CRIME FW: [Information_technology] Daily News 7/17/03

From: George Heuston (GeorgeH@private)
Date: Thu Jul 17 2003 - 08:45:42 PDT

    -----Original Message-----
    From: InfraGard [mailto:infragard@private] 
    Sent: Thursday, July 17, 2003 7:33 AM
    To: Information Technology
    Subject: [Information_technology] Daily News 7/17/03

    July 16, Microsoft
    Microsoft Security Bulletin MS03-026: Buffer Overrun In RPC Interface
    Allow Code Execution. Remote Procedure Call (RPC) is a protocol used by
    Windows operating system which provides an inter-process communication
    mechanism that allows a program running on one computer to seamlessly
    execute code on a remote system. There is a vulnerability in the part of
    that deals with message exchange over TCP/IP which results because of
    incorrect handling of malformed messages. This vulnerability affects a
    Distributed Component Object Model (DCOM) interface with RPC, which
    on TCP/IP port 135. This interface handles DCOM object activation
    that are sent by client machines to the server. To exploit this
    vulnerability, an attacker would need to send a specially formed request
    the remote computer on port 135. If successful, an attacker could then
    code with Local System privileges on an affected system and then be able
    take any action on the system, including installing programs, viewing
    changing or deleting data, or creating new accounts with full
    Microsoft has assigned a risk rating of "Critical" to this issue and
    recommends that system administrators install the patch immediately.

    July 16, Microsoft
    Microsoft Security Bulletin MS03-027: Unchecked Buffer in Windows Shell
    Could Enable System Compromise. An unchecked buffer exists in one of the
    functions used by the Windows shell to extract custom attribute
    from certain folders. An attacker could seek to exploit this
    by creating a Desktop.ini file that contains a corrupt custom attribute,
    then host it on a network share. If a user were to browse the shared
    where the file was stored, the vulnerability could then be exploited. A
    successful attack could have the effect of either causing the Windows
    to fail, or causing an attacker's code to run on the user's computer in
    security context of the user. This vulnerability only affects Windows XP
    Service Pack 1. Microsoft has assigned a risk rating of "Important" to
    issue and recommends that system administrators install the patch at the
    earliest opportunity.

    July 16, Microsoft
    Microsoft Security Bulletin MS03-028: Flaw in ISA Server Error Pages
    Allow Cross-Site Scripting Attack. ISA Server contains a number of
    HTML-based error pages that allow the server to respond to a client
    requesting a Web resource with a customized error. A cross-site
    vulnerability exists in many of these error pages that are returned by
    Server under specific error conditions. To exploit this flaw, an
    would have to first be aware of a specific ISA server and its access
    policies or host an ISA server of their own and create specific access
    policies designed to exploit this vulnerability. The attacker could then
    craft a request to trigger a page refusal and host a Web site containing
    link, or send the link to the user in the form of an HTML e-mail. After
    user previewed or opened the e-mail, the malicious site could be visited
    automatically without further user interaction. The vulnerability would
    normally enable an attacker to gain any privileges on an affected ISA
    computer, breach the firewall, or compromise any cached content, unless
    user is operating on the ISA server itself and is using the Web Proxy
    service to access the Internet. Microsoft has assigned a risk rating of
    "Important" to this issue and recommends that system administrators
    the patch at the earliest opportunity.

    July 16, U.S. Department of Homeland Security, FedCIRC
    DHS/FedCIRC Advisory FA-2003-15 Cisco IOS Interface Blocked by IPv4
    A vulnerability in many versions of Cisco IOS could allow an intruder to
    execute a denial-of-service attack against a vulnerable device. Cisco IOS is
    a very widely deployed network operating system. A vulnerability in IOS
    could allow an intruder to execute a denial-of-service attack against an
    affected device. Cisco has published an advisory on this topic,
    available at ed.shtml
    According to Cisco, a device receiving specially crafted IPv4 packets
    force the inbound interface to stop processing traffic. This issue can
    affect all Cisco devices running Cisco IOS software. This vulnerability
    be exercised repeatedly resulting in loss of availability until a
    has been applied or the device has been upgraded to a fixed version of
    The solution to this vulnerability is to apply the appropriate patch
    Cisco. Until a patch can be applied, you can mitigate the risks presented by
    this vulnerability by judicious use of access control lists (ACLs). For
    information, see
    unds

    July 15, Government Accounting Office
    GAO-03-987T: Polar-Orbiting Environmental Satellites: Project Risks
    Affect Weather Data Needed by Civilian and Military Users.
    environmental satellites that provide the data and imagery used by
    forecasters, climatologists, and the military to map and monitor changes
    weather, climate, the ocean, and the environment. In the future, the
    National Polar-orbiting Operational Environmental Satellite System
    is to merge the two current satellite systems. The Government Accounting
    Office (GAO) found that the NPOESS program faces key programmatic and
    technical risks that may affect the successful and timely deployment of
    system. The NPOESS was supposed to be available to serve as a backup to
    March 2008 launch of the final satellite in one of the two current
    programs--the Polar-orbiting Operational Environmental Satellite (POES)
    system. However, the first NPOESS satellite will not be ready in time,
    resulting in a potential gap in satellite coverage should the satellite
    fail. If the final POES launch fails and if existing satellites are
    to continue operations beyond their expected life spans, the continuity
    weather data needed for weather forecasts and climate monitoring will be
    at risk.

    Internet Security Systems - AlertCon: 2 out of 4
    Last Changed 17 July 2003

    Security Focus ThreatCon: 2 out of 4
    Last Changed 17 July 2003

    Current Virus and Port Attacks
    Virus: #1 Virus in USA: WORM_LOVGATE.F
    Source: Trend World Micro Virus Tracking Center [Infected Computers,
    North America, Past 24 hours, #1 in United States]
    Top 10 Target Ports: 80 (www), 137 (netbios-ns), 445 (microsoft-ds),
    (ms-sql-m), 113 (ident), 4662 (eDonkey2000), 139 (netbios-ssn), 25 (smtp),
    0 (---), 53 (domain)
    Source: Internet Storm Center