
SANS ISC InfoSec Handlers Diary Blog - Internet Storm Center Diary 2005-05-21



Microsoft time (cont.); Firefox exploits; PAWS exploit; port 445

Published: 2005-05-21
Last Updated: 2005-05-22 00:03:53 UTC
by Swa Frantzen (Version: 1)
Late Edition

Microsoft time (continued)



Just a quick update from . According to the Microsoft help system, the protocol used is NTP, and as such your ISP most likely already has a well-connected NTP server for you. Please consider looking up its name (often it is ntp.<yourISP>.<tld>) and synchronizing from that one. The lower network delay and the reduced likelihood of asymmetric routing, with all their consequences for the stability of the time on your machine(s), will be to your advantage, even after time.windows.com returns to service.

The NIST also maintains a
of which time.nist.gov is only one, you can use the others as well.

Considering how NTP normally works, you might also consider installing a more complete NTP implementation so that you can configure multiple servers for the client to choose from and not become dependent on just one server.

We received multiple suggestions to use pool.ntp.org's NTP servers (which can be set to your region/country). Bob Grabowsky suggested this URL:
http://ntp.isc.org/bin/view/Servers/NTPPoolServers
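
Why a nearby server and a choice of several servers both help, as an added example that is not part of the original diary: the standard NTP offset and delay calculation over the four timestamps of one exchange, applied to two constructed exchanges. The host names, the 250 ms clock error and the path times are assumptions made up for illustration, and picking the lowest-delay sample is a simplification of what a full NTP implementation does.

```python
from dataclasses import dataclass

@dataclass
class Sample:
    server: str   # constructed host name, not a real server
    t1: float     # client transmit time (client clock, seconds)
    t2: float     # server receive time  (server clock)
    t3: float     # server transmit time (server clock)
    t4: float     # client receive time  (client clock)

def offset_and_delay(s):
    """NTP on-wire calculation: estimated clock offset and round-trip delay."""
    offset = ((s.t2 - s.t1) + (s.t3 - s.t4)) / 2
    delay = (s.t4 - s.t1) - (s.t3 - s.t2)
    return offset, delay

def exchange(server, true_offset, out, back, proc=0.0, t1=1000.0):
    """Construct the timestamps of one exchange for a client whose clock is
    true_offset seconds behind the server, with one-way path times out/back."""
    t2 = t1 + out + true_offset      # request arrives, stamped by server clock
    t3 = t2 + proc                   # reply leaves after server processing
    t4 = t3 - true_offset + back     # reply arrives, stamped by client clock
    return Sample(server, t1, t2, t3, t4)

def pick_best(samples):
    """Prefer the lowest-delay sample: the offset error caused by an
    asymmetric path is (out - back) / 2, so it never exceeds delay / 2."""
    return min(samples, key=lambda s: offset_and_delay(s)[1])

TRUE_OFFSET = 0.250  # constructed: client clock is 250 ms slow
SAMPLES = [          # constructed exchanges
    exchange("ntp.isp.example", TRUE_OFFSET, out=0.004, back=0.006),
    exchange("far.example", TRUE_OFFSET, out=0.040, back=0.140),
]

if __name__ == "__main__":
    for s in SAMPLES:
        off, delay = offset_and_delay(s)
        err_ms = (off - TRUE_OFFSET) * 1000
        print(f"{s.server:16} offset={off:.3f}s delay={delay:.3f}s "
              f"error={err_ms:+.1f}ms")
    print("selected:", pick_best(SAMPLES).server)
```

The distant, asymmetric path yields an offset estimate that is 50 ms off, while the nearby server's estimate is within 1 ms; neither error is visible to a client that has only one server to compare against.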

Firefox 1.0.3 exploits released



K-Otik/FrSIRT has released 3 exploits against Firefox 1.0.3; if you haven't upgraded to 1.0.4, this is yet another good reason to do so without delay.

in your preferred flavor. For a description of the problems, Mozilla has the following URLs:

http://www.mozilla.org/security/announce/mfsa2005-44.html
http://www.mozilla.org/security/announce/mfsa2005-43.html

PAWS Exploit released



The same folks from France also released an exploit attacking TCP connections under certain conditions. Those of us with critical infrastructure that relies on the persistence of TCP connections should check with our supplier.

References: CAN-2005-0356

rBot.NT - port 445



iDEFENSE has been reporting on a spike in port 445 activity linked to rBot.NT.
The data for port 445 at DShield currently cannot be correlated with that analysis. The peak you see around the 13th is not related and should not be taken seriously in this respect.
Keep an eye out for how this evolves over the next few days, though.

--

Swa Frantzen