Windows, Unix Hit By Critical Security Vulnerabilities
By Mitch Wagner
Security administrators have been kept hopping this week with a series of vulnerabilities and patches for Microsoft and Unix systems.
In the latest event, on Wednesday, Microsoft announced a vulnerability in Windows, the second Windows problem disclosed by Redmond this week that could allow an attacker to take over a target system.
Earlier this week, Microsoft announced a vulnerability that could allow an attacker to take over a Windows 2000 system. Unlike most of the regular procession of security vulnerabilities announced in enterprise software, the Windows 2000 hole had actually been exploited: Web servers run by the U.S. Army and others were attacked. Later in the week, Microsoft warned that its patch for the vulnerability could itself freeze systems running Windows 2000 Service Pack 2, and recommended that users bring their systems up to date with later Windows 2000 updates.
Also on Wednesday, the Computer Emergency Response Team (CERT) warned of a security hole that could allow attackers to take over systems running Unix and Unix-like operating systems, including BSD, IBM AIX, and Sun Solaris, through networking code written by Sun. Other vendors were investigating the flaw.
The latest Windows security problem is a buffer overrun vulnerability affecting Windows XP, Windows 2000, Windows NT 4.0 Terminal Server Edition, Windows NT 4.0, Windows Me, Windows 98 Second Edition, and Windows 98. The flaw is in the Windows Script Engine for JScript; an attacker could exploit it by constructing a Web page that executes code of the attacker's choice with the privileges of the user viewing it. The page could be hosted on a Web site or sent directly to the user in e-mail, so the user need only view it for the exploit to run.
Microsoft rates the flaw critical and recommends that users install its patch immediately. Until then, users can reduce exposure by disabling active scripting, installing the current Outlook E-mail Security Update, and restricting Web browsing to trusted sites. Further information and the patch are available from the Microsoft Web site.
The Unix problem, also a buffer overflow vulnerability, is in the Sun Microsystems XDR library, which other vendors' operating systems use as well. The eXternal Data Representation (XDR) libraries let processes exchange structured data in a machine-independent encoding, typically over a network connection, and are commonly used in Remote Procedure Call (RPC) implementations; because RPC services decode XDR sent by remote, possibly untrusted, clients, a flaw there is reachable from the network. CERT recommends that system administrators apply patches from their vendors; more information, pointers, and patches are available from the CERT Web site.
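The article does not say which XDR routine is at fault, and the following does not reproduce Sun's library or the flaw itself. It is an added example, written in C for this page, of the two XDR primitives (as standardized in RFC 1832) from which RPC messages are built, a 4-byte big-endian integer and a variable-length opaque field, together with the bound checks a decoder must apply before trusting a length word that arrived over the network. The message layout (a version word followed by one opaque field) and the sample bytes are constructed for illustration, not captured traffic.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Cursor over a received message. pos never exceeds len. */
typedef struct {
    const uint8_t *buf;
    size_t len;
    size_t pos;
} xdr_t;

/* Read one XDR unsigned int: 4 bytes, big-endian. -1 if the message is truncated. */
static int xdr_get_u32(xdr_t *x, uint32_t *out)
{
    if (x->len - x->pos < 4)
        return -1;
    const uint8_t *p = x->buf + x->pos;
    *out = ((uint32_t)p[0] << 24) | ((uint32_t)p[1] << 16) |
           ((uint32_t)p[2] << 8)  |  (uint32_t)p[3];
    x->pos += 4;
    return 0;
}

/* Read an XDR variable-length opaque (length word, data, zero padding to a
 * 4-byte boundary) into dst[cap]. The length word came off the wire, so it is
 * checked against the destination capacity and against the bytes actually
 * present before anything is copied. Status: 0 ok, -1 truncated header,
 * -2 length exceeds dst, -3 length exceeds message, -4 padding missing. */
static int xdr_get_opaque(xdr_t *x, uint8_t *dst, size_t cap, size_t *outlen)
{
    uint32_t declared;
    if (xdr_get_u32(x, &declared) != 0)
        return -1;
    size_t remaining = x->len - x->pos;
    if (declared > cap)
        return -2;
    if (declared > remaining)
        return -3;
    size_t pad = (4 - (declared & 3)) & 3;   /* 0..3, derived without any addition that could wrap */
    if (pad > remaining - declared)
        return -4;
    memcpy(dst, x->buf + x->pos, declared);
    x->pos += declared + pad;
    *outlen = declared;
    return 0;
}

/* Constructed sample messages (not captured traffic): [u32 version][opaque]. */
static const uint8_t MSG_OK[] = {
    0x00, 0x00, 0x00, 0x02,                   /* version 2 */
    0x00, 0x00, 0x00, 0x05,                   /* opaque length 5 */
    'h', 'e', 'l', 'l', 'o', 0x00, 0x00, 0x00 /* 5 data bytes + 3 pad bytes */
};
static const uint8_t MSG_HUGE[] = {           /* length word 0xFFFFFFFF */
    0x00, 0x00, 0x00, 0x02,
    0xFF, 0xFF, 0xFF, 0xFF,
    'A', 'A', 'A', 'A'
};
static const uint8_t MSG_SHORT[] = {          /* claims 64 bytes, sends 4 */
    0x00, 0x00, 0x00, 0x02,
    0x00, 0x00, 0x00, 0x40,
    'A', 'A', 'A', 'A'
};
static const uint8_t MSG_NOPAD[] = {          /* 5 bytes, padding omitted */
    0x00, 0x00, 0x00, 0x02,
    0x00, 0x00, 0x00, 0x05,
    'h', 'e', 'l', 'l', 'o'
};

/* Decode one message into a 64-byte buffer. Returns the decoder status and
 * stores the decoded opaque length (0 on failure) through outlen. */
int parse_message(const uint8_t *msg, size_t n, size_t *outlen)
{
    uint8_t payload[64];
    xdr_t x = { msg, n, 0 };
    uint32_t version;
    *outlen = 0;
    if (xdr_get_u32(&x, &version) != 0 || version != 2)
        return -5;
    return xdr_get_opaque(&x, payload, sizeof payload, outlen);
}

/* Wrappers so each sample can be checked with a single call. */
int sample_status(const uint8_t *msg, size_t n)
{
    size_t len;
    return parse_message(msg, n, &len);
}
size_t sample_len(const uint8_t *msg, size_t n)
{
    size_t len;
    parse_message(msg, n, &len);
    return len;
}

int main(void)
{
    printf("ok   : status %d, %zu bytes\n",
           sample_status(MSG_OK, sizeof MSG_OK), sample_len(MSG_OK, sizeof MSG_OK));
    printf("huge : status %d\n", sample_status(MSG_HUGE, sizeof MSG_HUGE));
    printf("short: status %d\n", sample_status(MSG_SHORT, sizeof MSG_SHORT));
    printf("nopad: status %d\n", sample_status(MSG_NOPAD, sizeof MSG_NOPAD));
    return 0;
}
```

The point of the three rejected samples is that a decoder which sizes its copy or its allocation from the declared length alone, without comparing it to the destination and to the bytes that actually arrived, lets the sender choose how far past the buffer the copy runs; checking the padding separately, rather than rounding the length up first, avoids the integer wrap that such rounding can introduce.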
The constant procession of security patches from enterprise vendors puts enterprise security managers in a Catch-22: it is impossible to keep up, and dangerous to fall behind. David Perry, global director of education at security vendor Trend Micro, said he expects managed security services, such as the one his company introduced earlier this year, to step in and help users manage security. Such services will absorb and replace traditional standalone products like antivirus software, Perry said.
"We're transforming to a world where you're not just getting a pattern file from your antivirus companies, you're getting policies and advisories and leveraged expertise," Perry said. "You hire someone who does these things for you."
That is the solution for large enterprises. Small businesses and home users will instead look to their Internet service providers for security services. That matters to large enterprises too: small-business and home systems generally have sloppier security policies and become vectors for viruses, which then spread to corporate networks when users connect from those personal systems.
Perry also questioned the media's practice of publicizing security holes as soon as they are discovered, which he said gives hackers pointers on where to look for vulnerabilities, as well as an incentive to seek notoriety in the hacker community.
"It becomes a self-fulfilling prophecy of a sort," Perry said.