Re: CRIME Perspective on Criticisms leveled at Microsoft

From: victoria.evans@private
Date: Fri Apr 12 2002 - 17:02:46 PDT

    I was actually thinking the same thing.  Rob seems too nice to refer to by
    last name only.  =Þ  For someone who's so smart he doesn't seem the least
    bit pretentious or stuffy.
    
    Since we're talking about Microsoft, I thought I'd share the newest
    TruSecure ALERT on IIS vulnerabilities.  It's suggested that this patch be
    applied within 7 days. It's difficult for me to be pro-Microsoft right now
    when I'm attempting to convince the support staff responsible for 6000
    known NT servers why they need to treat this with some degree of urgency.
    I lost 150 hours of my life coordinating emergency patching for Code Red
    and Nimda.  Does this look like another Nimda to y'all?
    
    Vikki
    
    ---------------------------------------------------------------------------------------------------------------
    TruSecure ALERT- TSA 02-007 - Numerous Significant IIS
    Vulnerabilities -- ALERT
    
    Date: April 10, 2002
    Time:  2200 UTC
    
    RISK INDICES:
    
    Initial Assessment: HOT
    
    Threat: Medium - High, (example code has been distributed)
    
    Vulnerability Prevalence: High, affects all IIS servers version 4.0,
    5.0, 5.1 and likely 6.0
    
    Cost: Medium - High, Cost will vary and is dependent on the exploit
    or combination of exploits.
    
    Vulnerable Systems:  IIS 4.0, 5.0, 5.1 and likely 6.0
    
    Impact:  Today, ten newly discovered vulnerabilities affecting
    virtually all IIS installations were published by Microsoft.
    
    The TruSecure Information Security/Reconnaissance (IS/RECON) team
    believes that active development of autonomous attack code has been
    underway for some time prior to this public notification.  Attacks
    are likely to materialize in the form of Internet based Worm(s) that
    are largely or entirely dependent upon at least one of these newly
    described IIS web server vulnerabilities.
    
    Proof of concept exploit code is already circulating, and formulated
    attacks are reportedly being developed.  Because of the potential
    impact of these attacks and those experimenting with them, TruSecure
    anticipates that attacks may begin as soon as next week, with a high
    probability of attacks within the next 3-5 weeks.
    
    Many of the TruSecure Alerts published last year (TSA 01-015, TSA
    01-017 and TSA 01-018 and others) contain recommendations for IIS
    configurations that still mitigate many, but not all, of the
    anticipated attack scenarios.
    
    Therefore, TruSecure recommends the adoption and installation of this
    patch within the next seven days, or as soon as possible given
    operational constraints.
    
    In the TruSecure methodology of mitigating significant risks with
    easy to implement controls, this "roll-up" or cumulative patch will
    provide significant risk reduction.  The ICSA Labs have not yet
    conducted independent testing on this patch, however, due to the
    significant risk mitigation potential, a TruSecure Alert is being
    issued to encourage clients to be early adopters of this remedy.
    
    
    SUMMARY:
    As of April 10, 2002, Microsoft has released a security bulletin
    (MS02-018) announcing a cumulative patch for IIS 4.0, 5.0, and 5.1.
    The patch reportedly addresses 10 new vulnerabilities that may impact
    both internal as well as Internet facing web servers.  Several of
    these exploits are similar in scope to past vulnerabilities and may
    be used in combination, limiting the effectiveness of traditional
    secondary controls.
    
    This cumulative patch encompasses all prior hot fixes and patches for
    IIS 4.0 (since service pack 6a), IIS 5.0, and IIS 5.1.
    
    
    ADDITIONAL RECOMMENDATIONS:
    
    TruSecure has recommended removing ISAPI extension mappings in the
    past, however, to avoid potentially interrupting business operations,
    TruSecure has recommended leaving .ASP and .ASA script mappings.
    These ISAPI extensions are now potentially vulnerable, and therefore
    should be removed if not required.  (See TruSecure Alert TSA 01-017
    for instructions on how to remove these script mappings.)
    
    Mitigations:
    
    1.    Apply the Microsoft cumulative patch identified in MS02-018 to
    BOTH Internet and Intranet IIS Web servers within the next seven
    days.
    2.    Utilize a URL pre-parsing/scanning tool such as the URL Scan tool
    referenced in the security bulletin, or other similar tools.
    3.    Disable .ASP and .ASA extensions if not required.  (See TSA
    01-017)
    4.    Ensure that essential IIS configuration recommendations are
    implemented.  Many of these recommendations have been published in
    earlier TruSecure Alerts.  The Microsoft IIS lockdown tool may help
    to validate that appropriate controls have been implemented.
    5.    Determine which if any IIS systems could be temporarily disabled
    during an attack, if necessary.
    6.    Be vigilant for new alerts and actual attacks, and consider the
    possibility of blocking access to or disabling IIS servers during the
    initial phase of any widespread attacks.
    7.    Consider that many internal IIS servers may be unsanctioned and/or
    unidentified to IT and security personnel.  IIS web servers operating
    inside your organization are particularly vulnerable, if not included
    in normal maintenance cycles.  Organizations should consider
    preemptively discovering these devices and disabling or appropriately
    configuring and patching them.
    8.    Consider using one of several third party web server "proxy"
    filtering tools to help buffer and protect your IIS web servers.
    
    
    
    From: "Crispin Cowan" <crispin@private>
    Sent by: owner-crime@/var/spool/majordomo/lists/crime
    Date: 04/12/2002 03:48 PM
    To: Toby <toby@private>
    cc: "Andrew Plato" <aplato@private>, "Steve Beattie" <steve@private>, crime@private
    Subject: Re: CRIME Perspective on Criticisms leveled at Microsoft
    
    
    
    
    Toby wrote:
    
    >Rob writes some very good stuff (stop calling him "Graham" dammit! He has a
    >name and he isn't in the military). That is not what Crispin or anyone else
    >has said. Crispin said the article misses the point.
    >
    Sorry, that was me. That really was me being an academic, where we're in
    the habit of referring to authors by their last names. So "Graham" wrote
    an interesting :) article, and "Cheswick & Bellovin" wrote a nice book
    about firewalls.
    
    Crispin
    
    --
    Crispin Cowan, Ph.D.
    Chief Scientist, WireX Communications, Inc. http://wirex.com
    Security Hardened Linux Distribution:       http://immunix.org
    Available for purchase: http://wirex.com/Products/Immunix/purchase.html
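    Mitigation 7 in the forwarded alert (discover unsanctioned internal IIS servers before a worm does) is the step most people skip, so here is a small inventory script for it. This is an added example, not part of Vikki's message, the TruSecure alert, or any Microsoft tool: the host names and HTTP responses are constructed, and the only thing taken from the alert is its "Vulnerable Systems" line (IIS 4.0, 5.0, 5.1, and "likely" 6.0). The network fetch is injectable so the classification logic runs offline on the constructed data.

```python
import re
import socket

# Versions TSA 02-007 lists as vulnerable; 6.0 is only "likely" per the alert.
VULNERABLE_IIS = {"4.0", "5.0", "5.1"}
LIKELY_VULNERABLE_IIS = {"6.0"}

# Matches the Server header IIS sends by default, e.g. "Server: Microsoft-IIS/5.0".
SERVER_RE = re.compile(r"^Server:[ \t]*Microsoft-IIS/(\d+\.\d+)",
                       re.IGNORECASE | re.MULTILINE)


def iis_version(raw_response):
    """Return the IIS version from a raw HTTP response, or None if none is advertised."""
    m = SERVER_RE.search(raw_response)
    return m.group(1) if m else None


def classify(raw_response):
    """Map a raw HTTP response to (status, version) using the alert's version list."""
    version = iis_version(raw_response)
    if version is None:
        # No IIS banner: another server, or IIS with the Server header stripped
        # (URLScan can do this), so this means "unidentified", never "safe".
        return ("unidentified", None)
    if version in VULNERABLE_IIS:
        return ("vulnerable", version)
    if version in LIKELY_VULNERABLE_IIS:
        return ("likely-vulnerable", version)
    return ("iis-other", version)


def head_request(host, port=80, timeout=3.0):
    """Fetch the response headers for '/' over a plain socket (needs network access)."""
    request = ("HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n" % host).encode("ascii")
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(request)
        buf = b""
        while b"\r\n\r\n" not in buf:
            chunk = sock.recv(4096)
            if not chunk:
                break
            buf += chunk
    return buf.decode("latin-1", "replace")


def inventory(hosts, fetch=head_request):
    """Classify every host; 'fetch' is injectable so the logic can run on constructed data."""
    results = {}
    for host in hosts:
        try:
            results[host] = classify(fetch(host))
        except OSError as exc:
            results[host] = ("unreachable", str(exc))
    return results


# Constructed responses standing in for hosts on an internal network (hypothetical names).
SAMPLE_RESPONSES = {
    "intranet-app01": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\nContent-Length: 0\r\n\r\n",
    "legacy-nt4-web": "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/4.0\r\n\r\n",
    "print-server":   "HTTP/1.0 200 OK\r\nServer: Apache/1.3.24 (Unix)\r\n\r\n",
    "hardened-web":   "HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n",
}


def sample_fetch(host):
    """Stand-in for head_request() that returns the constructed responses above."""
    return SAMPLE_RESPONSES[host]


if __name__ == "__main__":
    report = inventory(SAMPLE_RESPONSES, fetch=sample_fetch)
    for host, (status, version) in sorted(report.items()):
        print("%-16s %-18s %s" % (host, status, version or "-"))
```

    To run it against a real subnet, pass the host list and leave fetch at its default so head_request() is used (and add port 443 or other ports as your environment needs). Treat "unidentified" as a lead to chase, not a clean result: a box with URLScan removing the Server header, or any box behind a front-end proxy, shows no banner and still needs the MS02-018 patch if IIS is behind it.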
    



    This archive was generated by hypermail 2b30 : Sun May 26 2002 - 11:40:37 PDT