Security UPDATE, July 30, 2003

Mark Joseph Edwards discusses the cancellation of a planned security exercise in Japan. He also reviews the current remote procedure call (RPC) buffer-overflow vulnerability that affects several Windows OSs. Demonstration code is available now.


Windows & .NET Magazine Security UPDATE--July 30, 2003


Editor's Note: We'd like your opinion about Security UPDATE! To improve the editorial quality of this email newsletter and determine the best delivery format, we need your feedback. Please take some time to answer our online survey. The survey gives you the opportunity to provide feedback in one online survey about all the Windows & .NET Magazine Network newsletters to which you subscribe. We appreciate your time, and we look forward to reading your comments. To answer the survey, go to http://websurveyor.net/wsb.dll/12237/EditorsEmail.htm

==== 1. In Focus: "Hacking" Contest and Demonstration Code ====

by Mark Joseph Edwards, News Editor, [email protected]

An interesting news story described a recent occurrence in Japan. The country's Ministry of Economy, Trade and Industry (METI) had scheduled a tournament in which students would compete against one another to exercise their computer security skills. Many small teams would try to penetrate the security of one another's computers while at the same time protecting their machines from intrusion. The defended machines were to use the Windows 2000 OS. Students were free to use other OSs as well in their attempts to breach security. The exercise sounds great to me. All teams would use their protection and penetration knowledge--and learn by observing the tactics used against them. However, the Japanese government canceled the contest after many Japanese citizens complained that such a tournament was the equivalent of promoting cybercrime. (I wonder whether those same people also think that teaching law-enforcement officers about the criminal mind will turn cops into criminals.) I think that the government might be limiting its chances of developing a better set of white-hat "hackers."
In last week's Security UPDATE, I wrote about the Last Stage of Delirium Research Group, the Polish group that discovered the remote procedure call (RPC) buffer-overflow vulnerability that affects Windows Server 2003, Windows XP, Win2K, and Windows NT 4.0. The problem is serious because it lets intruders run the code of their choice on an unprotected system--and it affects many OSs. The group chose not to divulge technical details about the discovery at the time the vulnerability became public. I noted that the Last Stage of Delirium Research Group does routinely publish technical details along with code for problems it discovers. I recommended that because the group would eventually release demonstration code, users should patch their systems before a known exploit became available to the public. I thought users might have at least a few weeks for the patching process. However, another group published working demonstration code sooner. On Friday, July 25, Xfocus (which is based in China) published code that attackers can use to exploit the same vulnerability. The code, which appeared on mailing lists and on the group's Web site, is designed for demonstration against any of the affected OSs. When attackers launch the code against an unprotected system, the code gives them a remote command shell. Several security professionals worry that with working code now readily available, someone will use it to create a worm and release it on the Internet. That scenario certainly could occur. Patch your systems now or perform a workaround, such as blocking port 135 at your network borders or disabling Distributed COM (DCOM) by using dcomcnfg.exe. Also, spread the word about the vulnerability to business associates, family, and friends--any of whom might be using an affected system that isn't protected properly. The release of the exploit code was inevitable. 
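The paragraph above names two workarounds for hosts that cannot be patched immediately: block TCP port 135 at the network border and disable DCOM with dcomcnfg.exe. As an added example that is not part of the original newsletter, the following PowerShell function audits a single Windows host for both settings; it assumes a current Windows version with the NetTCPIP and NetSecurity modules, and relies on the EnableDCOM registry value that dcomcnfg.exe writes under HKLM\SOFTWARE\Microsoft\Ole.

```powershell
# Added example, not from the newsletter: report whether the DCOM/RPC
# workarounds are in place on the local host. Run in an elevated session.
function Test-DcomWorkaround {
    [CmdletBinding()]
    param()

    # dcomcnfg.exe stores "Enable Distributed COM on this computer" here:
    # "Y" = enabled (the default), "N" = disabled.
    $oleKey = 'HKLM:\SOFTWARE\Microsoft\Ole'
    $enableDcom = (Get-ItemProperty -Path $oleKey -Name 'EnableDCOM' `
                       -ErrorAction SilentlyContinue).EnableDCOM
    $dcomDisabled = ($enableDcom -eq 'N')

    # The RPC endpoint mapper listens on TCP 135. A host-level listener check
    # complements, but does not replace, blocking 135 at the network border.
    $epmListener = Get-NetTCPConnection -LocalPort 135 -State Listen `
                       -ErrorAction SilentlyContinue

    # Enabled inbound host-firewall rules that explicitly allow local port 135.
    $allow135 = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True `
                    -ErrorAction SilentlyContinue |
                Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -contains '135' }

    $exposed = (-not $dcomDisabled) -and [bool]$epmListener

    [pscustomobject]@{
        ComputerName         = $env:COMPUTERNAME
        EnableDCOM           = if ($null -eq $enableDcom) { 'not set (defaults to Y)' } else { $enableDcom }
        DcomDisabled         = $dcomDisabled
        Port135Listening     = [bool]$epmListener
        InboundAllow135Rules = @($allow135).Count
        Assessment           = if ($exposed) {
                                   'DCOM enabled and endpoint mapper listening: patch, or block TCP 135 at the border'
                               } else {
                                   'workaround present on this host'
                               }
    }
}

Test-DcomWorkaround | Format-List
```

Run it on each unpatched host to confirm the dcomcnfg.exe change took effect; the firewall-rule count shows whether a local rule would still expose port 135 if the border block is removed.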
As far as I know, no public notices provided Xfocus with specific details about the RPC problem, but the group might have gleaned more specific details from some source. However, Xfocus and other groups could easily test a system until they find a weakness--and develop working code from that point. Many companies currently frown on the release of demonstration code, even some companies that formerly released code but have ceased doing so. Nevertheless, such code releases will continue to occur as they have for the past decade--with the stakes increasingly higher. In any case, we should guard against attacks as best we can. Diligent knowledge gathering and action are required--and should lead to protection when the actions are adequate. We need to keep monitoring newsletters, mailing lists, and other information outlets--and acting on the knowledge. You're probably aware, for example, that Microsoft recently released three more security patches, one of which is critical and affects all Windows OSs. eEye Digital Security discovered the critical flaws, which involve Microsoft DirectX. An unchecked buffer lets intruders use a specially crafted MIDI file to run code of their choice on an unprotected system. You'll find patches linked through the section "Multiple Buffer Overruns in DirectX" in this edition of Security UPDATE. Be sure to patch your systems if necessary!


Copyright 2003, Penton Media, Inc.
