Registrant Postal Code: 176098
Registrant Country: Russian Federation
Registrant Country Code: RU
"Krasnaya ploshad" is the Red Square in Moscow..."

* http://sunbeltblog.blogspot.com/
December 28, 2005
"For this WMF exploit: Until Microsoft patches this thing, here is a workaround:
From the command prompt, type REGSVR32 /U SHIMGVW.DLL.
You can also do this by going to Start, Run and then pasting in the above command. This effectively disables your ability to view images using the Windows picture and fax viewer via IE. This is an old Windows feature that doesn’t even show up under programs. Not “core” or critical..." However, it is a preventative measure. If you are already infected, it will not help..."

Update on Windows WMF 0-day / Infocon changed to yellow
- http://isc.sans.org/diary.php?storyid=975
"Update 19:07 UTC: We are moving to Infocon Yellow...Regarding DEP (Data Execution Protection) of XPSP2, the default settings of DEP will not prevent this exploit from working. Comments we have received in the meantime suggest that if you enable DEP to cover all programs (as documented on Microsoft Technet**), the WMF exploit attempt will result in a warning and not run on its own. Don't feel too safe though, we have also received comments stating that a fully enabled DEP did not do anything good in their case..."
** http://www.microsoft.com/technet/security/prodtech/windowsxp/depcnfxp.mspx



- http://isc.sans.org/diary.php?storyid=991
Last Updated: 2005-12-31 16:33:11 UTC
"We have received information that a new IM Worm is hitting the Netherlands. Apparently the worm is spreading with MSN and is spreading with a malformed WMF file called "xmas-2006 FUNNY.jpg".
Kaspersky Lab Blogs*
Be very careful when opening the New Years Greetings that you receive folks. We wouldn't want you to have to spend the rest of your holiday weekend [i]rebuilding your computer..."

* http://www.viruslist.com/en/weblog?weblogid=176892530
December 31, 2005 | 11:54 GMT
"It was only a matter of time, the first IM-Worm exploiting the wmf vulnerability has been spotted. We have received multiple reports from the Netherlands about an IM-Worm which spreads via MSN using a link to "hxxp://[snip]/xmas-2006 FUNNY.jpg". This may well turn out to become a local epidemic(in NL), however so far it has not become big (Not even 1000 bots at this moment). The jpg is actually an HTML page with a (link to a) malicious wmf file which is heuristically detected as Exploit.Win32.IMG-WMF by Kaspersky Anti-Virus.
This wmf will download and execute a .vbs file which is detected as Trojan-Downloader.VBS.Psyme.br which in turn will download an Sdbot. The IRCBot is detected as Backdoor.Win32.SdBot.gen by KAV. At the time of writing this SdBot is instructed to download an IM-Worm.Win32.Kelvir variant. As you will know Kelvir is responsible for spreading across MSN. Looking at this IRCBot it's extremely likely that it has been made for cyber criminals.
Going back to the wmf vulnerability itself, we see number of sites mention that shimgvw.dll is the vulnerable file. This doesn't seem correct as it's possible to exploit a system on which shimgvw.dll has been unregistered and deleted. The vulnerability seems to be in gdi32.dll. So while unregistering shimgvw.dll may make you less vulnerable, several attack scenarios come to mind where the system can still be compromised..."



- http://isc.sans.org/diary.php?storyid=992
Last Updated: 2005-12-31 23:16:11 UTC
"On New Year's eve the defenders got a 'nice' present from the full disclosure community.
The source code claims to be made by the folks at metasploit and xfocus, together with a anonymous source.
The exploit generates files:
* with a random size;
* no .wmf extension, (.jpg), but could be any other image extension actually;
* a random piece of junk in front of the bad call; carefully crafted to be larger than the MTU on an ethernet network;
* a number of possible calls to run the exploit are listed in the source;
* a random trailer
From a number of scans we did through virustotal, we can safely conclude there is currently no anti-virus signature working for it. Similarly it is very unlikely any of the current IDS signatures work for it. Judging from the source code, it will likely be difficult to develop very effective signatures due to the structures of the WMF files. Considering this upsets all defenses people have in place, we voted to go to yellow in order to warn the good guys out there they need to review their defenses. We hate going back to yellow for something we were yellow on a couple of days ago and had returned to green, but the more we look at it and the uglier it gets.
For those of you wanting to try an unofficial patch with all the risks involved, please see http://www.hexblog.com/2005/12/wmf_vuln.html. Initially it was only for Windows XP SP2. Fellow handler Tom Liston is working with Ilfak Guilfanov to extend it to also cover Windows XP SP1 and Windows 2000. We will host the files once we have it verified. We are receiving signatures from Frank Knobbe that detect this newest variant, but we haven't done much testing for false positives or negatives at this point.
http://www.bleedingsnort.com/ ..."



- http://www.f-secure.com/weblog/archives/archive-012006.html#00000758
Sunday, January 1, 2006 - 00:49 GMT
"We are aware that a new exploit for the WMF vulnerability has been published. This one is much more advanced than the old one, and much more dangerous.
It enables clueless newcomers to easily craft highly variable and hard-to-detect variations of image files. Images that take over computers when viewed. And do this on all common Windows platforms. With no vendor patch for the vulnerability available. Meaning that there are hundreds of millions of vulnerable computers in the net right now.
Making such tools publicly available when there's no vendor patch available is irresponsible. Plain and simply irresponsible. Everybody associated in making and publishing the exploit knows this. And they should know better. Moore, A.S, San and FrSIRT: you should know better."

2nd generation WMF 0-day Expliot Spammed
- http://isc.sans.org/diary.php?storyid=995
Last Updated: 2006-01-01 11:06:07 UTC
"According to F-Secure's blog today*, the 2nd generation WMF exploit has been spammed and "When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com.".
Trend Micro is calling it TROJ_NASCENE.H":
- http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=TROJ%5FNASCENE%2EH&VSect=T

* http://www.f-secure.com/weblog/archives/archive-012006.html#00000759
Sunday, January 1, 2006 - 09:38 GMT
"Some clown is spamming out "Happy New Year" emails which will infect Windows machines very easily. These emails contain a new version of the WMF exploit, which doesn't seem to be related to the two earlier Metasploit WMF exploits we've seen. The emails have a Subject: "Happy New Year", body: "picture of 2006" and contain an exploit WMF as an attachment, named "HappyNewYear.jpg" (MD5: DBB27F839C8491E57EBCC9445BABB755). We detect this as PFV-Exploit.D.
When the HappyNewYear.jpg hits the hard drive and is accessed (file opened, folder viewed, file indexed by Google Desktop), it executes and downloads a Bifrose backdoor (detected by us as Backdoor.Win32.Bifrose.kt) from www[dot]ritztours.com. Admins, filter this domain at your firewalls.
It's going to get worse..."



- http://isc.sans.org/diary.php?storyid=996
Last Updated: 2006-01-01 15:47:02 UTC by Tom Liston (Version: 1)
"Looking forward to the week ahead, I find myself in the very peculiar position of having to say something that I don't believe has ever been said here in the Handler's diary before: "Please, trust us."
I've written more than a few diaries, and I've often been silly or said funny things, but now, I'm being as straightforward and honest as I can possibly be: the Microsoft WMF vulnerability is bad. It is very, very bad.
We've received many emails from people saying that no one in a corporate environment will find using an unofficial patch acceptable. Acceptable or not, folks, you have to trust someone in this situation.
To the best of my knowledge, over the past 5 years, this rag-tag group of volunteers hasn't asked for your trust: we've earned it. Now we're going to expend some of that hard-earned trust:
This is a bad situation that will only get worse. The very best response that our collective wisdom can create is contained in this advice - unregister shimgvw.dll and use the unofficial patch. You need to trust us.
Looking back over the past year, the ISC handlers have faced up to any number of challenges: from worms and viruses to DNS poisoning and hurricanes. We've done our best to keep you informed and to tell it like it is. Somehow, it seems fitting that on the last day of 2005 we rang in the New Year in what can only be described as typical ISC style.
On December 31st, we received word that a "new and improved" version of the WMF exploit had been published. This new exploit code generated WMF files that were sufficiently different that they bypassed nearly all AV and IDS signatures. Publishing exploit code such as this for an unpatched vulnerability on a holiday weekend is, without any doubt, a totally irresponsible act.
And so, as the hours to the New Year slowly counted down, a group of volunteers gave up their holiday weekend to come together as a team and put their collective knowledge and intellect to work on the problems this reckless disclosure created. Some tested the exploit, some talked to AV vendors, some worked toward finding a means to mitigate the vulnerability, some tested "fix" ideas and the resulting patches.
I was privileged to be a part of that team, and I'm incredibly proud of everyone who participated. As it became obvious that the "fix" that we were working toward was essentially what had already been created by Ilfak Guilfanov, we wrote to him to ask if we could redistribute his patch from the ISC*. He was incredibly gracious and courteous in allowing us to do so and we were able to work with him to verify several changes that allowed the patch to work on a wider variety of Windows systems.

We have very carefully scrutinized this patch. It does only what is advertised, it is reversible, and, in our opinion, it is both safe and effective.
The word from Redmond isn't encouraging. We've heard nothing to indicate that we're going to see anything from Microsoft before January 9th.
The upshot is this: You cannot wait for the official MS patch, you cannot block this one at the border, and you cannot leave your systems unprotected.
It's time for some real trustworthy computing. All we're asking is if we've proved ourselves to be worthy of your trust."

* >>> http://isc.sans.org/diary.php?storyid=994
(See "What can I do to protect myself?")

Updated version of Ilfak Guilfanov's patch
- http://isc.sans.org/diary.php?storyid=999
Last Updated: 2006-01-01 18:18:10 UTC by Tom Liston (Version: 1)
"Ilfak Guilfanov has released an updated version of his unofficial patch for the Window's WMF issue. We have reverse engineered, reviewed, and vetted the version here**. Note: If you've already successfully installed the patch, this new version adds nothing new. It only adds code to make it able to install on some other very specific configurations and code to recognize when the patch has already been installed."
** http://handlers.sans.org/tliston/wmffix_hexblog14.exe

AplusWebMaster's Note: -You- have to decide for yourself. After a few years of following the good efforts and works of the folks at the ISC, they ARE -my- source for "Trustworthy Computing".


- http://www.websensesecuritylabs.com/alerts/alert.php?AlertID=390
January 02, 2006
"...The attack is a vulnerability within Windows Operating Systems which currently has no patch available. Because there is no patch from Microsoft available, there is exploit code published on the web, its trivial to create and attack, and there are multiple vectors which allow you to use this attack, we believe that there will continue to be exploits through the Web, Instant Messaging, Email, and other technologies over the next week...
Jan 1, 2006: Increase in web-attacks. Now more than 100 sites using exploit to install BOT's and Trojan Horses.
Jan 2, 2006: Targeted Trojan Horse attack discovered via email..."



Microsoft releases fix for Windows flaw
Company had said security patch would take until next week

Updated: 4:32 p.m. ET Jan. 5, 2006
SEATTLE - Microsoft Corp. on Thursday released a patch to fix a flaw in its Windows operating system that had spawned attempts to take control of Internet-connected computers.

The Redmond software maker had originally said it didn't expect to release the patch until Tuesday, but the company said Thursday it was able to complete testing earlier than planned.

The patch was available from Microsoft's Web site.

Bitman, thank you very much. Tarheel

having unregistered SHIMGVW.DLL, now that I have installed the Microsoft patch, how do I re-register it

having unregistered SHIMGVW.DLL, now that I have installed the Microsoft patch, how do I re-register it
- http://isc.sans.org/diary.php?storyid=1019
"...5. Re-register the .dll if you previously unregistered it (use the same command but without the "-u"):
regsvr32 %windir%\system32\shimgvw.dll ..."

[Start > Run > (enter) regsvr32 %windir%\system32\shimgvw.dll (in the box/window)]

Or, see http://isc.sans.org/diary.php?storyid=1019



- http://isc.sans.org/diary.php?storyid=1023
Last Updated: 2006-01-06 20:57:58 UTC
"...The Internet Storm Center is made up of a group of volunteers that have different backgrounds and perspectives on the overall risk of the WMF vulnerability, and the active exploitation seen. The group consensus was that the risk was high enough to warrant raising the Infocon level, and then testing and endorsing the unofficial patch. We are well aware that one size doesn't fit all. At the time it was the only mitigation technique that actually worked. Anti-virus, IDS/IPS do not give adequate protection against this attack and all of its vectors..."

Get the patch now. Choose Windows Update (http://v4.windowsupdate.microsoft.com/default.asp), MS Update (http://update.microsoft.com/microsoftupdate/v6/default.aspx), or manual download (http://www.microsoft.com/technet/security/Bulletin/MS06-001.mspx). But get it NOW. Other subliminal messages may be posted at anytime...