I was actually thinking the same thing. Rob seems too nice to refer to by last name only. =Þ For someone who's so smart he doesn't seem the least bit pretentious or stuffy.

Since we're talking about Microsoft, I thought I'd share the newest TruSecure ALERT on IIS vulnerabilities. It's suggested that this patch be applied within 7 days. It's difficult for me to be pro-Microsoft right now when I'm attempting to convince the support staff responsible for 6000 known NT servers why they need to treat this with some degree of urgency. I lost 150 hours of my life coordinating emergency patching for Code Red and Nimda. Does this look like another Nimda to y'all?

Vikki

---------------------------------------------------------------------------------------------------------------

TruSecure ALERT - TSA 02-007 - Numerous Significant IIS Vulnerabilities -- ALERT
Date: April 10, 2002
Time: 2200 UTC

RISK INDICES:
  Initial Assessment: HOT
  Threat: Medium - High (example code has been distributed)
  Vulnerability Prevalence: High, affects all IIS servers version 4.0, 5.0, 5.1 and likely 6.0
  Cost: Medium - High. Cost will vary and is dependent on the exploit or combination of exploits.
  Vulnerable Systems: IIS 4.0, 5.0, 5.1 and likely 6.0

Impact:
Today, ten newly discovered vulnerabilities affecting virtually all IIS installations were published by Microsoft. The TruSecure Information Security/Reconnaissance (IS/RECON) team believes that active development of autonomous attack code has been underway for some time prior to this public notification. Attacks are likely to materialize in the form of Internet based Worm(s) that are largely or entirely dependent upon at least one of these newly described IIS web server vulnerabilities. Proof of concept exploit code is already circulating, and formulated attacks are reportedly being developed.
Because of the potential impact of these attacks and those experimenting with them, TruSecure anticipates that attacks may begin as soon as next week, with a high probability of attacks within the next 3-5 weeks. Many of the TruSecure Alerts published last year (TSA 01-015, TSA 01-017 and TSA 01-018 and others) contain recommendations for IIS configurations that still mitigate many, but not all, of the anticipated attack scenarios. Therefore, TruSecure recommends the adoption and installation of this patch within the next seven days, or as soon as possible given operational constraints. In the TruSecure methodology of mitigating significant risks with easy to implement controls, this "roll-up" or cumulative patch will provide significant risk reduction. The ICSA Labs have not yet conducted independent testing on this patch; however, due to the significant risk mitigation potential, a TruSecure Alert is being issued to encourage clients to be early adopters of this remedy.

SUMMARY:
As of April 10, 2002, Microsoft has released a security bulletin (MS02-018) announcing a cumulative patch for IIS 4.0, 5.0, and 5.1. The patch reportedly addresses 10 new vulnerabilities that may impact both internal as well as Internet facing web servers. Several of these exploits are similar in scope to past vulnerabilities and may be used in combination, limiting the effectiveness of traditional secondary controls. This cumulative patch encompasses all prior hot fixes and patches for IIS 4.0 (since service pack 6a), IIS 5.0, and IIS 5.1.

ADDITIONAL RECOMMENDATIONS:
TruSecure has recommended removing ISAPI extension mappings in the past; however, to avoid potentially interrupting business operations, TruSecure has recommended leaving .ASP and .ASA script mappings. These ISAPI extensions are now potentially vulnerable, and therefore should be removed if not required. (See TruSecure Alert TSA 01-017 for instructions on how to remove these script mappings.)

Mitigations:
1. Apply the Microsoft cumulative patch identified in MS02-018 to BOTH Internet and Intranet IIS Web servers within the next seven days.
2. Utilize a URL pre-parsing/scanning tool such as the URL Scan tool referenced in the security bulletin, or other similar tools.
3. Disable .ASP and .ASA extensions if not required. (See TSA 01-017)
4. Ensure that essential IIS configuration recommendations are implemented. Many of these recommendations have been published in earlier TruSecure Alerts. The Microsoft IIS lockdown tool may help to validate that appropriate controls have been implemented.
5. Determine which, if any, IIS systems could be temporarily disabled during an attack, if necessary.
6. Be vigilant for new alerts and actual attacks, and consider the possibility of blocking access to or disabling IIS servers during the initial phase of any widespread attacks.
7. Consider that many internal IIS servers may be unsanctioned and/or unidentified to IT and security personnel. IIS web servers operating inside your organization are particularly vulnerable if not included in normal maintenance cycles. Organizations should consider preemptively discovering these devices and disabling or appropriately configuring and patching them.
8. Consider using one of several third party web server "proxy" filtering tools to help buffer and protect your IIS web servers.
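Mitigation 7 above asks organizations to find the internal IIS servers that fall outside normal maintenance cycles before a worm finds them. The Python script below is an added illustration of that inventory step; it is not part of the TruSecure alert, the Microsoft bulletin, or this thread. It assumes the hosts answer HTTP on port 80 and still send IIS's default Server: header, and the hostnames and header blocks in SAMPLE_RESPONSES are constructed for the example. The version set it flags is the one the alert names (4.0, 5.0, 5.1 and likely 6.0).

```python
"""Inventory helper for the TSA 02-007 / MS02-018 mitigation step that asks
organisations to discover IIS servers missing from normal maintenance.

Added illustration; not part of the TruSecure alert or the Microsoft bulletin.
Assumes hosts answer HTTP on port 80 and still send a default ``Server:``
header. Hostnames and header blocks in SAMPLE_RESPONSES are constructed.
"""
import http.client
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional, Tuple

# Versions the alert names as vulnerable (6.0 was "likely" at the time).
VULNERABLE_IIS = {"4.0", "5.0", "5.1", "6.0"}

SERVER_LINE = re.compile(r"^Server:\s*(.*?)\s*$", re.IGNORECASE | re.MULTILINE)
IIS_BANNER = re.compile(r"Microsoft-IIS/(\d+\.\d+)", re.IGNORECASE)


@dataclass
class Finding:
    host: str
    iis_version: Optional[str]  # None when not IIS or banner absent
    status: str                 # patch-required | not-iis | unknown-version | review


def classify_server_header(host: str, raw_headers: str) -> Finding:
    """Classify one host from the raw header block of an HTTP response."""
    m = SERVER_LINE.search(raw_headers)
    if m is None:
        # No banner at all: an IIS box with the header stripped, or a proxy
        # in front (mitigation 8). It needs a human look, not a pass.
        return Finding(host, None, "review")
    banner = IIS_BANNER.search(m.group(1))
    if banner is None:
        return Finding(host, None, "not-iis")
    version = banner.group(1)
    if version in VULNERABLE_IIS:
        return Finding(host, version, "patch-required")
    return Finding(host, version, "unknown-version")


def probe(host: str, timeout: float = 3.0) -> Finding:
    """Live HEAD probe for a real sweep; network-dependent, so not exercised
    by the offline sample below."""
    try:
        conn = http.client.HTTPConnection(host, 80, timeout=timeout)
        conn.request("HEAD", "/")
        resp = conn.getresponse()
        raw = "".join(f"{k}: {v}\r\n" for k, v in resp.getheaders())
        conn.close()
    except (OSError, http.client.HTTPException):
        return Finding(host, None, "review")
    return classify_server_header(host, raw)


def inventory_report(responses: Iterable[Tuple[str, str]]) -> Dict[str, object]:
    """Group hosts by outcome: which still need MS02-018 (by IIS version),
    which need manual review, and which are not IIS."""
    patch_required: Dict[str, List[str]] = {}
    review: List[str] = []
    not_iis: List[str] = []
    for host, raw in responses:
        f = classify_server_header(host, raw)
        if f.status == "patch-required":
            patch_required.setdefault(f.iis_version, []).append(host)
        elif f.status == "not-iis":
            not_iis.append(host)
        else:
            review.append(host)
    return {"patch_required": patch_required, "review": review, "not_iis": not_iis}


# Constructed sample: what a HEAD sweep of an internal network might return.
SAMPLE_RESPONSES = [
    ("hr-intranet", "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nContent-Type: text/html\r\n"),
    ("build-box", "HTTP/1.0 200 OK\r\nServer: Microsoft-IIS/4.0\r\n"),
    ("lab-xp", "HTTP/1.1 200 OK\r\nserver: Microsoft-IIS/5.1\r\n"),
    ("wiki", "HTTP/1.1 200 OK\r\nServer: Apache/1.3.23 (Unix)\r\n"),
    ("dmz-web", "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n"),
]

if __name__ == "__main__":
    report = inventory_report(SAMPLE_RESPONSES)
    for version, hosts in sorted(report["patch_required"].items()):
        print(f"IIS {version}: needs MS02-018 -> {', '.join(hosts)}")
    print("review (no Server banner):", ", ".join(report["review"]))
    print("not IIS:", ", ".join(report["not_iis"]))
```

A host with no Server banner is deliberately put in the review bucket rather than passed, because a stripped banner or a filtering proxy (mitigation 8) hides the version without changing whether the box behind it is patched; the banner check is a triage aid, and the authoritative answer is still the patch level on the host itself.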
From: "Crispin Cowan" <crispin@private>
Sent by: owner-crime@/var/spool/majordomo/lists/crime
Date: 04/12/2002 03:48 PM
To: Toby <toby@private>
cc: "Andrew Plato" <aplato@private>, "Steve Beattie" <steve@private>, crime@private
Subject: Re: CRIME Perspective on Criticisms leveled at Microsoft

Toby wrote:
> Rob writes some very good stuff (stop calling him "Graham" dammit! He has a
> name and he isn't in the military). That is not what Crispin or anyone else
> has said. Crispin said the article misses the point.
>

Sorry, that was me. That really was me being an academic, where we're in the habit of referring to authors by their last names. So "Graham" wrote an interesting :) article, and "Cheswick & Bellovin" wrote a nice book about firewalls.

Crispin
--
Crispin Cowan, Ph.D.
Chief Scientist, WireX Communications, Inc. http://wirex.com
Security Hardened Linux Distribution: http://immunix.org
Available for purchase: http://wirex.com/Products/Immunix/purchase.html
This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:40:37 PDT