-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

INTERNET THREAT UPDATE for 02-07-2002
ISS X-Force Internet Threat Intelligence Center

www.iss.net - Click on 'Current Internet Threat' for more
information.

******************************************************
ALERTCON 1
Projected:  AlertCon 1 
******************************************************

ALERTCON 1 - AlertCon 1 reflects the malicious, determined, global,
24 x 7 attacks experienced by all networks

MICROSOFT: A vulnerability has been discovered in Windows NT 4.0 and
2000 in the 'trust' functions of domains that may allow privilege
escalation through an error in which verification of the trusting
domain's Security Identifiers (SIDs) is not required.

ORACLE:  There are multiple buffer overflows in the PL/SQL module for
Oracle Application Server running on Apache web servers that allow
the execution of arbitrary code. A non-overflow DoS also exists.

X-FORCE SECURITY ALERT: A vulnerability exists in BlackICE Defender
and BlackICE Agent as well as RealSecure Server sensors on Windows
2000 or Windows XP that can allow a denial of service.

LOTUS DOMINO: A vulnerability exists that allows a malicious user to
bring down the Web server.

VIRUSES/WORMS:  WM97/Comical-A is a mass mailing email worm. It
consists of three components: a Word macro file, a Visual Basic
script and a Windows executable. These three components are detected
as WM97/Comical-A, VBS/Comical-A and W32/Comical-A respectively.


******************************************************
RECOMMENDATIONS
******************************************************

Microsoft Security Rollup patches which also cover the 'trust'
function vulnerability are available for NT 4.0 as well as Windows
2000 running service pack 2:
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q299444&ID=299444%20target=%20blank
http://www.microsoft.com/windows2000/downloads/critical/q311401/default.asp

Oracle: Protection against the remote compromise should include
removing any access to the listener port of 1521 from the Internet
and removing the PLSExtproc functionality from the listener
configuration files. Oracle customers should install the patch
currently available:
http://metalink.oracle.com 

X-Force Security Alert: Internet Security Systems is developing a
patch for this vulnerability. ISS has posted a workaround. BlackICE
Defender customers can install Defender updates by clicking on the
"Tools" menu, and then the "Download Updates" button. Corporate users
of BlackICE Agent can install updates centrally using the ICEcap
Management Console, or manually on individual systems. 
http://www.iss.net/security_center/alerts/advise109.php 
http://www.iss.net/security_center/static/8058.php 

Lotus Domino: Regarding the Web server vulnerabilities, the vendor
has provided an upgrade that is immune to this threat.
http://notes.net/qmrdown.nsf 

For information on the Comical Worm, please see:
http://www.sophos.com/virusinfo/analyses/wm97comicala.html 

For information on other viruses and worms, please see:
https://gtoc.iss.net/secure/viruses.php 

******************************************************
FACTOID:  According to Dataquest, Inc. the worldwide security
software market is expected to reach $4.3 billion in 2002, an 18
percent increase over revenue of $3.6 billion in 2001. "Enterprises
are looking particularly at defensive security technologies such as
antivirus software, intrusion detection systems and firewalls," said
Colleen Graham, industry analyst for Gartner Dataquest's Software
Industry Research group. "Technologies such as biometrics and other
forms of authentication are also getting a great deal of attention,
but because of the high cost of rolling out such technologies, mass
adoption of these products will not occur before 2003." 

*****************************************************  

NEWS: You Can Surf, but You Can't Hide:
http://www.nytimes.com/2002/02/07/technology/circuits/07HERE.html 

'Rogue trader' has met FBI - lawyer:
http://www.ananova.com/news/story/sm_514839.html?menu=

Report: More than 50 percent of U.S. on Internet
http://www.cnn.com/2002/TECH/internet/02/06/internet.use/index.html 

*****************************************************
ATTACK SIGNATURE RANKING - global IDS, midnight - midnight, previous
day, % of total
*****************************************************

Unauthorized Access Attempt  58.48%        
Protocol Decode              25.88%      
Denial Of Service            09.25%        
Suspicious Activity          04.76%         
Pre-Attack Probe             01.60%         
Back Door                    00.04%          

*****************************************************
TOP TEN ATTACK DESTINATION PORTS - global IDS, midnight - midnight,
previous day, % of top ten (ports found at) 
http://www.networkice.com/Advice/Exploits/Ports/default.htm 
*****************************************************

80       (http)              69.77%       
21       (ftp)               24.56%        
25       (smtp)              02.57%        
139      (NetBIOS)           00.74%         
515      (lp,lpr,printer)    00.60%         
443      (ssl)               00.52%         
22       (ssh)               00.45%          
68       (bootpd/dhcp)       00.29%          
69       (tftp)              00.29%          
1028     (unassigned)        00.20%       

******************************************************
BACKGROUND, COPYRIGHT NOTICE, and DISCLAIMER 
******************************************************

Background. We provide this information in the spirit of PDD 63 to
help security professionals wage the war against Internet threats
more effectively. Information in this update is derived primarily from
global, real time, 24 x 7 IDS feeds, ISS X-Force R&D Team research,
and professional liaison. Other sources as noted. AlertCon 1 reflects
the global, malicious, determined, 24 x 7 attacks experienced by all
networks. AlertCon 2 means increased vigilance/action recommended due
to a specific threat or concern. AlertCon 3 means increased attacks
against specific targets or vulnerabilities on a scale that is
unusually high, action required. AlertCon 4 reflects an Internet
emergency for a target or group of targets whose business continuity
may depend on some sort of immediate, decisive action. All summaries
cover 24 hours of the previous workday, GMT. Monday summaries may cover
some weekend activity. 

Copyright 2001 Internet Security Systems, Inc. Permission is granted
for the redistribution of the Internet Threat Update electronically. 
It is not to be sold or edited in any way without express consent of
ISS. Refer comments or questions to: [EMAIL PROTECTED] or [EMAIL PROTECTED]

Disclaimer: This information is subject to change without notice. Use
of this information constitutes acceptance for use in an 'as is'
condition. There are no warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.
No other use authorized. FOIA Exemption 4.


Patrick Gray
Manager, X-Force
Internet Threat Intelligence Center
Internet Security Systems
6303 Barfield Road
Atlanta, GA 30328

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPGKDw5G41ROSQPncEQI90wCgtGzrOrVFwz/Et0CGlMP5o7Z3clAAoPCX
v6uM/cNtSZbyzDSzYf+TkiT8
=W/fJ
-----END PGP SIGNATURE-----

