MooSoft has posted a new Trojan definitions update
Symantec has confirmed the existence of the worm, known as VBS.Hard.A@mm, VBS/Hard-A, or VBS/Hard@mm, and created software to detect it. So far, the virus has a low geographical distribution and has infected a small number of sites, according to a Symantec report published earlier this week.
The worm distributes itself--like several in the past, including Love Letter and Homepage--as an attachment to an e-mail message. The message is called "FW: Symantec Anti-Virus Warning," and claims to contain a description of a non-existent worm in an attached file.
Microsoft has released a new security patch for IIS 4.0 and 5.0
The patches provided in the bulletin address two security vulnerabilities that are unrelated to each other except in the sense that both affect Index Server 2.0. The first vulnerability is a buffer overrun vulnerability. Index Server 2.0 has an unchecked buffer in a function that processes search requests. If an overly long value were provided for a particular search parameter, it would overrun the buffer. If the buffer were overrun with random data, it would cause Index Server to fail. If it were overrun with carefully selected data, code of the attacker's choice could be made to run on the server, in the Local System security context.
The second vulnerability affects both Index Server 2.0 and Indexing Service in Windows 2000, and is a new variant of the "Malformed Hit-Highlighting" vulnerability discussed in Microsoft Security Bulletin MS00-006 (http://www.microsoft.com/technet/security/bulletin/MS00-006.asp). The new variant has almost the same scope as the original vulnerability, but potentially exposes a new file type. If an attacker provided an invalid search request, she could read "include" files residing on the web server. The new patch eliminates all known variants of the vulnerability.
When SQL Server 7.0 Service Packs 1, 2, or 3 are installed on a machine that is configured to perform authentication using Mixed Mode, the password for the SQL Server standard security System Administrator (sa) account is recorded in plaintext in the files %TEMP%\sqlsp.log and %WINNT%\setup.iss. The default permissions on the files would allow any user to read them who could log onto the server interactively.
The password is only recorded if Mixed Mode is used, and even then, only if the administrator chose to use SQL Server Authentication when installing the service pack. Microsoft has long recommended that SQL servers be configured to use the more secure Windows NT Authentication Mode, and customers who have followed this recommendation would not be affected. Even on affected machines, the password could not be compromised if, per normal security recommendations, normal users are prevented from logging onto the machine interactively.
Less than 24 hours after the Homepage worm started spreading, the surge of e-mail created by the infectious computer code has started to subside, antivirus experts said Wednesday.
A core service running on all Windows 2000 domain controllers (but not on any other machines) contains a memory leak, which can be triggered when it attempts to process a certain type of invalid service request. By repeatedly sending such a request, an attacker could deplete the available memory on the server. If memory were sufficiently depleted, the domain controller could become unresponsive, which would prevent it from processing logon requests or issuing new Kerberos tickets. An affected machine could be put back into service by rebooting.
A patch is available to fix this vulnerability. Please read the Security Bulletin http://www.microsoft.com/technet/security/bulletin/ms01-024.asp for information on obtaining this patch.
MooSoft has posted a new trojan definitions update for The Cleaner.
Symantec has released a new virus definitions update for Norton Antivirus.
Thanks to clutch for forwarding me the following newsletter from IIS Answers:
------------------------------------------------
Urgent Action required for IIS 5 Administrators
------------------------------------------------
I do not normally send out security bulletins so pardon the interruption. However, a new and serious IIS 5 vulnerability has been announced by Microsoft that requires your attention.
First of all, let me say that this problem is just another in a continuing series of attacks on anything and everything that IIS can do.
If you will do the following, you will eliminate the need for emergency response to this and other issues as they continue to be exploited.
Rule: Disable all application mapping that you aren't using!
This new exploit involves a buffer overflow for the .printer ISAPI extension. Most of you probably weren't even aware that IIS 5 can print to a printer over HTTP so you can send a document to a printer using IIS 5. IIS 5, by default, recognizes .printer as an extension just like .asp or .htm. Not exactly a mind-blowing capability, but certainly an exploitable one.
Here's what I do on a lot of servers to keep me from worrying about this and other as of yet undiscovered problems of this nature.
Go to your Master website properties.
Click Home Directory
Click Configuration - the application mappings will be displayed.
You will see here the subject of many a security problem, .htr files, .idc, and now .printer.
Ideally, remove all mapping except for those you use.
Since I don't know what my clients will want in the future, I preserve the entry, but disable the functionality by adding to all extensions an "x_1" (or something equally odd) except for .asp. So ".idq" becomes ".idqx_1", ".printer" becomes ".printerx_1". This will invalidate script kiddie tool efforts to exploit these extensions. Now you could exploit the problem if you could somehow figure out the correct extensions, but no one is going to try that hard most likely and script kiddies won't have a clue how to proceed. This is not a "solution" but will buy you time when exploits are discovered. The solution is to remove the mapping and the associated dll if possible.
This vulnerability will be included in automated hacking tools immediately, so get on this. There is a hotfix as well should you prefer to keep this ability.
---------------------------------
Brett Hill - IISAnswers.com
brett@iisanswers.com (303) 543-7502
MCSE MCT A+ Net+ CIW-TT
Specializing in IIS training
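An added example, not part of the newsletter or of IIS: a small audit of an exported application-mapping list that separates mappings in use from unused ones, and reports entries renamed with the "x_1" suffix as still bound to their handler DLL. It assumes the mappings were exported one per line as `.ext,handler-path,flags[,verbs]`; the `IN_USE` allowlist, the sample export and the handler paths are constructed placeholders.

```python
from dataclasses import dataclass

# Assumption: only .asp is served by a script handler on this site,
# matching the newsletter's "except for .asp".
IN_USE = {".asp"}

# Constructed sample export, one mapping per line in the form
# ".ext,handler-path,flags[,verbs]". Paths are placeholders, not real DLL names.
SAMPLE_EXPORT = r"""
.asp,C:\sample\asp_handler.dll,1,GET,HEAD,POST
.htr,C:\sample\htr_handler.dll,1,GET,POST
.idc,C:\sample\idc_handler.dll,1,GET,POST
.idqx_1,C:\sample\idq_handler.dll,0
.printerx_1,C:\sample\printer_handler.dll,1,GET,POST
"""

@dataclass
class Mapping:
    extension: str
    handler: str
    flags: str
    verbs: tuple

def parse_mappings(text):
    """Parse exported mapping lines; reject anything that is not a mapping."""
    mappings = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        fields = [f.strip() for f in line.split(",")]
        if len(fields) < 2 or not fields[0].startswith("."):
            raise ValueError(f"unrecognised mapping line: {raw!r}")
        flags = fields[2] if len(fields) > 2 else ""
        mappings.append(Mapping(fields[0].lower(), fields[1], flags, tuple(fields[3:])))
    return mappings

def audit(mappings, in_use=IN_USE, suffix="x_1"):
    """Return (extension, status, handler) for every mapping not in use."""
    findings = []
    for m in mappings:
        if m.extension in in_use:
            continue
        # A renamed entry only hides the extension; the DLL is still mapped.
        status = "renamed, handler still mapped" if m.extension.endswith(suffix) else "unused mapping"
        findings.append((m.extension, status, m.handler))
    return findings

if __name__ == "__main__":
    for ext, status, handler in audit(parse_mappings(SAMPLE_EXPORT)):
        print(f"{ext:14} {status:32} {handler}")
```

Every row the audit returns is a candidate for removing the mapping outright, which the newsletter names as the actual solution.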
Windows 2000 introduced native support for the Internet Printing Protocol (IPP), an industry-standard protocol for submitting and controlling print jobs over HTTP. The protocol is implemented in Windows 2000 via an ISAPI extension that is installed by default on all Windows 2000 servers but which can only be accessed via IIS 5.0.
A security vulnerability results because the ISAPI extension contains an unchecked buffer in a section of code that handles input parameters. This could enable a remote attacker to conduct a buffer overrun attack and cause code of her choice to run on the server. Such code would run in the Local System security context. This would give the attacker complete control of the server, and would enable her to take virtually any action she chose.
The attacker could exploit the vulnerability against any server with which she could conduct a web session. No other services would need to be available, and only port 80 (HTTP) or 443 (HTTPS) would need to be open. Clearly, this is a very serious vulnerability, and Microsoft strongly recommends that all IIS 5.0 administrators install the patch immediately. Alternatively, customers who cannot install the patch can protect their systems by removing the mapping for the Internet Printing ISAPI extension.
The first known virus that spreads by MSN's Messenger Service application has been discovered.
W32/Hello, an Internet worm that affects Windows machines, arrives via MSN Messenger as a file called Hello.exe.
MooSoft has posted a new trojan definitions update for The Cleaner
Symantec has released a new virus definitions update for Norton Antivirus.
MooSoft has posted a new trojan definitions update for The Cleaner
MooSoft has posted a new trojan definitions update for The Cleaner