Saturday, August 30, 2003

Microsoft Guide to Security Patch Management
Organizations depend on information technology resources and expect them to be trustworthy: a few days of downtime is expensive, while a security compromise of corporate assets can have disastrous consequences.

Viruses and worms such as Klez, Nimda, and SQL Slammer exploit security vulnerabilities in software to attack a computer and launch new attacks on other computers. These vulnerabilities also provide opportunities for attackers to compromise information and assets by denying access to valid users, enabling escalated privileges, and exposing data to unauthorized viewing and tampering.

The operational cost of a day's downtime can be calculated for most organizations, but what if the information with which others entrust your organization is compromised publicly?

A breach of corporate security and the resulting loss of credibility (with customers, partners, and governments) can put the very nature of an organization at risk. Organizations that fail to perform proactive security patch management as part of their information technology security strategy do so at their own peril.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/topics/patch/secpatch/default.asp
411 DV: Web Resources for Non-Linear Editors
Have a question on the latest nonlinear editing software? Need a hard-to-find piece of video editing equipment? Or are you just starting out in the field of digital video and need some direction? Like virtually every other topic imaginable, the digital video field has seen an explosion of online resources, discussion groups, and chat areas to help both neophytes and seasoned pros achieve their goals more effectively and do their jobs more efficiently. Here, we'll take a look at ten sites that specialize in the world of digital video, though each one offers its own unique features that range from user forums to tutorials to sales. (And don't forget about EMedia's own site, http://www.emedialive.com, which offers twice-weekly breaking news, online product "demo rooms," and articles from the magazine.)


http://www.emedialive.com/news/2003/0722_4.html

Friday, August 29, 2003

3 Ways to Help Ensure Your System Is Protected

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tips/pcprotec.asp
Batten Down Those Ports
With worms such as Blaster prowling the Net, every user ought to know the ways a computer may be exposing itself to attacks. One of the simplest but most vital tests you can do to determine potential vulnerabilities is to find out which ports your PC has open to the outside world.
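The test the article recommends, written out as an added example (my code, not PC Magazine's): list every TCP listener and UDP endpoint on the host, the process that owns it, whether it is bound to an address other hosts can reach, and whether it falls outside a list of ports you expect. It assumes the NetTCPIP cmdlets (Windows 8 / Server 2012 and later); on the Windows 2000 and XP systems of the article's day the same raw data comes from "netstat -ano". The allowed-port default (nothing inbound) is my assumption for a plain workstation.

```powershell
# Added example, not from the PC Magazine article: enumerate every TCP listener
# and UDP endpoint on this host, the process that owns it, whether it is bound
# to a network-reachable address, and whether it is outside an approved list.
# Uses the NetTCPIP cmdlets (Windows 8 / Server 2012 and later); on older
# systems the same information comes from "netstat -ano".
function Get-ExposedPorts {
    param(
        # Ports you expect to be reachable from the network. Anything else
        # is flagged. The default (nothing inbound) is my assumption for a
        # plain workstation.
        [int[]]$AllowedPorts = @()
    )

    # Sockets bound only to loopback cannot be reached from other hosts.
    $loopback = @('127.0.0.1', '::1')

    function New-PortRecord($Proto, $Endpoint) {
        $proc = Get-Process -Id $Endpoint.OwningProcess -ErrorAction SilentlyContinue
        $reachable = $Endpoint.LocalAddress -notin $loopback
        [pscustomobject]@{
            Proto        = $Proto
            LocalAddress = $Endpoint.LocalAddress
            Port         = $Endpoint.LocalPort
            Process      = if ($proc) { $proc.ProcessName } else { "pid $($Endpoint.OwningProcess)" }
            Exposed      = $reachable
            Unexpected   = $reachable -and ($Endpoint.LocalPort -notin $AllowedPorts)
        }
    }

    $tcp = Get-NetTCPConnection -State Listen | ForEach-Object { New-PortRecord 'TCP' $_ }
    $udp = Get-NetUDPEndpoint             | ForEach-Object { New-PortRecord 'UDP' $_ }

    # Unexpected, network-reachable ports sort to the top.
    @($tcp) + @($udp) | Sort-Object -Property Unexpected, Proto, Port -Descending
}

# Usage: a workstation that should accept nothing inbound except Remote Desktop.
Get-ExposedPorts -AllowedPorts 3389 |
    Format-Table Proto, LocalAddress, Port, Process, Exposed, Unexpected -AutoSize
```

The Process column is the part "netstat -an" alone does not give you: a listener you cannot tie to a service you recognise is the one to investigate. Blaster spread over the RPC endpoint on TCP 135, so on a machine that faces the Internet directly the Windows networking ports (135, 139, 445) showing up as Exposed are the first thing to deal with, by firewall or by unbinding, before any other hardening.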

http://www.pcmag.com/print_article/0,3048,a=55855,00.asp
SoBig Code Directs Infected Computers to Seven AOL Time Warner Servers
Anti-virus experts are downplaying recent claims that there is a second hidden cache of data in the SoBig worm's code that directs infected computers to contact a group of seven mail and name servers owned by an AOL Time Warner Inc. subsidiary.
Officials at BitDefender, a unit of Softwin SRL in Bucharest, Romania, said on Tuesday that they had found a second set of encrypted server addresses in the code of the eminently annoying SoBig.F worm. All of the server names appear to belong to Time Warner Telecom Inc.

"The code is quite straightforward and accurately indicates that the virus asks for information at this address, waits for the answer and then runs the downloaded file on the infected host," said Mihai Chiriac, a virus researcher at BitDefender. "As for the moment, there is no information at any of these addresses; we can't predict the code's effects."

http://www.eweek.com/article2/0,3959,1232316,00.asp

Wednesday, August 27, 2003

Microsoft Baseline Security Analyzer
As part of Microsoft's Strategic Technology Protection Program, and in response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA).

MBSA Version 1.1.1 includes a graphical and command line interface that can perform local or remote scans of Windows systems. MBSA runs on Windows 2000, Windows XP, and Windows Server 2003 systems and will scan for common system misconfigurations in the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, Internet Information Server (IIS) 4.0 and 5.0, SQL Server 7.0 and 2000, Internet Explorer (IE) 5.01 and later, and Office 2000 and 2002. MBSA will also scan for missing security updates for the following products: Windows NT 4.0, Windows 2000, Windows XP, Windows Server 2003, IIS 4.0 and 5.0, SQL Server 7.0 and 2000, IE 5.01 and later, Exchange 5.5 and 2000, and Windows Media Player 6.4 and later.

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/Tools/mbsahome.asp
Windows XP Security Checklist
Although Windows XP Professional is built on the Windows 2000 kernel, there are significant differences between the operating systems - especially when it comes to security. This checklist is partially based on our popular Windows 2000 security checklist and covers both Windows XP Professional and XP Home Edition. Unfortunately, Windows XP Home Edition doesn't have all of the security features of XP Professional, so not all of the options are available for both versions. If you're concerned about your data, we strongly recommend upgrading to XP Professional as soon as possible. When implementing these recommendations, keep in mind that there is a trade-off between increased security levels and usability for any operating system. To help you decide how much security you need, we've divided the checklist into Basic, Intermediate, and Advanced Security options. You should assess your potential security risks, determine the value of your data, and balance your needs accordingly.

This is a "live" document which will be updated over time as new security recommendations are published by Microsoft. We have tried to make the checklist as complete as possible, however if you have any suggestions or feedback, please e-mail bernie@labmice.net


http://www.labmice.net/articles/winxpsecuritychecklist.htm

Monday, August 25, 2003

A Cumulative Patch for Internet Explorer
Microsoft on Wednesday issued a cumulative patch for its Internet Explorer browser that also protects against several newly discovered vulnerabilities that it labeled as "critical."

Microsoft said the patch combines all the previously released patches for IE 5.01, 5.5 and 6.0 and also addresses several vulnerabilities that would allow an attacker to use a malicious Web site or specially-formed HTML email to access certain privileges on a user's computer.

The first new flaw patched involves the cross-domain security model of IE, which is intended to keep windows of different domains from sharing information. Microsoft said the flaw could allow an attacker to execute script in the user's My Computer zone, run an executable file already present on the local system, or view files on the computer.

To exploit the flaw, an attacker would have to host a malicious Web site that contained a page specifically designed to exploit the vulnerability, and then persuade a victim to visit the site. Once the user is on the site, Microsoft said the attacker could run malicious script by misusing the method IE uses to retrieve files from the browser cache, causing that script to access information in a different domain.

The second new vulnerability patched would allow an attacker to run arbitrary code on a user's system because Internet Explorer doesn't properly determine an object type returned from a Web server, Microsoft said. This vulnerability could be exploited either through convincing a user to visit a malicious Web site or through an HTML email.

The cumulative patch also sets the Kill Bit on the BR549.DLL ActiveX control, which was originally implemented to support the Windows Reporting Tool. IE no longer supports the tool, which has been found to contain a security vulnerability. The new patch prevents the control from running or from being reintroduced onto a user's system.
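What "setting the Kill Bit" means mechanically, as an added example (my code, not from the internetnews article or the Microsoft bulletin): Internet Explorer looks up a control's CLSID under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility and refuses to instantiate it when bit 0x400 of the "Compatibility Flags" DWORD is set. Because the decision is keyed on the CLSID and not on the file, reinstalling BR549.DLL does not bring the control back, which is why the bulletin can say the patch prevents it from being reintroduced. The page does not give the control's CLSID, so the one used below is a hypothetical placeholder; the functions work for any CLSID. Writing the key needs an elevated shell.

```powershell
# Added example: check or apply the ActiveX kill bit for a given CLSID.
# Key:   HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}
# Value: "Compatibility Flags" (DWORD); bit 0x400 is the kill bit.
$KillBit       = 0x400
$ActiveXCompat = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'

function Get-CompatFlags([string]$Clsid) {
    $key = Join-Path $ActiveXCompat $Clsid
    if (-not (Test-Path $key)) { return 0 }
    $v = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [int]$v   # $null (value absent) becomes 0
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    return [bool]((Get-CompatFlags $Clsid) -band $KillBit)
}

function Set-ActiveXKillBit {
    param([Parameter(Mandatory)][string]$Clsid)
    $key = Join-Path $ActiveXCompat $Clsid
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    # OR the bit in so any other compatibility flags already set are kept.
    $new = (Get-CompatFlags $Clsid) -bor $KillBit
    Set-ItemProperty -Path $key -Name 'Compatibility Flags' -Value $new -Type DWord
}

# Hypothetical placeholder CLSID; substitute the one from the bulletin you are acting on.
$clsid = '{12345678-1234-1234-1234-123456789ABC}'

Test-ActiveXKillBit $clsid            # False on a machine where the bit has not been set
# Set-ActiveXKillBit $clsid           # uncomment in an elevated shell to set it
# Test-ActiveXKillBit $clsid          # then reports True
```

One caveat when auditing 64-bit Windows: 32-bit Internet Explorer reads the same key under HKLM\SOFTWARE\Wow6432Node\..., so a bit set only in the native location does not protect the 32-bit browser. Checking both locations is the difference between "the patch is installed" and "the control is actually blocked".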

Microsoft has also used the cumulative patch to change the way IE renders HTML files, in order to address a flaw that could cause IE or Outlook Express to fail. Currently, IE does not properly render an input tag, Microsoft said, which would allow an attacker to craft a malicious Web site that would cause the browser to fail. The flaw would also allow an attacker to create a specially-formed HTML email that would cause Outlook Express to fail when the email is opened or previewed.

Finally, the patch modifies an earlier patch in order to cover specific languages.

http://www.internetnews.com/dev-news/article.php/3066741

Tightening The Security Screws In Windows
Either we're not educating people or education is not working: Too many users still fail to take simple precautions to protect themselves, and many engage in dangerous practices that perpetuate attacks.

The incidents of the past couple of weeks are both illustrative. The Blaster worm succeeded in spite of a massive publicity campaign on the danger of the relevant flaw in Windows and the existence of a patch.

Worse, in monitoring several security mailing lists I saw many users looking for any excuse not to apply the patch. According to conservative estimates, some 500,000 systems were infected with Blaster, and I've seen much higher estimates. For example, Satellite ISP DirecWay just sent out an e-mail to their customers stating that "approximately 10 to 20 percent of DIRECWAY end-users are infected with the Blaster virus."

Meanwhile, based on the hundreds of Sobig.F e-mails I received in the first 24 hours of this week's outbreak, clearly users have left themselves wide open to it as well.

Has education failed? Short of making computer hygiene mandatory like driver's education with tests, something on the order of John Dvorak's idea to license computer users, I can't see public education campaigns having any better results than we found with Blaster. And that was completely unacceptable.

If users won't take care of their computers, the unfortunate answer (depending on your point of view) is to do it for them. This is what Microsoft is considering, according to a recent Washington Post article. It states that Microsoft is considering having Windows download and apply security patches automatically.

Currently available in Windows XP and Windows 2000 SP3+, this updating capability is called Automatic Updates and is accessible through the Control Panel System applet. It is turned off by default. (For Windows 2000 Server, Automatic Updates is only aware of patches for the OS, not for important server applications like SQL Server or IIS).

The applet has 3 options if you turn Automatic Updates on:

Notify the user that updates are available;
Download any updates that are available and notify the user, but don't install them; and
Download any updates that are available and install them according to a schedule specified by the user.
So, it sounds as if Microsoft is considering making the third option the default behavior, at least with respect to certain very critical updates, such as the one that prevented the Blaster worm.
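The three applet options map onto one registry value, and a Software Update Services (or later WSUS) server is just two more values beside it. The following is an added example (my code, not from the Ziff Davis column) that reads the effective configuration and translates it back into the article's terms. The registry locations are the documented Automatic Updates client settings: policy-delivered values under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate take precedence over what the user picked in the Control Panel applet, which lives under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update. The warning about an internal update server reached over plain HTTP is my addition, not something the column discusses.

```powershell
# Added example: report how Automatic Updates is really configured on this
# machine and map the raw AUOptions value to the applet's choices.
function Get-AutomaticUpdatesConfig {
    $policyAU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
    $policyWU = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $localAU  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'

    # AUOptions values as documented for the Automatic Updates client.
    $meaning = @{
        1 = 'Automatic Updates disabled'
        2 = 'Notify before download'                        # applet option 1
        3 = 'Download automatically, notify before install'  # applet option 2
        4 = 'Download and install on a schedule'             # applet option 3
        5 = 'Automatic, local administrator may choose'
    }

    # Policy wins over the local Control Panel choice.
    $source = 'Not configured'; $au = $null
    if (Test-Path $policyAU)    { $au = Get-ItemProperty $policyAU; $source = 'Group Policy / SUS' }
    elseif (Test-Path $localAU) { $au = Get-ItemProperty $localAU;  $source = 'Local (Control Panel)' }

    $opt = if ($au -and $au.NoAutoUpdate -eq 1) { 1 } elseif ($au) { [int]$au.AUOptions } else { 0 }

    # UseWUServer=1 under AU redirects the client to WUServer instead of Windows Update.
    $wu = if (Test-Path $policyWU) { Get-ItemProperty $policyWU } else { $null }
    $useInternal = ($au -and $au.UseWUServer -eq 1 -and $wu -and $wu.WUServer)

    [pscustomobject]@{
        Source       = $source
        AUOptions    = $opt
        Mode         = if ($meaning.ContainsKey($opt)) { $meaning[$opt] } else { 'Not configured' }
        InstallDay   = if ($opt -eq 4) { $au.ScheduledInstallDay }  else { $null }  # 0 = every day, 1..7 = Sun..Sat
        InstallHour  = if ($opt -eq 4) { $au.ScheduledInstallTime } else { $null }  # 0..23
        UpdateServer = if ($useInternal) { $wu.WUServer } else { 'Windows Update (Microsoft)' }
        Warnings     = @(
            # Anything below option 3 of the applet leaves installation to the user,
            # which is exactly the behaviour Blaster punished.
            if ($opt -in 0, 1, 2) { 'Patches will not be installed without user action' }
            # My addition: an internal update server over plain HTTP leaves the
            # client/server exchange unprotected in transit.
            if ($useInternal -and $wu.WUServer -like 'http://*') { 'Internal update server uses plain HTTP' }
        )
    }
}

Get-AutomaticUpdatesConfig | Format-List
```

Run on a fleet, this is the quickest way to find the machines whose administrators "looked for any excuse not to apply the patch": any host reporting Source = Not configured or AUOptions 2 is one a worm can still reach before its owner gets around to it.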

Believe it or not, even some experienced admins are unaware of this feature in its current state. A recent eWEEK.com article quotes a network administrator critical of Microsoft for not providing essentially what Automatic Updates provides, especially in conjunction with Microsoft's Software Update Services, which basically allows an administrator to set up an internal update server for clients to use instead of the Windows Update site. This administrator said: "The only way it's going to happen is automation...Microsoft should provide this free."

Hello. They do.

http://security.ziffdavis.com/article2/0,3973,1227322,00.asp
SoBig: What You Need to Know
If you or someone you know (or on your network) is infected, here's the manual process for recovering and for preventing SoBig from spreading to other users:

1. Unplug your computer from the network.
2. Boot the computer, then hit the F8 key to activate the text-only boot menu; choose Safe Mode.
3. Wait until the boot process completes.
4. Open Task Manager by pressing Ctrl+Alt+Del and select the Processes tab.
5. Find and highlight Winppr32.exe in the Processes tab.
6. To kill Winppr32.exe, click the End Process button at the bottom of the Processes tab window.
7. Click the Start button and select Find or Search from the menu. Search all files and folders for the file Winppr32.exe on all local drives.
8. Delete all files named Winppr32.exe from the search window.
9. Repeat steps 7 and 8 for the file Winstt32.dat.
10. Repeat steps 7 and 8 for the file Winstf32.dll.
11. Go to the Start menu, select Run and type RegEdit to run the Registry Editor.
12. From the menu, select Edit/Find to search for this string: WINPPR32.EXE /sinc. Check only the Data box.
13. Select the matching value in the right-hand pane and choose Edit/Delete from the menu.
14. Press F3 to find and delete additional values whose data contains WINPPR32.EXE /sinc.
15. Close Registry Editor.
16. Reboot in normal mode and reconnect to the network.
17. Install an antivirus and update to the latest antivirus definitions.
18. Make sure you have firewall software running, because part of SoBig's job is to connect to its master server and try to install a program that would create a back door into your system.
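The manual steps above, turned into a script, as an added example (my code, not PC Magazine's). It looks for exactly the indicators the steps name: a running winppr32.exe process, the three dropped files on every local drive, and autostart values whose data contains "WINPPR32.EXE /sinc". By default it only reports; with -Remove it performs the matching clean-up steps, and because it supports -WhatIf you can see what it would touch first. Run it elevated with the machine off the network, ideally from Safe Mode as the steps say. Which Run keys to inspect is my assumption; the steps search the whole registry, which Edit/Find does and this script narrows to the usual autostart locations.

```powershell
# Added example: SoBig.F indicator check, mirroring the manual removal steps.
# Report-only unless -Remove is given; honours -WhatIf / -Confirm.
function Find-SobigIndicators {
    [CmdletBinding(SupportsShouldProcess)]
    param([switch]$Remove)

    $files   = 'winppr32.exe', 'winstt32.dat', 'winstf32.dll'   # steps 7-10
    $marker  = 'WINPPR32.EXE /sinc'                              # step 12
    $runKeys = @(                                                # my assumption: usual autostart keys
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    )
    $findings = @()

    # Steps 5-6: the worm's process.
    foreach ($p in Get-Process -Name 'winppr32' -ErrorAction SilentlyContinue) {
        $findings += [pscustomobject]@{ Type = 'Process'; Location = "pid $($p.Id)"; Detail = $p.Path }
        if ($Remove -and $PSCmdlet.ShouldProcess("pid $($p.Id)", 'Stop-Process')) {
            Stop-Process -Id $p.Id -Force
        }
    }

    # Steps 7-10: dropped files on every local fixed drive (hidden files included).
    $drives = Get-PSDrive -PSProvider FileSystem | Where-Object { $_.Root -match '^[A-Z]:\\$' }
    foreach ($d in $drives) {
        Get-ChildItem -Path $d.Root -Recurse -Force -Include $files -ErrorAction SilentlyContinue |
            ForEach-Object {
                $findings += [pscustomobject]@{ Type = 'File'; Location = $_.FullName; Detail = "$($_.Length) bytes" }
                if ($Remove -and $PSCmdlet.ShouldProcess($_.FullName, 'Remove-Item')) {
                    Remove-Item -LiteralPath $_.FullName -Force
                }
            }
    }

    # Steps 11-14: autostart values whose data contains the marker string.
    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        $hits  = $props.PSObject.Properties | Where-Object { $_.Value -is [string] -and $_.Value -like "*$marker*" }
        foreach ($h in $hits) {
            $findings += [pscustomobject]@{ Type = 'Registry'; Location = "$key\$($h.Name)"; Detail = $h.Value }
            if ($Remove -and $PSCmdlet.ShouldProcess("$key\$($h.Name)", 'Remove-ItemProperty')) {
                Remove-ItemProperty -Path $key -Name $h.Name
            }
        }
    }

    $findings
}

# Report first; then "Find-SobigIndicators -Remove -WhatIf" to preview, and
# "Find-SobigIndicators -Remove" to carry out steps 6, 8-10 and 13-14.
Find-SobigIndicators | Format-Table -AutoSize
```

The order matters for the same reason it does in the manual steps: kill the process before deleting the files, or the running copy keeps its file locked and may rewrite the Run value you just removed. Steps 1-3 and 15-18 (isolating the machine, booting to Safe Mode, rebooting, installing antivirus and a firewall) remain things a person does.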
If you have not yet been infected, follow steps 17 and 18 and add these simple rules:

Run Outlook with the preview pane closed. Visually scan the subject lines and look for red flags like:
"Details"
"Thank You"
"A Wicked Screen Saver"
SoBig e-mails can come from friends, because you're likely on each other's contact lists in Outlook. If you see an e-mail from a contact that's unexpected or has a telltale subject line, do not open or respond to it.
Never open any attachment from an unknown sender, and think twice before opening unexpected ones from friends or business contacts.
There's some more excellent information as well as removal instructions and even cleaning tools at these sources:

University of Virginia: http://www.itc.virginia.edu/desktop/virus/results.php3?virusID=76
NAI: http://vil.nai.com/vil/content/Print100561.htm
Symantec: http://www.symantec.com/avcenter/venc/data/w32.sobig.f@mm.html#removalinstructions
TrendMicro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F
TrendMicro: http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_SOBIG.F&VSect=T
BitDefender: http://www.bitdefender.com/html/virusinfo.php?menu_id=1&v_id=152
McAfee: http://msn.mcafee.com/virusInfo/default.asp?id=description&virus_k=100561&affid=102
Central Command: http://www.centralcommand.com

http://www.pcmag.com/print_article/0,3048,a=55015,00.asp
SoBig Virus Breaks Speed Records
By Dennis Fisher

So far, SoBig.

The virus that has been rampaging through corporate networks and bringing mail servers to their figurative knees all week is now officially the most prolific piece of malware ever, at least by one measure. MessageLabs Inc., an e-mail security company based in New York, said it saw more copies of SoBig.F in its first 24 hours of life than it has of any other virus in a comparable period. Ever.

That's no mean feat, considering some of the digital refuse that has hit the Internet in the past couple of years. Viruses such as Klez, Melissa and the Love Bug all caused their fair share of damage and each was at one time or another considered to be as bad as it gets. But this most recent incarnation of SoBig has taken the title, at least for now.

http://www.eweek.com/article2/0,3959,1227345,00.asp