Microsoft discloses serious flaw in Web site software. Microsoft Corp. acknowledged a serious flaw Wednesday in its Internet server software that could allow sophisticated hackers to seize control of Web sites, steal information and use vulnerable computers to attack others. Microsoft made available a free patch for customers using versions of Internet Information Server software with Windows NT or Windows 2000 operating systems. The server software included in Microsoft's Windows XP operating system was not affected by the security flaw. A researcher with eEye Digital Security Inc., Riley Hassell, found the Web server flaw in mid-April during testing of eEye's own hacker-defense software, but the discovery was kept closely guarded under an agreement with Microsoft until Wednesday. Microsoft described the risk to Web servers as "moderate", but top experts have for months recommended turning off the vulnerable feature, which is turned on automatically the first time the software is installed. Marc Maiffret, the self-described ``chief hacking officer'' for eEye, said malicious hackers would devise automated tools to scan the Internet and attack vulnerable computers rather than targeting machines individually. The same technique was used to spread the damaging ``Code Red'' and ``Nimda'' across the Internet last year, which infected nearly 1 million servers. ``It could readily be exploited with a worm,'' Maiffret said. ``It's kind of a scary thing.'' (AP-Washington, 12 Jun) NIPC WWU Comment: The flaw allows a remote buffer overflow in an HTR request. It affects MS Windows NT 4.0, IIS 4.0, and MS Windows 2000 IIS 5.0. NIPC recommends patching affected systems as soon as possible using the free patch provided by Microsoft. Patch is at www.microsoft.com <http://www.microsoft.com> Malaysia sets up cyber-warfare hub. The Malaysian Defense Ministry is commissioning a secure network infrastructure to safeguard information from unauthorized access. Minister Datuk Seri Najib Razak said the ministry was also setting up a cyber warfare center, which would look at both offensive and defensive information operations. Najib said that the cyber warfare center would provide surveillance of, and protection from, cyber threats, and if necessary, counter any threats from cyberspace. He said development of the network would be completed in about five years and would link all the information databases within the Defense Ministry and the armed forces. (New Straits Times Malaysia, 11 Jun) Chinese software firm discovers native e-mail virus. Beijing Ruixing global virus supervision center intercepted a domestically produced e-mail virus they have temporarily named "Chinese Hacker". According to Ruixing, the virus is very infectious, fast, and has the ability to bypass anti-virus software and enter computer memory. Furthermore, according to Ruixing, even if anti-virus software can discover the virus, it cannot be destroyed. The virus infects through e-mail and, once resident on the computer memory, has a self-start function. The current version does not carry a destructive payload, but if an attacker added a destructive payload to the virus, it could pose a serious threat. (Xinhua, 11 Jun) Area residents can comment on possible routes for a new regional power transmission line. Bonneville Power Administration (BPA) officials say the 500,000-volt line is needed to carry more power to rapidly growing King County, in Washington State, or the next spell of sub-freezing winter weather could bring brownouts or other problems. BPA earlier picked a route along an existing BPA line through the Cedar River Watershed, which is the source of water for most King County residents. That raised strong objections from Seattle City officials and environmentalists, but the route hasn't been ruled out. (Southcountyjournal.com, 12 Jun) Poll urges Congress to pass energy plan. According to a recent poll conducted on 1,000 adults at the behest of the Alliance for Energy and Economic Growth, Americans feel more strongly about the need to enact an energy plan now than they did last fall. More than 8 of 10 Americans polled want Congress to pass comprehensive energy legislation now in order to ensure stable energy supplies and strengthen national security. These findings come as a House-Senate Conference Committee is being appointed to resolve differences in House and Senate passed energy bills. The Alliance for Energy and Economic Growth is a broad coalition of more than 1,300 energy producers and users, representing both large and small businesses, as well as labor unions. The Alliance is united in support of comprehensive energy legislation that will increase domestic energy supplies, modernize the energy infrastructure, and strengthen the economy. (Federal Computer Week, 12 Jun) Status of General Aviation Operations at Reagan National Airport. Over the past 45 days, officials of the U.S. Department of Transportation (DOT) have been working closely with the General Aviation (GA) community to develop plans to restore GA operations at Ronald Reagan Washington National Airport (DCA). Tentative conclusions on such plans have been reached by DOT and the GA community. In a meeting yesterday with representatives of the GA community, DOT Deputy Secretary Michael Jackson announced that the U.S. Government would delay any implementation of the draft plans while continuing to assess security requirements for General Aviation at DCA. Deputy Secretary Jackson said that the Department would convene another meeting with General Aviation industry representatives in approximately 30 days, and will continue to keep them apprised of its progress. (PR Newswire, 12 Jun)
This archive was generated by hypermail 2b30 : Thu Jun 13 2002 - 07:41:38 PDT