-----Original Message-----
From: NIPC Watch [mailto:nipc.watch@private]
Sent: Thursday, March 20, 2003 6:57 AM
To: Information Technology
Subject: [Information_technology] Daily News 3/20/03

March 19, Microsoft
Microsoft Security Bulletin MS03-008: Flaw in Windows Script Engine Could Allow Code Execution.
The Windows Script Engine provides Windows operating systems with the ability to execute script code. A flaw exists in the way by which the Windows Script Engine for JScript processes information. An attacker could exploit the vulnerability by constructing a web page that, when visited by the user, would execute code of the attacker's choice with the user's privileges. The web page could be hosted on a web site, or sent directly to the user in email. Exploiting the vulnerability would allow the attacker only the same privileges as the user. Computers configured to disable active scripting in Internet Explorer are not susceptible to this issue. Users whose accounts are configured to have few privileges on the system would be at less risk than ones who operate with administrative privileges. Automatic exploitation of the vulnerability by an HTML email would be blocked by Outlook Express 6.0 and Outlook 2002 in their default configurations, and by Outlook 98 and 2000 if used in conjunction with the Outlook Email Security Update. Microsoft has assigned a risk rating of "Critical" to this vulnerability. A patch is available at the Microsoft Website. Microsoft has also provided information about preventive measures customers can use to help block the exploitation of this vulnerability while they are assessing the impact and compatibility of the patch.
Source: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-008.asp

March 19, Microsoft
Microsoft Security Bulletin MS03-009: Flaw In ISA Server DNS Intrusion Detection Filter Can Cause Denial Of Service.
Microsoft Internet Security and Acceleration (ISA) Server 2000 contains the ability to apply application filters to incoming traffic. A flaw exists in the ISA Server DNS intrusion detection application filter, and results because the filter does not properly handle a specific type of request when scanning incoming DNS requests. An attacker could exploit the vulnerability by sending a specially formed request to an ISA Server computer that is publishing a DNS server, which could then result in a denial of service to the published DNS server. DNS requests arriving at the ISA Server would be stopped at the firewall, and not passed through to the internal DNS server. All other ISA Server functionality would be unaffected. By default, no DNS servers are published. DNS server publishing must be manually enabled. The vulnerability would not enable an attacker to gain any privileges on an affected ISA Server or the published DNS server or to compromise any cached content on the server. It is strictly a denial of service vulnerability. Microsoft has assigned a risk rating of "Moderate" to this vulnerability. A patch is available at the Microsoft website.
Source: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-009.asp

March 19, CERT/CC
CERT Advisory CA-2003-10: Integer overflow in Sun RPC XDR library routines.
XDR (external data representation) libraries are used to provide platform-independent methods for sending data from one system process to another, typically over a network connection. The xdrmem_getbytes() function in the XDR library provided by Sun Microsystems contains an integer overflow that can lead to improperly sized dynamic memory allocation. Depending on how and where the vulnerable xdrmem_getbytes() function is used, subsequent problems like buffer overflows may result. Exploiting this vulnerability will lead to denial of service, execution of arbitrary code, or the disclosure of sensitive information.
Specific impacts reported include the ability to crash the rpcbind service and possibly execute arbitrary code with root privileges. In addition, intruders may be able to crash the MIT KRB5 kadmind or cause it to leak sensitive information, such as secret keys. CERT recommends the application of a vendor specified patch or upgrade as specified by vendor.
Source: http://www.cert.org/advisories/CA-2003-10.html

March 17, eWEEK
Details of Kerberos vulnerability leaked.
There is a serious weakness in MIT's Kerberos v4 authentication protocol that allows an attacker to impersonate any principal in a given realm. The Kerberos development team at MIT said the contents of an unpublished paper with details of this vulnerability have been leaked on the Internet. Using these details, an attacker familiar with Kerberos could easily exploit the vulnerability. Kerberos v4 tickets - or credentials - do not have a cryptographic hash of the encrypted data, random padding or a random initial vector. As a result, using a chosen plaintext attack, an attacker could fabricate a ticket. An attacker who controls a Kerberos cross-realm key would be able to impersonate any principal in the remote realm to any service in that realm. This attack could lead to a root-level compromise of the Kerberos key distribution center as well as any other hosts that rely on the KDC for authentication. Kerberos, developed at the Massachusetts Institute of Technology, is among the most widely deployed authentication protocols on the Internet. It is implemented in dozens of software applications, as well, including Windows 2000. However, Windows 2000 uses Kerberos v5 and Microsoft officials said that, while they're still researching the issue, they don't believe that operating system is vulnerable.
Additional information may be found on the MIT Web site: http://web.mit.edu/kerberos/www/advisories/MITKRB5-SA-2003-004-krb4.txt
Source: http://www.eweek.com/article2/0,3959,937375,00.asp

Internet Security Systems - AlertCon: 2 out of 4
https://gtoc.iss.net/
Last Changed 18 March 2003

Security Focus ThreatCon: 2 out of 4
www.securityfocus.com
Last Changed 18 March 2003

Current Virus and Port Attacks

Virus: #1 Virus in USA: PE_FUNLOVE.4099
Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend World Micro Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States]

Top 10 Target Ports: 80 (www), 137 (netbios-ns), 1434 (ms-sql-m), 113 (ident), 445 (microsoft-ds), 53420 (---), 25 (smtp), 139 (netbios-ssn), 4662 (eDonkey2000), 53 (domain)
Source: http://isc.incidents.org/top10.html; Internet Storm Center

_______________________________________________
Information_technology mailing list
Information_technology@listserv
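
Added example (not part of the NIPC message and not Sun's library code): a constructed C illustration of the class of integer overflow that the CA-2003-10 item above describes for a memory-backed decode routine, where a length check wraps and accepts an oversized request, shown beside a hardened read. The struct and function names are hypothetical, and the weak check only returns its decision without copying anything.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical memory-backed decode stream (names are illustrative). */
struct memstream {
    const unsigned char *pos;  /* next unread byte */
    int32_t remaining;         /* bytes left, kept as a signed counter */
};

/* Weak check: subtract first, test the sign afterwards. With an unsigned
 * len close to 2^32 the subtraction wraps and the result is positive
 * again, so an oversized request is accepted. Decision only, no copy. */
int weak_check_accepts(int32_t remaining, uint32_t len)
{
    int32_t after = (int32_t)((uint32_t)remaining - len); /* wraps mod 2^32 */
    return after >= 0;
}

/* Hardened read: compare before subtracting, both sides unsigned. */
int safe_getbytes(struct memstream *s, void *dst, uint32_t len)
{
    if (s->remaining < 0 || len > (uint32_t)s->remaining)
        return 0;                       /* request exceeds the buffer */
    memcpy(dst, s->pos, len);
    s->pos += len;
    s->remaining -= (int32_t)len;       /* safe: len <= remaining */
    return 1;
}

int main(void)
{
    unsigned char wire[16] = {0}, out[16];   /* constructed sample input */
    struct memstream s = { wire, (int32_t)sizeof wire };
    uint32_t huge = 0xFFFFFFF0u;             /* constructed hostile length */

    printf("weak check, len=17:         %d\n", weak_check_accepts(16, 17));
    printf("weak check, len=0xFFFFFFF0: %d\n", weak_check_accepts(16, huge));
    printf("safe read,  len=0xFFFFFFF0: %d\n", safe_getbytes(&s, out, huge));
    printf("safe read,  len=8:          %d\n", safe_getbytes(&s, out, 8));
    return 0;
}
```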
This archive was generated by hypermail 2b30 : Thu Mar 20 2003 - 11:33:03 PST