W32.Welchia.Worm/Blaster attacks are wake-up call for networks worldwide
In August, two new strains of very aggressive computer worms attacked a vulnerability in Microsoft's Remote Procedure Call (RPC) implementation, replicating at record speeds and slowing networks worldwide.
W32.Welchia: This worm exploits a particular vulnerability that affects a Distributed Component Object Model (DCOM) interface with RPC that handles DCOM object activation requests sent by client machines to the server. Affected machines include Windows 2000 and Windows XP. (Linux, Macintosh, OS/2, and Unix machines are not affected).
The worm scans for active machines to infect, replicating rapidly as each newly infected machine in turn scans for and infects others. The increased network traffic Welchia generates can cause serious slow-downs—even shut-downs—of individual networks.
Resources: Complete information on W32.Welchia, including instructions for protection and removal, is available from
W32.Blaster: This worm exploits the same RPC/DCOM vulnerabilities described above, using TCP port 135. Blaster targets Windows 2000 and Windows XP machines, running code of the attacker's choice.
Resources:
Important Note to UO Users: To protect yourself against W32 variants, UO Windows users should run the Microcomputer Services Security CD 2003 before connecting to UOnet. Do not attempt to download the security patches online, because your machine will become infected before you're able to download and install the patches.
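The network-side signature of the propagation described above is one host probing many neighbours on TCP port 135 in a short time. The following is an added example, not from the newsletter, that flags sources contacting more than a threshold of distinct hosts on port 135 within a sliding time window; the flow records are constructed, and the window and threshold values are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample_flows():
    """Construct sample flow tuples (timestamp, src, dst, dst_port).

    One worm-like host sweeps 30 consecutive addresses on TCP 135 in 30 seconds;
    one ordinary workstation talks to two DCOM servers and a web server.
    These records are constructed for the example, not captured traffic.
    """
    base = datetime(2003, 8, 12, 9, 0, 0)
    flows = []
    for i in range(30):  # infected host: distinct target per second on port 135
        flows.append((base + timedelta(seconds=i), "10.1.2.3", f"10.1.5.{i + 1}", 135))
    for i in range(10):  # benign host: repeated RPC to the same two servers
        dst = "10.1.7.10" if i % 2 else "10.1.7.11"
        flows.append((base + timedelta(seconds=3 * i), "10.1.2.9", dst, 135))
    flows.append((base, "10.1.2.9", "10.1.8.80", 80))  # unrelated web traffic
    return flows


def find_rpc_scanners(records, port=135, window=timedelta(seconds=60), threshold=20):
    """Return {src: peak_distinct_targets} for sources that contact more than
    `threshold` distinct hosts on `port` within any span of length `window`.

    Fan-out to many distinct hosts separates a scanning worm from a normal
    client, which repeatedly contacts a small, fixed set of servers.
    """
    by_src = defaultdict(list)
    for ts, src, dst, dst_port in records:
        if dst_port == port:
            by_src[src].append((ts, dst))

    flagged = {}
    for src, hits in by_src.items():
        hits.sort()  # order by timestamp so the window can slide forward
        start = 0
        for end in range(len(hits)):
            while hits[end][0] - hits[start][0] > window:
                start += 1  # drop hits that fell out of the window
            distinct = {dst for _, dst in hits[start:end + 1]}
            if len(distinct) > threshold:
                flagged[src] = max(flagged.get(src, 0), len(distinct))
    return flagged


if __name__ == "__main__":
    print(find_rpc_scanners(build_sample_flows()))  # {'10.1.2.3': 30}
```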
In addition to spreading via KaZaA file sharing and mIRC (an Internet Relay Chat program), this family of worms can also spread to computers already infected with common backdoor trojans. The Spybot worm copies itself to the System folder of machines running Windows 95/98/NT/2000/XP/Me, and can be configured to perform a denial of service attack on specified servers or to terminate security product processes.
Macintosh, OS/2, Unix, and Linux systems are not affected.
For complete details, including security recommendations, see Symantec's Security Response page at http://securityresponse.symantec.com/avcenter/venc/data/w32.spybot.worm.html
On September 3, Microsoft released five new security bulletins, one of which was rated critical.
Four of the newly discovered vulnerabilities affect Microsoft Office desktop software. Of these, a vulnerability in Visual Basic for Applications is of most concern, as it could be exploited to gain control of a targeted PC.
The four lesser problems included a flaw in Microsoft Word and a buffer overrun in the WordPerfect converter that were rated "important," a glitch in Access's snapshot designated "moderate," and a hole in NetBIOS that was not considered significant. Despite the lesser ratings, these vulnerabilities also have potentially serious consequences.
Microsoft reiterated its advice not to open unexpected email attachments and to keep up-to-date on all patches—especially those rated "critical." For more information on these particular vulnerabilities, see The Register "MS launches Office security blitz" at http://www.theregister.co.uk/content/55/32660.html
Get the patches. See Microsoft's Office Update page at http://office.microsoft.com/officeupdate/
Note that running Windows Update itself does not update Microsoft Office products! You must check for critical updates for Office separately.
In late August, Microsoft issued two more critical updates addressing security holes in its Internet Explorer 6 Service Pack 1 and Data Access Components. Both vulnerabilities could allow attackers to compromise Windows-based systems and execute malicious code.
IE 6 Service Pack 1: This vulnerability has the potential to compromise a system with IE installed—even if IE is not used as the web browser.
Get the patch. The cumulative patch for IE 6 (MS03-032: August 2003 Cumulative Patch for Internet Explorer) is available from http://support.microsoft.com/default.aspx?scid=kb;en-us;822925
Data Access Components (MDAC): This collection of components, which provide database connectivity on Windows operating systems, is likely to be present on most Windows systems. Versions earlier than 2.8 contain the flaw.
Get the patch. You can download the patch for this vulnerability ( MS03-033: Security Update for Microsoft Data Access Components ) from http://support.microsoft.com/default.aspx?scid=kb;en-us;823718
NGSSoftware security research breakthrough prevents stack-based buffer overflow vulnerabilities
On September 8, NGSSoftware published a paper that describes how to effectively defend against a vulnerability in Windows 2003 Server that leaves systems open to buffer overflow exploits. The paper may be downloaded from http://www.nextgenss.com/papers/defeating-w2k3-stack-protection.pdf
All Cisco devices running Cisco IOS software that are configured to process Internet Protocol version 4 (IPv4) packets are vulnerable to denial-of-service attacks. The vulnerability is described in a July CERT Advisory (CA-2003-15: Cisco IOS Interface Blocked by IPv4 Packet) at http://www.cert.org/advisories/CA-2003-15.html as well as a Cisco Security Advisory ( http://cisco.com/warp/public/707/cisco-sa-20030717-blocked.shtml )
Installing the latest release of Sendmail fixes a known security problem and fixes other potential problems. For full details, including download information, see http://www.sendmail.org/8.12.10.html
A patch is also available from http://www.sendmail.org/parse8.359.2.8.html
On September 10, iDEFENSE ( http://www.idefense.com/ ) identified two exploitable overflows in the email program Pine. Pine versions 4.56 and earlier are vulnerable. You can fix both these issues by upgrading to Pine 4.58, available from http://www.washington.edu/pine/getpine/
View the locations of detected anomalies, by netblock, at http://isc.incidents.org/source_report.html
You may be getting hit by Messenger spam. To make it stop, see http://www.stopmessengerspam.com/
A University of Iowa site has a comprehensive list of examples and steps for repairing Windows compromises at http://www.its.uiowa.edu/cio/ITSecurity/documents/compromise/
Last July, Amazing Internet Products' order log (inadvertently exposed by a security flaw in one of its websites) revealed that some 6000 people responded to the company's email ads and purchased penis-enlargement pills. The company grossed more than half a million dollars in one month. (For the full story on Amazing Internet Products, see the Wired News article, "Swollen Orders Show Spam's Allure" at http://www.wired.com/news/business/0,1367,59907,00.html )