
SANS ISC InfoSec Handlers Diary Blog


Microsoft patches released; H.323 vulnerabilities; Anti-virus engine vulnerabilities; Citibank anti-fraud measures

Published: 2004-01-13
Last Updated: 2004-01-14 00:07:55 UTC
by Handlers (Version: 1)
0 comment(s)
It's that time of the month... Microsoft has released 3 new patches for January.
See the following location for further details: http://www.microsoft.com/security/

1. Critical - MS04-001 - Vulnerability in Microsoft Internet Security and Acceleration Server 2000 H.323 Filter Could Allow Remote Code Execution (816458). This vulnerability allows remote compromise of your ISA server. If you run ISA Server 2000, you should apply this patch now.

2. Moderate - MS04-002 - Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation (832759). This vulnerability allows someone who has already authenticated to OWA to reach another person's mailbox. If you are affected, you should apply this patch during your next maintenance window.

3. Important - MS04-003 - Buffer Overrun in MDAC Function Could Allow Code Execution (832483). This vulnerability would allow someone on your local network to compromise Microsoft SQL server clients. The vulnerability requires the attacker to be local to your IP network, which may be difficult to accomplish. The exact set of circumstances for exploiting this vulnerability is still unknown. Best to patch client machines at the next opportunity.

-----------------------------------------------------------

Several vendor implementations of the H.323 protocol have been found to contain vulnerabilities. Many Cisco and Nortel products are affected in addition to the Microsoft ISA server (mentioned above). If you utilize VoIP (Voice over Internet Protocol) or VTC devices you may be affected. Check with your vendor for product updates or reference the following articles:

http://www.kb.cert.org/vuls/id/749342
http://xforce.iss.net/xforce/alerts/id/160
http://www.cisco.com/warp/public/707/cisco-sa-20040113-h323.shtml

While checking for your exposure to the H.323 vulnerability, you may also want to check your exposure to the SIP vulnerabilities announced in Feb. 2003 that affected multiple vendors:

http://www.cert.org/advisories/CA-2003-06.html

-----------------------------------------------------------

Two different problems with anti-virus engines have been recently reported. The first problem is specific to Symantec and Norton antivirus programs. A privilege escalation attack can be performed when the Symantec Automatic LiveUpdate is running:

http://securityresponse.symantec.com/avcenter/security/Content/2004.01.12.html

The second problem is a Denial of Service issue affecting multiple virus engines and related to the decompression of bzip2 compressed files. When certain virus engines decompress bzip2 files prior to scanning, the decompressed data can grow excessively large and cause a Denial of Service on the machine doing the scanning (mail gateway, file server, client). The following advisory contains further information:

http://www.aerasec.de/security/advisories/txt/bzip2bomb-antivirusengines.txt
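The defence against this class of "decompression bomb" is to never expand an archive without a budget. As an added example (not code from the diary, the advisory, or any anti-virus vendor), the following bounded bzip2 decompressor reads the output in slices and refuses the stream as soon as it exceeds an absolute size cap or an expansion ratio; the limits, the names (bounded_bz2_decompress, scan_verdict) and the sample inputs, including an 8 MiB run of zero bytes used as a stand-in for a hostile archive, are all constructed here for illustration.

```python
import bz2

# Decompressed output is consumed in slices of this size so the full expansion
# is never materialised in memory. All limits below are illustrative defaults
# chosen for this example, not values prescribed by the advisory.
CHUNK = 64 * 1024


class DecompressionBombError(ValueError):
    """Compressed input expands beyond the configured budget."""


class TruncatedStreamError(ValueError):
    """Input ended before the bzip2 end-of-stream marker was seen."""


def bounded_bz2_decompress(data, max_output=16 * 1024 * 1024,
                           max_ratio=100, ratio_grace=1024 * 1024):
    """Decompress one bzip2 stream, aborting as soon as a limit is breached.

    max_output  : hard cap on decompressed bytes.
    max_ratio   : reject when output exceeds max_ratio * len(data).
    ratio_grace : only enforce the ratio once output passes this size, so that
                  small but highly compressible legitimate files are not rejected.
    """
    decompressor = bz2.BZ2Decompressor()
    out = bytearray()
    pending = data
    while True:
        # max_length bounds how much is produced per call; the rest stays
        # buffered inside the decompressor until we ask for more.
        out += decompressor.decompress(pending, max_length=CHUNK)
        pending = b""  # all input has been handed over after the first call
        if len(out) > max_output:
            raise DecompressionBombError(
                "output exceeds %d bytes" % max_output)
        if len(out) > ratio_grace and len(out) > max_ratio * len(data):
            raise DecompressionBombError(
                "expansion ratio exceeds %d:1" % max_ratio)
        if decompressor.eof:
            return bytes(out)
        if decompressor.needs_input:
            # Every input byte was consumed and no end-of-stream marker
            # appeared: the archive is truncated rather than a bomb.
            raise TruncatedStreamError("bzip2 stream ended early")


def scan_verdict(data, **limits):
    """Classify an archive the way a gateway pre-scan step would."""
    try:
        bounded_bz2_decompress(data, **limits)
        return "ok"
    except DecompressionBombError:
        return "bomb"
    except TruncatedStreamError:
        return "truncated"
    except OSError:  # bz2 raises OSError for an invalid data stream
        return "corrupt"


# Constructed sample inputs: a benign text payload and a highly compressible
# 8 MiB block of zeros that bzip2 shrinks to well under a kilobyte.
SAMPLE_TEXT = b"Jan 13 2004 mailgw: constructed sample log line for this example\n" * 200
GOOD = bz2.compress(SAMPLE_TEXT)
BOMB = bz2.compress(b"\0" * (8 * 1024 * 1024))

if __name__ == "__main__":
    for name, blob in (("good", GOOD), ("bomb", BOMB), ("cut", GOOD[:-5])):
        print(name, len(blob), "compressed bytes ->", scan_verdict(blob))
```

The ratio check is what stops the bomb here: the zero-filled stream is rejected once about 1 MiB has been produced, long before the 8 MiB would be allocated, and a real scanner would apply the same budget recursively to nested archives.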

-----------------------------------------------------------

Citibank has a web page that provides information on recent e-mail fraud attempts:
http://www.citibank.com/domain/spoof/report_abuse.htm

Also, see the following site for the latest in "phishing" fraud attempts:
http://www.anti-phishing.org/