It looks like you're using an Ad Blocker.
Please white-list or disable AboveTopSecret.com in your ad-blocking tool.
Thank you.
Some features of ATS will be disabled while you continue to use an ad-blocker.
SCI/TECH: Internet Threat News 5/11/2004
page: 10
share:
There is much computer security related information being released this week, although it is not as harrying as the first week of May. Some new
flavors of old threats have been spotted, a couple of new villains are loose and more security flaws need patching.
Microsoft �Patch of the Month Club�
Microsoft Windows Security Bulletin Summary for May, 2004
Microsoft's Windows XP and Windows Server 2003, its flagship client and server operating systems, are vulnerable to attacks because of a flaw in the �Help and Support Center� feature. "An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft warned. The attack could be triggered by simply visiting a maliciously constructed Web site or viewing an e-mail message.
Technical Details from Microsoft:
MS04-015 - Vulnerability in Help and Support Center Could Allow Remote Code Execution
Affected Software:
- Windows XP and Windows XP Service Pack 1
- Windows XP 64-Bit Edition Service Pack 1
- Windows XP 64-Bit Edition Version 2003
- Windows Server 2003
- Windows Server 2003 64-Bit Edition
www.microsoft.com...
Since keeping your Windows box up-to-date has never been as important as now, this next item raises some eyebrows.
Will MS Allow Pirate Copies of its OS to install WinXP SP2?
It looks like the answer is �No.� Service Pack 2, which will be released soon for download and given away free on discs via retail stores, may not be available to users who run illegal copies of Windows. This has been a subject of controversy since it seemingly puts profits ahead of the risk of having thousands of un-patched, un-secure computers connected to the Internet.
www.theregister.co.uk...
SP2 will check the product ID used by the machine it is being installed on, and if the ID matches Microsoft's list of known pirated IDs, then it won't install. Which means it looks like it's going to do pretty much the same as SP1 did, and that the checking systems Microsoft implemented at Windows Update will at the very least remain in force.
Related Sources:
zdnet.com.com...
www.eweek.com...
Microsoft Updates �Sasser� Removal Tool
Microsoft Sasser Removal Tool
The free Sasser tool (which can be downloaded from Microsoft's Website) now detects and removes five instances of Sasser. BUT! A sixth �Sasser� variant (see next item) has been found �in the wild.� Truly, it is the tale that never ends.
Symantec on "Sasser.F"
W32.Sasser.F.Worm is a variant of W32.Sasser.Worm. This worm attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses for vulnerable systems.
W32.Sasser.F.Worm differs from W32.Sasser.Worm as follows:
Uses a different mutex: billgate.
Uses a different file name: napatch.exe.
Creates a different value in the registry: "napatch.exe."
New �Sasser� Worms Released Despite Recent Arrest
Undeterred by the arrest of Swen Jaschan in Germany last Friday, coders have released a new Sasser variant (Sasser-F) and the first worm in a new strain, Cycle-A. Both worms exploit a hole in Window's Local Security Authority Subsystem Service (LSASS) component. Neither is spreading particularly widely and most AV vendors place them low on the peril index.
www.theregister.co.uk...
New Mass-mailing worm: �Wallon�
A new, low-to-medium risk Mass-mailing worm, �Wallon,� attempts to trick the user into downloading a copy of itself using a URL in an email message, then installing automatically via an un-patched security flaw.
www.symantec.com...@mm.html
W32.Wallon.A@mm is a mass-mailing worm that sends out emails containing a hyperlink to download the worm body from certain URL. It also harvests email addresses on the infected machine. The worm exploits the following vulnerability:
[Related Sources]
TrendMicro - "Wallon"
F-Secure - "Wallon"
Here is a bit of good news. To further increase the number of security options for the end-user, a major player in the motherboard chipset arena is integrating firewall technology into some of their upcoming products.
Nvidia brings hardware firewall to Athlon XP rigs
www.theregister.co.uk...
Nvidia has upgraded its AMD Athlon XP-oriented chipset, the nForce 2, to add a Gigabyte Ethernet interface to the product, RAID and a TCP/IP packet processing core the company is pitching as a "hardware-optimised firewall security solution".
Just to be fair I will include a Mac news item. It is a week old announcement, so �news� might not be an appropriate term, but it will make it seem less like beating up on Microsoft!
Apple Issues Patch for Mac OS X
www.internetnews.com...
Apple Computer has rolled out a major security update to plug several vulnerabilities in its flagship Mac OS X server and client versions. The patch, which is being described as "highly critical," addresses security issues with the AFP Server, CoreFoundation and IPSec and also integrates a previously issued patch which contained bugs, Apple said.
[Edited on 11-5-2004 by Banshee]
Microsoft �Patch of the Month Club�
Microsoft Windows Security Bulletin Summary for May, 2004
Microsoft's Windows XP and Windows Server 2003, its flagship client and server operating systems, are vulnerable to attacks because of a flaw in the �Help and Support Center� feature. "An attacker who successfully exploited this vulnerability could take complete control of an affected system," Microsoft warned. The attack could be triggered by simply visiting a maliciously constructed Web site or viewing an e-mail message.
Technical Details from Microsoft:
MS04-015 - Vulnerability in Help and Support Center Could Allow Remote Code Execution
Affected Software:
- Windows XP and Windows XP Service Pack 1
- Windows XP 64-Bit Edition Service Pack 1
- Windows XP 64-Bit Edition Version 2003
- Windows Server 2003
- Windows Server 2003 64-Bit Edition
www.microsoft.com...
Since keeping your Windows box up-to-date has never been as important as now, this next item raises some eyebrows.
Will MS Allow Pirate Copies of its OS to install WinXP SP2?
It looks like the answer is �No.� Service Pack 2, which will be released soon for download and given away free on discs via retail stores, may not be available to users who run illegal copies of Windows. This has been a subject of controversy since it seemingly puts profits ahead of the risk of having thousands of un-patched, un-secure computers connected to the Internet.
www.theregister.co.uk...
SP2 will check the product ID used by the machine it is being installed on, and if the ID matches Microsoft's list of known pirated IDs, then it won't install. Which means it looks like it's going to do pretty much the same as SP1 did, and that the checking systems Microsoft implemented at Windows Update will at the very least remain in force.
Related Sources:
zdnet.com.com...
www.eweek.com...
Microsoft Updates �Sasser� Removal Tool
Microsoft Sasser Removal Tool
The free Sasser tool (which can be downloaded from Microsoft's Website) now detects and removes five instances of Sasser. BUT! A sixth �Sasser� variant (see next item) has been found �in the wild.� Truly, it is the tale that never ends.
Symantec on "Sasser.F"
W32.Sasser.F.Worm is a variant of W32.Sasser.Worm. This worm attempts to exploit the LSASS vulnerability described in Microsoft Security Bulletin MS04-011. It spreads by scanning randomly selected IP addresses for vulnerable systems.
W32.Sasser.F.Worm differs from W32.Sasser.Worm as follows:
Uses a different mutex: billgate.
Uses a different file name: napatch.exe.
Creates a different value in the registry: "napatch.exe."
New �Sasser� Worms Released Despite Recent Arrest
Undeterred by the arrest of Swen Jaschan in Germany last Friday, coders have released a new Sasser variant (Sasser-F) and the first worm in a new strain, Cycle-A. Both worms exploit a hole in Window's Local Security Authority Subsystem Service (LSASS) component. Neither is spreading particularly widely and most AV vendors place them low on the peril index.
www.theregister.co.uk...
New Mass-mailing worm: �Wallon�
A new, low-to-medium risk Mass-mailing worm, �Wallon,� attempts to trick the user into downloading a copy of itself using a URL in an email message, then installing automatically via an un-patched security flaw.
www.symantec.com...@mm.html
W32.Wallon.A@mm is a mass-mailing worm that sends out emails containing a hyperlink to download the worm body from certain URL. It also harvests email addresses on the infected machine. The worm exploits the following vulnerability:
[Related Sources]
TrendMicro - "Wallon"
F-Secure - "Wallon"
Here is a bit of good news. To further increase the number of security options for the end-user, a major player in the motherboard chipset arena is integrating firewall technology into some of their upcoming products.
Nvidia brings hardware firewall to Athlon XP rigs
www.theregister.co.uk...
Nvidia has upgraded its AMD Athlon XP-oriented chipset, the nForce 2, to add a Gigabyte Ethernet interface to the product, RAID and a TCP/IP packet processing core the company is pitching as a "hardware-optimised firewall security solution".
Just to be fair I will include a Mac news item. It is a week old announcement, so �news� might not be an appropriate term, but it will make it seem less like beating up on Microsoft!
Apple Issues Patch for Mac OS X
www.internetnews.com...
Apple Computer has rolled out a major security update to plug several vulnerabilities in its flagship Mac OS X server and client versions. The patch, which is being described as "highly critical," addresses security issues with the AFP Server, CoreFoundation and IPSec and also integrates a previously issued patch which contained bugs, Apple said.
[Edited on 11-5-2004 by Banshee]
Nice job Spectre.
I might start coming here for my info, 'stead of NAI, or Microsoft!
Just wanted you to know that
we might be winning the battle with
GFI languard, and that Microsofts Baseline Security analyzer is the engine for checking patched machines
For SMS 2003.
The catch is that it misses a lot of NT4
machines. We have to run NT4 for a while longer, due to
an old front end publishing system we still own. Once NT is gone, we may make the move..
I might start coming here for my info, 'stead of NAI, or Microsoft!
Just wanted you to know that
we might be winning the battle with
GFI languard, and that Microsofts Baseline Security analyzer is the engine for checking patched machines
For SMS 2003.
The catch is that it misses a lot of NT4
machines. We have to run NT4 for a while longer, due to
an old front end publishing system we still own. Once NT is gone, we may make the move..
Thanks, SD. It is good to hear from you.
I agree; LANGuard and MBSA -along with the IIS Lockdown tool- have saved much time and sorrow. Thankfully our honeypots have "sacrificial lambs" have been the only victims of worm/virus/hacking exploits to date. Fortunately for us, we are down to a lone NT4 box which is pretty easy to babysit and is a strictly internal server. I hope you have continued good luck with your "War on Patches."
To make you shake your head, get a load of these notes from the most recent SANS Newsletter:
Security Policies Fail Because They Are Ignored
Security manager reports that security policies are routinely ignored, "No one uses these documents. They just sit in a binder on a bookshelf or in a shared disk...."
www.computerworld.com...
Many Companies Don't Maintain Adequate Log Files
Research from NTA Monitor, a European security testing company, shows that companies often do not adequately maintain log files that could be used as evidence in the event of an intrusion or other security breach. Some errors companies make include not turning on logging for various reasons, keeping logs for just a short period of time, storing log data in public folders and neglecting time synchronization.
www.vnunet.com...
[Editor's Note (Tan): When responding to incidents, some don't even know where the log files are stored. In many cases, log files are alien to them.
Now doesn't that just make you feel all warm inside about computer security?
I agree; LANGuard and MBSA -along with the IIS Lockdown tool- have saved much time and sorrow. Thankfully our honeypots have "sacrificial lambs" have been the only victims of worm/virus/hacking exploits to date. Fortunately for us, we are down to a lone NT4 box which is pretty easy to babysit and is a strictly internal server. I hope you have continued good luck with your "War on Patches."
To make you shake your head, get a load of these notes from the most recent SANS Newsletter:
Security Policies Fail Because They Are Ignored
Security manager reports that security policies are routinely ignored, "No one uses these documents. They just sit in a binder on a bookshelf or in a shared disk...."
www.computerworld.com...
Many Companies Don't Maintain Adequate Log Files
Research from NTA Monitor, a European security testing company, shows that companies often do not adequately maintain log files that could be used as evidence in the event of an intrusion or other security breach. Some errors companies make include not turning on logging for various reasons, keeping logs for just a short period of time, storing log data in public folders and neglecting time synchronization.
www.vnunet.com...
[Editor's Note (Tan): When responding to incidents, some don't even know where the log files are stored. In many cases, log files are alien to them.
Now doesn't that just make you feel all warm inside about computer security?
Yep,
In some ways I understand. The threats have become so numerous now. Compared to just a few years ago,
when, only 2 or 3 times a year, did folks have to gear up
and watch for breaches and Virii. I'll bet a lot of these people haven't lost significant amounts of data, or missed deadlines....YET.
Sometimes, thats what it takes.
BTW it's my turn to go on vacation.
YES!
In some ways I understand. The threats have become so numerous now. Compared to just a few years ago,
when, only 2 or 3 times a year, did folks have to gear up
and watch for breaches and Virii. I'll bet a lot of these people haven't lost significant amounts of data, or missed deadlines....YET.
Sometimes, thats what it takes.
BTW it's my turn to go on vacation.
YES!
Originally posted by Spectre
Will MS Allow Pirate Copies of its OS to install WinXP SP2?
It looks like the answer is �No.� Service Pack 2, which will be released soon for download and given away free on discs via retail stores, may not be available to users who run illegal copies of Windows. This has been a subject of controversy since it seemingly puts profits ahead of the risk of having thousands of un-patched, un-secure computers connected to the Internet.
www.theregister.co.uk...
SP2 will check the product ID used by the machine it is being installed on, and if the ID matches Microsoft's list of known pirated IDs, then it won't install. Which means it looks like it's going to do pretty much the same as SP1 did, and that the checking systems Microsoft implemented at Windows Update will at the very least remain in force.
Hey, recently taken from slashdot.com, pirated copies of xp will be able to use sp2, windows felt security took top priority in this situation. wow, m$ being responcible.
slashdot.org.../05/09/142203&mode=thread&tid=126&tid=172&tid=185&tid=190&tid=201
[Edited on 13-5-2004 by illuminatus destructus]
Important Update!
Symantec Security Software Vulnerable to Attack
We saw with the "Witty" worm the destructive potential of a malicious application that specifically attacks a flaw in the very software that is designed to defend again such attacks. Now it has been discovered that a number of Symantec products have a High-risk vulnerability that could be exploited by a future worm. The ISS products targetted by "Witty" were arguably not as popular with the home user or as widely distributed as these Symantec packages.
eEye on Symantec Flaws
eEye Digital Security has discovered a critical vulnerability in the Symantec firewall product line that would allow a remote, anonymous attacker to execute arbitrary code on a system running an affected version of the product. By sending a single specially-crafted NetBIOS Name Service (UDP port 137) packet to a vulnerable host, an attacker could cause an arbitrary memory location to be overwritten with data he or she controls, leading to the execution of attacker-supplied code with kernel privileges and the absolute compromise of the target.
The port which would have to be attacked is not enabled by default, but is often opened to facilitate easy file sharing.
List of vulnerable products:
Symantec Norton Internet Security 2002
Symantec Norton Internet Security 2003
Symantec Norton Internet Security 2004
Symantec Norton Internet Security Professional 2002
Symantec Norton Internet Security Professional 2003
Symantec Norton Internet Security Professional 2004
Symantec Norton Personal Firewall 2002
Symantec Norton Personal Firewall 2003
Symantec Norton Personal Firewall 2004
Symantec Client Firewall 5.01, 5.1.1
Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)
Symantec Norton AntiSpam 2004
EDIT: Download the update
[Edited on 14-5-2004 by Spectre]
Symantec Security Software Vulnerable to Attack
We saw with the "Witty" worm the destructive potential of a malicious application that specifically attacks a flaw in the very software that is designed to defend again such attacks. Now it has been discovered that a number of Symantec products have a High-risk vulnerability that could be exploited by a future worm. The ISS products targetted by "Witty" were arguably not as popular with the home user or as widely distributed as these Symantec packages.
eEye on Symantec Flaws
eEye Digital Security has discovered a critical vulnerability in the Symantec firewall product line that would allow a remote, anonymous attacker to execute arbitrary code on a system running an affected version of the product. By sending a single specially-crafted NetBIOS Name Service (UDP port 137) packet to a vulnerable host, an attacker could cause an arbitrary memory location to be overwritten with data he or she controls, leading to the execution of attacker-supplied code with kernel privileges and the absolute compromise of the target.
The port which would have to be attacked is not enabled by default, but is often opened to facilitate easy file sharing.
List of vulnerable products:
Symantec Norton Internet Security 2002
Symantec Norton Internet Security 2003
Symantec Norton Internet Security 2004
Symantec Norton Internet Security Professional 2002
Symantec Norton Internet Security Professional 2003
Symantec Norton Internet Security Professional 2004
Symantec Norton Personal Firewall 2002
Symantec Norton Personal Firewall 2003
Symantec Norton Personal Firewall 2004
Symantec Client Firewall 5.01, 5.1.1
Symantec Client Security 1.0, 1.1, 2.0(SCF 7.1)
Symantec Norton AntiSpam 2004
EDIT: Download the update
[Edited on 14-5-2004 by Spectre]
new topics
-
The US Supreme Court Appears to Side With the January 6th 2021 Capitol Protestors.
Political Conspiracies: 41 minutes ago -
That which the "news" never talks about; Truth about election fraud
Mainstream News: 2 hours ago -
Biden doesnt want the votes of "Death to America" chanters
US Political Madness: 2 hours ago -
Horizon Post office scandal
Regional Politics: 2 hours ago -
Joe Biden and Donald Trump are both traitors
US Political Madness: 4 hours ago -
I'm new here. Avid conspiracy fan.
Introductions: 5 hours ago -
Denmark's Notre-Dame moment - 17th Century Borsen goes up in Flames
Mainstream News: 6 hours ago
top topics
-
Suspected Iranian agent working for Pentagon while U.S. coordinated defense of Israel
US Political Madness: 14 hours ago, 17 flags -
The Baloney aka BS Detection Kit
Social Issues and Civil Unrest: 14 hours ago, 7 flags -
That which the "news" never talks about; Truth about election fraud
Mainstream News: 2 hours ago, 6 flags -
Denmark's Notre-Dame moment - 17th Century Borsen goes up in Flames
Mainstream News: 6 hours ago, 4 flags -
How does my computer know
Education and Media: 17 hours ago, 3 flags -
Joe Biden and Donald Trump are both traitors
US Political Madness: 4 hours ago, 3 flags -
I'm new here. Avid conspiracy fan.
Introductions: 5 hours ago, 3 flags -
Biden doesnt want the votes of "Death to America" chanters
US Political Madness: 2 hours ago, 2 flags -
The US Supreme Court Appears to Side With the January 6th 2021 Capitol Protestors.
Political Conspiracies: 41 minutes ago, 2 flags -
Horizon Post office scandal
Regional Politics: 2 hours ago, 1 flags
0