In mid-March, Microsoft announced a new critical flaw in Windows that could allow an attacker to run malicious programs on a user’s computer. The flaw, which lies in the way Windows interprets and executes JScript, exposes users who open an email or web page containing malicious script.
Get the patch. All Windows users are urged to run Windows Update at once, or download the patch immediately from Microsoft’s security website at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-008.asp
Microsoft also reminds users to use discretion when choosing what websites to visit, or what links to open in an email.
A newly identified critical security vulnerability in Windows 2000 could allow an attacker to take control of computers used as web servers. Thus far, only IIS 5.0 servers with WebDAV enabled have been affected, but the affected DLL is a core operating system component, so other exploits may exist.
Complete information about this vulnerability is available from CERT (Advisory CA-2003-09, “Buffer Overflow in Core Microsoft DLL”) at http://www.cert.org/advisories/CA-2003-09.html and Microsoft (Security Bulletin MS03-007, “Unchecked Buffer in Windows Component Could Cause Web Server Compromise”) at http://www.microsoft.com/technet/security/bulletin/ms03-007.asp
Get the patch. You should download the patch immediately from Microsoft at
http://www.microsoft.com/downloads/details.aspx?FamilyId=C9A38D45-5145-4844-B62E-C69D32AC929B&displaylang=en
NT 4.0 too flawed to fix
On March 26, Microsoft released an “important” security bulletin (MS03-010) regarding its Remote Procedure Call (RPC) communication protocol. This protocol contains a flaw that could allow a remote attacker to launch a denial of service attack on a Windows machine.
Patches are available for Windows 2000 and XP, but not for NT 4.0. Microsoft cites “architectural limitations” as an impediment to removing the vulnerability in NT 4.0, and urges NT users to employ a firewall instead. Both the NT workaround and patches for 2000/XP are available at http://www.microsoft.com/technet/security/bulletin/MS03-010.asp?frame=true
In late April, Microsoft issued new patches for security flaws discovered in its Internet Explorer and Outlook Express applications. IE 5.01, 5.5, and 6.0 are all affected by four flaws, the worst of which could allow an attacker to take control of a victim’s computer. The Outlook Express vulnerability results from an error in the software that handles the encapsulation of HTML in emails, and it could also allow an attacker to run programs on a victim’s computer.
Even if you don’t use either Microsoft Outlook Express or Internet Explorer on your Windows machine, you are advised to install the updates.
For more details, see Microsoft’s Security Bulletin MS03-014 at http://www.microsoft.com/security/security_bulletins/ms03-014.asp
This March, Internet Security System researchers reported discovering two vulnerabilities in Sendmail that could be exploited to cause a denial-of-service condition and allow an intruder to gain control of a Sendmail server.
1. Mail transfer agents exploit. This particular Sendmail exploit is triggered by a malicious email message that can be passed undetected via mail transfer agents (MTAs) on a network system—even penetrating many common packet filters or firewalls.
Get the patch. System administrators should apply the appropriate patch, as listed on the CERT Advisory site at http://www.cert.org/advisories/CA-2003-07.html
2. Address parsing code. Because of a flaw in Sendmail’s address parsing code, an email message with a specially crafted address could trigger a stack overflow. CERT warned that most medium- to large-sized organizations are likely to have at least one vulnerable Sendmail server, and common packet filters or firewalls are an inadequate defence against this exploit.
Get the patch. System administrators should apply the appropriate patch, as listed on the CERT Advisory site at http://www.cert.org/advisories/CA-2003-12.html
Users of versions prior to 0.9.6i and 0.9.7a are strongly advised to upgrade
Security researchers at a Swiss university recently uncovered a weakness in a common security protocol supported by all major web browsers.
Their tests demonstrated that Secure Sockets Layer (SSL) and Transport Layer Security (TLS) with CBC encryption could be compromised by a timing-based attack on a local network server. This vulnerability is described in detail in a paper by David Brumley and Dan Boneh, “Remote Timing Attacks Are Practical,” which is available in PDF format at http://crypto.stanford.edu/~dabo/papers/ssl-timing.pdf
Upgrading to OpenSSL 0.9.7a (most desirable) or 0.9.6i is recommended. If such an upgrade is not immediately possible, a source code patch is available at http://www.openssl.org/news/secadv_20030219.txt
Two buffer overrun vulnerabilities in Microsoft’s SQL Server 2000 database server caused havoc last January 25 when the so-called “SQL Slammer Virus” was released on the Internet, degrading network performance worldwide.
The SQL Slammer worm has a powerful denial-of-service capability. It spreads by sending a large number of UDP packets to randomly generated IP addresses, generating huge, paralyzing amounts of traffic as it goes.
Affected systems include:
Get the patch. Although Microsoft first reported this SQL vulnerability in July 2002 and released a patch for it, many servers remained unpatched and vulnerable. Systems administrators are urged to immediately install the patch, which is available at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-039.asp
You'll find more information on the SQL server worm at
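The spreading behaviour described above (one host spraying UDP at a large number of random destinations) is something a network monitor can flag directly. The following is an added example, not code from the original newsletter: it runs a sliding-window fan-out detector over constructed flow records. Port 1434 (the SQL Server resolution service that Slammer targeted) is used as the default port, and the threshold and window values are assumptions to tune per site.

```python
from collections import defaultdict, deque


def build_sample_flows():
    """Constructed flow records: (ts_seconds, src_ip, dst_ip, proto, dst_port)."""
    flows = []
    # Benign: a client sending many DNS queries to the same two resolvers.
    for i in range(80):
        flows.append((i * 0.05, "10.0.0.5", "10.0.0.%d" % (1 + i % 2), "udp", 53))
    # Benign: an admin tool probing a handful of SQL servers (well under threshold).
    for i in range(5):
        flows.append((2.0 + i, "10.0.0.9", "10.0.1.%d" % (i + 1), "udp", 1434))
    # Worm-like: one host spraying UDP/1434 at 60 distinct destinations in 3 seconds.
    for i in range(60):
        flows.append((5.0 + i * 0.05, "10.0.0.42", "203.0.113.%d" % (i + 1), "udp", 1434))
    return flows


def find_udp_fanout(flows, port=1434, window=10.0, threshold=50):
    """Return {src_ip: peak_distinct_dst_count} for every source that reaches at
    least `threshold` distinct destinations on UDP/`port` within any span of
    `window` seconds. Flows are processed in time order with a per-source deque
    holding only the records still inside the window."""
    recent = defaultdict(deque)  # src -> deque of (ts, dst) inside the window
    alerts = {}
    for ts, src, dst, proto, dport in sorted(flows):
        if proto != "udp" or dport != port:
            continue
        q = recent[src]
        q.append((ts, dst))
        while q and ts - q[0][0] > window:  # evict records older than the window
            q.popleft()
        distinct = len({d for _, d in q})
        if distinct >= threshold:
            alerts[src] = max(distinct, alerts.get(src, 0))
    return alerts


if __name__ == "__main__":
    for src, count in find_udp_fanout(build_sample_flows()).items():
        print("ALERT: %s reached %d distinct hosts on UDP/1434" % (src, count))
```

On real data, feed the function flow records from the firewall or NetFlow collector; the DNS client in the sample shows why the count must be of distinct destinations rather than of packets.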
A hacker broke into a University of Texas database in late February, compromising the personal information of nearly 60,000 staff members and students. University officials acknowledged that the break-in could easily have been prevented with basic precautions, and redoubled their efforts to phase out most uses of Social Security numbers on campus as quickly as possible.
In addition to 59,000 names and Social Security numbers, the hacker obtained email addresses and some office addresses and phone numbers of current faculty, leaving them vulnerable to the crime of identity theft. (The hacker, a UT student, was soon apprehended. See http://www.dailytexanonline.com/vnews/display.v/ART/2003/03/17/3e75d4b44ed82 for details.)
In an article posted March 14, 2003, on eWeek (http://www.eweek.com/article2/0,3959,933132,00.asp), Timothy Dyck discusses the lessons learned from this attack — in particular, the need to implement intrusion detection capabilities in web applications.
In late January, security experts warned Sprint DSL customers that weak security controls on their DSL modems put them at risk of having their email addresses and passwords stolen—even when their computers were powered off.
The ZyXEL Communications DSL modems issued by Sprint to tens of thousands of its FastConnect broadband customers are protected by the default password “1234”. Until recently, Sprint didn’t provide instructions for resetting this administrative password, and many of its customers were unaware of the need to set their own password to safeguard access to their personal information. Leaving the modem password at the widely known default exposed users to remote attack even when they shut down their computers, because the ZyXEL modems usually remain powered on.
After the problem was reported, Sprint published instructions for changing the administrative password on ZyXEL modems online at http://csb.sprint.com/home/local/dslhelp/release645m.html
Immediate upgrade to 2.2.8 advised
A recently discovered flaw in the main smbd code of the Open Source Samba freeware suite could allow an attacker to anonymously gain root privileges on a server running Samba. The flaw exists in all versions of Samba from 2.0.x to 2.2.7a, and users are urged to either update to v. 2.2.8 immediately or prohibit access to TCP ports 139 and 445.
Release notes for the Samba upgrade are available at http://us1.samba.org/samba/whatsnew/samba-2.2.8.html. This page also contains a full description of the vulnerability, as well as advice for protecting an unpatched Samba server. You may download the source code for Samba 2.2.8 from http://download.samba.org/samba/ftp/