[ISN] Security UPDATE--Combined Attack Methods--June 30, 2004

InfoSec News isn at c4i.org
Thu Jul 1 07:31:39 EDT 2004

==== This Issue Sponsored By ====

Windows & .NET Magazine

10 Things Hackers Don't Want You To Know


1. In Focus: Combined Attack Methods

2. Security News and Features
   - Recent Security Vulnerabilities
   - News: Vulnerable IIS Sites and IE Users Under Attack
   - News: AOL Engineer Charged with Selling Screen Names to Spammer
   - News: MasterCard and NameProtect Team to Stop Phishing

3. Instant Poll

4. Security Toolkit
   - FAQ
   - Featured Thread

5. New and Improved
   - Monitoring Software Bundle Reduces Prices


==== Sponsor: Windows & .NET Magazine ====
   Get 2 Sample Issues of Windows & .NET Magazine!
   Every issue of Windows & .NET Magazine includes intelligent,
impartial, and independent coverage of security, Active Directory,
Exchange, scripting, and much more. Our expert authors deliver how-to
articles and product evaluations that will help you do your job
better. Try two, no-risk sample issues today, and find out why 100,000
IT professionals rely on Windows & .NET Magazine each month!


==== 1. In Focus: Combined Attack Methods ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

The June 16 Security UPDATE includes a link to the news story "New IE
Flaws Might Allow Code Injection," which describes a relatively new
attack method being used by both intruders and purveyors of suspicious
or malicious software to infest systems that use Microsoft Internet
Explorer (IE). Jelmer Kuperus said that the attack uses Javascript,
iframes, PHP, and timing techniques to gain access to the trusted
intranet zone on a user's system. According to Kuperus, the exploit
also "uses several known vulnerabilities and two previously unknown
vulnerabilities." One of the vulnerabilities, for which no patch
exists, involves ActiveX Data Objects (ADO).

Through this attack method that uses multiple vulnerabilities, many
people's systems (possibly even the systems of some of you readers)
have become infected with various sorts of software, most of which is
annoying, if not outright dangerous. For example, nefarious entities
have installed adware that generates an endless stream of pop-up
windows on users' systems. That's the lighter side of the problem.

As you can learn by reading the news story "Vulnerable IIS Sites and
IE Users Under Attack" below, yet another factor was added to the mix
last week, this time involving Microsoft IIS. Using the IIS
vulnerability described in Microsoft Security Bulletin MS04-011
(Security Update for Microsoft Windows) on systems that haven't yet
been updated with a patch that's been available since mid-April,
intruders can inject Javascript into a server's Web pages. The
Javascript then uses a technique similar to the one I described above
to get IE to download Trojan horse software onto an unsuspecting
user's system. The Trojan horse program then gathers ("phishes")
log-on and financial information.

So now instead of intruders having to establish their own Web sites to
host malicious Javascript code, they're penetrating unpatched IIS
systems around the Internet that host legitimate Web sites. As Bugtraq
mailing list moderator David Ahmad points out in a June 25 posting,
these combined vulnerabilities have "no dependence on version or
memory layout or any other such messy factors, firewalls are totally
irrelevant and VPNs become basically a free ride in, [and] the browser
doesn't end up crashing (i.e., the victim remains blissfully unaware
that they've been owned)." These combined vulnerabilities have the
potential to become devastating.

Some preventive steps are obvious, and some aren't so obvious,
depending on the user or administrator. Obviously, loading the IIS
patch MS04-011 on your servers will stop intruders from manipulating
the servers' Web pages into hosting malicious code. Turning off
scripting in the IE security zones will also protect users to a
certain extent. But in countless scenarios, turning scripting off just
isn't possible. And sometimes scripting is essential to a Web site's
usability. Many of you probably already know how to improve security
in IE, but in case you don't, Microsoft has some recommendations that
you can read at the following URL:

One workaround if you can't turn off scripting is to disable ADO
databases (ADODB) in IE. Drew Copley of eEye Digital Security wrote a
simple registry script that does this very thing and one that undoes
the changes. He also wrote an executable program that disables and
re-enables ADODB. You can download the scripts and executable program
at the eEye Web site.
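Copley's scripts are not reproduced here. The example below is an added
illustration of the standard mechanism for disabling an ActiveX control
inside IE: setting the "kill bit" (Compatibility Flags 0x400) on the
control's class ID, the approach Microsoft documents in KB 870669 for
ADODB.Stream. That eEye's script works the same way is an assumption.

```reg
Windows Registry Editor Version 5.00

; Added example, not eEye's script. Sets the ActiveX kill bit for
; ADODB.Stream, CLSID {00000566-0000-0010-8000-00AA006D2EA4}, so IE
; refuses to instantiate it from script (including in the intranet and
; trusted zones). Other applications that use ADO are not affected.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000566-0000-0010-8000-00AA006D2EA4}]
"Compatibility Flags"=dword:00000400

; To undo the change, import a second .reg file containing the same
; key with the value deleted:
;   "Compatibility Flags"=-
```

Before relying on the setting, confirm it with a script-based test page
on a non-production machine: an IE page that tries `new ActiveXObject("ADODB.Stream")`
should fail after the import and succeed again after the undo.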

Another way of protecting IE systems against ADODB attacks is to use
PivX Solutions' Qwik-Fix, which protects IE against a variety of
intrusion methods. Recently, the company made available a version of
Qwik-Fix for enterprise environments. I don't know of any other tool
that provides the same sort of functionality.


==== Sponsor: 10 Things Hackers Don't Want You To Know ====
   Do you think all hackers use the same techniques to break into your
network? Do you think they all guess your passwords? Do you think that
an unpatched vulnerability is the only way to compromise your domain
controllers? In this free web seminar, you will learn about the 10
(actually 14) things that very successful hackers will do to
compromise your network. You will learn how hackers use these
techniques, and how to prevent them. The techniques may surprise you,
but your network health will improve greatly once you understand them.
Sign up now!


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these discoveries

News: Vulnerable IIS Sites and IE Users Under Attack
   A new form of attack is spreading over the Internet. The attack
affects unpatched Microsoft IIS systems, which then attack unprotected
Microsoft Internet Explorer (IE) systems.

News: AOL Engineer Charged with Selling Screen Names to Spammer
   Jason Smathers, an America Online (AOL) engineer, has been arrested
and charged with stealing tens of millions of AOL screen names (email
addresses) and selling them. Sean Dunaway, who purchased the addresses
from Smathers, has also been charged. He is accused of sending spam to
AOL customers and selling the list of AOL screen names to other

News: MasterCard and NameProtect Team to Stop Phishing
   MasterCard International and NameProtect announced a partnership in
which NameProtect will provide its services to MasterCard to help stop
phishing scams and illegal credit card use.


==== Announcements ====
   (from Windows & .NET Magazine and its partners)

Free eBook--"The Expert's Guide for Exchange 2003: Preparing for,
Moving to, and Supporting Exchange Server 2003"
   This eBook will educate Exchange administrators and systems
managers about how to best approach the migration and overall
management of an Exchange 2003 environment. The book will focus on
core issues such as configuration management, accounting, and
monitoring performance with an eye toward migration, consolidation,
security, and management.

Now the Windows & .NET Magazine Network VIP Web Site/Super CD Really
Does Have It All!
   Our VIP Web site/Super CD subscribers are used to getting online
access to all of our publications, plus a print subscription to
Windows & .NET Magazine and exclusive access to our banner-free VIP
Web site. But now we've added even more content from the archives of
SQL Server Magazine! You won't find a more complete and comprehensive
resource anywhere--check it out!


==== 3. Instant Poll ====

Results of Previous Poll
   The voting has closed in the Windows & .NET Magazine Network
Security Web page nonscientific Instant Poll for the question, "Where
are your wireless Access Points (APs)?" Here are the results from the
59 votes.
   - 42% Inside the border firewall
   - 24% Outside the border firewall
   - 34% Between the border firewall and an internal firewall

New Instant Poll
   The next Instant Poll question is, "Which Web browser does your
company currently use for Internet (as opposed to intranet) browsing?"
Go to the Security Administrator Web site and submit your vote for:
   - Microsoft Internet Explorer (IE)
   - Mozilla
   - Firefox
   - Opera
   - Other

==== 4. Security Toolkit ====
FAQ: How Can I Enable a Connection to a Machine over RDP and Through a
   by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. RDP operates over TCP port 3389. To enable connectivity to any
machine on the network through a firewall, open this port on the
firewall. To connect to a particular system on the LAN, configure port
forwarding on the firewall to send traffic from port 3389 to that

Featured Thread: Running Multiple Antivirus Scanners
   (Three messages in this thread)
   A reader wants to know whether running two different antivirus
software packages on a network at the same time is a good idea. If
yes, why? If no, why not? Lend a hand or read the responses:


==== Events Central ====
   (A complete Web and live events directory brought to you by Windows
& .NET Magazine: http://www.winnetmag.com/events )

Get Smart! Evaluate Your Options in the Entry-Level Server Market
   Comparing the options in the server market, including the decision
to purchase an OEM-supplied server versus building your own, can be a
daunting task. This free Web seminar provides an introduction to
entry-level servers, evaluates the current market of entry-level
servers, and assesses the value of vendor-supplied service and
support. Register now!


==== 5. New and Improved ====
   by Jason Bovberg, products at winnetmag.com

Monitoring Software Bundle Reduces Prices
   GFI Software launched the GFI LANguard Security Event Log Monitor
(SELM) and GFI Network Server Monitor bundle. Customers can now
purchase GFI LANguard SELM 5.0 and GFI Network Server Monitor 5.5
together at a reduced price. GFI LANguard SELM performs networkwide
event-log monitoring to alert you to important security events
immediately, whereas GFI Network Server Monitor automatically detects
network and server problems. The bundled software lets you monitor 10
servers through GFI LANguard SELM and unlimited servers through GFI
Network Server Monitor for $1295 (as opposed to $1649 without the
bundle pricing). Complete bundle pricing information is available at
GFI's Web site.

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a Windows & .NET Magazine T-shirt if we write about the
product in a future Windows & .NET Magazine What's Hot column. Send
your product suggestions with information about how the product has
helped you to whatshot at winnetmag.com.


==== Sponsored Links ====

   Comparison Paper: The Argent Guardian Easily Beats Out MOM

   CommVault - Free White Paper: Managing the Infinite Inbox

VERITAS Software
   VERITAS White Paper: Reclaim 30% of Your Windows Storage Space Now!


Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and
solutions in the Security Administrator print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rsecadmin at winnetmag.com. If we print your submission, you'll get
$100. We edit submissions for style, grammar, and length.


==== Contact Us ====

About the newsletter -- letters at winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products at winnetmag.com
About your subscription -- securityupdate at winnetmag.com
About sponsoring Security UPDATE -- emedia_opps at winnetmag.com


This email newsletter is brought to you by Windows & .NET Magazine,
the leading publication for IT professionals deploying Windows and
related technologies. Subscribe today.

You received this email message because you asked to receive
additional information about products and services from the Windows &
.NET Magazine Network. To unsubscribe, send an email message to
mailto:Security-UPDATE_Unsub at list.winnetmag.com. Thank you!

View the Windows & .NET Magazine privacy policy at

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.
