October 2005 - Posts

  Forum Administrators should move to the latest versions of phpBB, as security improvements continue to be made to this highly flexible and functional environment. 

http://www.phpbb.com/phpBB/viewtopic.php?t=336756

The phpBB Group is pleased to announce the release of phpBB 2.0.18, "The Halloween Special" release.  This is a major update to the 2.0.x codebase and includes fixes for numerous bugs reported by users to our Bug Tracker, as well as updates to those issues identified by the recent security audit of the code and a couple of security issues reported to us. In addition we have backported a further feature from our "Olympus" codebase to change the way automatic logins are handled.

  I don't think this one is widespread, but based on the stealth-like nature of rootkits, it's probably both difficult to detect and remove.

http://news.zdnet.com/2100-1009_22-5920403.html

A worm found spreading via America Online's Instant Messenger is carrying a nastier punch than usual, a security company has warned.  The unnamed worm delivers a cocktail of unwanted software, including a so-called rootkit, security experts at FaceTime Communications said Friday. A rootkit is a tool designed to go undetected by the security software used to lock down control of a computer after an initial hack.

Database administrators should watch for further developments, as this weakness will most likely be corrected in the future. 

Article: Oracle password system comes under fire

QUOTE: Attackers could easily uncover Oracle database users' passwords because of a weak protection mechanism, putting corporate data at risk of exposure, experts have warned. 

The technique Oracle uses to store and encrypt user passwords doesn't provide sufficient security, said Joshua Wright of the SANS Institute and Carlos Sid of Royal Holloway college, University of London.

As noted in this Tech Republic Article, Internet Explorer version 7 will support a more robust protocol for encrypting user data and securing online transactions.

http://blogs.msdn.com/ie/archive/2005/10/22/483795.aspx

QUOTE:  In a posting on the Microsoft Internet Explorer blog, IE program manager Eric Lawrence said that IE7 would support the Transport Layer Security (TLS) protocol by default. 

Lawrence also explained how IE7 will behave differently from earlier versions when it encounters potential security problems.

"Whenever IE6 encountered a problem with a HTTPS-delivered Web page, the user was informed via a modal dialog box and was asked to make a security decision. IE7 follows the XPSP2 'secure by default' paradigm by defaulting to the secure behavior," said Lawrence.

IE7 will not give users the option of seeing both secure and insecure items within an HTTPS page. With IE6, this option appears when the browser encounters an HTTPS page that includes some HTTP content. But in IE7, only the secure content will be rendered by default, forcing the user to choose to access the rest via the information bar.

"This is an important change because very few users (or web developers) fully understand the security risks of rendering HTTP-delivered content within a HTTPS page," Lawrence claimed.
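A page-side check for the condition Lawrence describes, added here as an example (it is not Microsoft's code and does not reproduce IE7's internal logic): it parses an HTML document and lists the rendered subresources that an HTTPS page would pull in over plain HTTP, which is exactly what IE7 stops rendering by default. The sample page and hostnames are constructed, and the table of which tag attributes count as rendered content is an assumption made for this example.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose attribute fetches and renders a subresource inside the page
# (assumed list for this example). A plain <a href> is navigation, not
# rendered content, so it is deliberately not listed.
RENDERED_RESOURCE_ATTRS = {
    "script": "src", "img": "src", "iframe": "src", "frame": "src",
    "embed": "src", "object": "data", "link": "href",
}


class MixedContentScanner(HTMLParser):
    """Collects subresources that an HTTPS page would load over plain HTTP."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.page_scheme = urlsplit(page_url).scheme.lower()
        self.findings = []   # (tag, attribute, absolute_url)

    def handle_starttag(self, tag, attrs):
        attr_name = RENDERED_RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        # only stylesheet <link>s are rendered into the page
        if tag == "link" and "stylesheet" not in (attrs.get("rel") or "").lower():
            return
        value = attrs.get(attr_name)
        if not value:
            return
        # relative and protocol-relative URLs inherit the page's own scheme,
        # so they are resolved first and only explicit http:// counts
        absolute = urljoin(self.page_url, value.strip())
        if self.page_scheme == "https" and urlsplit(absolute).scheme.lower() == "http":
            self.findings.append((tag, attr_name, absolute))


def find_mixed_content(html, page_url):
    """Return the list of (tag, attribute, url) subresources fetched over HTTP
    by the page at page_url. An empty list means there is nothing for IE7's
    default behaviour to withhold."""
    scanner = MixedContentScanner(page_url)
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample page, not taken from any real site.
SAMPLE_HTML = """<html><head>
<link rel="stylesheet" href="/css/site.css">
<script src="https://static.example.com/app.js"></script>
<script src="//static.example.com/lib.js"></script>
</head><body>
<img src="http://images.example.com/banner.gif">
<iframe src="http://ads.example.net/frame.html"></iframe>
<a href="http://www.example.com/">navigation link, not a rendered resource</a>
</body></html>"""

if __name__ == "__main__":
    for tag, attr, url in find_mixed_content(SAMPLE_HTML, "https://www.example.com/checkout"):
        print(f"{tag}[{attr}] loads over HTTP: {url}")
```

Run against the constructed page, the stylesheet and both scripts pass (relative and protocol-relative references resolve to https), while the image and the iframe are reported. The same scan on an http:// page reports nothing, since there is no secure context to undermine.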

  This new Instant Messenger (IM) threat should be closely watched as it contains a security backdoor and other sophisticated capabilities.

http://secunia.com/virus_information/22890/virkel.a/

Virkel is a backdoor with IM (Instant Messenger) spreading capabilities. It was first found on October 26th, 2005. The backdoor can provide a hacker with information about a system, work as a proxy, update itself, perform a Denial of Service (DoS) attack, open remote shell, download files. It also kills processes of anti-virus and security software and blocks access to many different sites that belong to anti-virus and security software vendors.

Microsoft TechNet

Microsoft has just updated the Windows XP security guide and this free resource can be found through the following link:

Windows XP Security Guide

Any IT environment is only as secure as its weakest link. Unfortunately, client operating systems are often overlooked during security projects. As your organization plans to implement Microsoft® Windows® XP Professional with Service Pack 2 (SP2), ensure that security is an integral part of your deployment plans.

Although the default installation of Windows XP is quite secure, it is important to remember the trade-offs that exist between security, usability, and functionality of the client computers in your environment. A thorough understanding of these trade-offs places your organization in a position to maximize the security of your Windows XP deployment.

The guide provides specific recommendations about how to harden computers that run Windows XP with SP2 in three distinct environments:

Enterprise Client (EC). Client computers in this environment are located in an Active Directory® directory service domain and only need to communicate with systems that run Windows 2000 or later versions of the Windows operating system.

Stand-Alone (SA). Client computers in this environment are not members of an Active Directory domain and may need to communicate with systems that run Windows NT® 4.0.

Specialized Security – Limited Functionality (SSLF). Concern for security in this environment is so great that a significant loss of functionality and manageability is acceptable. For example, military and intelligence agency computers operate in this type of environment.

 Two more exploits have appeared as malicious individuals reverse engineer the patched changes and hunt for weaknesses in unpatched systems.  These new attacks are based on the MS05-047 Microsoft Security Bulletin issued in October.  It's always a best practice to patch as soon as Microsoft releases updates, which is usually the second Tuesday of each month.  

2005-10-24 : Microsoft Windows Plug and Play "Umpnpmgr.dll" DoS Exploit (MS05-047)

2005-10-21 : Microsoft Windows Plug and Play "Umpnpmgr.dll" Remote Exploit (MS05-047)

  A new attack based on August's security bulletin MS05-039 surfaced overnight. This new threat remains at low risk currently.  This was initially reported as an MS05-047 exploit, but after further analysis McAfee has confirmed that while MS05-047 code was present, the MS05-039 exploit was used as the key method to infect unpatched PCs.

MS05-039 -- Mocbot IRC Worm in the wild
http://secunia.com/virus_information/22746/irc-mocbot/
http://www.f-secure.com/v-descs/mocbot.shtml
http://vil.nai.com/vil/content/v_136637.htm

This botnet client was spread using the MS05-039 vulnerability in October 2005. This trojan installs itself in the WINDOWS SYSTEM directory as wudpcom.exe. It creates a service called "wudpcom". Once instructed, the bot scans the class A subnet addresses, sending SYN packets via TCP 139 (netbios), and 445 (microsoft-ds).

SYMPTOMS
1. Heavy netbios and microsoft-ds network traffic
2. Presence of the file wudpcom.exe in the WINDOWS SYSTEM directory
3. TCP 18067 connections to hostile websites


-- AVERT / McAfee Update Oct 23, 2005 -- After further analysis, AVERT has confirmed that this threat does not exploit MS05-047, but rather MS05-039. Initial analysis suggested that MS05-047 was being exploited due to similarities between those exploits (including overlapping code between publicly available source code), field infection reports where administrators incorrectly stated that machines were patched from MS05-039, and similarities between an earlier MS05-039 exploiting bot, where the only significant change was the exploit code being used.

Additionally, AVERT has confirmed that automated propagation has/had been configured on remote IRC servers, such that infected systems that are able to connect to the remote IRC server are immediately instructed to seek out vulnerable systems to infect them. This threat exploits the MS05-039 Microsoft Windows vulnerability.
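A defender-side check for the three symptoms listed above, added here as an example (it is not code from McAfee, F-Secure or Secunia): it reads simple connection records, flags any source that SYN-sweeps many hosts on TCP 139/445, lists every connection attempt to TCP 18067, and tests whether wudpcom.exe sits in a given system directory. The flow-record format, the sample traffic and the sweep threshold are all constructed for this example; the port numbers and file name are the ones the write-up gives.

```python
import os
from collections import defaultdict

# Indicators taken from the Mocbot write-up
SCAN_PORTS = {139, 445}        # netbios and microsoft-ds, targets of the SYN sweep
C2_PORT = 18067                # outbound connections to hostile sites
DROPPER_NAME = "wudpcom.exe"   # dropped into the WINDOWS SYSTEM directory

# Assumed tuning value: how many distinct hosts one source may SYN on the
# scan ports before it is called a sweep. Set it from your own baseline.
SWEEP_THRESHOLD = 50


def parse_flow_line(line):
    """Parse one constructed flow record of the form
    '<timestamp> <src_ip> <src_port> <dst_ip> <dst_port> <proto> <tcp_flags>'.
    Returns None for lines that do not match that shape."""
    parts = line.split()
    if len(parts) != 7:
        return None
    ts, src, sport, dst, dport, proto, flags = parts
    try:
        return {"ts": ts, "src": src, "dst": dst, "dport": int(dport),
                "proto": proto.upper(), "flags": flags}
    except ValueError:
        return None


def find_sweepers(lines, threshold=SWEEP_THRESHOLD):
    """Symptom 1: sources that SYN to many distinct hosts on TCP 139/445.
    Returns {src_ip: distinct_target_count} for sources at or above threshold."""
    targets = defaultdict(set)
    for line in lines:
        f = parse_flow_line(line)
        if f and f["proto"] == "TCP" and f["dport"] in SCAN_PORTS and f["flags"] == "S":
            targets[f["src"]].add(f["dst"])
    return {src: len(dsts) for src, dsts in targets.items() if len(dsts) >= threshold}


def find_c2_connections(lines):
    """Symptom 3: every TCP connection attempt to port 18067, as (src, dst) pairs."""
    hits = set()
    for line in lines:
        f = parse_flow_line(line)
        if f and f["proto"] == "TCP" and f["dport"] == C2_PORT:
            hits.add((f["src"], f["dst"]))
    return sorted(hits)


def dropper_present(system_dir):
    """Symptom 2: is wudpcom.exe sitting in the given system directory?
    Pass the real WINDOWS SYSTEM path of the host being examined."""
    return os.path.isfile(os.path.join(system_dir, DROPPER_NAME))


def build_sample_flows():
    """Constructed flow records for the demo; not captured traffic."""
    lines = []
    # 10.0.0.5 sweeps two /24 slices of its class A network on 445 and 139
    for i in range(1, 61):
        lines.append(f"2005-10-23T10:00:{i % 60:02d} 10.0.0.5 {1000 + i} 10.1.2.{i} 445 TCP S")
    for i in range(1, 21):
        lines.append(f"2005-10-23T10:01:{i:02d} 10.0.0.5 {2000 + i} 10.1.3.{i} 139 TCP S")
    # 10.0.0.9 opens a handful of ordinary file-share sessions
    for i in range(1, 4):
        lines.append(f"2005-10-23T10:02:0{i} 10.0.0.9 {3000 + i} 10.0.0.{100 + i} 445 TCP S")
    # the infected host checks in with its IRC controller; web traffic for contrast
    lines.append("2005-10-23T10:03:00 10.0.0.5 4000 203.0.113.10 18067 TCP S")
    lines.append("2005-10-23T10:03:01 10.0.0.9 4001 198.51.100.7 80 TCP S")
    return lines


if __name__ == "__main__":
    flows = build_sample_flows()
    print("SYN sweepers on 139/445:", find_sweepers(flows))
    print("Connections to TCP 18067:", find_c2_connections(flows))
    print("Dropper in C:\\WINDOWS\\system32:", dropper_present(r"C:\WINDOWS\system32"))
```

On the constructed traffic only 10.0.0.5 crosses the sweep threshold (80 distinct targets) and it is also the one host talking to TCP 18067; the workstation with three file-share sessions stays quiet. The threshold is the part to tune: an internal scanner or a backup server legitimately touches many hosts on 445, so baseline it before alerting. The "wudpcom" service the write-up mentions is a separate host check and is not covered by the flow logic.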

Oracle Technology Network

During October, Oracle released several critical security patches that companies should quickly test and apply to safeguard information in these database repositories. 

2005-10-19 : Oracle Products Buffer Overflow and SQL Injection Vulnerabilities

Multiple vulnerabilities were identified in various Oracle products, which may be exploited by remote or local attackers to cause a denial of service, execute arbitrary commands, conduct SQL injection attacks and cross site scripting attacks, or bypass certain security restrictions. These flaws are due to unspecified errors in Oracle Database Server, Application Server, Collaboration Suite, E-Business Suite, Applications, Enterprise Manager, PeopleSoft Enterprise, and JD Edwards EnterpriseOne. No further details have been disclosed.

Security Center

All Netscape 8.0x users should update to the latest version to stay protected, as recent security improvements have been released.

http://browser.netscape.com/ns8/security/alerts.jsp

Fixed in Netscape Browser 8.0.4

• MFSA 2005-58 Firefox 1.0.7 / Mozilla Suite 1.7.12 Vulnerability Fixes
• MFSA 2005-57 IDN heap overrun using soft-hyphens

 So far, there are no published reports for MS05-051, which some security firms feel has the potential to be crafted into an Internet worm that could especially impact Windows 2000 based PCs and servers.  At least 3 proof-of-concept exploits were developed within a couple of days of the October 11th updates, so companies should carefully test their applications and patch expediently.  All users should stay as up-to-date as possible on any security patches that are released.

   » 2005-10-13 : Microsoft Collaboration Data Objects Buffer Overflow PoC Exploit (MS05-048)

   » 2005-10-13 : Microsoft Windows Network Connection Manager Local DoS Exploit (MS05-045)

   » 2005-10-13 : Microsoft Windows FTP Client File Location Tampering Exploit (MS05-044)

PCWorld.com

In the November 2005 issue of PC World magazine, 11 different products are evaluated.  Webroot Spysweeper continues to score near the top in all evaluations.  The MSAS beta release also had a positive review and scored as one of the best free products.  It's always best to look at more than one evaluation, as the review team can rank categories differently.  

PC World - Evaluation of 11 Anti-Spyware Products

PC World - Evaluation of 11 Anti-Spyware Product Grid

Microsoft TechNet

Microsoft's TechNet Security team is introducing a new Learning Paths website that features resources on security threats and appropriate controls.  Each month new articles and training materials will be featured to provide on-going training for security professionals.

http://www.microsoft.com/technet/security/learning/default.mspx

Featured This Month:

Internal Threats: Mitigate the Risks in Your Environment

Today's IT Professionals work in a challenging environment where there's a constant effort to protect resources and vital information from internal misuse. Attend this series and learn about the risks, business challenges and recommendations for protecting your network from internal threats. We will cover topics such as Security risk management, assessment, and implementation as well as steps for meeting your business needs of operating in a more secure environment.

   Microsoft Security Release - October 2005

The following provides an overview of several important updates.

Microsoft Security Release - October 2005
http://www.microsoft.com/technet/security/Bulletin/ms05-Oct.mspx

Internet Storm Center - Excellent Technical Analysis
http://isc.sans.org/diary.php?date=2005-10-11  

Vulnerability in DirectShow Could Allow Remote Code Execution (904706) - Critical
http://www.microsoft.com/technet/security/Bulletin/ms05-050.mspx

Vulnerabilities in MSDTC and COM+ Could Allow Remote Code Execution (902400) - Critical
http://www.microsoft.com/technet/security/Bulletin/ms05-051.mspx

Cumulative Security Update for Internet Explorer (896688) - Critical
http://www.microsoft.com/technet/security/Bulletin/ms05-052.mspx

Vulnerability in the Client Services for Netware Could Allow Remote Code Execution (899589) - Important
http://www.microsoft.com/technet/security/Bulletin/ms05-046.mspx

Vulnerability in Plug and Play Could Allow Remote Code Execution and Local Elevation of Privilege (905749) - Important
http://www.microsoft.com/technet/security/Bulletin/ms05-047.mspx

Vulnerability in the Microsoft Collaboration Objects Could Allow Remote Code Execution (907245) - Important
http://www.microsoft.com/technet/security/Bulletin/ms05-048.mspx

Vulnerabilities in Windows Shell Could Allow Remote Code Execution (900725) - Important
http://www.microsoft.com/technet/security/Bulletin/ms05-049.mspx

Vulnerability in the Windows FTP Client Could Allow File Transfer Location and Tampering (905495) - Moderate
http://www.microsoft.com/technet/security/Bulletin/ms05-044.mspx

Vulnerability in Network Connection Manager Could Allow Denial of Service (905414) - Important
http://www.microsoft.com/technet/security/Bulletin/ms05-045.mspx

 2005-10-11 : Microsoft Internet Explorer Multiple Remote Vulnerabilities (MS05-052)

 2005-10-11 : Microsoft Windows MSDTC and COM+ Multiple Vulnerabilities (MS05-051)

 2005-10-11 : Microsoft Windows DirectShow Remote Code Execution (MS05-050)

 2005-10-11 : Microsoft Windows Shell and Web View Vulnerabilities (MS05-049)

 2005-10-11 : Microsoft Collaboration Data Objects Code Execution (MS05-048)

 2005-10-11 : Microsoft Windows Plug and Play Remote Code Execution (MS05-047)

 2005-10-11 : Microsoft Client Service for NetWare Remote Code Execution (MS05-046)

 2005-10-11 : Microsoft Windows Network Connection Manager DoS (MS05-045)

 2005-10-11 : Microsoft Windows FTP Client Directory Traversal Issue (MS05-044)
