-----Original Message-----
From: information_technology-admin@private [mailto:information_technology-admin@private] On Behalf Of InfraGard
Sent: Wednesday, January 14, 2004 6:48 AM
To: Information Technology
Subject: [Information_technology] Daily News 1/14/04

January 13, Microsoft - Microsoft Security Bulletin MS04-003: Buffer Overrun in MDAC Function Could Allow Code Execution (832483). Microsoft Data Access Components (MDAC) is a collection of components that provides the underlying functionality for a number of database operations. When a client system on a network tries to see a list of computers that are running SQL Server and that reside on the network, it sends a broadcast request to all the devices that are on the network. Because of a vulnerability in a specific MDAC component, an attacker could respond to this request with a specially-crafted packet that could cause a buffer overflow. An attacker who successfully exploited this vulnerability could gain the same level of privileges over the system as the program that initiated the broadcast request. For an attack to be successful an attacker would have to simulate a SQL server that is on the same IP subnet as the target system. A target system must initiate such a broadcast request to be vulnerable to an attack. An attacker would have no way of launching this first step but would have to wait for anyone to enumerate computers that are running SQL Server on the same subnet. Also, a system is not vulnerable by having these SQL management tools installed. Code executed on the client system would only run under the privileges of the client program that made the broadcast request. Microsoft has assigned a severity rating of "Important" to this issue.
Source: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-003.asp

January 13, Microsoft - Microsoft Security Bulletin MS04-001: Vulnerability in Microsoft Internet Security and Acceleration Server 2000 H.323 Filter Can Allow Remote Code Execution. A security vulnerability exists in the H.323 filter for Microsoft Internet Security and Acceleration Server 2000 that could allow an attacker to overflow a buffer in the Microsoft Firewall Service in Microsoft Internet Security and Acceleration Server 2000. An attacker who successfully exploited this vulnerability could try to run code of their choice in the security context of the Microsoft Firewall Service. This would give the attacker complete control over the system. The H.323 filter is enabled by default on servers running ISA Server 2000 computers that are installed in integrated or firewall mode. ISA Servers running in cache mode are not vulnerable because the Microsoft Firewall Service is disabled by default. Users can prevent the risk of attack by disabling the H.323 filter. Microsoft has assigned a severity rating of "Critical" to this issue.
Source: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-001.asp

January 13, Microsoft - Microsoft Security Bulletin MS04-002: Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation. A vulnerability exists in the way that Hypertext Transfer Protocol (HTTP) connections are reused when NTLM authentication is used between front-end Exchange 2003 servers providing Outlook Web Access (OWA) and, OWA on Windows 2000 and Windows Server 2003, and when using back-end Exchange 2003 servers that are running Windows Server 2003.
Users who access their mailboxes through an Exchange 2003 front-end server and OWA might get connected to another user's mailbox if that other mailbox is (1) hosted on the same back-end mailbox server and (2) if that mailbox has been recently accessed by its owner. Attackers seeking to exploit this vulnerability could not predict which mailbox they might become connected to. The vulnerability causes random and unreliable access to mailboxes and is specifically limited to mailboxes that have recently been accessed through OWA. This vulnerability is exposed if the Website that is running the Exchange Server 2003 programs on the Exchange back-end server has been configured not to negotiate Kerberos authentication, causing OWA to fall back to using NTLM authentication. The only known way that this vulnerability can be exposed is by a change in the default configuration of Internet Information Services 6.0 on the Exchange back-end server. Microsoft has assigned a severity rating of "Moderate" to this issue.
Source: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-002.asp

January 12, esecurityplanet.com - Buffer overflow plugged in Sun ONE web server. Sun Microsystems on Monday, January 12, warned of a buffer overflow vulnerability in its Sun ONE/iPlanet Web Server product. The firm said the flaw could be exploited by a remote user to crash the Web server, which is a type of denial-of-service attack. Independent research firm Secunia has rated the security hole as "moderately critical." The vulnerability affects the Sun ONE/iPlanet Web Server 6.0 Service Pack 5 and earlier versions on the HP-UX platform. Sun has issued a new service pack to fix the flaw, noting that there are no workarounds. The susceptible products are a crucial part of Sun's Web services initiative which falls under Sun Open Net Environment (Sun ONE) brand.
The Sun ONE brand includes the Sun ONE Web Server, Sun ONE Portal Server, Sun ONE Application Server, Sun ONE Directory Server, Sun ONE Identity Server, Sun ONE Messaging Server and the Sun ONE Integration Server (all formerly iPlanet products). A service pack is available online: http://wwws.sun.com/software/download/products/3f186391.html
Source: http://www.esecurityplanet.com/prodser/article.php/3298031

January 12, Government Computer News - Intelligence community seeks protection from inside threats. A team of companies is building a tool to help the intelligence community keep tabs behind its firewalls. The Voltaire system will integrate existing technology to identify suspicious activity by insiders with legitimate access to sensitive information. Voltaire is intended to make it easier for agencies to share sensitive and classified information by providing a tool to enforce access policy and prevent misuse. The goal of Voltaire is to detect and stop the kind of activity that FBI turncoat Robert Hanssen got away with for years. Hanssen gathered and sold information about FBI counterintelligence activities by browsing through computer files to which he had access. Although he had no legitimate need to see much of the information, investigators found he was able to access it over a period of years without raising any flags. A demonstration version of Voltaire is expected to be ready for testing by summer. Feedback from intelligence agencies will then be implemented into a final product.
Source: http://www.gcn.com/vol1_no1/daily-updates/24622-1.html

Internet Alert Dashboard

Current Alert Levels
AlertCon: 1 out of 4 https://gtoc.iss.net
Security Focus ThreatCon: 1 out of 4 http://analyzer.securityfocus.com/

Current Virus and Port Attacks
Virus: #1 Virus in the United States: WORM_LOVGATE.G
Source: http://wtc.trendmicro.com/wtc/wmap.html, Trend World Micro Virus Tracking Center [Infected Computers, North America, Past 24 hours, #1 in United States]
Top 10 Target Ports
135 (epmap), 1434 (ms-sql-m), 137 (netbios-ns), 6129 (dameware), 4000 (Connect-BackBackdoor), 445 (microsoft-ds), 3410 (---), 903 (ideafarm-catch), 80 (www), 17300 (Kuang2TheVirus)
Source: http://isc.incidents.org/top10.html; Internet Storm Center

_______________________________________________
Information_technology mailing list
Information_technology@listserv