<?xml version="1.0"?>
<!-- RSS generated by Radio UserLand v8.0.7 on Thu, 11 Apr 2002 11:35:01 GMT -->
<rss version="0.92">
	<channel>
		<title>Pelle Braendgaard: Advisories</title>
		<link>http://radio.weblogs.com/0103213/categories/advisories/</link>
		<description>Security advisories relevant to often used applications in the financial industry.</description>
		<copyright>Copyright 2002 Pelle Braendgaard</copyright>
		<lastBuildDate>Thu, 11 Apr 2002 11:35:01 GMT</lastBuildDate>
		<docs>http://backend.userland.com/rss092</docs>
		<managingEditor>pelle@neubia.com</managingEditor>
		<webMaster>pelle@neubia.com</webMaster>
		<item>
			<description>&lt;H4&gt;&lt;A href=&quot;http://www.microsoft.com/technet/security/bulletin/ms02-018.asp&quot;&gt;New IIS Patches from Microsoft&lt;/A&gt;&lt;/H4&gt;
&lt;P&gt;Microsoft yesterday released a new set of patches for IIS. The patch and the security holes it fixes are described &lt;A href=&quot;http://www.microsoft.com/technet/security/bulletin/ms02-018.asp&quot;&gt;here&lt;/A&gt;. While you&apos;re at it, you might want to run the &lt;A href=&quot;http://www.microsoft.com/technet/security/tools/tools/locktool.asp&quot;&gt;IIS Lockdown tool&lt;/A&gt;, which checks for common (read default) insecure configurations. I do hope they make this part of the standard setup procedure in future versions.&lt;/P&gt;</description>
			<source url="http://www.securityfocus.com/topnews?type=rss">SecurityFocus</source>
			</item>
		<item>
			<description>&lt;H4&gt;&lt;A href=&quot;http://zdnet.com.com/2100-1107-879619.html&quot;&gt;A quick intro to Buffer Overflow Attacks&lt;/A&gt;&lt;/H4&gt;
&lt;P&gt;Robert Vamosi over at &lt;A href=&quot;http://zdnet.com&quot;&gt;ZDNet&lt;/A&gt; provides a great little not-too-technical introduction to buffer overflow attacks. You might use this to explain buffer overflow attacks to non-technical personnel, etc.&lt;/P&gt;</description>
			<source url="http://www.securityfocus.com/topnews?type=rss">SecurityFocus</source>
			</item>
		<item>
			<description>&lt;H4&gt;While we&apos;re on the subject of MS holes...&lt;/H4&gt;
&lt;P&gt;&lt;FONT size=2&gt;I&apos;m not going to be covering these IE holes regularly, as they are already heavily published elsewhere and MS are doing a pretty good job nowadays at getting them out to users. But a couple of &lt;A href=&quot;http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-015.asp&quot;&gt;new problems&lt;/A&gt; are now covered by their latest &lt;A href=&quot;http://www.microsoft.com/windows/ie/downloads/critical/Q319182/default.asp&quot;&gt;IE Cumulative Patch&lt;/A&gt;. If you are using any IE5 or up on your machine or as part of the standard Windows build in your company, you probably should install the patch.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT size=2&gt;I&apos;m not blaming MS for these holes; as I&apos;ve said, they&apos;ve started to do a pretty good job. They did have some stupid ones in the past, but we can work with them now. In a complex piece of software like IE6, which consists of many different subcomponents, it&apos;s hard to find all of the problems up front.&lt;/FONT&gt;&lt;/P&gt;
&lt;P&gt;&lt;FONT size=2&gt;That said, these problems, together with last year&apos;s email panics, should help to underline why we need to protect our systems more than ever. The default approach I see many places is that companies panic and shut down net traffic altogether. That&apos;s not good for the business, the employees or the customers of the company. We are all part of the net now, and we should embrace that fact as an opportunity rather than a threat. What that does call for, though, is well thought out business applications and procedures.&lt;/FONT&gt;&lt;/P&gt;</description>
			</item>
		<item>
			<description>&lt;H4&gt;&lt;A href=&quot;http://online.securityfocus.com/cgi-bin/archive.pl?id=1&amp;amp;start=2002-03-29&amp;amp;end=2002-04-04&amp;amp;threads=1&amp;amp;tid=264927&quot;&gt;Local Security Vulnerability in Windows NT and Windows 2000&lt;/A&gt;&lt;/H4&gt;
&lt;BLOCKQUOTE dir=ltr style=&quot;MARGIN-RIGHT: 0px&quot;&gt;
&lt;P&gt;&lt;EM&gt;DebPloit uses a hole in the NT/2000 debugging subsystem and allows ANY user&lt;BR&gt;with ANY privileges (even Guest and Restricted user) to execute processes in&lt;BR&gt;the security context of an administrator or a local system (SYSTEM) account.&lt;BR&gt;In other words, any person who has access to the local computer can&lt;BR&gt;become an administrator and do everything he/she wants. &lt;A href=&quot;http://online.securityfocus.com/archive/1&quot;&gt;[Bugtraq]&lt;/A&gt;&lt;/EM&gt;&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P dir=ltr&gt;This could obviously be an issue anywhere where NT Servers are used. I&apos;ve verified it and it appears to work. The authors of the exploit have an &lt;A href=&quot;http://www.ntutility.com/freeware.html&quot;&gt;intermediate fix&lt;/A&gt; as well until MS comes out with a bugfix. The source is available for the fix, so you might want to check it and compile it yourself. The risk of installing a third party fix like this might be even greater than the hole itself. You call the punches.&lt;/P&gt;</description>
			</item>
		<item>
			<description>&lt;H4&gt;&lt;A href=&quot;http://www.securitywriters.org/article.php?sid=360&quot;&gt;Solaris 6 Scan Results&lt;/A&gt; &lt;/H4&gt;
&lt;BLOCKQUOTE dir=ltr style=&quot;MARGIN-RIGHT: 0px&quot;&gt;
&lt;P&gt;&lt;EM&gt;This test was against &lt;B&gt;Solaris 6&lt;/B&gt; on a Sparc 5 platform. Solaris 6 was installed with all default services (such as Telnet, RPC and FTP), scanned then again scanned after the cluster patch was applied.&amp;nbsp;&lt;BR&gt;With the cluster patch, this revealed little change from the default scan, similar to what we observed with Solaris 8. Perhaps we can now say that SUN looks at security differently from how NESSUS or we see it?&amp;nbsp; See the &lt;/EM&gt;&lt;A href=&quot;http://www.securitywriters.org/projects/osscan/results.php&quot; target=_blank&gt;&lt;EM&gt;detailed scan results&lt;/EM&gt;&lt;/A&gt;&lt;EM&gt;. &lt;/EM&gt;[&lt;A href=&quot;http://www.securitywriters.org&quot;&gt;The Security Writers Guild&lt;/A&gt;]&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P dir=ltr&gt;Yet more proof that you can&apos;t just use the default installation for anything. Check the &lt;A href=&quot;http://www.securitywriters.org/projects/osscan/results.php&quot;&gt;detailed scan results&lt;/A&gt; for analysis of Solaris 8, Windows 2k and XP out of the box installs.&lt;/P&gt;</description>
			<source url="http://www.securitywriters.org/backend.php">The Security Writers Guild</source>
			</item>
		<item>
			<description>&lt;H4&gt;&lt;A href=&quot;http://www.newsbytes.com/news/02/175442.html&quot;&gt;FrontPage Bug Opens Microsoft Sites To Attackers&lt;/A&gt;&lt;/H4&gt;
&lt;BLOCKQUOTE dir=ltr style=&quot;MARGIN-RIGHT: 0px&quot;&gt;
&lt;P&gt;&lt;EM&gt;Microsoft released a bulletin and patch for the buffer overflow flaw, which allows attackers to run code of their choice on a vulnerable server, on Jun. 21, 2001.&lt;/EM&gt;&amp;nbsp;&amp;nbsp;[&lt;A href=&quot;http://www.newsbytes.com/&quot;&gt;News Bytes&lt;/A&gt;]&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P&gt;I did have to chuckle a bit after reading this. A couple of MS sites were defaced because they&apos;d left an old unpatched version of the Front Page extensions on the server. The moral of the story is, get rid of anything that you are not using. If you happen to be using the Front Page extensions (not recommended), please keep an eye on security patches.&lt;/P&gt;</description>
			<source url="http://www.securityfocus.com/topnews?type=rss">Security Focus</source>
			</item>
		<item>
			<description>&lt;H4&gt;&lt;A href=&quot;http://news.zdnet.co.uk/story/0,,t269-s2107261,00.html&quot;&gt;Hacker speaks out on security basics&lt;/A&gt; &lt;/H4&gt;
&lt;BLOCKQUOTE dir=ltr style=&quot;MARGIN-RIGHT: 0px&quot;&gt;
&lt;P&gt;&lt;EM&gt;Security holes exist in just about every application, but preventing an attack can be remarkably simple, says an expert hacker.&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;&lt;EM&gt;&quot;It&apos;s simple,&quot; says Rain Forest Puppy. &quot;Don&apos;t feel you have to...take it from Microsoft, just figure out what services lead to security risks and turn them off.&quot;&lt;/EM&gt;&lt;/P&gt;
&lt;P&gt;[&lt;A href=&quot;http://news.zdnet.co.uk/&quot;&gt;ZDNet&lt;/A&gt;][&lt;A href=&quot;http://www.securityfocus.com/&quot;&gt;Security Focus&lt;/A&gt;]&lt;/P&gt;&lt;/BLOCKQUOTE&gt;
&lt;P dir=ltr&gt;This is basically what my whole approach is about. At the simplest level of a security analysis, identify all the required services, modules, etc. on your systems. Shut off everything else. Most App Servers nowadays have so many modules that most people just leave them running by default. I&apos;d also like to add that it might be a good idea to change any default passwords. Even on Dev machines.&lt;/P&gt;</description>
			<source url="http://www.securityfocus.com/topnews?type=rss">Security Focus</source>
			</item>
		</channel>
	</rss>
