Domain: us-cert.gov
Stories and comments across the archive that link to us-cert.gov.
Comments · 231
-
Re:Insane
-
Re:Insane
Don't forget to thank the fine people at Mozilla as well. Their software recently allowed exploits in bitmap files.
-
Re:NX Protection?
Yes, but there are many applications besides Windows XP which use this same code that are vulnerable. See appendix B here for just a list of the Microsoft products that are vulnerable. There are third-party applications that are also vulnerable, but I couldn't (quickly) find a list with Google.
So it is possible that NX will help protect against this bug in other applications. But then again, maybe it won't :-)
-
I second that "information we can use" point
I spent about 45 minutes reading docs at MSDN/MSKB trying to find an explicit statement that IE6SP1 on Win98 is vulnerable, and I swear that they don't actually state that fact (explicitly) anywhere! I eventually was able to read between the lines and conclude that Win98 isn't vulnerable, but Win98 + IE6 is, so you should run Windows Update to DL the patch.
Am I certain? No. Like I said, it's very difficult to find answers to very simple questions in their docs sometimes. I especially hate reading their security bulletins because it's like they were written by very technical lawyers who are trying to maintain the illusion of releasing information without actually doing so. As often as is possible, I try to wait a day or two for the DHS CERT to issue their bulletins because they do a slightly better job of relaying useful information.
-
Re:i knew it!
Wasn't there a vulnerability in *nix's libpng a short while ago, though?
Why yes, there was.
-
Re:The Storm Center is excellent
I have a set of tabs that I load every morning precisely for this; some of them are:
- ISS GTOC
- myNetWatchman (another perspective on port activity)
- NIPC Critical Infrastructure (updates are spotty but sometimes interesting)
- US-CERT Current Activity (often a tad behind)
ISC is definitely the main one to get but these are useful. I didn't list virus sites but those may be useful as well depending on your environment.
-
Re:It's kinda cool
Port knocking is an excellent way to greatly reduce the probability that someone will be able to use a newly discovered exploit from using it against your server before an update is available to fix the exploit.
This is only true for vulnerabilities in services which allow for or rely on attackers making new connections. Many vulnerabilities take other forms, and port-knocking is no protection against them. For example:
-
Dealing with malware infected customers
Of course, it's spyware causing the pop-ups, and we recommend using a product like Ad-aware to take care of the issue
Adaware and other canned products will usually work fine for well known problems. For the latest threats you need someone who is skilled enough to research these problems, hunt them down, etc...
we take around two dozen to three dozen tech support calls from users each day. Many have something to do with pop-up ads making using our product nearly impossible
If the client is having a client side problem with popup ads, then why not charge for your service or refuse to troubleshoot the problem? I assume of course that your web server has not been compromised.
A few things to consider are:
1. Is the end user using a "power user" or administrator account? If so I would suggest that they set up a regular local/domain user account - this account. The "power user" and administrator accounts give the end user the ability to modify the OS and registry big time. You really cannot blame the "evil empire" if people's PCs are getting hosed because they have administrative rights and are clicking on unsolicited links, OKing every popup window they see without reading them etc...
2. Educate your customers about using the web securely - if needed, contact their IT dept and explain the problem.
3. Most (Windows) people don't patch their machines - educate them about this - while the evil empire is usually slow in issuing patches, old patches are better than none at all.
One last thing - Windows/IE is targeted by crapware writers because of its popularity - this is why you do not see anywhere near as many *nix/Mozilla infestations etc... Lately many sites have been advising people to dump IE and use Mozilla instead. If Mozilla grows in popularity as a result, expect to see malware targeted for this too.
-
US-CERT Cyber Security
The Cyber Security Alert System provides all citizens--from computer security professionals to home computer users--with free, timely, actionable information to better secure their computer systems.
http://www.us-cert.gov/cas/signup.html
-
Re:So how did Akami fend off what ever it was?
-
Interesting time to publish the report
Interesting time to publish this - right between last week's IIS/IE multiple exploits and this week's Evaman Worm outbreak.
Now that CERT and the Dept. of Homeland Security both recommend consumers abandon Internet Explorer, can we get them to recommend dropping Outlook Express?
-
Something is fishy here
True, Yahoo says it's so but can anybody find the actual CERT or DHS press release?
I've just spent a very unrewarding half hour clicking around the CERT and DHS sites and found nada, zip. If either of those bodies really made this inflammatory recommendation, they confided it only in Yahoo, that I can find.
-
Re:Can anyone point me to the CERT and HS Sites?
Try this: Department of Homeland Security and this: US-CERT
-
What CERT Advisory?
Maybe I'm just not finding it, but I can find no link to the official CERT advisory in the article just:
An alert issued Thursday by the U.S. Computer Emergency Readiness Team (US-CERT)
Searching both US-CERT and CERT I find two articles (one, two) but neither make any recommendation of "alternate browsers." So unless I'm missing something, the use of "alternative browsers" was added by the author of this article?
L-A-M-E!
-
Re:CERT? What the heck is CERT?
You go here often? Why may I ask?
-
Where does CERT say this on their web site?
Does CERT actually say that you should switch to a different Web Browser on their Web Site? I can't get to the Washington Post article, and I have a hard time finding such an advisory at www.cert.org. For example, this link, http://www.us-cert.gov/cas/alerts/SA04-163A.html, dated June 11, 2004, says
Resolution
Apply a patch
Although a patch is not yet available for this issue, it is a good practice to use Microsoft Windows Update to help ensure the security of your computer.
Disable Active scripting and ActiveX controls
Instructions for disabling Active scripting and ActiveX controls in the Internet Zone can be found in the Malicious Web Scripts FAQ.
Do not follow unsolicited links
Do not click on unsolicited URLs received in email, instant messages, web forums, or internet relay chat (IRC) channels.
Run and maintain an antivirus product
It is important that you use antivirus software and keep it up to date. Most antivirus software vendors frequently release updated information, tools, or virus databases to help detect and recover from virus infections. Many antivirus packages support automatic updates of virus definitions. US-CERT recommends using these automatic updates when possible.
And another dated June 24, 2004, at http://www.us-cert.gov/current/current_activity.html, says
US-CERT is aware of new activity affecting compromised web sites running Microsoft's Internet Information Server (IIS) 5 and possibly end-user systems that visit these sites. Compromised sites are appending JavaScript to the bottom of web pages. When executed, this JavaScript attempts to access a file hosted on another server. This file may contain malicious code that can affect the end-user's system. US-CERT is investigating the origin of the IIS 5 compromises and the impact of the code that is downloaded to end-user systems.
Web server administrators running IIS 5 should verify that there is no unusual JavaScript appended to the bottom of pages delivered by their web server.
This activity is another example of why end users must exercise caution when JavaScript is enabled in their web browser. Disabling JavaScript will prevent this activity from affecting an end-user's system, but may also degrade the appearance and functionality of some web sites that rely upon JavaScript. US-CERT recommends that end-users disable JavaScript unless it is absolutely necessary. Users should be aware that any web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code.
Am I looking at the wrong advisories? Where does it actually say "Switch to the following alternative browsers"?
-
Where does CERT say to not use Explorer?
I see where *Washington Post* says that CERT recommends this, but where on the CERT site is this found?
I think that the Washington Post has gotten its facts wrong. The only thing they say to do is to disable Javascript:
-
yes it is
I don't see it either on CERT's site, but maybe looking in the wrong place. I have (I think anyway) the alert from their site, but it doesn't recommend to use a different browser and/or operating system.
I think this is the Thursday past reference, but it certainly doesn't contain a reference to any browser switch.
"IIS 5 Web Server Compromises
added June 24
US-CERT is aware of new activity affecting compromised web sites running Microsoft's Internet Information Server (IIS) 5 and possibly end-user systems that visit these sites. Compromised sites are appending JavaScript to the bottom of web pages. When executed, this JavaScript attempts to access a file hosted on another server. This file may contain malicious code that can affect the end-user's system. US-CERT is investigating the origin of the IIS 5 compromises and the impact of the code that is downloaded to end-user systems.
Web server administrators running IIS 5 should verify that there is no unusual JavaScript appended to the bottom of pages delivered by their web server.
This activity is another example of why end users must exercise caution when JavaScript is enabled in their web browser. Disabling JavaScript will prevent this activity from affecting an end-user's system, but may also degrade the appearance and functionality of some web sites that rely upon JavaScript. US-CERT recommends that end-users disable JavaScript unless it is absolutely necessary. Users should be aware that any web site, even those that may be trusted by the user, may be affected by this activity and thus contain potentially malicious code."
If anyone has the URL reference that has the browser recommendations, please provide it, it will help in spreading the word better. People might take it more seriously coming from a CERT reference than just some news article.
-
Link to US-CERT TA04-111A
Here's a link to US-CERT's TA04-111A on this topic.
-
Re:And yet still reports don't mention Microsoft
There. That's more like it. This (http://www.us-cert.gov/cas/techalerts/TA04-099A.html) article clearly marks both the Microsoft Windows "operating system" and Microsoft application "Internet Explorer", rather than just claiming something outlandish like "computers that access the internet using a browser".
I do hope none of those stupid users go clicking on any URLs or reading web pages or e-mails. They should know better than that, now shouldn't they?
-
Patches Only License
I think this is an unauthorized making of a derivative work,
An interesting theory. Suppose I distribute a program which will patch a piece of proprietary software in some way, such as to close a security hole in Internet Explorer. Under copyright law, it would absolutely be illegal for me to patch IE and distribute the patched version (which would be a derivative work) but I don't know that the patch program itself could be illegal because the user must have already (presumably legally) obtained a copy of IE to patch. The end user's use of the patch might violate a EULA, which may or may not have any legal authority, but the patch itself wouldn't violate anything if it were developed in a jurisdiction that doesn't recognize the validity of the EULA.
Personally, I'm interested in taking this technology to the next level. I'd like to see an XML schema that would instruct a DVD player to cut the movie in a certain way, including adding or substituting external video sources, voice or complete sound tracks (Dark Side of the Rainbow? How about roll-your-own MST3K?) or adding subtitles (for languages that won't generate enough profit for the studio to warrant, for a film school professor to comment on techniques being used in the scene, history classes to give some background on an expression used in a period piece....) This should be a perfectly legal way for a director to do a 'remix' of a movie by distributing the XML file to people who would then have to buy the DVD to view the 'derivative work', so everybody gets paid. The buyer would still have the original, and be able to play it any time the way the original director intended, but might also be able to enjoy seeing some new perspectives on the work.
This is exactly the same as the software licenses that require derivative works to be released as patches only.
-
CERT?
-
Re:Big threat? Not really
-
Re:Big threat? Not really
You don't have to use MS's help function to be vulnerable. If you browse a malicious web site using IE or open e-mail with a reader that handles html messages your system could be compromised. Take a look at the CERT advisory.
Do the users where you work not have Internet or e-mail access? Then I guess you are safe.
-
Re:Yup
If I had to give a government recommendation, it would probably be along the lines of:
I have one simple recommendation I keep giving the government (and they keep ignoring me):
- Stop subsidizing insecure software with taxpayer dollars.
Issue advisories. There are organizations like CERT that do this."
Have you heard that CERT has been subsumed by the United States Department of Homeland Security?
-
Re:A whole lot of point missing going on...
How is a DOS attack anything like overwriting a hard drive? This is FUD.
From US Cert:
II. Impact
An unauthenticated, remote attacker could cause a denial of service in any application or system that uses a vulnerable OpenSSL SSL/TLS library.
-
A whole lot of point missing going on...
About a week ago, we had a vulnerability announced in OpenSSL. I imagine most of us patched pretty quickly. But the Witty worm appeared within twenty-four hours of the announcement of the vulnerability it attacked, and it infected 95% of vulnerable machines within 45 minutes.
Yes, it's funny that it was a Windows firewall that was attacked. Yes, it's especially funny that it was an expensive Windows firewall that was attacked. Laugh.
But also think.
This could just as easily have been us. From my root logs I patched my servers for the OpenSSL vulnerability on Sunday 21st, which was four days after it had been announced. If the Witty worm had attacked OpenSSL, it would have got me. I suspect it would get most of us.
Linux (or BSD, or whatever) is not immune to this sort of attack. On the contrary, we're just as vulnerable as anyone else. Those of us who administer public-facing servers have got to learn to be still more cautious, and still more proactive about fixing holes as they are announced.
-
Re:CERT Advisory List
Looking at the US-CERT website, it looks like there are actually four lists on their National Cyber Advisory System page. Two are technical, and two are not.
One of the technical lists appears to be trying to disseminate timely information, and the other has bi-weekly summaries. The non-technical lists look like they mirror the above, approximately.