[ISN] Security UPDATE--Combined Attack Methods--June 30, 2004

From: InfoSec News (isn@private)
Date: Thu Jul 01 2004 - 04:31:39 PDT

    1. In Focus: Combined Attack Methods
    2. Security News and Features
       - Recent Security Vulnerabilities
       - News: Vulnerable IIS Sites and IE Users Under Attack
       - News: AOL Engineer Charged with Selling Screen Names to Spammer
       - News: MasterCard and NameProtect Team to Stop Phishing
    3. Instant Poll
    4. Security Toolkit
       - FAQ
       - Featured Thread
    5. New and Improved
       - Monitoring Software Bundle Reduces Prices
    ==== 1. In Focus: Combined Attack Methods ====
       by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

    The June 16 Security UPDATE includes a link to the news story "New IE
    Flaws Might Allow Code Injection," which describes a relatively new
    attack method being used by both intruders and purveyors of suspicious
    or malicious software to infest systems that use Microsoft Internet
    Explorer (IE). Jelmer Kuperus said that the attack uses JavaScript,
    iframes, PHP, and timing techniques to gain access to the trusted
    intranet zone on a user's system. According to Kuperus, the exploit
    also "uses several known vulnerabilities and two previously unknown
    vulnerabilities." One of the vulnerabilities, for which no patch
    exists, involves ActiveX Data Objects (ADO).

    Through this attack method that uses multiple vulnerabilities, many
    people's systems (possibly even the systems of some of you readers)
    have become infected with various sorts of software, most of which is
    annoying, if not outright dangerous. For example, nefarious entities
    have installed adware that generates an endless stream of pop-up
    windows on users' systems. That's the lighter side of the problem.

    As you can learn by reading the news story "Vulnerable IIS Sites and
    IE Users Under Attack" below, yet another factor was added to the mix
    last week, this time involving Microsoft IIS. Using the IIS
    vulnerability described in Microsoft Security Bulletin MS04-011
    (Security Update for Microsoft Windows) on systems that haven't yet
    been updated with a patch that's been available since mid-April,
    intruders can inject JavaScript into a server's Web pages. The
    JavaScript then uses a technique similar to the one I described above
    to get IE to download Trojan horse software onto an unsuspecting
    user's system. The Trojan horse program then gathers ("phishes")
    log-on and financial information.

    So now instead of intruders having to establish their own Web sites to
    host malicious JavaScript code, they're penetrating unpatched IIS
    systems around the Internet that host legitimate Web sites. As Bugtraq
    mailing list moderator David Ahmad points out in a June 25 posting,
    these combined vulnerabilities have "no dependence on version or
    memory layout or any other such messy factors, firewalls are totally
    irrelevant and VPNs become basically a free ride in, [and] the browser
    doesn't end up crashing (i.e., the victim remains blissfully unaware
    that they've been owned)." These combined vulnerabilities have the
    potential to become devastating.

    Some preventive steps are obvious, and some aren't so obvious,
    depending on the user or administrator. Obviously, loading the IIS
    patch MS04-011 on your servers will stop intruders from manipulating
    the servers' Web pages into hosting malicious code. Turning off
    scripting in the IE security zones will also protect users to a
    certain extent. But in countless scenarios, turning scripting off just
    isn't possible. And sometimes scripting is essential to a Web site's
    usability. Many of you probably already know how to improve security
    in IE, but in case you don't, Microsoft has some recommendations that
    you can read at the following URL:

    One workaround if you can't turn off scripting is to disable ADO
    databases (ADODB) in IE. Drew Copley of eEye Digital Security wrote a
    simple registry script that does this very thing and one that undoes
    the changes. He also wrote an executable program that disables and
    re-enables ADODB. You can download the scripts and executable program
    at the eEye Web site.

    Another way of protecting IE systems against ADODB attacks is to use
    PivX Solutions' Qwik-Fix, which protects IE against a variety of
    intrusion methods. Recently, the company made available a version of
    Qwik-Fix for enterprise environments. I don't know of any other tool
    that provides the same sort of functionality.
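
The two IE-side measures named in the column above (scripting in the security zones, and disabling ADODB) can be audited from a registry export. The following is an added example, not eEye's script and not code from the newsletter. It assumes the ADO control in question is ADODB.Stream, that the block is applied through IE's ActiveX kill bit, and that the settings were exported to a .reg file; the sample export is constructed.

```python
import re

# Constructed sample of a .reg export; not taken from a real system.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
"Compatibility Flags"=dword:00000400

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\1]
"1400"=dword:00000000

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones\3]
"1400"=dword:00000003
'''

# Assumption: the ADO control to block is ADODB.Stream (CLSID per Microsoft).
ADODB_STREAM = "{00000566-0000-0010-8000-00AA006D2EA4}"
KILLBIT_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility"
ZONES_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones"
KILL_BIT = 0x400          # Compatibility Flags bit: IE refuses to instantiate the control
SCRIPTING = "1400"        # zone action "Active scripting"; 0 = enable, 1 = prompt, 3 = disable
ZONES = {"1": "Local intranet", "3": "Internet"}

def parse_reg(text):
    """Return {key path (lower-cased): {value name (lower-cased): int}} for dword values."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(text):
    """List the hardening gaps visible in one .reg export."""
    keys = parse_reg(text)
    def value(key, name):
        return keys.get(key.lower(), {}).get(name.lower())
    findings = []
    if not (value(KILLBIT_KEY + "\\" + ADODB_STREAM, "Compatibility Flags") or 0) & KILL_BIT:
        findings.append("ADODB.Stream kill bit not set")
    for zone, name in ZONES.items():
        if value(ZONES_KEY + "\\" + zone, SCRIPTING) != 3:  # unset counts as a gap
            findings.append(f"Active scripting not disabled in {name} zone")
    return findings
```

A value that is absent from the export is reported as a gap, because the export alone does not show the setting as disabled; zone settings can also be supplied by machine-wide policy, which this check does not read.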
    ==== 2. Security News and Features ====
    Recent Security Vulnerabilities
       If you subscribe to this newsletter, you also receive Security
    Alerts, which inform you about recently discovered security
    vulnerabilities. You can also find information about these discoveries
    News: Vulnerable IIS Sites and IE Users Under Attack
       A new form of attack is spreading over the Internet. The attack
    affects unpatched Microsoft IIS systems, which then attack unprotected
    Microsoft Internet Explorer (IE) systems.
    News: AOL Engineer Charged with Selling Screen Names to Spammer
       Jason Smathers, an America Online (AOL) engineer, has been arrested
    and charged with stealing tens of millions of AOL screen names (email
    addresses) and selling them. Sean Dunaway, who purchased the addresses
    from Smathers, has also been charged. He is accused of sending spam to
    AOL customers and selling the list of AOL screen names to other
    News: MasterCard and NameProtect Team to Stop Phishing
       MasterCard International and NameProtect announced a partnership in
    which NameProtect will provide its services to MasterCard to help stop
    phishing scams and illegal credit card use.
    ==== 3. Instant Poll ====
    Results of Previous Poll
       The voting has closed in the Windows & .NET Magazine Network
    Security Web page nonscientific Instant Poll for the question, "Where
    are your wireless Access Points (APs)?" Here are the results from the
    59 votes.
       - 42% Inside the border firewall
       - 24% Outside the border firewall
       - 34% Between the border firewall and an internal firewall
    New Instant Poll
       The next Instant Poll question is, "Which Web browser does your
    company currently use for Internet (as opposed to intranet) browsing?"
    Go to the Security Administrator Web site and submit your vote for:
       - Microsoft Internet Explorer (IE)
       - Mozilla
       - Firefox
       - Opera
       - Other
    ==== 4. Security Toolkit ====
    FAQ: How Can I Enable a Connection to a Machine over RDP and Through a
       by John Savill, http://www.winnetmag.com/windowsnt20002003faq
    A. RDP operates over TCP port 3389. To enable connectivity to any
    machine on the network through a firewall, open this port on the
    firewall. To connect to a particular system on the LAN, configure port
    forwarding on the firewall to send traffic from port 3389 to that
    Featured Thread: Running Multiple Antivirus Scanners
       (Three messages in this thread)
       A reader wants to know whether running two different antivirus
    software packages on a network at the same time is a good idea. If
    yes, why? If no, why not? Lend a hand or read the responses:
    ==== 5. New and Improved ====
       by Jason Bovberg, products@private
    Monitoring Software Bundle Reduces Prices
       GFI Software launched the GFI LANguard Security Event Log Monitor
    (SELM) and GFI Network Server Monitor bundle. Customers can now
    purchase GFI LANguard SELM 5.0 and GFI Network Server Monitor 5.5
    together at a reduced price. GFI LANguard SELM performs networkwide
    event-log monitoring to alert you to important security events
    immediately, whereas GFI Network Server Monitor automatically detects
    network and server problems. The bundled software lets you monitor 10
    servers through GFI LANguard SELM and unlimited servers through GFI
    Network Server Monitor for $1295 (as opposed to $1649 without the
    bundle pricing). Complete bundle pricing information is available at
    GFI's Web site.
    This email newsletter is brought to you by Windows & .NET Magazine,
    the leading publication for IT professionals deploying Windows and
    related technologies. Subscribe today.
    Copyright 2004, Penton Media, Inc. All rights reserved.

    This archive was generated by hypermail 2b30 : Thu Jul 01 2004 - 05:23:40 PDT