MS broadening its efforts to warn customers

From: Hayes, Bill <Bill.Hayes(at)owh.com>
Date: Mon Aug 04 2003 - 11:44:40 EDT


It may be that this is just a Monday morning and I haven't had enough coffee yet.

Anyway,

<rant>

I just received a message from Microsoft that did not originate from MS, but instead with a legitimate third party bulk e-mailer Digital Impact (see http://www.digitalimpact.com/v2/). This is not a slam against Digital Impact, but I am questioning the decision by MS to have a security alert handled by a bulk e-mailer.

In what appears to be an honest effort to alert MS customers of the MS03-026 security advisory, Microsoft has enlisted the aid of bulk e-mailers at Digital Impact. Unfortunately the message may not get the wide dissemination that Microsoft wants. The mail server used by Digital Impact has the reverse DNS address of mh.microsoft.m0.net. Its IP address is 209.11.164.116.

Mail servers at the M0.net domain are known for sending unsolicited e-mail (see http://openrbl.org/ and enter the IP address 209.11.164.116). A few RBLs show m0.net as the originator of unsolicited e-mail. The majority do not. Therefore, the well-intentioned message may well be blocked by organizations with stringent anti-spam controls.

Perhaps this move is intended to reach the more diffuse home PC customer. If so, I hope they succeed. I do applaud their decision to reach out to as many folks as possible. However, the bottom line for me is if you have something important to tell me Microsoft, please use your own e-mail servers.

</rant>


Here are the headers for the message I received:

Microsoft Mail Internet Headers Version 2.0
Received: from xxxxxxxxxxx ([xxx.xxx.xxx.xxxx]) by xxx.xxx.xxx.xxxx with xxxxxxxxxxx;
         Mon, 4 Aug 2003 09:12:18 -0500
Received: from xxxxxxxxxxx([xxxxxxxxxxx]) by xxxxxxxxxxx with xxxxxxxxxxx;
         Mon, 4 Aug 2003 09:12:17 -0500
Received: from xxxxxxx by xxxxxxxxxxx
          via smtpd (for xxxxxxxxxxx [xxx.xxx.xxx.xxxx]) with SMTP; 4 Aug 2003 14:12:17 UT
Received: from xxxxxxxxxxx (mh.microsoft.m0.net) by xxxxxxxxxxx
 (xxxxxxxxxx) with SMTP id  for ;
 Mon, 4 Aug 2003 09:11:56 -0500
Received: from mh.microsoft.m0.net ([209.11.164.116]) by xxxxxxxxxxx
          via smtpd (for xxxxxxxxxxx [xxx.xxx.xxx.xxxx]) with SMTP; 4 Aug 2003 14:11:56 UT
Received: from [209.11.138.126]
        by 10.203.1.116 (mh.microsoft.m0.net) with SMTP; 04 Aug 2003 07:35:38 +0000
Message-ID: <9707218726.1060006307040@m0.net>
Date: Mon, 4 Aug 2003 07:11:47 -0700 (PDT)
From: Microsoft <windowssecurity@email.microsoft.com>
Reply-to: windowssecurity@email.microsoft.com
To: bhayes@owh.com
Subject: Security Update for Microsoft Windows
Errors-to: windowssecurity@email.microsoft.com
Mime-Version: 1.0
Content-Type: multipart/alternative; boundary="---=_NEXT_f6cd4ca4db"
X-cid: 9707218726
X-pid: 228387
Return-Path: windowssecurity@email.microsoft.com
X-OriginalArrivalTime: 04 Aug 2003 14:12:17.0964 (UTC) FILETIME=[69958EC0:01C35A92]

Here's the message body:

*** PLEASE NOTE: Due to the critical importance of this message, this communication is being sent to all of our Microsoft customers to alert you of this Security Bulletin. ***

It has been widely reported in the press and on Microsoft's own web site, that on July 16th we released a critical security bulletin (MS03-026) and a patch regarding a vulnerability in the Windows operating system. We wanted to make sure that if you were not aware of this bulletin and corresponding patch that you take a moment to go to
http://www.microsoft.com/security/security_bulletins/ms03-026.asp <http://email.microsoft.com/m/s.asp?HB9707218726X2612303X228387X> to find out if you are running an affected version of the Windows operating system and get the specific information as to what you need to do to apply this patch if you have not already.

Although we encourage you to pay attention to all security bulletins and to deploy patches in a timely manner we wanted to call special attention to this particular instance as we have become aware of some activity on the internet that we believe increases the likelihood of the exploitation of this vulnerability. Specifically, code has been published on several web sites that would allow someone to spread a worm/virus that takes advantage of the vulnerability in question thereby impacting your computing environment.

Although it is our goal to produce the most secure and dependable products possible, we do become aware of these types of vulnerabilities. In order to minimize the risks of such vulnerabilities to your computing environment, we encourage you to subscribe to the Windows Update service by going to http://www.windowsupdate.com <http://email.microsoft.com/m/s.asp?HB9707218726X2612304X228387X> and also subscribe to Microsoft's security notification service at
http://register.microsoft.com/subscription/subscribeme.asp?ID=135 <http://email.microsoft.com/m/s.asp?HB9707218726X2612305X228387X> if you have not already. By subscribing to these two services you will automatically receive information on the latest software updates and the latest security notifications thereby improving the likelihood that your computing environment will be safe from worms and viruses that occur.

We apologize for any inconvenience the implementation of this patch might cause and appreciate you taking the time to update your system.

Thank you,
Microsoft Corporation



Received on Mon Aug 4 15:24:00 2003

This archive was generated by hypermail 2.1.8 : Wed Aug 23 2006 - 14:01:34 EDT
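
An added example, not part of the original post or the archive: a Python sketch of the check the post performs by hand, reading the Received chain, building the reversed-octet name an RBL lookup uses, and comparing the relay's domain with the From domain. The header sample is trimmed from the post; mx.example.invalid and the zone dnsbl.example.invalid are constructed placeholders, and all function names are assumptions of this example.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Headers from the post above; the redacted "x" hops are left out and
# mx.example.invalid is a constructed stand-in for the redacted receiver.
RAW = """\
Received: from mh.microsoft.m0.net ([209.11.164.116]) by mx.example.invalid
\tvia smtpd with SMTP; 4 Aug 2003 14:11:56 UT
Received: from [209.11.138.126]
\tby 10.203.1.116 (mh.microsoft.m0.net) with SMTP; 04 Aug 2003 07:35:38 +0000
Message-ID: <9707218726.1060006307040@m0.net>
From: Microsoft <windowssecurity@email.microsoft.com>
Return-Path: windowssecurity@email.microsoft.com

"""

HOP = re.compile(r"from\s+(?:([\w.-]+)\s*\()?\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_hops(msg):
    """(claimed name, IP) per Received header, newest hop first."""
    found = (HOP.search(h) for h in msg.get_all("Received", []))
    return [m.groups() for m in found if m]

def org_domain(host):
    """Naive registered domain (last two labels); real code needs the Public Suffix List."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])

def dnsbl_name(ip, zone):
    """DNSBL lookups reverse the IPv4 octets and append the list's zone."""
    return ".".join(reversed(ip.split("."))) + "." + zone

def analyze(raw, zone="dnsbl.example.invalid"):  # zone is a placeholder
    msg = message_from_string(raw)
    hops = relay_hops(msg)
    if not hops:
        raise ValueError("no parsable Received header")
    # Only the newest hop was written by the receiving side; older ones are sender-supplied.
    name, ip = hops[0]
    from_dom = parseaddr(msg["From"])[1].rpartition("@")[2]
    msgid_dom = msg["Message-ID"].strip("<> ").rpartition("@")[2]
    return {
        "handoff_ip": ip,
        "dnsbl_query": dnsbl_name(ip, zone),
        "from_org": org_domain(from_dom),
        "relay_org": org_domain(name or ""),
        "msgid_org": org_domain(msgid_dom),
        "relay_matches_from": org_domain(name or "") == org_domain(from_dom),
    }

if __name__ == "__main__":
    for key, value in analyze(RAW).items():
        print(f"{key}: {value}")
```

The relay name carries "microsoft" as a label, but its registered domain is m0.net, which is the domain an RBL or a domain-based filter evaluates.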

