INTERNET THREAT UPDATE for 02-08-2002
ISS X-Force Internet Threat Intelligence Center
www.iss.net - Click on the AlertCon button for more information.

******************************************************
ALERTCON 1          Projected: AlertCon 1
******************************************************

ALERTCON 1 - AlertCon 1 reflects the malicious, determined, global, 24 x 7 attacks experienced by all networks.

MICROSOFT: An unchecked buffer in the telnet server could lead to arbitrary code execution. This affects the telnet service in Microsoft Windows 2000 and the Telnet Daemon in Microsoft Interix 2.2. The services are not installed by default and would have to have been started by the administrator. If exploited, the flaw could result in a denial of service, or the attacker could possibly run code of his/her choice. The risk is deemed moderate.

MICROSOFT: The Microsoft Exchange System Attendant is one of the core services in Microsoft Exchange. It performs a variety of functions related to the on-going maintenance of the Exchange system. There is a flaw in how the System Attendant makes Registry configuration changes. This flaw could allow an unprivileged user to remotely access configuration information on the server. The flaw does not grant any abilities beyond the ability to connect remotely.

CISCO: Specific versions of Cisco Secure Authentication Control Server (ACS) allow authentication of users that have been explicitly disabled or expired in Novell Directory Services (NDS). There is a software patch that may be applied, and software upgrades will also address this problem. This vulnerability results in a failure to adequately enforce authentication criteria: users that should be prevented from using services are permitted to authenticate, regardless of their status in the NDS server.

X-FORCE SECURITY ALERT: A vulnerability exists in BlackICE Defender and BlackICE Agent, as well as RealSecure Server sensors on Windows 2000 or Windows XP, that can allow a denial of service.

VIRUSES/WORMS: W32/Klez-G attempts to disable several anti-virus products and delete some anti-virus related files. The worm attempts to exploit a MIME vulnerability in some versions of Microsoft Outlook, Microsoft Outlook Express, and Internet Explorer to allow the executable file to run automatically without the user double-clicking on the attachment.

******************************************************
RECOMMENDATIONS
******************************************************

Microsoft encourages customers to review the Security Bulletins at:
http://www.microsoft.com/technet/security/bulletin/MS02-004.asp
and
http://www.microsoft.com/technet/security/bulletin/MS02-003.asp

The Cisco patch for this vulnerability can be downloaded from the following location if you are logged in with a valid CCO user account:
http://www.cisco.com/pcgi-bin/tablebuild.pl/cs-acs-win

X-Force Security Alert: Internet Security Systems is developing a patch for this vulnerability. ISS has posted a workaround. BlackICE Defender customers can install Defender updates by clicking on the "Tools" menu, and then the "Download Updates" button. Corporate users of BlackICE Agent can install updates centrally using the ICEcap Management Console, or manually on individual systems.
http://www.iss.net/security_center/alerts/advise109.php
http://www.iss.net/security_center/static/8058.php

For a W32/Klez-G solution, Microsoft has issued a patch that secures against this vulnerability; it can be downloaded from:
http://www.microsoft.com/technet/security/bulletin/MS01-027.asp

For information on other viruses and worms, please see:
https://gtoc.iss.net/secure/viruses.php

******************************************************
FACTOID: Richard A. Clarke, who in October took on the new job of White House cyberspace security adviser, successfully lobbied for an increase from $2.7 billion in fiscal year 2002 to $4 billion in 2003 for government-computer security.
*****************************************************

NEWS: Cybersecurity a Top Priority:
http://www.washtech.com/news/regulation/15061-1.html

For additional poignant articles of interest:
https://gtoc.iss.net/inthenews.php

*****************************************************
ATTACK SIGNATURE RANKING - global IDS, midnight - midnight, previous day, % of total
*****************************************************
Unauthorized Access Attempt    45.22%
Protocol Decode                32.71%
Denial Of Service              15.36%
Suspicious Activity            04.56%
Pre-Attack Probe               02.07%
Back Door                      00.07%

*****************************************************
TOP TEN ATTACK DESTINATION PORTS - global IDS, midnight - midnight, previous day, % of top ten
(ports found at http://www.networkice.com/Advice/Exploits/Ports/default.htm)
*****************************************************
80   (http)               77.95%
21   (ftp)                10.94%
25   (smtp)               04.20%
515  (lp,lpr,printer)     02.04%
161  (SNMP)               01.70%
139  (NetBIOS)            01.23%
443  (ssl)                00.78%
68   (bootpd/dhcp)        00.49%
1028 (unassigned)         00.36%
69   (tftp)               00.31%

******************************************************
BACKGROUND, COPYRIGHT NOTICE, and DISCLAIMER
******************************************************

Background. We provide this information in the spirit of PDD 63 to help security professionals wage the war against Internet threats more effectively. Information in this update is derived primarily from global, real-time, 24 x 7 IDS feeds, ISS X-Force R&D Team research, and professional liaison. Other sources as noted.

AlertCon 1 reflects the global, malicious, determined, 24 x 7 attacks experienced by all networks. AlertCon 2 means increased vigilance/action recommended due to a specific threat or concern. AlertCon 3 means increased attacks against specific targets or vulnerabilities on a scale that is unusually high; action required. AlertCon 4 reflects an Internet emergency for a target or group of targets whose business continuity may depend on some sort of immediate, decisive action.

All summaries cover 24 hours of the previous workday, GMT. Monday summaries may cover some weekend activity.

Copyright 2001 Internet Security Systems, Inc. Permission is granted for the redistribution of the Internet Threat Update electronically. It is not to be sold or edited in any way without express consent of ISS.

Refer comments or questions to: [EMAIL PROTECTED] or [EMAIL PROTECTED]

Disclaimer: This information is subject to change without notice. Use of this information constitutes acceptance for use in an 'as is' condition. There are no warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk. No other use authorized. FOIA Exemption 4.

Patrick Gray
Manager, X-Force Internet Threat Intelligence Center
Internet Security Systems
6303 Barfield Road
Atlanta, GA 30328
