From daniela em ccuec.unicamp.br Fri Feb 1 09:09:23 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Fri, 1 Feb 2002 09:09:23 -0200
Subject: [SECURITY-L] Windows 2000 security fixes released
Message-ID: <20020201110923.GC5187@ccuec.unicamp.br>

----- Forwarded message from Nelson Murilo -----

From: Nelson Murilo
Subject: [S] Windows 2000 security fixes released
To: seguranca em pangeia.com.br
Date: Fri, 1 Feb 2002 00:23:36 -0200

[http://news.com.com/2100-1001-826495.html]

By Joe Wilcox
Staff Writer, CNET News.com
January 30, 2002, 2:40 PM PT

Microsoft on Wednesday issued an important collection of security fixes for Windows 2000.

The release of the 17MB downloadable Windows 2000 Security Rollup Package (SRP1) comes as Microsoft steps up its emphasis on security. In an e-mail to Microsoft's 47,000 employees earlier this month, Chairman Bill Gates called for putting security ahead of adding new features to products.

Among the fixes: several denial-of-service and buffer-overflow patches, telnet and file-transfer protocol tweaks and authentication-error repairs, among others.

SRP1 is a cumulative collection of security fixes released since Microsoft issued Windows 2000 Service Pack 2 in May. Service packs are collections of fixes and enhancements periodically released for Windows. Service Pack 3 for Windows 2000 is currently in beta testing.

Given the increased emphasis on security, and the amount of time since the last service, the release of the security fixes is appropriate, say analysts.

"I think it's good, but how well it's accepted depends on how much the word gets out," Technology Business Research analyst Bob Sutherland said.

In October, Microsoft unveiled the Strategic Technology Protection program, for the purpose of getting out consolidated security fixes to its customers.
At the same time, the company said that with the release of Service Pack 3, it would significantly beef up Windows 2000's security features and the OS's capability to receive new updates.

The newer Windows XP, by contrast, already has built-in plumbing that lets the system quickly receive security and bug fixes. With the new OS, officially launched Oct. 25, Microsoft made the Windows Update feature more automatic. With older Windows versions, including 2000, people had to go out to a Web site to retrieve enhancements or fixes. With XP, updates can be retrieved automatically and installed when the user is ready.

Microsoft's ability to quickly deliver timely security fixes or updates for Windows 2000 could be crucial for thousands of businesses deploying the operating system. While XP is gaining ground with consumers, businesses are holding to their Windows 2000 adoption plans. Gartner estimates that only about 16 percent of PCs sold to businesses this year will have XP; more than 40 percent are expected to pack Windows 2000.

Still, Microsoft faces a host of challenges as it tries to knuckle down on security. The company has been besieged with a host of recent glitches affecting Excel and PowerPoint, secure digital content, Windows XP and Internet Explorer, among other products.

But security experts and analysts praised Microsoft's newfound emphasis on security.

"Microsoft's announcement they're all about security is definitely reflective of the final acknowledgement they have serious problems both internally and externally," Sutherland said.
----- End forwarded message -----

From daniela em ccuec.unicamp.br Fri Feb 1 17:10:35 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Fri, 1 Feb 2002 17:10:35 -0200
Subject: [SECURITY-L] Windows 2000 Security Rollup Package 1 (SRP1)
Message-ID: <20020201191035.GB26897@ccuec.unicamp.br>

----- Forwarded message from Aldo Albuquerque - Segurança de Sistemas -----

From: Aldo Albuquerque - Segurança de Sistemas
Subject: Windows 2000 Security Rollup Package 1 (SRP1)
Date: Fri, 1 Feb 2002 15:19:44 -0300
Organization: C.E.S.A.R - Centro de Estudos e Sistemas Avançados do Recife

Dear all;

For those who do not know yet, Microsoft has released a sort of "Service Pack 2.5", now called "Windows 2000 Security Rollup Package 1 (SRP1)". This package includes a series of post-SP2 hotfixes. It is already available for download in English and Brazilian Portuguese.

URL: http://www.microsoft.com/Windows2000/downloads/critical/q311401/download.asp

The hotfixes included in it are:

Core OS:
MS01-007 (Q285851): Network DDE Agent Requests Can Enable Code to Run in System Context
MS01-011 (Q287397): Malformed Request to Domain Controller can Cause CPU Exhaustion
MS01-013 (Q285156): Windows 2000 Event Viewer Contains Unchecked Buffer
MS01-024 (Q294391): Malformed Request to Domain Controller can Cause Memory Exhaustion
MS01-036 (Q299687): Function Exposed via LDAP over SSL Could Enable Passwords to be Changed
MS01-041 (Q298012): Malformed RPC Request Can Cause Service Failure
MS01-046 (Q252795): Access Violation in Windows 2000 IrDA Driver Can Cause System to Restart

FrontPage Server Extensions:
MS01-035 (Q300477): FrontPage Server Extension Sub-Component Contains Unchecked Buffer

Hyperterminal:
MS00-079 (Q276471): Hyperterminal Buffer Overflow

Indexing Service:
MS01-025 (Q296185): Index Server Search Function Contains Unchecked Buffer
MS01-033 (Q300972): Unchecked Buffer in Index Server ISAPI Extension Could Enable Web Server Compromise

Internet Explorer 5.01:
MS01-051 (Q306121): Malformed Dotless IP Address Can Cause Web Page to be Handled in Intranet Zone
Note: Only the fix for version 5.01 of Internet Explorer is included in the SRP, as this is the version that shipped with Windows 2000. Patches are available for other versions of IE.

Internet Information Service 5.0:
MS01-004 (Q285985): Malformed .HTR Request Allows Reading of File Fragments
MS01-026 (Q293826): 14 May 2001 Cumulative Patch for IIS
MS01-044 (Q301625): 15 August 2001 Cumulative Patch for IIS

Netmeeting:
MS00-077 (Q273854): Netmeeting Desktop Sharing

NNTP Service:
MS01-043 (Q303984): NNTP Service Contains Memory Leak

SMTP Service:
MS01-037 (Q302755): Authentication Error in SMTP Service Could Allow Mail Relaying

Telnet Service:
MS01-031 (Q299553): Predictable Name Pipes Could Enable Privilege Elevation via Telnet

Terminal Service:
MS01-040 (Q292435): Invalid RDP Data Can Cause Memory Leak in Terminal Services
MS01-052 (Q307454): Invalid RDP Data can Cause Terminal Service Failure

Patches for Windows 2000 that were delivered via security bulletins released after MS01-052. These will be included in Windows 2000 SRP2.

Regards,

Aldo Albuquerque - CCSA
Tempest Security Technologies - http://www.tempest.com.br
C.E.S.A.R. - Centro de Estudos e Sistemas Avançados do Recife - http://www.cesar.org.br
---
"Software is what you curse at, hardware is what you kick"

----- End forwarded message -----

From daniela em ccuec.unicamp.br Fri Feb 1 17:09:46 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Fri, 1 Feb 2002 17:09:46 -0200
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20020201190946.GA26897@ccuec.unicamp.br>

Dear users,

We have updated the website of the Unicamp Systems and Networks Security Team with the following vulnerability bulletins:

30/01/2002:
-----------

Red Hat, Inc. Red Hat Security Advisory (RHSA-2002:018-10)
Subject: security vulnerability in the rsync package.
http://www.security.unicamp.br/docs/bugs/2002/01/v69.txt

Microsoft Security Bulletin (MS02-001)
Subject: Trusting Domains Do Not Verify Domain Membership of SIDs in Authorization Data.
http://www.security.unicamp.br/docs/bugs/2002/01/v70.txt

31/01/2002:
-----------

Conectiva Linux security announcement (CLA-2002:460)
Subject: Vulnerability in URL handling (package: pine)
http://www.security.unicamp.br/docs/bugs/2002/01/v71.txt

Mandrake Linux Security Update Advisory (MDKSA-2002:011)
Subject: security vulnerability in the gzip package.
http://www.security.unicamp.br/docs/bugs/2002/01/v72.txt

01/02/2002:
-----------

ALERTA-CAIS: Privilege elevation vulnerability in trusted domains.
http://www.security.unicamp.br/docs/bugs/2002/02/v1.txt

Conectiva Linux update announcement (CLA-2002:461)
Subject: pam_limits module does not work on kernel 2.2.
http://www.security.unicamp.br/docs/bugs/2002/02/v2.txt

--
Systems and Networks Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From daniela em ccuec.unicamp.br Tue Feb 5 16:41:31 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Tue, 5 Feb 2002 16:41:31 -0200
Subject: [SECURITY-L] News bulletins
Message-ID: <20020205184131.GA19652@ccuec.unicamp.br>

Dear users,

We have updated the website of the Unicamp Systems and Networks Security Team with the following news bulletins and/or electronic magazines:

30/01/2002:
-----------

The SANS Weekly Security News Overview (Vol. 4, Num. 05)
Source: SANS Institute
http://www.security.unicamp.br/docs/informativos/2002/01/b15.txt

01/02/2002:
-----------

LinuxSecurity Brasil Edição Especial #2002/05
Source: Linux Security
http://www.security.unicamp.br/docs/informativos/2002/02/b2.html

04/02/2002:
-----------

SecurityFocus.com Newsletter #130
Source: SecurityFocus.com
http://www.security.unicamp.br/docs/informativos/2002/02/b1.txt

--
Systems and Networks Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From daniela em ccuec.unicamp.br Wed Feb 6 15:27:13 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Wed, 6 Feb 2002 15:27:13 -0200
Subject: [SECURITY-L] News bulletin
Message-ID: <20020206172713.GA23893@ccuec.unicamp.br>

Dear users,

We have updated the website of the Unicamp Systems and Networks Security Team with the following news bulletins and/or electronic magazines:

06/02/2002:
-----------

The SANS Weekly Security News Overview (Vol. 4, Num. 06)
Source: SANS Institute
http://www.security.unicamp.br/docs/informativos/2002/02/b3.txt

--
Systems and Networks Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From daniela em ccuec.unicamp.br Wed Feb 6 15:57:00 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Wed, 6 Feb 2002 15:57:00 -0200
Subject: [SECURITY-L] CAIS-Alerta: End of Daylight Saving Time 2001/2002
Message-ID: <20020206175700.GB28305@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: End of Daylight Saving Time 2001/2002
To: , ,
Cc: Centro de Atendimento a Incidentes de Seguranca
Date: Wed, 6 Feb 2002 15:51:40 -0200 (EDT)

Dear all,

CAIS would like to alert everyone that, in accordance with Decree 3.916 of 13 September 2001, daylight saving time 2001/2002 will end at midnight (00:00) on 17 February 2002.

Accordingly, in the states that took part in daylight saving time, clocks will need to be set *back* by 1 hour. They are:

Rio Grande do Sul, Santa Catarina, Paraná, São Paulo, Rio de Janeiro, Espírito Santo, Minas Gerais, Goiás, Mato Grosso, Mato Grosso do Sul, Tocantins, Bahia, Sergipe, Alagoas, Pernambuco, Paraíba, Rio Grande do Norte, Ceará, Piauí, Maranhão and Distrito Federal.

On NTP servers, the service must be restarted after the automatic time adjustment. This is necessary because the service will become unavailable if a difference greater than 20 minutes is detected between the machine's local time and the NTP server's time.

Finally, we stress that, when it comes to security incidents, the accuracy of system clocks is fundamental to keeping logs consistent, which is essential in investigations and in identifying those responsible.
Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais em cais.rnp.br       http://www.cais.rnp.br             #
# Tel. 019-37873300      Fax. 019-37873301                     #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

----- End forwarded message -----

From daniela em ccuec.unicamp.br Wed Feb 6 15:55:52 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Wed, 6 Feb 2002 15:55:52 -0200
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20020206175551.GA28305@ccuec.unicamp.br>

Dear users,

We have updated the website of the Unicamp Systems and Networks Security Team with the following vulnerability bulletins:

06/02/2002:
-----------

Security Advisory FreeBSD, Inc. (FreeBSD-SA-02:09)
Subject: fstatfs race condition may allow local denial of service via procfs.
http://www.security.unicamp.br/docs/bugs/2002/02/v3.txt

Security Advisory FreeBSD, Inc. (FreeBSD-SA-02:10)
Subject: rsync port contains remotely exploitable vulnerability.
http://www.security.unicamp.br/docs/bugs/2002/02/v4.txt

--
Systems and Networks Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From daniela em ccuec.unicamp.br Fri Feb 8 11:10:05 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Fri, 8 Feb 2002 11:10:05 -0200
Subject: [SECURITY-L] How to hack unbreakable Oracle servers
Message-ID: <20020208131005.GA13773@ccuec.unicamp.br>

----- Forwarded message from Nelson Murilo -----

From: Nelson Murilo
Subject: [S] How to hack unbreakable Oracle servers
To: seguranca em pangeia.com.br
Date: Fri, 8 Feb 2002 09:56:32 -0200

[http://www.theregister.co.uk/content/4/23979.html]

By Thomas C Greene in Washington
Posted: 07/02/2002 at 20:53 GMT

Security researcher David Litchfield has identified a vast number of attacks against Oracle application servers and has written them up in a paper[1] which includes defensive strategies as well.

From this we learn, contrary to Oracle President Larry Ellison's claims, that Oracle is vulnerable to buffer overflow attacks, DoS attacks, and remote exploitation to name but a few difficulties.

Litchfield willingly allows that Oracle makes the most secure product on the market, and compliments Oracle for its obvious dedication to security. But as for being unbreakable, well, we all know that nothing is.

First up we have a PL/SQL buffer overrun vulnerability. This is in the Apache front end affecting Windows NT/2K, where Apache runs in the System (root) account and consequently allows code to run with full privileges.

One problem is that the admin help pages are not PW protected. Thus a call to one of the pages can initiate a buffer overflow if it contains enough garbage (around 1K bytes). A quick fix would be to alter the admin path with something unique, making it difficult to guess.

Next, a directory traversal is possible due to a URL decoding glitch.
This would allow an attacker to move from the Web environment to read files readable to the OS.

It's also possible to administer PL/SQL DADs (Database Access Descriptors) without authentication, Litchfield has discovered. An obvious goal in this case would be to add a password so the attacker can escalate his privileges.

These are only the first three taken in order for illustration. There are in fact scores of attacks listed in this compendium, including authentication bypassing, path mapping, SOAP vulnerabilities, weak default paths, and terribly guessable or forceable default passwords (examples are provided -- but system/manager is our absolute favorite).

Litchfield's paper should be required reading for anyone who owns or administers an unbreakable Oracle box.

----- End forwarded message -----

From daniela em ccuec.unicamp.br Fri Feb 8 11:51:21 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Fri, 8 Feb 2002 11:51:21 -0200
Subject: [SECURITY-L] Free seminars teach protection against cyberattacks
Message-ID: <20020208135121.GA21334@ccuec.unicamp.br>

----- Forwarded message from Giordani Rodrigues -----

From: "Giordani Rodrigues"
Subject: Free seminars teach protection against cyberattacks
To: "Daniela Regina Barbetti"
Date: Fri, 8 Feb 2002 11:38:47 -0200
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

Dear Daniela,

Yesterday I published an article about a series of free seminars from Internet Security Systems (ISS) that will be presented in some Latin American cities, including some of the main ones in Brazil. I am sending the text and the link to the article, since I thought the subject might interest the participants of this list.
Regards,

Giordani Rodrigues
Editor, InfoGuerra
URL: http://www.infoguerra.com.br
E-mail: editor em infoguerra.com.br

http://www.infoguerra.com.br/infonews/viewnews.cgi?newsid1013080960,44407,/

Free seminars teach protection against cyberattacks

7/2/2002 - 9:22
InfoGuerra newsroom

Internet Security Systems (ISS) yesterday announced a series of free educational seminars that will extend to 13 cities in Latin America. The aim of the seminars is to help prepare participants to put proactive defenses into action against a wide variety of cyber threats and to protect their Information Technology infrastructures effectively.

Named "Are You Vulnerable? Wireless, Worms and Cyber Threats", the seminar series will cover the protection of wireless networks, effective defense against the latest "hybrid" threats, including the Internet worms Code Red and Nimda, and the latest exploits used by network intruders to gain access to and control of systems.

All participants will receive a free copy of BlackICE Defender, from ISS, a personal firewall and intrusion detection product for desktop computers.

The series began in Puerto Rico on 5 February and continues in both the United States and Latin America through the month of March.
The Latin American cities in which the seminars will be presented include:

San Juan, Puerto Rico - 5 February
Mexico City, Mexico - 7 February
Monterrey, Mexico - 7 February
Santo Domingo, Dominican Republic - 5 March
Lima, Peru - 7 March
Florianópolis, SC, Brazil - 25 March
Porto Alegre, RS, Brazil - 25 March
Rio de Janeiro, RJ, Brazil - 26 March
Brasília, DF, Brazil - 27 March
São Paulo, SP, Brazil - 27 March

Other countries and cities are:

Buenos Aires, Argentina - 16 July
Montevideo, Uruguay - 17 July
Santiago, Chile - 18 July

For registration and additional information, visit www.issfeedback.com/areyouvulnerable or call 404-236-3600 (USA).

----- End forwarded message -----

From daniela em ccuec.unicamp.br Fri Feb 8 15:40:10 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Fri, 8 Feb 2002 15:40:10 -0200
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20020208174010.GA4250@ccuec.unicamp.br>

Dear users,

We have updated the website of the Unicamp Systems and Networks Security Team with the following vulnerability bulletins:

06/02/2002:
-----------

Microsoft Security Bulletin (MS02-002)
Subject: Malformed Network Request can cause Office v. X for Mac to Fail.
http://www.security.unicamp.br/docs/bugs/2002/02/v5.txt

07/02/2002:
-----------

CAIS-Alerta: Denial of Service in Office X for Mac.
http://www.security.unicamp.br/docs/bugs/2002/02/v6.txt

Microsoft Security Bulletin (MS02-003)
Subject: Exchange 2000 System Attendant Incorrectly Sets Remote Registry Permissions.
http://www.security.unicamp.br/docs/bugs/2002/02/v7.txt

Microsoft Security Bulletin (MS02-004)
Subject: Unchecked Buffer in Telnet Server Could Lead to Arbitrary Code Execution.
http://www.security.unicamp.br/docs/bugs/2002/02/v8.txt

Cisco Security Advisory
Subject: Cisco Secures Access Control Server Novell Directory Service Expired/Disabled User Authentication Vulnerability.
http://www.security.unicamp.br/docs/bugs/2002/02/v11.txt

Mandrake Linux Security Update Advisory (MDKSA-2002:012)
Subject: security vulnerability in the "groff" package.
http://www.security.unicamp.br/docs/bugs/2002/02/v12.txt

08/02/2002:
-----------

CAIS-Alerta: Vulnerability in the Exchange 2000 System Attendant.
http://www.security.unicamp.br/docs/bugs/2002/02/v9.txt

CAIS-Alerta: Buffer Overflow in the Windows 2000 Telnet Service and in the Telnet Daemon (telnetd) of Microsoft Interix 2.2.
http://www.security.unicamp.br/docs/bugs/2002/02/v10.txt

--
Systems and Networks Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From daniela em ccuec.unicamp.br Fri Feb 8 15:45:12 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Fri, 8 Feb 2002 15:45:12 -0200
Subject: [SECURITY-L] News bulletins
Message-ID: <20020208174512.GA6057@ccuec.unicamp.br>

Dear users,

We have updated the website of the Unicamp Systems and Networks Security Team with the following news bulletins and/or electronic magazines:

08/02/2002:
-----------

LinuxSecurity Brasil Edição Especial #2002/06
Source: Linux Security
http://www.security.unicamp.br/docs/informativos/2002/02/b4.html

--
Systems and Networks Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From daniela em ccuec.unicamp.br Thu Feb 14 14:58:55 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Thu, 14 Feb 2002 14:58:55 -0200
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20020214165855.GA10679@ccuec.unicamp.br>

Dear users,

We have updated the website of the Unicamp Systems and Networks Security Team with the following vulnerability bulletins:

16/01/2002:
-----------

Caldera International, Inc. Security Advisory (CSSA-2002-001.0)
Subject: Linux - OpenLDAP attribute deletion problem.
http://www.security.unicamp.br/docs/bugs/2002/01/v73.txt

24/01/2002:
-----------

Caldera International, Inc. Security Advisory (CSSA-2002-003.0)
Subject: Linux - Remote attack on rsync.
http://www.security.unicamp.br/docs/bugs/2002/01/v75.txt

25/01/2002:
-----------

Caldera International, Inc. Security Advisory (CSSA-2002-002.0)
Subject: Linux - Remote exploit against mutt
http://www.security.unicamp.br/docs/bugs/2002/01/v74.txt

08/02/2002:
-----------

CAIS-Alerta: Vulnerability in CISCO ACS.
http://www.security.unicamp.br/docs/bugs/2002/02/v13.txt

11/02/2002:
-----------

Mandrake Linux Security Update Advisory (MDKSA-2002:013)
Subject: security vulnerability in the "openldap" package.
http://www.security.unicamp.br/docs/bugs/2002/02/v19.txt

12/02/2002:
-----------

CERT Advisory (CA-2002-03)
Subject: Multiple Vulnerabilities in Many Implementations of the Simple Network Management Protocol (SNMP).
http://www.security.unicamp.br/docs/bugs/2002/02/v14.txt

SANS FLASH ALERT
Subject: Widespread SNMP Vulnerability.
http://www.security.unicamp.br/docs/bugs/2002/02/v15.txt

Security Advisory FreeBSD, Inc. (FreeBSD-SA-02:11)
Subject: ucd-snmp/net-snmp remotely exploitable vulnerabilities.
http://www.security.unicamp.br/docs/bugs/2002/02/v16.txt

Microsoft Security Bulletin (MS02-006)
Subject: Unchecked Buffer in SNMP Service Could Enable Arbitrary Code to be Run.
http://www.security.unicamp.br/docs/bugs/2002/02/v17.txt

Sun Microsystems, Inc. Security Bulletin (#00215)
Subject: security vulnerability in the snmpdx daemon.
http://www.security.unicamp.br/docs/bugs/2002/02/v20.txt

Update: Red Hat, Inc. Red Hat Security Advisory (RHSA-2001:163-20)
Subject: updated ucd-snmp packages available.
http://www.security.unicamp.br/docs/bugs/2002/02/v21.txt

Caldera International, Inc. Security Advisory (CSSA-2002-SCO.4)
Subject: Open UNIX, UnixWare 7: snmpd memory fault vulnerabilities.
http://www.security.unicamp.br/docs/bugs/2002/02/v22.txt

13/02/2002:
-----------

CAIS-Alerta: Multiple Vulnerabilities in SNMP.
http://www.security.unicamp.br/docs/bugs/2002/02/v18.txt

14/02/2002:
-----------

Conectiva Linux security announcement (CLA-2002:462)
Subject: multiple remote vulnerabilities in the ucd-snmp package.
http://www.security.unicamp.br/docs/bugs/2002/02/v23.txt

--
Systems and Networks Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From daniela em ccuec.unicamp.br Thu Feb 14 15:29:58 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Thu, 14 Feb 2002 15:29:58 -0200
Subject: [SECURITY-L] News bulletins
Message-ID: <20020214172958.GA27609@ccuec.unicamp.br>

Dear users,

We have updated the website of the Unicamp Systems and Networks Security Team with the following news bulletins and/or electronic magazines:

11/02/2002:
-----------

SANS Windows Security Digest Vol. 5 Num. 2
Source: SANS Institute
http://www.security.unicamp.br/docs/informativos/2002/02/b5.txt

SecurityFocus.com Newsletter #131
Source: SecurityFocus.com
http://www.security.unicamp.br/docs/informativos/2002/02/b6.txt

13/02/2002:
-----------

The SANS Weekly Security News Overview (Vol. 4, Num. 07)
Source: SANS Institute
http://www.security.unicamp.br/docs/informativos/2002/02/b7.txt

--
Systems and Networks Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From daniela em ccuec.unicamp.br Fri Feb 15 08:48:14 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Fri, 15 Feb 2002 08:48:14 -0200
Subject: [SECURITY-L] CAIS-Alerta: Cumulative Patch for Internet Explorer
Message-ID: <20020215104814.GA13896@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Cumulative Patch for Internet Explorer
To: ,
Cc: Centro de Atendimento a Incidentes de Seguranca
Date: Thu, 14 Feb 2002 15:31:18 -0200 (EDT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the CIAC alert, CIAC Bulletin M-041 Microsoft Internet Explorer Cumulative Patch, concerning the alert issued by Microsoft, Microsoft Security Bulletin MS02-005, which deals with the identification of six vulnerabilities in Internet Explorer.

One of these vulnerabilities allows an attacker to execute code remotely on the client system, possibly gaining access to it.

Note that the patch released is cumulative; that is, once installed, it eliminates all previously disclosed vulnerabilities affecting IE 5.01, 5.5 and IE 6, in addition to the six covered in this alert.

Affected systems:

Windows platforms with Internet Explorer 5.01 SP2, 5.5 SP1 and SP2, or 6.0.
Available fixes:

The fix consists of applying the "11 February 2002 Cumulative Patch for IE", which can be obtained at:

http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp

More information:

http://www.microsoft.com/technet/security/bulletin/ms02-005.asp

CVE identifiers: CAN-2002-0022, CAN-2002-0023, CAN-2002-0024, CAN-2002-0025, CAN-2002-0026 and CAN-2002-0027

CAIS strongly recommends that administrators of Windows systems update their systems.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais em cais.rnp.br       http://www.cais.rnp.br             #
# Tel. 019-37873300      Fax. 019-37873301                     #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

>From ciac em rumpole.ciac.org Thu Feb 14 12:14:35 2002
Date: Tue, 12 Feb 2002 17:25:42 -0800 (PST)
From: CIAC Mail User
To: ciac-bulletin em rumpole.ciac.org
Subject: CIAC Bulletin M-041 Microsoft Internet Explorer Cumulative Patch

[For Public Release]

__________________________________________________________

The U.S. Department of Energy
Computer Incident Advisory Center
__________________________________________________________

INFORMATION BULLETIN

Microsoft Internet Explorer Cumulative Patch
[Microsoft Security Bulletin MS02-005]

February 12, 2002 18:00 GMT                                  Number M-041
______________________________________________________________________________
PROBLEM: Six vulnerabilities have been found in Internet Explorer, the most serious of which allows an intruder to remotely run code on another user's system.
PLATFORM: Windows Platforms with Internet Explorer 5.01 SP2, 5.5 SP1 and SP2, or 6.0.
DAMAGE: Depending on the vulnerability, an intruder can read or execute files on a client system and possibly get remote access to the system.
SOLUTION: Apply the 11 February 2002 Cumulative Patch for Internet Explorer available on the Microsoft windowsupdate website.
______________________________________________________________________________
VULNERABILITY ASSESSMENT: The risk is HIGH. Remote users can run code on a client's system and possibly get user access on that system.
______________________________________________________________________________
LINKS:
CIAC BULLETIN: http://www.ciac.org/ciac/bulletins/m-041.shtml
ORIGINAL BULLETIN: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-005.asp
PATCHES: http://windowsupdate.microsoft.com
______________________________________________________________________________

- -+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+
This message was posted through the FIRST mailing list server. Contact your team's FIRST representative to (un)subscribe, DO NOT REDISTRIBUTE BEYOND MEMBERS OF FIRST TEAMS UNLESS THE AUTHOR OF THIS MESSAGE GRANTS EXPRESS PERMISSION TO REDISTRIBUTE
- -+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+

- ------------ Output from pgp ------------
Signature by unknown keyid: 0x6CCB7419

-----BEGIN PGP SIGNATURE-----
Version: PGPfreeware 5.0i for non-commercial use
Charset: noconv

iQCVAwUBPGv0bekli63F4U8VAQFc2gP+N4keuSfKjPf9YROUnrSUteWPEVR50Ji9
5ZIWSrXbU/CeXDtdwPAEdUX1NTxAhK/h66TwnBSV7n8F0AuLQCJ0hcZ7I2jGsRdU
CvQJResYvxU68eSUD16ql4z5glXLz99DkGW+5cN6gEchuTGb/JVFzKsDq27WTenv
wVy1ULb3MA8=
=xb42
-----END PGP SIGNATURE-----

----- End forwarded message -----

From daniela em ccuec.unicamp.br Fri Feb 15 11:40:12 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Fri, 15 Feb 2002 11:40:12 -0200
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20020215134012.GA9583@ccuec.unicamp.br>

Dear users,

We have updated the website of the Unicamp Systems and Networks Security Team with the following vulnerability bulletins:

13/02/2002:
-----------

HP Support Information Digests
Subjects: HPSBUX0202-185: Sec. Vulnerability with HP AdvanceStack hubs; HPSBUX0202-184: Sec. Vulnerability in SNMP; HPSBUX0202-183: Sec. Vulnerability with setrlimit()
http://www.security.unicamp.br/docs/bugs/2002/02/v25.txt

HP Support Information Digests
Subject: HPSBTL0202-023: Updated telnet package available.
http://www.security.unicamp.br/docs/bugs/2002/02/v26.txt

14/02/2002:
-----------

CAIS-Alerta: Cumulative Patch for Internet Explorer
http://www.security.unicamp.br/docs/bugs/2002/02/v24.txt

Caldera International, Inc. Security Advisory (CSSA-2002-SCO.5)
Subject: Open UNIX, UnixWare 7: encrypted password disclosure.
http://www.security.unicamp.br/docs/bugs/2002/02/v27.txt

REVISED: Caldera International, Inc. Security Advisory (CSSA-2001-SCO.36.2)
Subject: Open UNIX, UnixWare 7: wu-ftpd ftpglob() vulnerability.
http://www.security.unicamp.br/docs/bugs/2002/02/v28.txt

HP Support Information Digests
Subject: HPSBUX0202-184: Sec. Vulnerability in SNMP (rev. 1).
http://www.security.unicamp.br/docs/bugs/2002/02/v29.txt

--
Systems and Networks Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From daniela em ccuec.unicamp.br Fri Feb 15 11:12:11 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Fri, 15 Feb 2002 11:12:11 -0200
Subject: [SECURITY-L] Notes on the cumulative patch for IE + tips on SNMP bugs
Message-ID: <20020215131210.GC26258@ccuec.unicamp.br>

----- Forwarded message from Giordani Rodrigues -----

From: "Giordani Rodrigues"
Subject: Re: [SECURITY-L] CAIS-Alerta: Cumulative Patch for Internet Explorer
To: "Daniela Regina Barbetti"
Date: Fri, 15 Feb 2002 10:52:23 -0300
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

Dear Daniela,

I thought it relevant to point out that some flaws have been found in the patches released by MS in this latest package, which means that some bugs are not fixed or are only partially fixed. For more details, please see this article:

http://www.infoguerra.com.br/infonews/viewnews.cgi?newsid1013633177,42817,/

At the end of the text there are links to the tests. I ran tests on a patched Win98 and indeed some actions that should not happen continue to happen after the patches are applied.

The original Newsbytes article, cited there, can be found at http://www.newsbytes.com/news/02/174427.html

I would also like to pass along a tip (reproduced below) about a tool to scan a network, detect SNMP and, according to the announcement, determine the protocol's level of exposure to the recently discovered flaws.

Regards,

Giordani Rodrigues
Editor, InfoGuerra
URL: http://www.infoguerra.com.br
E-mail: editor em infoguerra.com.br

Sent: Thursday, February 14, 2002 7:01 PM
Subject: Security Alert! Free SNMP tool from Foundstone.
New Foundstone Freeware Tool Offered to Combat Latest SNMP Vulnerabilities SNScan Accurately Detects Devices Using SNMP Available at Foundstone.com On February 12, 2002, CERT issued a warning regarding a vulnerability in the Simple Network Management Protocol (SNMP) that could allow an outsider to gain control of their systems. More than 200 popular products are built on the protocol. On February 13, 2002 the R&D Labs at Foundstone, Inc., the premier provider of security assessments and vulnerability protection, announced SNScan, a freeware tool developed entirely by Foundstone, to quickly and accurately detect SNMP- (Simple Network Management Protocol) enabled devices on a network. SNScan can effectively determine the level of exposure to SNMP- related vulnerabilities across any network. Once these devices have been identified, an administrator can determine whether to fix the SNMP service, disable SNMP or implement filters to restrict access. Recent SNMP vulnerabilities range from allowing host administrative access to Denial of Service (DoS) attacks. "SNMP is the main protocol used to manage network devices at large corporations. There are potentially millions of systems on the Internet and within companies that are vulnerable," said Stuart McClure, CTO of Foundstone. "SNScan is based on our flagship technology, FoundScan, known in the industry to give the most accurate information possible. Considering the number of devices vulnerable, accuracy is going to be the most important feature in combating this vulnerability." SNScan is available as a freeware tool for download from the Foundstone corporate Web site, at . To get to SNScan, click Vulnerability Alert on the right and select Scanners in the Free Tools section. For more information regarding Foundstone's FoundScan Vulnerability Management solution, visit . 
Or contact Rob Stevens at 1-877-91-FOUND

If you wish to be excluded from future Foundstone announcements, please reply to this e-mail with only the single word UNSUBSCRIBE in the subject line.

----- Original Message -----
From: "Daniela Regina Barbetti"
To:
Cc:
Sent: Friday, February 15, 2002 7:48 AM
Subject: [SECURITY-L] CAIS-Alerta: Cumulative Patch for Internet Explorer

> ----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----
>
> From: Centro de Atendimento a Incidentes de Seguranca
> Subject: CAIS-Alerta: Cumulative Patch for Internet Explorer
> To: ,
> Cc: Centro de Atendimento a Incidentes de Seguranca
> Date: Thu, 14 Feb 2002 15:31:18 -0200 (EDT)
>
> -----BEGIN PGP SIGNED MESSAGE-----
>
>
> Dear all,
>
> CAIS is forwarding the CIAC alert, CIAC Bulletin M-041 Microsoft
> Internet Explorer Cumulative Patch, concerning the alert published by
> Microsoft, Microsoft Security Bulletin MS02-005, which covers the
> identification of six vulnerabilities in Internet Explorer.
>
> One of these vulnerabilities allows the attacker to execute code
> remotely on the client system and possibly gain access to it.
>
> Note that the released patch is cumulative, that is, once installed it
> eliminates all previously published vulnerabilities affecting
> IE 5.01, 5.5 and IE 6, in addition to the six covered in this alert.
>
> Affected Systems:
>
> Windows platforms with Internet Explorer 5.01 SP2,
> 5.5 SP1 and SP2, or 6.0.
>
> Available fixes:
>
> The fix consists of applying the "11 February 2002 Cumulative Patch
> for IE", which can be obtained at:
>
> http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp
>
> More information:
>
> http://www.microsoft.com/technet/security/bulletin/ms02-005.asp
>
> CVE identifiers: CAN-2002-0022, CAN-2002-0023, CAN-2002-0024,
> CAN-2002-0025, CAN-2002-0026 and CAN-2002-0027
>
>
> CAIS strongly recommends that Windows system administrators
> update their systems.
>
>
> Sincerely,
>
>
>
> ################################################################
> #   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
> #                                                              #
> # cais em cais.rnp.br       http://www.cais.rnp.br             #
> # Tel. 019-37873300         Fax. 019-37873301                  #
> # PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
> ################################################################
>
>
> >From ciac em rumpole.ciac.org Thu Feb 14 12:14:35 2002
> Date: Tue, 12 Feb 2002 17:25:42 -0800 (PST)
> From: CIAC Mail User
> To: ciac-bulletin em rumpole.ciac.org
> Subject: CIAC Bulletin M-041 Microsoft Internet Explorer Cumulative Patch
>
> [For Public Release]
> __________________________________________________________
>
> The U.S. Department of Energy
> Computer Incident Advisory Center
> ___ __ __ _ ___
> / | /_\ /
> \___ __|__ / \ \___
> __________________________________________________________
>
> INFORMATION BULLETIN
>
> Microsoft Internet Explorer Cumulative Patch
> [Microsoft Security Bulletin MS02-005]
>
> February 12, 2002 18:00 GMT Number M-041
> ______________________________________________________________________________
> PROBLEM:       Six vulnerabilities have been found in Internet Explorer, the
>                most serious of which allows an intruder to remotely run code
>                on another user's system.
> PLATFORM:      Windows Platforms with Internet Explorer 5.01 SP2, 5.5 SP1 and
>                SP2, or 6.0.
> DAMAGE:        Depending on the vulnerability, an intruder can read or execute
>                files on a client system and possibly get remote access to the
>                system.
> SOLUTION:      Apply the 11 February 2002 Cumulative Patch for Internet
>                Explorer available on the Microsoft windowsupdate website.
> ______________________________________________________________________________
> VULNERABILITY  The risk is HIGH. Remote users can run code on a client's system
> ASSESSMENT:    and possibly get user access on that system.
> ______________________________________________________________________________
> LINKS:
>  CIAC BULLETIN:      http://www.ciac.org/ciac/bulletins/m-041.shtml
>  ORIGINAL BULLETIN:  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS02-005.asp
>  PATCHES:            http://windowsupdate.microsoft.com
> ______________________________________________________________________________
>
>
> - -+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+
> This message was posted through the FIRST mailing list server.
> Contact your team's FIRST representative to (un)subscribe,
>
> DO NOT REDISTRIBUTE BEYOND MEMBERS OF FIRST TEAMS UNLESS THE AUTHOR OF
> THIS MESSAGE GRANTS EXPRESS PERMISSION TO REDISTRIBUTE
> - -+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+#+--+
> - ------------ Output from pgp ------------
> Signature by unknown keyid: 0x6CCB7419
>
>
> ----- End forwarded message -----

From daniela em ccuec.unicamp.br Wed Feb 20 16:42:35 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Wed, 20 Feb 2002 16:42:35 -0300
Subject: [SECURITY-L] [sans@sans.org: Important Router Audit Tool and Benchmark Web Briefing]
Message-ID: <20020220194235.GA847@ccuec.unicamp.br>

----- Forwarded message from The SANS Institute -----

From: The SANS Institute
Subject: Important Router Audit Tool and Benchmark Web Briefing
To: Daniela Regina Barbetti (SD312664)
Date: Sat, 16 Feb 2002 6:55:03 -0700 (MST)

You are invited to a web briefing unveiling the ...

...second most important security announcement about Cisco routers (so far) this year!

Please forward this invitation to each of your network administrators who have responsibility for managing Cisco routers.

Date: February 20, 2002
Time: 1 PM EST (1800 UTC)

If you use Cisco Routers in your company, you won't want to miss this briefing. SANS and the Center for Internet Security bring you George Jones and the Router Audit Tool and Benchmark.

The Router Audit Tool checks security settings in the configurations of your Cisco IOS routers. It reports the problems it finds and gives each router an overall score.
It also points you to the precise methods of fixing the problems. In other words it plays the role of a top flight router security expert.

The Benchmark is based on the US National Security Agency Router Security Configuration Guide, and provides the basis for the "best practice" configuration rules and defines a minimum security baseline for all routers running IOS 11 or 12.

All who register in advance will get access to George's slides and will receive a private password to get into the web broadcast. Time for questions will also be included.

Go to http://sans.digisle.tv/audiocast_022002/brief.htm to register for this special event.

PS If you haven't tried the free SNMP self-testing tool to learn which systems may be running SNMP -- and therefore are subject to the critical vulnerability announced this week, get a description and instructions on downloading a copy by emailing snmptool em sans.org. It works on Windows but tests all kinds of devices. The current version is limited to 10,000 systems per scan.

----- End forwarded message -----

From daniela em ccuec.unicamp.br Wed Feb 20 17:05:03 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Wed, 20 Feb 2002 17:05:03 -0300
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20020220200503.GA9700@ccuec.unicamp.br>

Dear Users,

We have updated the website of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

15/02/2002:
-----------
Version 2.0: Microsoft Security Bulletin (MS02-006)
Subject: Unchecked Buffer in SNMP Service Could Enable Arbitrary Code to be Run.
http://www.security.unicamp.br/docs/bugs/2002/02/v30.txt

Mandrake Linux Security Update Advisory (MDKSA-2002:014)
Subject: multiple vulnerabilities in SNMP.
http://www.security.unicamp.br/docs/bugs/2002/02/v33.txt

Mandrake Linux Security Update Advisory (MDKSA-2002:015)
Subject: security vulnerability in the "cups" package.
http://www.security.unicamp.br/docs/bugs/2002/02/v34.txt

16/02/2002:
-----------
REVISED: Caldera International, Inc. Security Advisory (CSSA-2001-SCO.5.1)
Subject: Open UNIX, UnixWare 7, OpenServer: encrypted password disclosure.
http://www.security.unicamp.br/docs/bugs/2002/02/v35.txt

18/02/2002:
-----------
Conectiva Linux security announcement (CLA-2002:463)
Subject: Local vulnerability in the uucp package.
http://www.security.unicamp.br/docs/bugs/2002/02/v32.txt

20/02/2002:
-----------
SANS Institute: Important Router Audit Tool and Benchmark Web Briefing
http://www.security.unicamp.br/docs/bugs/2002/02/v31.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From daniela em ccuec.unicamp.br Thu Feb 21 15:23:20 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Thu, 21 Feb 2002 15:23:20 -0300
Subject: [SECURITY-L] Windows security scanner in the works
Message-ID: <20020221182319.GB7825@ccuec.unicamp.br>

----- Forwarded message from Jacomo Dimmit Boca Piccolini -----

From: Jacomo Dimmit Boca Piccolini
Subject: [S] Windows security scanner in the works
To:
Date: Thu, 21 Feb 2002 10:56:02 -0300 (EST)

News - Centro de Atendimento a Incidentes de Seguranca (CAIS/RNP)
---------------------------------------------------------------------

[source:http://news.com.com/2100-1001-841770.html?legacy=cnet&tag=pt.rss..feed.ne_8868487]

Windows security scanner in the works
By Robert Lemos
Staff Writer, CNET News.com
February 20, 2002, 6:00 PM PT

SAN JOSE, Calif.--As part of a push to regain the public trust, Microsoft plans to release a wizardlike program to help home software users and network administrators protect their computer systems from outside attack.

Called the Baseline Security Advisor, the program will scan Windows computers for unpatched programs, weak passwords and vulnerabilities in the operating system and in several Microsoft products.
"Our goal is to allow (home) users to check their own machines," said Jason Shaw, lead product manager for Microsoft. "Company administrators can also use it to check their entire network." Although Microsoft has not yet released the product, the software titan showed off an early version of the scanner at its booth at the RSA Conference 2002 here. Shaw said the program will be available for free download from Microsoft's Web site in March. The scanner is the latest move by the software giant to beef up Windows security. Microsoft was stung by a series of embarrassing flaws in 2001 that demonstrated how vulnerable some of the company's products were to outside attack. In mid-January, Chairman Bill Gates wrote a memo exhorting the company's employees to smack bugs to earn customers' trust in Microsoft software. While other companies have come out with scanners, none has the reach of Microsoft. Many other scanners are also designed to sniff out vulnerabilities in other software. "It won't matter what we do now and in the future if people don't trust computers," Craig Mundie, Microsoft vice president and chief technical officer for advanced strategies and policy, said during a Wednesday afternoon keynote address. "This is not a new initiative at the company; there has been a lot of people at it for a long time." Microsoft has trained more than 9,000 of its programmers and developers in secure coding techniques since last fall, Mundie said. The company has also had outside security consultants pick through the source code for Windows, the .Net Web services framework and .Net server. "For all of us, this cycle really has no end," Mundie said. "Programmers today are still human beings, and despite training them, it is difficult to get them to look to the future." Sometimes the effort to better secure against attack makes it difficult for software users to take full advantage of the software they receive. 
For example, Microsoft's latest operating system, Windows XP, includes the company's Web server software, IIS 5.1. Unlike past versions, the Web server is turned off by default, protecting the software user from potential security problems posed by a Web server.

The new Microsoft Baseline Security Advisor (MBSA) adds user education and an additional check for Windows users who want to ensure that their systems are up-to-date on patches from Microsoft, are using good password policy, and are aware of any insecure settings.

Unlike many vulnerability scanners, the MBSA doesn't take the role of an attacker and look for vulnerabilities. Instead, the scanner acts as an expert administrator looking for problems on the Microsoft security checklist.

The MBSA downloads a 700KB vulnerability and patch database from Microsoft that the company has created in Extensible Markup Language, or XML. XML is a popular Web standard by which businesses can easily exchange data between employees, customers, partners and suppliers.

The software giant intends to maintain the database and provide the software for free. Considering that Microsoft has a group studying the feasibility of diving headfirst into the security marketplace, a full-featured service may also be in the works.

----- End forwarded message -----

From daniela em ccuec.unicamp.br Thu Feb 21 15:09:44 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Thu, 21 Feb 2002 15:09:44 -0300
Subject: [SECURITY-L] News bulletins
Message-ID: <20020221180944.GA7825@ccuec.unicamp.br>

Dear Users,

We have updated the website of the Unicamp Systems and Network Security Team with the following news bulletins and/or electronic magazines:

15/02/2002:
-----------
The SANS Weekly Security News Overview (Vol. 4, Num. 08)
Source: SANS Institute
http://www.security.unicamp.br/docs/informativos/2002/02/b10.html

19/02/2002:
-----------
SecurityFocus.com Newsletter #132
Source: SecurityFocus.com
http://www.security.unicamp.br/docs/informativos/2002/02/b8.txt

20/02/2002:
-----------
The SANS Weekly Security News Overview (Vol. 4, Num. 08)
Source: SANS Institute
http://www.security.unicamp.br/docs/informativos/2002/02/b9.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From daniela em ccuec.unicamp.br Thu Feb 21 17:16:03 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Thu, 21 Feb 2002 17:16:03 -0300
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20020221201602.GA20125@ccuec.unicamp.br>

Dear Users,

We have updated the website of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

20/02/2002:
-----------
Microsoft Security Bulletin (MS02-007)
Subject: SQL Server Remote Data Source Function Contain Unchecked Buffers.
http://www.security.unicamp.br/docs/bugs/2002/02/v36.txt

21/02/2002:
-----------
Security Advisory FreeBSD, Inc. (FreeBSD-SA-02:12)
Subject: multiple security vulnerabilities in squid port.
http://www.security.unicamp.br/docs/bugs/2002/02/v37.txt

Squid Proxy Cache Security Update Advisory (SQUID-2002:1)
Subject: multiple security vulnerabilities in Squid-2.x up to and including 2.4.STABLE3.
http://www.security.unicamp.br/docs/bugs/2002/02/v38.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From daniela em ccuec.unicamp.br Mon Feb 25 11:24:47 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Mon, 25 Feb 2002 11:24:47 -0300
Subject: [SECURITY-L] CAIS-Alerta: Remote vulnerability in SQL Server
Message-ID: <20020225142447.GA16846@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Remote vulnerability in SQL Server
To: ,
Date: Fri, 22 Feb 2002 15:10:48 -0300 (EST)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the Microsoft alert, Microsoft Security Bulletin MS02-007, related to SQL's ability to make remote connections. The vulnerability identified allows an attacker to cause an interruption of SQL Server or even to have malicious code executed on the server.

Affected Systems:

Microsoft SQL Server 7.0
Microsoft SQL Server 2000

Available fixes:

. SQL Server 7.0: http://support.microsoft.com/support/misc/kblookup.asp?id=Q318268
. SQL Server 2000: http://support.microsoft.com/support/misc/kblookup.asp?id=Q316333

CVE identifier: CAN-2002-0056 (http://cve.mitre.org)

More information:

http://www.microsoft.com/technet/security/bulletin/MS02-007.asp

CAIS strongly recommends that Windows system administrators update their systems in view of the severity of this vulnerability.

Sincerely,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais em cais.rnp.br       http://www.cais.rnp.br             #
# Tel. 019-37873300         Fax. 019-37873301                  #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

- ----------------------------------------------------------------------
Title:      SQL Server Remote Data Source Function Contain Unchecked Buffers
Date:       20 February 2002
Software:   Microsoft SQL Server
Impact:     Run code of attacker's choice on server
Max Risk:   Moderate
Bulletin:   MS02-007

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-007.asp.
- ----------------------------------------------------------------------

Issue:
======
One of the features of Structured Query Language (SQL) in SQL Server 7.0 and 2000 is the ability to connect to remote data sources. One capability of this feature is the ability to use "ad hoc" connections to connect to remote data sources without setting up a linked server for less-often used data-sources. This is made possible through the use of OLE DB providers, which are low-level data source providers. This capability is made possible by invoking the OLE DB provider directly by name in a query to connect to the remote data source.

An unchecked buffer exists in the handling of OLE DB provider names in ad hoc connections. A buffer overrun could occur as a result and could be used to either cause the SQL Server service to fail, or to cause code to run in the security context of the SQL Server. SQL Server can be configured to run in various security contexts, and by default runs as a domain user. The precise privileges the attacker could gain would depend on the specific security context that the service runs in.

An attacker could exploit this vulnerability in one of two ways. They could attempt to load and execute a database query that calls one of the affected functions.
Conversely, if a web-site or other database front-end were configured to access and process arbitrary queries, it could be possible for an attacker to provide inputs that would cause the query to call one of the functions in question with the appropriate malformed parameters. Mitigating Factors: ==================== - The effect of exploiting the vulnerability would depend on the specific configuration of the SQL Server service. SQL Server can be configured to run in a security context chosen by the administrator. By default, this context is as a domain user. If the rule of least privilege has been followed, it would minimize the amount of damage an attacker could achieve. - Both vectors for exploiting the vulnerability could be blocked by following best practices. Specifically, untrusted users should not be able to load and execute queries of their choice on a database server. In addition, publicly accessible database queries should filter all inputs prior to processing. Risk Rating: ============ - Internet systems: Moderate - Intranet systems: Moderate - Client systems: Moderate Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-007.asp for information on obtaining this patch. - --------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. 
SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. ******************************************************************* You have received this e-mail bulletin as a result of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp. To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp. To cancel your subscription, click on the following link mailto:1_26065_2BE60FCA-5EED-4C3F-8390-E11E2B14D589_BR em Newsletters.Microsoft.com?subject=UNSUBSCRIBE to create an unsubscribe e-mail. To stop all e-mail newsletters from microsoft.com, click on the following link mailto:2_26065_2BE60FCA-5EED-4C3F-8390-E11E2B14D589_BR em Newsletters.Microsoft.com?subject=STOPMAIL to create an unsubscribe e-mail. You can manage all your Microsoft.com communication preferences from http://www.microsoft.com/misc/unsubscribe.htm For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security. 
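One way to apply the bulletin's advice that publicly accessible database queries filter all inputs, as an added example that is not part of the forwarded bulletin or Microsoft's own code: a gate that inspects a query for ad hoc connection calls and rejects provider names that are not string literals, are overlong, or are not on an allowlist. OPENROWSET and OPENDATASOURCE are the T-SQL ad hoc connection functions; the allowlist, the 64-character limit and the function names `audit_query` and `gate` are assumptions made for this example.

```python
import re

# Assumptions for this example (site policy, not values from the bulletin):
# the providers a front end may name, and an upper bound on any provider name.
ALLOWED_PROVIDERS = {"SQLOLEDB", "MSDASQL"}
MAX_PROVIDER_LEN = 64

# Both ad hoc functions take the OLE DB provider name as their first argument:
#   OPENROWSET('provider', ...)   OPENDATASOURCE('provider', ...)
# Group 3 captures the body of a quoted literal ('' is an escaped quote);
# it is None when the first argument is anything other than a string literal.
AD_HOC_CALL = re.compile(
    r"\b(OPENROWSET|OPENDATASOURCE)\s*\(\s*(N?'((?:[^']|'')*)'|[^,)]*)",
    re.IGNORECASE,
)


def audit_query(sql):
    """Return a list of (function, reason) findings for one query string.

    The check is deliberately conservative: a function name that only
    appears inside another string literal is still inspected.
    """
    findings = []
    for match in AD_HOC_CALL.finditer(sql):
        func = match.group(1).upper()
        literal = match.group(3)
        if literal is None:
            # A variable or expression cannot be vetted before execution.
            findings.append((func, "provider name is not a string literal"))
            continue
        name = literal.replace("''", "'")
        if len(name) > MAX_PROVIDER_LEN:
            findings.append(
                (func, "provider name longer than %d chars" % MAX_PROVIDER_LEN)
            )
        elif name.upper() not in ALLOWED_PROVIDERS:
            findings.append((func, "provider %r not on allowlist" % name))
    return findings


def gate(sql):
    """True if the query may be passed on to the database server."""
    return not audit_query(sql)


if __name__ == "__main__":
    # Constructed sample queries, not taken from any real log.
    samples = [
        "SELECT a.* FROM OPENROWSET('SQLOLEDB','srv';'u';'p','SELECT 1') AS a",
        "SELECT * FROM OpenDataSource(N'Evil.Provider','x').a.b.c",
        "SELECT * FROM OPENROWSET('" + "A" * 300 + "','x','y')",
    ]
    for query in samples:
        print(gate(query), audit_query(query))
```

A gate like this is defence in depth; the bulletin's first recommendation, that untrusted users cannot submit queries of their choice at all, still applies.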
- ------------ Output from pgp ------------
Good signature made 2002-02-21 00:59 GMT by key:
2048 bits, Key ID 3103F52B, Created 2000-01-22
"Microsoft Security Response Center "
WARNING: The signing key is not trusted to belong to:
Microsoft Security Response Center

----- End forwarded message -----

From daniela em ccuec.unicamp.br Mon Feb 25 11:26:58 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Mon, 25 Feb 2002 11:26:58 -0300
Subject: [SECURITY-L] CAIS-Alerta: Remote vulnerability in the XMLHTTP Control
Message-ID: <20020225142658.GB16846@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Remote vulnerability in the XMLHTTP Control
To: ,
Date: Fri, 22 Feb 2002 15:42:44 -0300 (EST)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the Microsoft alert, Microsoft Security Bulletin MS02-008, concerning a vulnerability that can be exploited remotely and allow access to local files.

Microsoft XML Core Services (MSXML) includes XMLHTTP ActiveX controls that allow web pages rendered in the browser to send and receive XML data through HTML operations such as POST, GET and PUT.

This vulnerability can be exploited as follows: if a user visits the attacker's page, he is redirected to another web page with malicious content, which may eventually allow the attacker to read confidential data from that user's system. Any social engineering technique can be used to get the user to browse the attackers' pages.

. This vulnerability can only be exploited from a website.
. It is not possible to exploit this vulnerability through HTML-formatted email.
. For the data to be read, the attacker must know in advance the name and full path of the file. However, CAIS notes that many system files are located in standard directories.
. This vulnerability does not allow files to be added, changed or removed.

Affected Systems:

. Microsoft XML Core Services versions 2.6, 3.0, and 4.0

A vulnerable version of XML Core Services is present in the following products:

. Microsoft Windows XP
. Microsoft Internet Explorer 6.0
. Microsoft SQL Server 2000

Available fixes:

Microsoft XML Core Services
http://www.microsoft.com/Windowsupdate

CVE identifier: CAN-2002-0057 (see http://cve.mitre.org)

More information:

http://www.microsoft.com/technet/security/bulletin/MS02-008.asp

CAIS strongly recommends that Windows system administrators update their systems in view of the severity of this vulnerability.

Sincerely,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais em cais.rnp.br       http://www.cais.rnp.br             #
# Tel. 019-37873300         Fax. 019-37873301                  #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

- ----------------------------------------------------------------------
Title:      XMLHTTP Control Can Allow Access to Local Files
Date:       21 February 2002
Software:   Microsoft XML Core Services
Impact:     Information disclosure
Max Risk:   Critical
Bulletin:   MS02-008

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-008.asp.
- ---------------------------------------------------------------------- Issue: ====== Microsoft XML Core Services (MSXML) includes the XMLHTTP ActiveX control, which allows web pages rendering in the browser to send or receive XML data via HTTP operations such as POST, GET, and PUT. The control provides security measures designed to restrict web pages so they can only use the control to request data from remote data sources. A flaw exists in how the XMLHTTP control applies IE security zone settings to a redirected data stream returned in response to a request for data from a web site. A vulnerability results because an attacker could seek to exploit this flaw and specify a data source that is on the user's local system. The attacker could then use this to return information from the local system to the attacker's web site. An attacker would have to entice the user to a site under his control to exploit this vulnerability. It cannot be exploited by HTML email. In addition, the attacker would have to know the full path and file name of any file he would attempt to read. Finally, this vulnerability does not give an attacker any ability to add, change or delete data. Mitigating Factors: ==================== - The vulnerability can only be exploited via a web site. It would not be possible to exploit this vulnerability via HTML mail. - The attacker would need to know the full path and file name of a file in order to read it. - The vulnerability does not provide any ability to add, change, or delete files. Risk Rating: ============ - Internet systems: Moderate - Intranet systems: Moderate - Client systems: Critical Patch Availability: =================== - A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-008.asp for information on obtaining this patch. 
- --------------------------------------------------------------------- THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY. ******************************************************************* You have received this e-mail bulletin as a result of your subscription to the Microsoft Product Security Notification Service. For more information on this service, please visit http://www.microsoft.com/technet/security/notify.asp. To verify the digital signature on this bulletin, please download our PGP key at http://www.microsoft.com/technet/security/notify.asp. To cancel your subscription, click on the following link mailto:1_26138_2BE60FCA-5EED-4C3F-8390-E11E2B14D589_BR em Newsletters.Microsoft.com?subject=UNSUBSCRIBE to create an unsubscribe e-mail. To stop all e-mail newsletters from microsoft.com, click on the following link mailto:2_26138_2BE60FCA-5EED-4C3F-8390-E11E2B14D589_BR em Newsletters.Microsoft.com?subject=STOPMAIL to create an unsubscribe e-mail. You can manage all your Microsoft.com communication preferences from http://www.microsoft.com/misc/unsubscribe.htm For security-related information about Microsoft products, please visit the Microsoft Security Advisor web site at http://www.microsoft.com/security. 
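The flaw described in the MS02-008 bulletin above comes down to applying the zone policy to the URL a page asked for rather than to the URL the redirected data actually came from. The code below is an added example, not code from the bulletin or from MSXML: it contrasts a fetcher that checks only the first URL with one that re-checks every redirect hop. The `allowed` policy, the hop limit, the host names and the `RESPONSES` table standing in for the network are all assumptions constructed for this example.

```python
from urllib.parse import urljoin, urlsplit

MAX_HOPS = 5  # assumption: refuse redirect chains longer than this

# Constructed stand-in for the network: URL -> (status, Location or body).
RESPONSES = {
    "http://feeds.example/data.xml": (200, "<items/>"),
    "http://feeds.example/old.xml": (302, "/data.xml"),
    "http://redirector.example/r": (302, "file:///C:/example/notes.txt"),
    "file:///C:/example/notes.txt": (200, "local file contents"),
}


def allowed(url):
    """Simplified policy: a web page may only pull data from remote sources."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https"):
        return False  # file: and similar schemes name the local system
    host = (parts.hostname or "").lower()
    return host not in ("", "localhost", "127.0.0.1", "::1")


def fetch(url, responses, check_every_hop):
    """Follow redirects and return (final_url, body).

    With check_every_hop=False only the URL the page asked for is vetted,
    which is the behaviour the bulletin describes as the flaw. With
    check_every_hop=True each redirect target is vetted before it is read.
    Raises PermissionError when the policy blocks a URL.
    """
    if not allowed(url):
        raise PermissionError("blocked: " + url)
    for _ in range(MAX_HOPS):
        status, value = responses[url]
        if status not in (301, 302, 303, 307):
            return url, value
        # Resolve relative Location values against the current URL.
        url = urljoin(url, value)
        if check_every_hop and not allowed(url):
            raise PermissionError("blocked redirect target: " + url)
    raise PermissionError("too many redirects")


if __name__ == "__main__":
    for start in ("http://feeds.example/old.xml", "http://redirector.example/r"):
        for strict in (False, True):
            try:
                print(start, strict, fetch(start, RESPONSES, strict))
            except PermissionError as err:
                print(start, strict, "refused:", err)
```

The policy decision belongs to the final source of the data, so any client that follows redirects on behalf of untrusted content has to re-evaluate it at each hop.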
- ------------ Output from pgp ------------
Good signature made 2002-02-22 00:26 GMT by key:
2048 bits, Key ID 3103F52B, Created 2000-01-22
"Microsoft Security Response Center "
WARNING: The signing key is not trusted to belong to:
Microsoft Security Response Center

----- End forwarded message -----

From daniela em ccuec.unicamp.br Mon Feb 25 11:49:04 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Mon, 25 Feb 2002 11:49:04 -0300
Subject: [SECURITY-L] CAIS-Alerta: VBScript flaw in Internet Explorer
Message-ID: <20020225144903.GC16846@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: VBScript flaw in Internet Explorer
To: ,
Date: Fri, 22 Feb 2002 16:04:10 -0300 (EST)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the Microsoft alert, Microsoft Security Bulletin MS02-009, concerning a VBScript flaw in IE that allows access to local files through web pages.

An attacker can try to exploit this vulnerability by building a web page with malicious HTML code. This web page can be hosted on a web server controlled by the attacker or simply sent to the user by email.

Any social engineering technique can be used to get the user to innocently visit that website or to read the e-mail with malicious content.

. The vulnerability only allows files to be read. It cannot be used to create, remove, modify or execute files.
. The vulnerability only allows an attacker to read files that can be opened by a browser, such as images, html files and text files. Word files cannot be opened.
. The attacker needs to specify the name and location of the files for them to be opened.
. The email-based attack will be prevented if the user is using any of the following products: Outlook 98 or 2000 with the Outlook Email Security Update installed; Outlook 2002; or Outlook Express 6.

Affected Systems:

. Microsoft Internet Explorer 5.01
. Microsoft Internet Explorer 5.5
. Microsoft Internet Explorer 6.0

Available fixes:

. http://www.microsoft.com/Windowsupdate

CVE identifier: CAN-2002-0052 (http://cve.mitre.org)

More information:

http://www.microsoft.com/technet/security/bulletin/MS02-009.asp

CAIS strongly recommends that Windows system administrators update their systems in view of the severity of this vulnerability.

Sincerely,

################################################################
#   CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP      #
#                                                              #
# cais em cais.rnp.br       http://www.cais.rnp.br             #
# Tel. 019-37873300         Fax. 019-37873301                  #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

- ----------------------------------------------------------------------
Title:      Incorrect VBScript Handling in IE can Allow Web Pages to Read Local Files
Date:       21 February 2002
Software:   Internet Explorer
Impact:     Information Disclosure
Max Risk:   Critical
Bulletin:   MS02-009

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-009.asp.
- - - ----------------------------------------------------------------------

Issue:
======
Frames are used in Internet Explorer to provide for a fuller browsing experience.
By design, scripts in the frame of one site or domain should be prohibited from accessing the content of frames in another site or domain. However, a flaw exists in how VBScript is handled in IE relating to validating cross-domain access. This flaw can allow scripts of one domain to access the contents of another domain in a frame.

A malicious user could exploit this vulnerability by using scripting to extract the contents of frames in other domains, then sending that content back to their web site. This would enable the attacker to view files on the user's local machine or capture the contents of third-party web sites the user visited after leaving the attacker's site. The latter scenario could, in the worst case, enable the attacker to learn personal information like user names, passwords, or credit card information.

In both cases, the user would either have to go to a site under the attacker's control or view an HTML email sent by the attacker. In addition, the attacker would have to know the exact name and location of any files on the user's system. Further, the attacker could only gain access to files that can be displayed in a browser window, such as text files, HTML files, or image files.

Mitigating Factors:
====================
- The vulnerability could only be used to view files. It could not be used to create, delete, modify or execute them.
- The vulnerability would only allow an attacker to read files that can be opened in a browser window, such as image files, HTML files and text files. Other file types, such as binary files, executable files, Word documents, and so forth, could not be read.
- The attacker would need to specify the exact name and location of the file in order to read it.
- The email-borne attack scenario would be blocked if the user were using any of the following: Outlook 98 or 2000 with the Outlook Email Security Update installed; Outlook 2002; or Outlook Express 6.

Risk Rating:
============
- Internet systems: Moderate
- Intranet systems: Moderate
- Client systems: Critical

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-009.asp for information on obtaining this patch.

Acknowledgment:
===============
- Zentai Peter Aron, Ivy Hungary Ltd (http://w3.ivy.hu/)

- - - ---------------------------------------------------------------------

- ------------ Output from pgp ------------
Good signature made 2002-02-22 00:29 GMT by key:
2048 bits, Key ID 3103F52B, Created 2000-01-22
"Microsoft Security Response Center "
WARNING: The signing key is not trusted to belong to:
Microsoft Security Response Center

----- End forwarded message -----

From daniela em ccuec.unicamp.br Mon Feb 25 11:49:42 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Mon, 25 Feb 2002 11:49:42 -0300
Subject: [SECURITY-L] CAIS-Alerta: Remote vulnerability in Microsoft Commerce Server 2000
Message-ID: <20020225144942.GD16846@ccuec.unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Remote vulnerability in Microsoft Commerce Server 2000
To: ,
Date: Fri, 22 Feb 2002 17:24:31 -0300 (EST)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the Microsoft alert, Microsoft Security Bulletin MS02-010, concerning a flaw in the ISAPI filter that can allow remote access to Microsoft Commerce Server 2000.

Commerce Server 2000 installs a .dll file with an ISAPI filter that allows the server to provide additional functionality in response to events on the server. This filter, called AuthFilter, provides support for a number of authentication methods. Commerce Server 2000 can be configured to use other authentication methods.

The vulnerability is due to a flaw in AuthFilter, which contains an unchecked buffer in a section of code that handles certain types of authentication requests. An attacker can send authentication data that can cause the Commerce Server process to fail or allow arbitrary code to be executed in the security context of the Commerce Server process. The process runs with LocalSystem privileges, which gives the attacker complete control of the server.

Affected systems:

. Microsoft Commerce Server 2000

Available fixes:

. Microsoft Commerce Server 2000
  http://www.microsoft.com/Downloads/Release.asp?ReleaseID=36683

More information:

http://www.microsoft.com/technet/security/bulletin/MS02-010.asp

CVE identifier: CAN-2002-0050 (http://cve.mitre.org)

CAIS strongly recommends that administrators of Windows systems update their systems, given the severity of this vulnerability.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA / RNP        #
#                                                              #
# cais em cais.rnp.br       http://www.cais.rnp.br             #
# Tel. 019-37873300         Fax. 019-37873301                  #
# PGP key available at: http://www.cais.rnp.br/cais-pgp.key    #
################################################################

- ----------------------------------------------------------------------
Title:      Unchecked Buffer in ISAPI Filter Could Allow Commerce Server Compromise
Date:       21 February 2002
Software:   Commerce Server 2000
Impact:     Run code of attacker's choice.
Max Risk:   Critical
Bulletin:   MS02-010

Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS02-010.asp.
- ----------------------------------------------------------------------

Issue:
======
By default, Commerce Server 2000 installs a .dll with an ISAPI filter that allows the server to provide extended functionality in response to events on the server. This filter, called AuthFilter, provides support for a variety of authentication methods. Commerce Server 2000 can also be configured to use other authentication methods.

A security vulnerability results because AuthFilter contains an unchecked buffer in a section of code that handles certain types of authentication requests. An attacker who provided authentication data that overran the buffer could cause the Commerce Server process to fail, or could run code in the security context of the Commerce Server process. The process runs with LocalSystem privileges, so exploiting the vulnerability would give the attacker complete control of the server.

Mitigating Factors:
====================
- Although Commerce Server 2000 does rely on IIS for its base web services, the AuthFilter ISAPI filter is only available as part of Commerce Server. Customers using IIS are at no risk from this vulnerability.
- The URLScan tool, if deployed using the default ruleset for Commerce Server, would make it difficult if not impossible for an attacker to exploit the vulnerability to run code, by significantly limiting the types of data that could be included in an URL. It would, however, still be possible to conduct denial of service attacks.
- An attacker's ability to extend control from a compromised web server to other machines would depend heavily on the specific configuration of the network.
Best practices recommend that the network architecture account for the inherent high-risk that machines in an uncontrolled environment, like the Internet, face by minimizing overall exposure through measures like DMZ's, operating with minimal services and isolating contact with internal networks. Steps like this can limit overall exposure and impede an attacker's ability to broaden the scope of a possible compromise.
- While the ISAPI filter is installed by default, it is not loaded on any web site by default. It must be enabled through the Commerce Server Administration Console in the Microsoft Management Console (MMC).

Risk Rating:
============
- Internet systems: Critical
- Intranet systems: Critical
- Client systems: None

Patch Availability:
===================
- A patch is available to fix this vulnerability. Please read the Security Bulletin at http://www.microsoft.com/technet/security/bulletin/ms02-010.asp for information on obtaining this patch.

- ---------------------------------------------------------------------

- ------------ Output from pgp ------------
Good signature made 2002-02-22 00:30 GMT by key:
2048 bits, Key ID 3103F52B, Created 2000-01-22
"Microsoft Security Response Center "
WARNING: The signing key is not trusted to belong to:
Microsoft Security Response Center

----- End forwarded message -----

From daniela em ccuec.unicamp.br Mon Feb 25 16:09:17 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Mon, 25 Feb 2002 16:09:17 -0300
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20020225190917.GA2999@ccuec.unicamp.br>

Dear users,

We have updated the website of the Unicamp Systems and Network Security Team (Equipe de Seguranca em Sistemas e Redes da Unicamp) with the following vulnerability bulletins:

19/02/2002:
-----------
Red Hat, Inc.
Red Hat Security Advisory (RHSA-2002:020-05)
Subject: security vulnerability in the "ncurses4" package.
http://www.security.unicamp.br/docs/bugs/2002/02/v49.txt

21/02/2002:
-----------
Microsoft Security Bulletin (MS02-008)
Subject: XMLHTTP Control Can Allow Access to Local Files.
http://www.security.unicamp.br/docs/bugs/2002/02/v39.txt

Microsoft Security Bulletin (MS02-009)
Subject: Incorrect VBScript Handling in IE can Allow Web Pages to Read Local Files.
http://www.security.unicamp.br/docs/bugs/2002/02/v40.txt

Microsoft Security Bulletin (MS02-010)
Subject: Unchecked Buffer in ISAPI Filter Could Allow Commerce Server Compromise.
http://www.security.unicamp.br/docs/bugs/2002/02/v41.txt

Caldera International, Inc. Security Advisory (CSSA-2002-004.0)
Subject: Linux - Various security problems in ucd-snmp.
http://www.security.unicamp.br/docs/bugs/2002/02/v48.txt

22/02/2002:
-----------
CAIS-Alerta: Remote vulnerability in SQL Server
http://www.security.unicamp.br/docs/bugs/2002/02/v42.txt

CAIS-Alerta: Remote vulnerability in the XMLHTTP Control
http://www.security.unicamp.br/docs/bugs/2002/02/v43.txt

CAIS-Alerta: VBScript flaw in Internet Explorer
http://www.security.unicamp.br/docs/bugs/2002/02/v44.txt

CAIS-PUB: SANS/FBI Top 20 in Portuguese
http://www.security.unicamp.br/docs/bugs/2002/02/v45.txt

CAIS-Alerta: Remote vulnerability in Microsoft Commerce Server 2000
http://www.security.unicamp.br/docs/bugs/2002/02/v46.txt

Caldera International, Inc. Security Advisory (CSSA-2002-004.0)
Subject: Linux - Various security problems in ucd-snmp.
http://www.security.unicamp.br/docs/bugs/2002/02/v47.txt

Trustix Secure Linux Bugfix Advisory #2002-0031
Subject: security vulnerability in squid.
http://www.security.unicamp.br/docs/bugs/2002/02/v50.txt

25/02/2002:
-----------
CAIS-Alerta: Multiple vulnerabilities in SQUID
http://www.security.unicamp.br/docs/bugs/2002/02/v51.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From daniela em ccuec.unicamp.br Tue Feb 26 11:29:26 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Tue, 26 Feb 2002 11:29:26 -0300
Subject: [SECURITY-L] CAIS News: OIS to create standards for web security
Message-ID: <20020226142926.GC9015@ccuec.unicamp.br>

----- Forwarded message from Jacomo Dimmit Boca Piccolini -----

From: Jacomo Dimmit Boca Piccolini
Subject: [S] CAIS News: OIS to create standards for web security
To:
Date: Tue, 26 Feb 2002 08:18:07 -0300 (EST)

News - Centro de Atendimento a Incidentes de Seguranca (CAIS/RNP)
---------------------------------------------------------------------
[source: http://www2.uol.com.br/info/aberto/infonews/022002/25022002-19.shl]

OIS to create standards for web security

Monday, February 25, 2002 - 17:39

SÃO JOSÉ (Reuters) - Some of the largest technology companies have come together to form the Organization for Internet Security (OIS). The organization intends to establish the standard procedures that specialists should follow when alerting companies and users to security flaws and viruses.

The initiative came from companies such as Microsoft, which complains that security specialists do not give companies enough time to fix flaws before making the problem public. On the other side, the specialists say that corporations take too long to act on security problems, and that making the problem public is a way of protecting users.

Viruses such as Nimda and Code Red, which attacked servers running Microsoft systems, caused losses of about 12 billion dollars last year, according to Computer Economics, an independent security research firm.

Besides Microsoft, the OIS members are: IBM, Oracle, HP, Sun Microsystems, Compaq Computer, Silicon Graphics, Cisco Systems, Symantec, Network Associates, Internet Security Systems, BindView, Foundstone, Guardent and AtStake. A spokesperson for the group said that OIS membership has not been finalized.

In addition to formalizing the alliance, a group of network managers will be formed to define the standards for cases of security flaws. Last Wednesday, a proposal was submitted to the Internet Engineering Task Force by MITRE and AtStake. Under the proposal, companies would have 10 days to respond to security alerts and 30 days to resolve the problem.

The alliance is being formed at a time when Microsoft is trying to improve its image of vulnerability with regard to security, since its products are the ones that show the most flaws. In January, Bill Gates, the company's chairman, sent a memo to Microsoft's 47,000 employees asking that security be given priority, coining a new term, Trustworthy Computing, which he says is fundamental to the success of the .NET strategy of integrated Internet services.

The company acknowledges that its security problems are frequent, but says that the popularity of its products makes them a target for hackers. The company also tends to argue that there is an unavoidable choice between producing highly secure software and producing a program that is easy to use.

----- End forwarded message -----

From daniela em ccuec.unicamp.br Tue Feb 26 11:26:30 2002
From: daniela em ccuec.unicamp.br (Daniela Regina Barbetti)
Date: Tue, 26 Feb 2002 11:26:30 -0300
Subject: [SECURITY-L] CAIS News: 'Smart' spam can be used in DoS attacks
Message-ID: <20020226142630.GB9015@ccuec.unicamp.br>

----- Forwarded message from Jacomo Dimmit Boca Piccolini -----

From: Jacomo Dimmit Boca Piccolini
Subject: [S] CAIS News: 'Smart' spam can be used in DoS attacks
To:
Date: Mon, 25 Feb 2002 17:43:08 -0300 (EST)

News - Centro de Atendimento a Incidentes de Seguranca (CAIS/RNP)
---------------------------------------------------------------------
[source: http://www.terra.com.br/informatica/2002/02/25/013.htm]

'Smart' spam can be used in DoS attacks

Monday, February 25, 2002, 16:22

Can the unsolicited advertisements (spam) that arrive in mailboxes every day be considered merely a nuisance? Ask the users of the WorldNet service, which belongs to telecommunications giant AT&T.

A spam attack went as far as interrupting e-mail delivery for thousands of US users of the WorldNet service early this week. At the time, the company tried to fight a veritable flood of marketing messages addressed to its customers, MSNBC reported.

"It is a sign of the times," said Brightmail Inc., a company specializing in e-mail filtering. According to the company, the volume of junk mail has taken off over the last 12 months and now represents 20% of all e-mail travelling across the Internet.

AT&T's e-mail service was interrupted on Monday and Tuesday, according to company spokeswoman Janet Wyles. Some users complained that e-mails were taking more than a full day to reach their destination, but Wyles gave assurances that no e-mail was lost and that the service has already returned to normal.

AT&T uses Brightmail's services to trap spam with special filters, which prevent junk mail from reaching the mailboxes of WorldNet users. According to Brightmail spokesman Francois Lavaste, an unidentified marketer overloaded the filtering system with messages, slowing down the delivery of all messages.

"This act was the side effect of a merely stopgap fight against the practice of spam," he said. "It proved that spam can also be used in attacks, such as Denial of Service (DoS)."

The incident is only the latest chapter in the cat-and-mouse game between Internet providers and online marketers. But this week's events appear to have raised the stakes. Lavaste said he cannot recall another case in which a large provider had its services interrupted for a day or more because of spam.

"Spam attacks are on the rise, with an increase of about 46% since November. Brightmail estimates that, a year ago, unsolicited messages accounted for about 10% of all e-mail. That figure now stands at 20%. And we have examples of companies or providers where more than 60% of message traffic is made up of spam," he said.

But Brightmail is not a lone voice in suggesting that the flow of spam is increasing. Bill Campbell, who runs the Internet provider Celestial Software, has noticed a dramatic increase in unsolicited messages, mainly those sent or relayed through computers located in Asia.

Jim Gregory, services and security manager at Slingshot Communications Inc., said that the time they spend hunting spammers, individuals who degrade Internet access, could be better used to improve the quality of the services provided to customers.

Tom Geller, executive director of the SpamCon Foundation, believes that spammers are getting smarter.
For example, in a new form of attack, unsolicited messages that were initially ignored or discarded by providers have been programmed to "mutate" and try again. The messages repeatedly change the e-mail address until they manage to reach a valid name. "They keep trying thousands and millions of times," he said. "I will not be surprised if we continue to see more of these things."

While Lavaste notes that slowdowns in e-mail delivery resulting from spam are not that common for large providers, Geller believes that smaller companies and providers have been dealing with this problem for years. "It is probably more common than it seems," Geller said.

In some cases, spam directed at the users of a particular provider overloads the mail server. In other cases, spammers forge the sender address. As a result, rejected messages are sent back to the consumer who was innocently trying to be removed from the list. A flood of rejected messages can also damage a mail server.

"Every Internet service provider is going through this situation," Geller concluded.

----- End forwarded message -----
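
The address-guessing behaviour described in the article above (messages that keep changing the recipient until one name is accepted) leaves a recognisable trace in a mail server's recipient log: one client, many distinct refused recipients, in a short time. The following Python detection is an added example, not part of the forwarded article; the log line format, the addresses, the client IPs and the thresholds are all constructed assumptions.

```python
"""Flag SMTP clients that walk through guessed recipient names."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log. The line format is an assumption for this example,
# not the format of any particular mail server.
SAMPLE_LOG = """\
2002-02-25T09:00:00 client=192.0.2.44 rcpt=<old1@example.net> status=550
2002-02-25T09:30:00 client=192.0.2.44 rcpt=<old2@example.net> status=550
2002-02-25T10:00:00 client=192.0.2.44 rcpt=<old3@example.net> status=550
2002-02-25T10:30:00 client=192.0.2.44 rcpt=<old4@example.net> status=550
2002-02-25T11:00:00 client=192.0.2.44 rcpt=<old5@example.net> status=550
2002-02-25T16:00:01 client=203.0.113.7 rcpt=<adam@example.net> status=550
2002-02-25T16:00:02 client=203.0.113.7 rcpt=<adams@example.net> status=550
2002-02-25T16:00:03 client=203.0.113.7 rcpt=<adamson@example.net> status=550
2002-02-25T16:00:03 client=198.51.100.20 rcpt=<helpdesk@example.net> status=250
2002-02-25T16:00:04 client=203.0.113.7 rcpt=<addison@example.net> status=550
2002-02-25T16:00:05 client=203.0.113.7 rcpt=<adele@example.net> status=550
2002-02-25T16:00:06 client=203.0.113.7 rcpt=<adrian@example.net> status=550
2002-02-25T16:00:07 client=203.0.113.7 rcpt=<adriana@example.net> status=250
2002-02-25T16:01:10 client=198.51.100.20 rcpt=<hepldesk@example.net> status=550
2002-02-25T16:02:00 client=198.51.100.20 rcpt=<sales@example.net> status=250
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) client=(?P<client>\S+) "
    r"rcpt=<(?P<rcpt>[^>]+)> status=(?P<status>\d{3})$"
)
REJECTED = 550   # SMTP reply code: mailbox unavailable
ACCEPTED = 250   # SMTP reply code: requested action completed


def parse(log_text):
    """Yield (timestamp, client, recipient, status); skip malformed lines."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%S")
            yield ts, m["client"], m["rcpt"].lower(), int(m["status"])


def find_harvesters(events, window=timedelta(minutes=5),
                    min_unknown=5, min_reject_ratio=0.8):
    """Return {client: refused addresses} for clients that, inside one
    sliding window, were refused for at least `min_unknown` distinct
    recipients while at least `min_reject_ratio` of their attempts failed."""
    recent = defaultdict(deque)          # client -> (ts, rcpt, was_rejected)
    flagged = defaultdict(set)
    for ts, client, rcpt, status in sorted(events):
        q = recent[client]
        q.append((ts, rcpt, status == REJECTED))
        while ts - q[0][0] > window:     # drop attempts older than the window
            q.popleft()
        unknown = {r for _, r, rejected in q if rejected}
        ratio = sum(1 for _, _, rejected in q if rejected) / len(q)
        if len(unknown) >= min_unknown and ratio >= min_reject_ratio:
            flagged[client] |= unknown
    return {c: sorted(a) for c, a in flagged.items()}


def confirmed_for(events, clients):
    """Addresses a flagged client had accepted: names its guessing has
    confirmed as valid, and which should expect more unsolicited mail."""
    hits = defaultdict(set)
    for _, client, rcpt, status in events:
        if client in clients and status == ACCEPTED:
            hits[client].add(rcpt)
    return {c: sorted(a) for c, a in hits.items()}


if __name__ == "__main__":
    events = list(parse(SAMPLE_LOG))
    flagged = find_harvesters(events)
    for client, guesses in flagged.items():
        print(client, "guessed", len(guesses), "unknown recipients")
    print("confirmed valid:", confirmed_for(events, flagged))
```

The slow sender (192.0.2.44, stale list addresses spread over hours) and the sender with a single typo stay below the thresholds; only the rapid guesser is flagged, which is the case where rate limiting or delaying refusals per client is worth applying.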