Security 10918 Published by Philipp Esselbach 0

A core service running on all Windows 2000 domain controllers (but not on any other machines) contains a memory leak, which can be triggered when it attempts to process a certain type of invalid service request. By repeatedly sending such a request, an attacker could deplete the available memory on the server. If memory were sufficiently depleted, the domain controller could become unresponsive, which would prevent it from processing logon requests or issuing new Kerberos tickets. An affected machine could be put back into service by rebooting.

A patch is available to fix this vulnerability. Please read the Security Bulletin http://www.microsoft.com/technet/security/bulletin/ms01-024.asp for information on obtaining this patch.

------------------------------------------------

Thanks to clutch for forwarding me the following newsletter from IIS Answers:

------------------------------------------------
Urgent Action required for IIS 5 Administrators
------------------------------------------------

I do not normally send out security bulletins so pardon the interruption. However, a new and serious IIS 5 vulnerability has been announced by Microsoft that requires your attention.

First of all, let me say that this problem is just another in a continuing series of attacks on anything and everything that IIS can do.

If you will do the following, you will eliminate the need for emergency response to this and other issues as they continue to be exploited.

Rule: Disable all application mapping that you aren't using!

This new exploit involves a buffer overflow for the .printer ISAPI extension. Most of you probably weren't even aware that IIS 5 can print to a printer over HTTP so you can send a document to a printer using IIS 5. IIS 5, by default, recognizes .printer as an extension just like .asp or .htm. Not exactly a mind blowing capability, but certainly an exploitable one.

Here's what I do on a lot of servers to keep me from worrying about this and other as of yet undiscovered problems of this nature.

Go to your Master website properties.
Click Home Directory.
Click Configuration - the application mappings will be displayed.
You will see here the subject of many a security problem: .htr files, .idc, and now .printer.
Ideally, remove all mapping except for those you use.
Since I don't know what my clients will want in the future, I preserve the entry, but disable the functionality by adding to all extensions an "x_1" (or something equally odd) except for .asp. So ".idq" becomes ".idqx_1", ".printer" becomes ".printerx_1". This will invalidate script kiddie tool efforts to exploit these extensions. Now you could exploit the problem if you could somehow figure out the correct extensions, but no one is going to try that hard most likely and script kiddies won't have a clue how to proceed. This is not a "solution" but will buy you time when exploits are discovered. The solution is to remove the mapping and the associated dll if possible.

This vulnerability will be included in automated hacking tools immediately, so get on this. There is a hotfix as well should you prefer to keep this ability.

---------------------------------
Brett Hill - IISAnswers.com
brett@iisanswers.com (303) 543-7502
MCSE MCT A+ Net+ CIW-TT
Specializing in IIS training
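The application-mapping inventory that the newsletter above walks through by hand, as an added example (not Brett Hill's or Microsoft's code): it audits exported IIS 5 ScriptMaps entries against an allowlist of extensions the site really uses, and separates mappings that were merely renamed with the "x_1" trick (handler DLL still installed) from those that should be removed outright. The entry format `<extension>,<dll path>,<flags>[,<verb>,...]` is assumed here, and the sample export, including its DLL paths, is constructed.

```python
from dataclasses import dataclass

ALLOWED = {".asp"}          # the only mapping this site needs (per the newsletter)
DISABLE_SUFFIX = "x_1"      # the newsletter's renaming trick


@dataclass
class ScriptMap:
    extension: str
    handler: str            # DLL that IIS hands the request to
    flags: int
    verbs: tuple


def parse_scriptmap(entry: str) -> ScriptMap:
    """Parse one ScriptMaps string; the comma layout is an assumption."""
    parts = [p.strip() for p in entry.split(",")]
    if len(parts) < 3:
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    ext, handler, flags, *verbs = parts
    return ScriptMap(ext.lower(), handler, int(flags),
                     tuple(v.upper() for v in verbs if v))


def classify(sm: ScriptMap, allowed=ALLOWED, suffix=DISABLE_SUFFIX) -> str:
    """keep: in use; renamed: disabled by suffix but DLL still present; remove: unused."""
    if sm.extension in allowed:
        return "keep"
    if sm.extension.endswith(suffix) and len(sm.extension) > len(suffix) + 1:
        return "renamed"
    return "remove"


def audit(entries, allowed=ALLOWED) -> dict:
    """Group every mapping by the action the administrator should take."""
    report = {"keep": [], "renamed": [], "remove": []}
    for entry in entries:
        sm = parse_scriptmap(entry)
        report[classify(sm, allowed)].append(sm.extension)
    return report


# Constructed sample export; paths are placeholders, not real metabase values.
SAMPLE = [
    ".asp,C:\\PLACEHOLDER\\asp.dll,1,GET,HEAD,POST,TRACE",
    ".printer,C:\\PLACEHOLDER\\msw3prt.dll,1,GET,POST",
    ".htr,C:\\PLACEHOLDER\\ism.dll,1,GET,POST",
    ".idqx_1,C:\\PLACEHOLDER\\idq.dll,1,GET,POST",
]

if __name__ == "__main__":
    for action, exts in audit(SAMPLE).items():
        print(f"{action:8s} {', '.join(exts) or '-'}")
```

The "renamed" bucket is the follow-up list the newsletter itself points to: those handler DLLs are still on disk and should be removed once it is clear the mapping is not needed.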

------------------------------------------------

Windows 2000 introduced native support for the Internet Printing Protocol (IPP), an industry-standard protocol for submitting and controlling print jobs over HTTP. The protocol is implemented in Windows 2000 via an ISAPI extension that is installed by default on all Windows 2000 servers but which can only be accessed via IIS 5.0.

A security vulnerability results because the ISAPI extension contains an unchecked buffer in a section of code that handles input parameters. This could enable a remote attacker to conduct a buffer overrun attack and cause code of her choice to run on the server. Such code would run in the Local System security context. This would give the attacker complete control of the server, and would enable her to take virtually any action she chose.

The attacker could exploit the vulnerability against any server with which she could conduct a web session. No other services would need to be available, and only port 80 (HTTP) or 443 (HTTPS) would need to be open. Clearly, this is a very serious vulnerability, and Microsoft strongly recommends that all IIS 5.0 administrators install the patch immediately. Alternatively, customers who cannot install the patch can protect their systems by removing the mapping for the Internet Printing ISAPI extension.


------------------------------------------------

The first known virus that spreads by MSN's Messenger Service application has been discovered.

W32/Hello, an Internet worm that affects Windows machines, arrives via MSN Messenger as a file called Hello.exe.


------------------------------------------------

The IE security architecture provides a caching mechanism that is used to store content that needs to be downloaded and processed on the user's local machine. The purpose of the cache is to obfuscate the physical location of the cached content, in order to ensure that the web page or HTML e-mail will work through the IE security architecture to access the information. This ensures that the uses of the information can be properly restricted.

A vulnerability exists because it is possible for a web page or HTML e-mail to learn the physical location of cached content. Armed with this information, an attacker could cause the cached content to be opened in the Local Computer Zone. This would enable him to launch compiled HTML help (.CHM) files that contain shortcuts to executables, thereby enabling him to run the executables.


------------------------------------------------

An application called SMBRelay, written by cDc's Sir Dystic, exploits a design flaw in the SMB (Server Message Block) protocol on Win NT/2K boxes, easily enabling an attacker to interpose himself between the client and the server.


------------------------------------------------

The Microsoft Data Access Component Internet Publishing Provider provides access to WebDAV resources over the Internet. By design, it should differentiate between requests made by a user and those made by a script running in the user's browser. However, because of an implementation flaw, it handles all requests in the security context of the user. As a result, if a user browsed to a web page or opened an HTML e-mail that contained script, that script could access web-based resources as the user.

The specific actions an attacker could take via this vulnerability would depend on the web-based resources available to the user, and the user's privileges on them. However, it is likely that at a minimum, the attacker could browse the user's intranet, and potentially access web-based e-mail as well.
