May 12, 2008

Wardriving Arizona

01/17/2008 - Too busy to blog

I am alive and well, but haven’t had the extra time or energy to blog anything as of late.
Maybe I’ll pick things back up in 2008... or maybe it’s time for things to change here a little.

04/19/2007 - Microsoft DNS server RPC Vulnerability and Rinbot Exploitation

If you are running Microsoft DNS services this may be of interest to you.

http://www.microsoft.com/technet/security/advisory/935964.mspx

Rinbot has been seen exploiting this vulnerability, so even if your DNS servers are not facing the internet it may be a good time to implement the registry workaround that disables remote management of the Microsoft DNS server via RPC, as noted in the above advisory.

I know a lot of smaller IT shops run DNS on their domain controllers, and if that gets compromised then it’s game over.

04/05/2007 - Windows .ANI Cursor Woes

Since late March I’ve been following news on the Windows animated cursor vulnerability.

Basically, the code that Windows uses to parse those annoying .ani cursors is vulnerable to attack if somebody maliciously crafts an .ani cursor file.

I’ve seen a lot of people misunderstand the scope of the problem, claiming they don’t use custom cursors.
The truth of the matter is that if you use Internet Explorer to browse the web, or any variant of Outlook to view e-mail (even in the preview pane), then cursors carrying the exploit can be embedded within the HTML code and you are vulnerable.

To make things worse, the exploit has made it into the Metasploit framework, so anybody can point, click and exploit the vulnerability.

Admirably, Microsoft released an early patch on Tuesday, April 3rd that resolves the issue.
(They almost never release patches unless it is the second Tuesday of the month.)

If you haven’t installed it yet, I recommend you do so now. I’ve seen 9 or 10 in-the-wild instances of the exploit being embedded within web content directed towards some of my user base at work over the last couple of days, and things are only going to get worse.

02/12/2007 - Vulnerability in Solaris Telnet

SANS is reporting a remote root vulnerability in the Solaris implementation of Telnet. Linkage can be found here. If you’ve got telnet on Solaris facing the internet, fix it NOW!

08/17/2006 - Hardcore IDS

If you get the time, or are looking to rapidly deploy an open source Snort-based IDS solution, a friend of mine has a nice IDS solution out there.

Hardcore IDS was created to make installing an Open Source IDS as simple as possible while providing a complete and secure IDS solution.

Hardcore IDS builds a secured GNU/Linux operating system using Fedora Core 4 with Snort 2.6 and Aanval series 2 as an optional front-end to monitor your network for attacks and vulnerabilities.
Support for other GNU/Linux distributions is planned.
You can set up Hardcore IDS on one host or many. There are three install types you can use depending on the rollout of your IDS solution: Sensor, Console and Console+Sensor.

Included in the setup of Hardcore IDS are the Snort and Bleeding Edge Snort rules.
slipnet.org

08/10/2006 - MS06-040

If you have not done so it is time to install MS06-040.

The proof-of-concept exploit has been added to the Metasploit framework, and it is speculated that a new Blaster- or Sasser-like worm that utilizes this exploit will be released very soon.

07/24/2006 - Patch McMuffin with Cheese

PoC code for MS06-034, MS06-035, and MS06-036 has been spotted on the net. If you have not already applied the July updates, now would be a good time to do so.

06/29/2006 - Uh oh... VM Rootkits

There has been a lot of buzz regarding virtual machine based rootkits. They have the potential to render conventional methods of detecting malware and rootkits useless.

An interesting read; I would highly recommend it.

04/14/2006 - Patch Or Suffer The Consequence

Microsoft released a patch for the IE vulnerability on Patch Tuesday.

I have firsthand seen spyware, that included a rootkit, installed onto a system without this patch. How? By simply browsing to a trusted site that had been compromised, where an attacker had embedded the code. This vulnerability is being used to install some super nasty malware. If you thought CoolWebSearch was bad, then this is even worse.

Think about it: the 0-day exploit installs malware, the malware disables the big 12 AV vendors’ AV software and installs a rootkit. If you do a process list, or check any of the startup entries in Windows, it’s clean. If you do a netstat, it hides its network connections. The malware hides, you feel safe, yet it’s still there. You boot into safe mode to remove the malware, go into a command prompt and try to force delete it, but it closes your command prompt. You boot from a Windows CD trying to get to it; however, it changes NTFS permissions in a way that you can’t get to it.

This isn’t speculation; I ran across some 0-day malware that did all of those things. I had to use a R/W Linux boot disc to remove the rootkit and restore the system. (Then I grabbed all critical files from the HDD, backed them up and wiped it out anyway, just because it’s better to be safe than sorry.)

To make a long story short, you should be using an alternate browser, or have all your latest Windows patches installed.

3/28/2006 - MSIE Vulnerability & Unofficial Patch

There is an unpatched vulnerability in Internet Explorer that is being used by various malicious websites to install spyware and remote-control “bot” software on the computers of unsuspecting victims. While Microsoft has not yet released a patch, eEye has released a temporary workaround for the vulnerability. You can download the temporary patch here. Please note that this patch is unsupported and carries no warranty.