Domain: cert.org
Stories and comments across the archive that link to cert.org.
Comments · 757
-
Re:Same old cat but just in boots
Actually it's a moderately critical flaw. You are at risk only if you have enabled Remote Desktop, and are not using NAT.
Remote Desktop is disabled by default in every version of XP. Including SP2.
To be clear: the bug is in Remote Desktop, not the Firewall. A denial of service. The Firewall has exceptions for services like RDP, FTP, WWW, POP3; nearly all firewalls have this except the most basic.
Given that slashdot has been reduced to trolling about moderate flaws in Windows, I would say SP2 is a great success :) -
Re:For secure applications, don't use a PC.
if the system is so obscure that hardly anyone can use it, it will be trivial to compromise to anyone who knows what he is doing.
Have you looked at the documentation for OpenVMS? It is most definitely not security through obscurity in the sense that you appear to mean.
This is the last really major security problem OpenVMS had. Unlike Microsoft there weren't a million and one variants of this, or occurrences of the same problem in different places.
Now, if OpenVMS seems obscure to you, I'm sure these guys will be happy to help make it less obscure. Just log into the DEMO account (the password is USER) and type HELP to start getting around. I mean, they must be insane letting any random person log in and compile and run any code they feel like. -
Hmmm
What about human mind vulnerabilities? Like DOS by too complex html, various dizzying ascii image patterns? Leave alone vulnerabilities in telnet?
-
Misleading hype
This only applies to certain configurations using CBC encryption for confidentiality guarantees without proper integrity protection. These configurations are rare these days and are not even allowed by major vendors.
-
Re:Not much of a problem...JPEG files are "safe"
http://www.kb.cert.org/vuls/id/297462, http://www.linuxsecurity.com/content/view/102413/
-
Lots of IM warnings
There have been lots of IM warnings in the past; just look at CERT warnings for a sense of how pervasive this threat is.
-
US Cert
In most cases in the more recent issues, you'll see the list of IE's vulnerabilities is shorter than those for Firefox, Mozilla, and the other alternate browsers. Likewise, with the more recent bulletins, you'll also see the list of Windows' vulnerabilities is actually much shorter than that for the other operating systems, even though Windows is far more widely installed.
Where did he get this from??
Latest 10 vulnerabilities on front page are all Windows.
If you look at the bulletins like he does, you get a collection of vulnerabilities that have been patched.
US-Cert Vulnerability Notes is where he should be searching if he wants a proper comparison.
Firefox returns 11 results.
I didn't count how many results Internet Explorer returned, but even if you don't count pre-2004 vulnerabilities, the number is still twice as high as it is for Firefox. -
Re:More updates
1) All the MSFT vulnerabilities were reported, if not fixed, by 3rd party researchers. Not sure how much of this is true in the case of the OpenBSD errata you linked to, but I would hazard a guess that the OpenBSD team found most of the vulnerabilities themselves (rigorous code auditing and all).
Incorrect, most OpenBSD vulnerabilities are found in other operating systems and reported to OpenBSD by CERT.
2) The source code for the patch is linked right next to the vulnerability description! What more could you want? I don't think there could be a more specific "description" of the vulnerability. You've got the freely available original source code and the patch. Pretty exact, if you ask me.
The latest patch against tcp(4) is vague and non-specific. -
Re:Admin vs User
They don't have to be "in charge of the Internet", any more than they have to be "in charge of the US". How about the FBI catching these criminals?
BTW, though CERT is partially funded by DHS (among others), it is by no means an agency of the government. It is part of "a non-academic unit of Carnegie Mellon University". -
Re:What are they using?
Maybe you should take a look at those CERT advisories again:
Red Hat:
http://www.kb.cert.org/vuls/bymetric?searchview&query=red*hat&searchorder=4&count=100
Microsoft:
http://www.kb.cert.org/vuls/bymetric?searchview&query=microsoft&searchorder=4&count=100
Guess which list is longer?
SELinux, Novell's SUSE Linux CC EAL4+ certification (where's XP's/2003's EAL4+ cert?).
Not to mention that the French government is putting 7 million euros into creating a Linux derivative with a CC EAL5+ certification. Windows ahead? Pah. -
Re:Reviewer == didn't understand the book
I get the feeling that part of the problem here wasn't that the book didn't cover the bare minimum of what the title implied it would cover, but that it had little value above that which is already available as PDFs. From what I could tell, the reviewer was hoping for a more in-depth discussion of OCTAVE and security threats - something more interesting and meaty that would make it worth paying sixty American ducats for it.
-
Re:if i were to make wildly unsubstantiated guesses
uh.. no, i was serious... i can only think of a few times in recent years i've heard of a tcp/ip stack implementation getting compromised.
i've searched US-CERT for "tcp/ip" and there's only two or three i see.
as for the other flash memory comment.. am i missing something? the tfa is about hardware tcp/ip implementations.. you'd want to be able to correct the code if a critical flaw was discovered.. wouldn't that be time for firmware? -
I guess only married worms need apply
RPC vulnerability from 2 years ago taken advantage of by several worms since.
Use PostgreSQL or FireBird (yes, there are Win32 versions) which don't run with elevated privileges and you won't risk a Slammer.
Microsoft first makes the software, and then nails it down after the fan sloshes to a halt. Almost everyone else makes it secure from Day One. -
Let me spell it out for you.
From my previous post: http://www.cert.org/advisories/CA-2003-23.html
From Microsoft's web site:
http://support.microsoft.com/kb/823980
Look for the string "Windows Server 2003, 32-Bit Edition".
Summary:
Windows 2003 is vulnerable to the Blaster worm and I still see those attacks in my firewall logs. -
It was vulnerable.
http://www.cert.org/advisories/CA-2003-23.html
Microsoft doesn't change anything unless forced to. -
Re:You are incorrect.
-
IIS, popularity contest.
-
CERT checklist
In addition to the guide above, remember to also look at the CERT security checklist for unix machines. http://www.cert.org/tech_tips/AUSCERT_checklist2.0.html -
Sure, why not?
Seriously now. How the hell did they work that one in? Security flaws in Icon files.
Perhaps the same way as the widely-used and open source libpng library had a number of vulnerabilities last year? (ref 1, ref 2)
Or the same sort or way the Mozilla XBM vulnerability arose? (ref)
This isn't a new thing, and it's not unique to Microsoft, either.
-
Re:*sits back*...10-year-old PCI Ethernet cards...
...perhaps leaking your deepest secrets for others to sniff (i.e. padding short packets with old data)?
Better watch out! :-)
--This tip was brought to you by: a (small) angel whispering in my ear... -
Re:Article text in case of slashdotting
"...said Marty Lindner, a team leader at the U.S. Computer Emergency Readiness Team at Carnegie Mellon University."
I think the author of the article is referring to CERT. According to their FAQ (found here: http://www.cert.org/faq/cert_faq.html#A2), they don't appreciate "CERT" being expanded into an acronym. -
Re:IE?
You are probably thinking of Sendmail 8.12.6.
Someone trojaned the source tarball so that the make process built, installed, and ran a trojan horse. Here's a link to the CERT advisory:
CERT® Advisory CA-2002-28 Trojan Horse Sendmail Distribution -
Re:CERT Guide to System and Network Security Pract
It appears that the guide is available as pdf files at this location http://www.cert.org/security-improvement/
-
Re:Cyber security curriculum.
I just started a grad program in information security offered through the Information Networking Institute at Carnegie Mellon University. It's a unique program, because along with a very solid technology core, we also take some policy and business classes to better prepare for industry. I think a lot of problems still stem from the tech/security guys not being able to communicate with management and vice versa, so hopefully having this background will allow us to bridge that gap more effectively - and even fill some of those management positions ourselves. A few potential employers I've spoken with seem to agree. The general consensus is that it is easier to teach the geeks policy and management than it is to teach tech to the MBAs.
We're also affiliated with a number of research centers, which allows for some pretty interesting research opportunities. CERT/CC, Carnegie Mellon CyLab, and the Center for Wireless and Broadband Networking are the main three.
-
Is this story true?
I can well believe Finland did this, as even the US government (CERT) has made a number of similar warnings (including their most recent suggestion to ditch the browser), but is this story true?
I cannot find anything on The Finnish Communications Regulatory Authority's WWW site about it, and (thanks to timothy not even looking at articles he posts links to) the text in the story, "warned computer users against using Microsoft's Internet Explorer 6", links to an article which doesn't even *mention* the warning.
*If* the story is true, can some of the /. Powers that Be edit the story to link to an article that *is* about the story. -
Re:I was hit last night by this exploit
Are you sure you've been hit by _this_ exploit? Because the parent article does not mention any exploit being seen "in the field", as they say.
CERT says "As of the writing of this document, we have not received any reports indicating exploitation of this vulnerability outside of the context of obtaining it from the Brown Orifice web site."
If you think you have, then which website were you browsing? I.e. which one contained the rogue applet that can exploit the bug.
Don't worry if it's pr0n - we're all adults here :-)
-
Re:IIS 6.0 vulnerabilities is not zero...
Well, you are correct. I withdraw my inaccurate statement about IIS 6 not having any vulnerabilities. I was using CERT to look for incidents, and they do not list any of those three.
Anyhow, I'm no big fan of Microsoft, but the Server 2003 line is an exception to their normal substandard products. -
Re:Insane
-
Yeah....
...like I'm going to listen to eWeek.
I've got "MyYahoo" set as my homepage and their tech news stories are particularly disgusting. There was an exploit tool that was to be released under the GPL so the headline was " Open-Source Exploit Tool: 'Point, Click, Root' ". Mind you the tool attacks Windows and OSX machines, not Linux. But since it was released under the GPL, Open Source==Bad!
FUD! Just like when IDG reported the "double-free" CVS flaw in a story titled: "Search finds new holes in open source tool" (Notice, they reported this in July of 2004). After a little looking around I noticed that CERT released an advisory Feb. 2003! -
Cert doesn't list Mozilla bugs
Umm I just looked at cert, the 2 bugs are for netscape and filed in 1997. They don't list mozilla project exploits.
The CERT Coordination Center has received reports of a vulnerability in implementations of the Java Applet Security Manager. This vulnerability is present in the Netscape Navigator 2.0 Java implementation and in Release 1.0 of the Java Developer's Kit from Sun Microsystems, Inc. These implementations do not correctly implement the policy that an applet may connect only to the host from which the applet was loaded.
CERT® Advisory CA-1996-05 Java Implementations Can Allow Connections to an Arbitrary Host
CERT® Advisory CA-1996-07 Weaknesses in Java Bytecode Verifier -
Re:Sweet Spot?
_Most_ programmers with any measurable breadth can sit back and shake their head. Sorry!
I completely agree that most programmers still agree with your point of view. That's why so much software is still full of security holes, crashes so frequently, requires hundreds of megabytes of memory, and misses so many deadlines.
struggling to grip with a wide variety of blindingly obvious fact.
Yes, the facts are blindingly obvious. -
Re:exaggerated
As networks become increasingly complex and increasingly interconnected, the difficulty in adequately securing them properly increases exponentially.
If you're housing millions+ of dollars in data/IP/personal information or are protecting government assets/secrets, well you are probably REQUIRED to comply with DITSCAP/HIPAA/Sarbanes-Oxley or some other mandated standard...and by god you need a security infrastructure. And more and more organizations are beginning to realize how difficult it is to do it right.
Standard security procedures:
- Lock down the perimeter
- Lock down the servers
- Lock down the desktops
- Limit data portability (thumbdrives/USB drives/CD-R(W))
- Limit external access by employees
- Partition your network into secure zones
- ACLs on everything that sends or receives a packet
- Encryption for sensitive data
- Monitor everything and *gasp* actually review the logs
- Make passwords be strong and expire often
- Quarantine your remote users/connections
- Checks and balances in the 'meat-space' authorization process
- 3+ factor authentication (SecurID, biometrics, certificates, PKI)
- Redundancy, redundancy, redundancy
- Incident response capability
- Off-site data storage and recovery
- Conduct regular security audits and reviews
And this is just for the small business networks I deal with. Sounds like a lot, but it STILL will not meet some security standards.
Now let's take a fictional mid-size company: 500 employees over 3 sites, 30 file/database/infrastructure servers, 4 public servers, dial-up PPP RAS. The company requires persistent/semi-persistent connections to 3 other organizations. The desktops are a mishmash of XP/2000/NT4, the servers range from NT4-2003, a couple Netware boxes, a couple of Solaris machines running unpatched Oracle 9i and you are using a half-dozen proprietary closed-source apps that connect to the Internet in some fashion. They recently landed a contract as a sub to Lockheed-Martin and are going to be handling sensitive documents. You've just been hired as CIO and your first priority as dictated by the CEO is to 'secure the network'. Your IT staff consists of a DBA, 2 MCSDs, a Unix guru, 4 MCSEs, 7 A+ techs, a dozen secretaries with rudimentary troubleshooting skills and the PHB who lords over them. So now how much money do you think you need?
when the info they had is worth next to nothing or it is even public
Value is in the eye of the beholder. There's very little data that you can make money off of that isn't valuable to someone. You think that PeopleSoft database might not be worth a few bucks to the right person?
This started to look a little bit like the Y2K craze
Increased awareness creating increased vigilance does not mean the issue is self-created.
Check here in the Incidents Reported section. That 1394% increase between 1999 and 2003 kinda reaches out and grabs ya. -
Re:Microsoft says "No Problem"
Here is the pertinent CERT advisory for this flaw.
The idea is that all the website designer has to do is make an image that LOOKs like a scrollbar. The user goes and clicks and drags it to scroll down, not knowing it's fake. If there is a DYNSRC="..." attribute specified in the <IMG...> tag, Internet Explorer downloads and runs whatever program is specified, without any kinds of prompts whatsoever.
Even with SP2 installed. -
Three links I just can't live without as an admin:
SANS Internet Storm Center
Provides current Internet port graph history and advisories
CERT's Vulnerabilities page
Provides current Internet virus history and news.
Keynote Internet Health Report
Provides a table of ping times between various Internet backbones and providers. Great for checking if it's your ISP, or the backbone they are attached to that's having a slow day.
I advise everyone to check these out, as they provide a great wealth of information in a nice organized format. -
Hint
Use:
RewriteEngine on
RewriteCond %{REQUEST_METHOD} ^(TRACE|TRACK)
RewriteRule .* - [F]
To avoid Cross-Site-Tracing http://www.kb.cert.org/vuls/id/867593/ -
Re:Care to define that?
Can someone seriously tell me what a "cyberterrorist" is?
I started looking for a definition at the FBI which led me over to CERT and a presentation that defines cyberterrorism as:
"The deliberate destruction, disruption or distortion of digital data or information flows with widespread effect for political, religious or ideological reasons."
This apparently does include website defacement... -
Re:Mod article down
No, that's SCO's belated response to an 'old' (as you quoted!) advisory CA-2003-25 (http://www.cert.org/advisories/CA-2003-25.html)
-
Re:Opteron cpu hacked
It would be much easier to write a BIOS flashing virus, I believe a few of these did exist at one point
Chernobyl. -
Other useful info at cert.org
CERT.org's tips for home network security. It's very basic but might help.
They also offer The Home Computer Security guide, which seems to parallel Mr. Greene's book in some key areas. This page includes a link to a pdf which goes into detail on the examples (encryption, firewall, anti-virus, patches, ACLs).
Point your tech support callers to these free docs - or others easily available via your favorite search engine - if the idea of a commercial book bothers you that much. Not everything has to be open source. Alternatively, why don't you write the open source manual that you need? Isn't that the idea behind F/OSS? -
Impressive link collection
Just in case his site gets /.'ed, here is his impressive list of links. - Jonah Hex in non-karma whore mode.
Downloads
Linux Wipe Tools: Three shell scripts for securely wiping all data from the swap partition, wiping unused disk space on the root partition, or wiping an entire disk, by Thomas C. Greene.
No Messenger: A batch file that eliminates Windows Messenger and fixes the problem of Outlook Express loading slowly when Messenger is absent, by an anonymous friend of The Register.
FileCheck MD5: A free, simple, lightweight MD5 utility for Windows, courtesy of Brandon Staggs.
Errata: A text file containing my various blunders and omissions in the book (right-click and "save as," or view as HTML). Last updated 6 June 2004.
Links to Other Goodies
Mozilla: A free, open source Web browser and e-mail client for Linux and Windows, feature rich and far more secure than Internet Explorer and Outlook Express. Recommended for novices.
Firefox: A free, open source, stand-alone Web browser for Linux and Windows. Very light and fast. Recommended for intermediate users.
Thunderbird: A free, open source e-mail and news client for Linux and Windows. Recommended for intermediate users.
GnuPG: Gnu Privacy Guard; a free, open source replacement for PGP, for Windows and Linux.
WinPT: Windows Privacy Tools; a free, open source GUI frontend to GnuPG for Windows.
Anonymizer: Various services for anonymous Web surfing, e-mail, chat, etc.
OpenSSH: A free, open source SSH (Secure Shell) client and server for Windows and Linux.
PuTTY: A free, open source GUI frontend to OpenSSH for Windows.
Ethereal: A free, open source network traffic analyzer for Windows and Linux. Windows users will need to install WinPcap before installing Ethereal.
Ad-Aware: A free, closed source adware/spyware scanner for Windows.
SpyBot Search & Destroy: A free, closed source adware/spyware scanner for Windows.
Sam Spade: CGI gateways to numerous online tools, such as whois, traceroute, etc.
SourceForge: A vast repository of open-source software for Windows and Linux. The site can be overwhelming, but it has a search engine to help users locate packages.
GNU Project: The home base of the open source movement. A repository of open source products, chiefly for UNIX-compatible systems.
Security Information
About Internet/Network Security: An informative and useful site dealing with computer and Internet security, with reviews of security products and books, practical howtos and tips, and links to numerous tools and information resources, geared toward beginners and intermediate users.
SANS Institute: An educational and research organization with a vast archive of security research documents, news, and advisories, geared toward intermediate and advanced users.
CERT/CC: Computer Emergency Response Team Coordination Cente -
Re:A Survey at DEFCON about HACKING???
Yeah, and they can pound back 3 Classic Dews in under 30 seconds... gotta love that wide-mouth can!
Finishing off one Code Red, however, is another issue entirely... -
Ahem..... ILOVEYOU
kindly check the attached LOVELETTER coming from me.
<Attachment: LOVE-LETTER-FOR-YOU.TXT.VBS>
... and I guarantee this will be modded down. -
Ummm? Specifics?
What do you find interesting, and what do you need to be informed about?
Security?
Wine updates?
http://seclists.org/
http://www.cert.org/
Those are interesting and informative for me, but a perl developer can probably give a damn about the latest nmap release.
What are your needs? -
Heated Feedback
-
Re:Where is the notice?
http://www.kb.cert.org/vuls/id/323070
the very last suggested solution states: There are a number of significant vulnerabilities in technologies relating to the IE domain/zone security model, the DHTML object model, MIME type determination, and ActiveX. It is possible to reduce exposure to these vulnerabilities by using a different web browser.
i'm no web journalist, but i'd hardly call that a recommendation or urging to use a browser other than ie.