From security em unicamp.br Tue Jan 6 09:17:42 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 6 Jan 2004 09:17:42 -0200
Subject: [SECURITY-L] PostgreSQL 7.4.1 released
Message-ID: <20040106111742.GA85443@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: PostgreSQL 7.4.1 released
To: security em unicamp.br
Date: Mon, 5 Jan 2004 09:15:58 -0300 (ART)

PostgreSQL 7.4.1 released

Four weeks after the release of version 7.4 of the PostgreSQL DBMS, as always happens, several bugs were identified. Version 7.4.1 was released precisely to fix the bugs identified over those last four weeks. Upgrading is recommended.

IT managers and administrators should consider the following question: which commercial equivalent of PostgreSQL fixes bugs at this speed?

More information at: http://www.postgresql.org/

Source: NoticiasLinux.com.br

______________________________________________________________________
Check out Yahoo! Mail's new anti-spam information center: http://www.yahoo.com.br/antispam

----- End forwarded message -----

From security em unicamp.br Tue Jan 6 09:19:27 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 6 Jan 2004 09:19:27 -0200
Subject: [SECURITY-L] Virus re-sends itself every five minutes over MSN Messenger
Message-ID: <20040106111926.GB85443@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: Virus re-sends itself every five minutes over MSN Messenger
To: security em unicamp.br
Date: Mon, 5 Jan 2004 12:08:28 -0300 (ART)

02/01/2004 - 16h47

Virus re-sends itself every five minutes over MSN Messenger
from Folha Online
http://www1.folha.uol.com.br/folha/informatica/ult124u14855.shtml

The new W32/Jitux.A virus attacks computers connected to the MSN Messenger network, Microsoft's instant messaging software.
The pest arrives through the chat application as a link to a web page. Once executed, Jitux installs the file Jituxramon.exe, which takes care of spreading the pest every five minutes through messages to all of the MSN Messenger contacts.

According to the antivirus company Panda Software, the virus has no destructive effects and does not change system settings. The pest is written in Visual Basic and runs on Windows 95, 98, Me, NT, 2000 and XP.

Instant messaging

Jitux.A is not the first virus written specifically to spread over instant messaging networks. Security experts have been warning for some time that instant messaging networks will be the main target of virus writers, mainly because of their growing popularity among Internet users.

A report recently published by Symantec indicates that 19 of the 50 most active viruses during the first half of 2003 targeted instant messaging technologies and P2P (peer-to-peer) networks, used for exchanging and sharing files. That figure is 400% higher than the one recorded in the same period of 2002.

With international agencies

----- End forwarded message -----

From security em unicamp.br Tue Jan 6 09:20:33 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 6 Jan 2004 09:20:33 -0200
Subject: [SECURITY-L] New vulnerability affecting kernels 2.2, 2.4 and 2.6
Message-ID: <20040106112033.GC85443@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: New vulnerability affecting kernels 2.2, 2.4 and 2.6
To: security em unicamp.br
Date: Mon, 5 Jan 2004 12:11:41 -0300 (ART)

New vulnerability affecting kernels 2.2, 2.4 and 2.6
Posted on: Monday, January 05 @ 11:21:10 EDT

A new vulnerability affecting versions 2.2, 2.4 and 2.6 of the Linux kernel was announced by Paul Starzetz and Wojciech Purczynski... The vulnerability is related to memory management by the mremap(2) system call... Although not trivial, exploitation can lead to local privilege escalation or to execution of arbitrary commands... Some distributions are already releasing updates... Read the full advisory below...

Synopsis:  Linux kernel do_mremap local privilege escalation vulnerability
Product:   Linux kernel
Version:   2.2, 2.4 and 2.6 series
Vendor:    http://www.kernel.org/
URL:       http://isec.pl/vulnerabilities/isec-0012-mremap.txt
CVE:       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CAN-2003-0985
Author:    Paul Starzetz, Wojciech Purczynski
Date:      January 5, 2004

Issue:
======

A critical security vulnerability has been found in the Linux kernel memory management code in mremap(2) system call due to incorrect bound checks.

Details:
========

The mremap system call provides functionality of resizing (shrinking or growing) as well as moving across process's addressable space of existing virtual memory areas (VMAs) or any of its parts. A typical VMA covers at least one memory page (which is exactly 4kB on the i386 architecture).
An incorrect bound check discovered inside the do_mremap() kernel code performing remapping of a virtual memory area may lead to creation of a virtual memory area of 0 bytes length. The problem bases on the general mremap flaw that remapping of 2 pages from inside a VMA creates a memory hole of only one page in length but an additional VMA of two pages. In the case of a zero sized remapping request no VMA hole is created but an additional VMA descriptor of 0 bytes in length is created. Such a malicious virtual memory area may disrupt the operation of other parts of the kernel memory management subroutines finally leading to unexpected behavior.

A typical process's memory layout showing invalid VMA created with mremap system call:

    08048000-0804c000 r-xp 00000000 03:05 959142     /tmp/test
    0804c000-0804d000 rw-p 00003000 03:05 959142     /tmp/test
    0804d000-0804e000 rwxp 00000000 00:00 0
    40000000-40014000 r-xp 00000000 03:05 1544523    /lib/ld-2.3.2.so
    40014000-40015000 rw-p 00013000 03:05 1544523    /lib/ld-2.3.2.so
    40015000-40016000 rw-p 00000000 00:00 0
    4002c000-40158000 r-xp 00000000 03:05 1544529    /lib/libc.so.6
    40158000-4015d000 rw-p 0012b000 03:05 1544529    /lib/libc.so.6
    4015d000-4015f000 rw-p 00000000 00:00 0
[*] 60000000-60000000 rwxp 00000000 00:00 0
    bfffe000-c0000000 rwxp fffff000 00:00 0

The broken VMA in the above example has been marked with a [*].

Impact:
=======

Since no special privileges are required to use the mremap(2) system call any process may misuse its unexpected behavior to disrupt the kernel memory management subsystem. Proper exploitation of this vulnerability may lead to local privilege escalation including execution of arbitrary code with kernel level access. Proof-of-concept exploit code has been created and successfully tested giving UID 0 shell on vulnerable systems.

The exploitability of the discovered vulnerability is possible, although not a trivial one. We have identified at least two different attack vectors for the 2.4 kernel series.
All users are encouraged to patch all vulnerable systems as soon as appropriate vendor patches are released.

Credits:
========

Paul Starzetz has identified the vulnerability and performed further research.

COPYING, DISTRIBUTION, AND MODIFICATION OF INFORMATION PRESENTED HERE IS ALLOWED ONLY WITH EXPRESS PERMISSION OF ONE OF THE AUTHORS.

Disclaimer:
===========

This document and all the information it contains are provided "as is", for educational purposes only, without warranty of any kind, whether express or implied.

The authors reserve the right not to be responsible for the topicality, correctness, completeness or quality of the information provided in this document. Liability claims regarding damage caused by the use of any information provided, including any kind of information which is incomplete or incorrect, will therefore be rejected.

- --
Paul Starzetz
iSEC Security Research
http://isec.pl/

Source: http://www.linuxsecurity.com.br/article.php?sid=8150&mode=thread&order=0

----- End forwarded message -----

From security em unicamp.br Tue Jan 6 09:21:28 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 6 Jan 2004 09:21:28 -0200
Subject: [SECURITY-L] Snort 2.1.0 released
Message-ID: <20040106112123.GD85443@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: Snort 2.1.0 released
To: security em unicamp.br
Date: Mon, 5 Jan 2004 12:14:09 -0300 (ART)

Snort 2.1.0 released
Posted on: Monday, January 05 @ 10:38:49 EDT

A new version of Snort was recently announced, fixing some problems in 2.0.6 and introducing new features such as a new portscan detector, a new http preprocessor, PCRE (Perl Compatible Regular Expressions) and various other novelties...
Site: http://www.snort.org
Download: http://www.snort.org/dl/snort-2.1.0.tar.gz

Source: http://www.linuxsecurity.com.br/article.php?sid=8145&mode=thread&order=0

----- End forwarded message -----

From security em unicamp.br Tue Jan 6 09:22:59 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 6 Jan 2004 09:22:59 -0200
Subject: [SECURITY-L] Scammers attack Banco do Brasil customers
Message-ID: <20040106112259.GE85443@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: Scammers attack Banco do Brasil customers
To: security em unicamp.br
Date: Mon, 5 Jan 2004 14:55:37 -0300 (ART)

Monday, January 5, 2004, 14h00

Scammers attack Banco do Brasil customers
http://informatica.terra.com.br/interna/0,,OI247285-EI2403,00.html

Banco do Brasil customers thought they would start 2004 with seemingly pleasant news: they would be entitled to insurance prizes, and only had to provide their checking account number and password to guarantee receiving them. In reality, it is yet another scam by cybercriminals.

In a notice to its users, Banco do Brasil said that it has been the victim of many Internet scams, according to Globo News. The institution therefore asks customers to check their accounts for any unknown changes or transactions. In case of doubt, or on finding strange transactions, the customer should call 0800-610500 and report it to the bank.

----- End forwarded message -----
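Added here as a worked example for the iSEC mremap advisory forwarded two messages above (this is not code from the advisory, from iSEC, or from any list message): a Python check that parses /proc/<pid>/maps listings in the format the advisory reproduces and flags zero-length VMAs like its [*] line, since a healthy VMA always spans at least one 4 kB page. The sample listing is constructed from the advisory's layout; scan_maps_file is an assumed helper for reading a live maps file on Linux.

```python
"""Flag zero-length VMAs in /proc/<pid>/maps output.

Added example, not code from the iSEC advisory or the mailing list: parses
the maps format reproduced in the advisory and reports any region whose
start address equals its end address, like the [*] line 60000000-60000000.
"""
import re
from typing import List, NamedTuple, Optional

# One maps line: start-end perms offset major:minor inode [path]
_MAPS_RE = re.compile(
    r"^(?P<start>[0-9a-f]+)-(?P<end>[0-9a-f]+)\s+"
    r"(?P<perms>[rwxsp-]{4})\s+"
    r"(?P<offset>[0-9a-f]+)\s+"
    r"(?P<dev>[0-9a-f]+:[0-9a-f]+)\s+"
    r"(?P<inode>\d+)\s*"
    r"(?P<path>.*)$"
)

PAGE_SIZE = 4096  # i386 page size, as the advisory states


class Vma(NamedTuple):
    start: int
    end: int
    perms: str
    offset: int
    dev: str
    inode: int
    path: str

    @property
    def length(self) -> int:
        return self.end - self.start


def parse_maps_line(line: str) -> Optional[Vma]:
    """Parse one maps line; return None for lines that are not VMAs."""
    text = line.strip()
    if text.startswith("[*]"):  # marker used in the advisory's listing
        text = text[3:].strip()
    m = _MAPS_RE.match(text)
    if m is None:
        return None
    return Vma(int(m["start"], 16), int(m["end"], 16), m["perms"],
               int(m["offset"], 16), m["dev"], int(m["inode"]),
               m["path"].strip())


def parse_maps(text: str) -> List[Vma]:
    """Parse a whole maps listing, skipping blank or unparseable lines."""
    vmas = []
    for line in text.splitlines():
        vma = parse_maps_line(line)
        if vma is not None:
            vmas.append(vma)
    return vmas


def find_zero_length_vmas(vmas: List[Vma]) -> List[Vma]:
    """A sane VMA covers at least one page; end == start is the broken case."""
    return [v for v in vmas if v.length == 0]


def find_misaligned_vmas(vmas: List[Vma]) -> List[Vma]:
    """Second sanity check: VMA boundaries must fall on page boundaries."""
    return [v for v in vmas if v.start % PAGE_SIZE or v.end % PAGE_SIZE]


def scan_maps_file(path: str = "/proc/self/maps") -> List[Vma]:
    """Assumed helper: read a live maps file (Linux only), return bad VMAs."""
    with open(path, "r", encoding="ascii") as fh:
        return find_zero_length_vmas(parse_maps(fh.read()))


# Constructed sample: the layout printed in the advisory, [*] marker included.
SAMPLE_MAPS = """\
08048000-0804c000 r-xp 00000000 03:05 959142     /tmp/test
0804c000-0804d000 rw-p 00003000 03:05 959142     /tmp/test
0804d000-0804e000 rwxp 00000000 00:00 0
40000000-40014000 r-xp 00000000 03:05 1544523    /lib/ld-2.3.2.so
40014000-40015000 rw-p 00013000 03:05 1544523    /lib/ld-2.3.2.so
40015000-40016000 rw-p 00000000 00:00 0
4002c000-40158000 r-xp 00000000 03:05 1544529    /lib/libc.so.6
40158000-4015d000 rw-p 0012b000 03:05 1544529    /lib/libc.so.6
4015d000-4015f000 rw-p 00000000 00:00 0
[*] 60000000-60000000 rwxp 00000000 00:00 0
bfffe000-c0000000 rwxp fffff000 00:00 0
"""


def report(text: str) -> str:
    """Summary of a listing, returned (not printed) so callers can check it."""
    vmas = parse_maps(text)
    bad = find_zero_length_vmas(vmas)
    lines = [f"{v.start:08x}-{v.end:08x} {v.perms} zero-length VMA" for v in bad]
    lines.append(f"{len(vmas)} VMAs parsed, {len(bad)} zero-length")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_MAPS))
```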
From security em unicamp.br Tue Jan 6 09:42:05 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 6 Jan 2004 09:42:05 -0200
Subject: [SECURITY-L] Security predictions for 2004
Message-ID: <20040106114205.GF85443@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: Security predictions for 2004
To: security em unicamp.br
Date: Mon, 5 Jan 2004 16:59:06 -0300 (ART)

Security predictions for 2004
Peter H. Gregory, Computerworld (USA)
05/01/2004 15:46
http://pcworld.terra.com.br/AdPortalV3/adCmsDocumentoShow.aspx?documento=8204923&Area=975000

In 2004, information security professionals will deal with the dark side of human behavior, but companies will also tighten control over their networks and computing infrastructures, mainly the systems aimed at end users. Below are some predictions about what to expect for information security in 2004.

R.a.n,d.0,m p,u..n.c.t.u.a,t.i.0.n

The pests who send spam are getting more creative at getting past anti-spam filters. With r.a.n,d.0,m p,u..n.c.t.u.a,t.i.0.n techniques (oops, random punctuation), it becomes almost impossible to block unwanted e-mail by filtering on keywords. To complicate things, spammers send messages as images with no text legible to the anti-spam filter. Besides that, they send spam in encoded formats, such as Base64, to try to fool keyword filters, and use IP addresses with no associated domain names. All of this together is a challenge for anti-spam software vendors and a frustration for users. Many organizations suffer the problem directly, with lost productivity and processing costs related to spam. As a consequence, technology and security managers are the ones tasked with solving the problem in corporations, since it is a matter related to content management.
Internet access filters

Speaking of productivity, large corporations are starting to deal with managing and filtering their employees' Web access, based on three justifications: productivity, security and legal liability (since lawsuits are starting to appear for sexual harassment from employees who came across office colleagues viewing pornography at work).

Desktop management

Corporations are starting to limit the ability to install software and make other changes to the configuration of their computers. Windows 2000 has this capability, but thanks to the use of Windows 95 and 98, users are used to being the "owners" of their computers and notebooks, able to change system settings and install, update or remove software. Although unpopular, it is a way for the technology team to take control of the computing environment. And what does this have to do with security? Freedom, even if controlled, can bring vulnerabilities, and changes can bring problems like viruses and worms to the desktop.

Personal firewalls

Thanks to Blaster, Nachi and other worms, personal firewall software is finally reaching the end user's computer. Corporate laptops too, since, when unprotected, they can be contaminated over employees' home connections. Senior managers who want to keep their jobs by avoiding a repeat of 2003 are funding the development of special firewalls for companies. Now let's hope the programs block what is necessary and keep the computer working.

Metadata leakage

Tools that modify metadata (change the history, hide text and erase information, internal memos and everything else) will see very extensive use. In 2004 or 2005, Microsoft will complement its software - such as Word, Excel, PowerPoint - with an advanced modification function.
USB flash drives

One or more large companies will try to ban the use of USB flash drives on their premises, arguing that unscrupulous employees are using the devices to steal information. The result will be negative, embarrassing publicity for a policy that is simply ineffective. In fact, this is a problem for companies. Many will start to understand that the problem is not in the technology but in the people!

Breaking Wi-Fi

There will be at least one well-publicized break-in to a large company's Wi-Fi network. The cause of the attack could be either a network that the technology team had protected, but only weakly, or rogue access points installed without authorization by some employee. The incident will thus shine a light on a still much-neglected issue, vulnerability, and force companies to do something.

Bluetooth

The same people who hack computers, send spam, build Wi-Fi antennas out of Pringles potato-chip cans and drive badly will discover Bluetooth and start experimenting with the technology's features. The negative publicity will send Bluetooth back to the drawing board. Does any of this sound familiar? Will hackers manage to build long-range Bluetooth antennas out of lipstick tubes? And what will hacked Bluetooth be called? "Bluejacking"? Why would anyone carry out such acts just a few meters from their potential victim? People with lots of free time will certainly find some answers to these questions, you can be sure.

Hacking cell phones

Phones are increasingly small wireless data terminals with very lightweight operating systems. We are building another monoculture, this time in nearly free devices that, in a few years, will outnumber PCs. Perhaps in 2004 we will see more code attacks than in other years.

Instant messaging incidents

Instant messaging services provided by America Online, MSN and Yahoo! have come to be widely used inside large companies, whose IT departments may not know the extent of instant messaging use and may not be able to stop it. In most cases, those responsible have no centralized control over what goes into the messages. But the biggest concern is precisely the fact that the messages are going back and forth over the Internet without any encryption. Any code-breaker can clearly see all the messages exchanged. I imagine there will be at least one major, widely reported incident in which a hacker publishes a large company's confidential information exchanged via instant messaging.

Organized defense

The FBI and the US Secret Service have made tremendous advances in their abilities to track and arrest cybercriminals. Partnerships between public and private entities, such as InfraGard, will speed up that evolution. Those on the good side of security have a strong interest in these efforts succeeding.

Organized crime

We are already seeing situations like this in Eastern Europe, South America and Southeast Asia: gangs of hackers extort money from webmasters and Internet providers who are unable to defend themselves from heavy attacks. Unfortunately, we are certain there will be an increase in this kind of activity. Hacking people and services while demanding "protection money" and other kinds of digital rackets will become big business in the new year, alongside drug trafficking and credit card fraud. Some day, in 2004 or later, we will see standard language and decisions incorporated into many treaties between countries seeking to identify and arrest cybercriminals. Today it is very easy for these individuals to hide in countries that do not have legislation ready to convict them.
Shorter time to exploit

This is a term that refers to the amount of time (formerly measured in four-month periods and today in days and hours) that hackers need to build ultra-resistant worms and viruses that exploit security vulnerabilities recently announced by Microsoft and other software vendors. No joke, you are probably thinking everybody already knows this. But I put this item right after the one on Organized Crime for a reason. I doubt Microsoft recognized this when it announced its Anti-Virus Reward Program. The company is just handing out money to even the game.

Summary

There are three themes I hope you have grasped before reaching this paragraph. First: it is not necessarily a good idea to connect something to the Internet just because you can. Second: when a new technology arrives, be sure that its developers usually did a poor job on the system's security, but we all applaud and adopt it anyway. And third: when a technology is available for good things, there is always someone who figures out how to do bad things with it that none of us ever thought of.

----- End forwarded message -----

From security em unicamp.br Tue Jan 6 09:44:36 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 6 Jan 2004 09:44:36 -0200
Subject: [SECURITY-L] Syscheck 0.2
Message-ID: <20040106114436.GG85443@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: Syscheck 0.2
To: security em unicamp.br
Date: Mon, 5 Jan 2004 21:20:46 -0300 (ART)

Syscheck 0.2
Posted on Monday, January 5, 2004 at 19:31:50

A new version of syscheck is available. This version 0.2 is much better, with some fixes and new options.
syscheck is a file integrity checker (tripwire-like) in which the "database" of md5sums can be stored remotely (accessible via http), making it possible to build an easily scalable environment that is simple to monitor, even on a network with many Unix systems. Another advantage of Syscheck is that it allows directories to be monitored recursively...

Program download: http://www.ossec.net/syscheck/files/syscheck-0.2.tar.gz

A step-by-step installation guide and more information at: http://www.ossec.net/syscheck

Source: http://www.underlinux.com.br/modules.php?name=News&file=article&sid=2261

----- End forwarded message -----

From security em unicamp.br Tue Jan 6 09:46:12 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 6 Jan 2004 09:46:12 -0200
Subject: [SECURITY-L] New StealthWall version released - version 1.2.1
Message-ID: <20040106114612.GH85443@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: New StealthWall version released - version 1.2.1
To: security em unicamp.br
Date: Mon, 5 Jan 2004 21:19:11 -0300 (ART)

New StealthWall version released - version 1.2.1
Posted on Monday, January 5, 2004 at 21:48:46

"StealthWall is a transparent firewall which, having no TCP stack, becomes literally invisible. The most interesting part is that it runs straight from the CD, and in ten minutes you have it working. This new version comes with: mrtg, sshd, sadoor. It detects all the hardware and starts everything StealthWall needs at boot, requiring only that the administrator enter the firewall rules.
HOWTO at http://www.honeypot.com.br/repositorio/stealthwall/stealthwall.txt
DOWNLOAD at http://www.honeypot.com.br/repositorio/stealthwall/StealthWall-v.1.2.1.iso

Source: http://www.underlinux.com.br/modules.php?name=News&file=article&sid=2263

----- End forwarded message -----

From security em unicamp.br Tue Jan 6 12:17:56 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 6 Jan 2004 12:17:56 -0200
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20040106141751.GA87559@unicamp.br>

Dear users,

We have updated the website of Unicamp's Systems and Network Security Team with the following vulnerability bulletins:

31/12/2003
----------

Mandrake Linux Security Update Advisory (MDKSA-2003:095-1)
Subject: Security vulnerability in the proftpd package
http://www.security.unicamp.br/docs/bugs/2003/12/v75.txt

@RISK
Subject: The Consensus Security Vulnerability Alert Vol. 2 No. 53
http://www.security.unicamp.br/docs/bugs/2003/12/v74.txt

30/12/2003
----------

Centro de Atendimento a Incidentes de Seguranca - CAIS
Subject: Remote vulnerability in Sendmail
http://www.security.unicamp.br/docs/bugs/2003/12/v73.txt

Debian Security Advisory (DSA 405-1)
Subject: missing privilege release in xsok
http://www.security.unicamp.br/docs/bugs/2003/12/v72.txt

29/12/2003
----------

GENTOO LINUX SECURITY ANNOUNCEMENT (200312-08)
Subject: dev-util/cvs
http://www.security.unicamp.br/docs/bugs/2003/12/v71.txt

24/12/2003
----------

@RISK
Subject: The Consensus Security Vulnerability Alert Vol. 2 No. 52
http://www.security.unicamp.br/docs/bugs/2003/12/v70.txt

22/12/2003
----------

Nesumin - nesumin em softhome.net
Subject: An arbitrary file could be deleted on Local Disk from Remote in Opera 7 for Windows.
http://www.security.unicamp.br/docs/bugs/2003/12/v69.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Tue Jan 6 12:19:07 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 6 Jan 2004 12:19:07 -0200
Subject: [SECURITY-L] News Bulletin
Message-ID: <20040106141906.GB87559@unicamp.br>

Dear users,

We have updated the website of Unicamp's Systems and Network Security Team with the following news bulletins and/or electronic magazines:

30/12/2003
----------

SecurityFocus Newsletter #229
Source: SecurityFocus
http://www.security.unicamp.br/docs/informativos/2003/12/b11.txt

SANS NewsBites Vol. 5 Num. 52
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/12/b10.txt

29/12/2003
----------

SANS Training and GIAC Certification Update 17
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/12/b9.txt

23/12/2003
----------

SANS NewsBites Vol. 5 Num. 51
Source: SANS
http://www.security.unicamp.br/docs/informativos/2003/12/b8.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Wed Jan 7 16:27:45 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Wed, 7 Jan 2004 16:27:45 -0200
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20040107182745.GA32938@unicamp.br>

Dear users,

We have updated the website of Unicamp's Systems and Network Security Team with the following vulnerability bulletins:

6/1/2004
--------

Debian Security Advisory (DSA 413-1)
Subject: missing boundary check in kernel-source-2.4.18 and kernel-image-2.4.18-1-i386
http://www.security.unicamp.br/docs/bugs/2004/01/v19.txt

CONECTIVA LINUX SECURITY ANNOUNCEMENT (CLA-2004:800 - lftp)
Subject: Buffer overflow vulnerability in lftp
http://www.security.unicamp.br/docs/bugs/2004/01/v18.txt

ANUNCIO DE SEGURANCA DO CONECTIVA LINUX (CLA-2004:800 - lftp)
Subject: Buffer overflow vulnerability in lftp
http://www.security.unicamp.br/docs/bugs/2004/01/v17.txt

5/1/2004
--------

Update Notification (FEDORA-2003-046 - kernel)
Subject: Security vulnerability in the kernel
http://www.security.unicamp.br/docs/bugs/2004/01/v16.txt

Debian Security Advisory (DSA 412-1)
Subject: buffer overflows in nd package
http://www.security.unicamp.br/docs/bugs/2004/01/v15.txt

Debian Security Advisory (DSA 411-1)
Subject: format string vulnerability in mpg321
http://www.security.unicamp.br/docs/bugs/2004/01/v14.txt

Debian Security Advisory (DSA 410-1)
Subject: Security vulnerability in the libnids package
http://www.security.unicamp.br/docs/bugs/2004/01/v13.txt

Debian Security Advisory (DSA 409-1)
Subject: denial of service in bind package
http://www.security.unicamp.br/docs/bugs/2004/01/v12.txt

Immunix Secured OS Security Advisory (IMNX-2004-73-001-01)
Subject: Security vulnerability in the kernel
http://www.security.unicamp.br/docs/bugs/2004/01/v11.txt

SUSE Security Announcement (SuSE-SA:2004:001)
Subject: local system compromise in Linux Kernel
http://www.security.unicamp.br/docs/bugs/2004/01/v10.txt

Trustix Secure Linux Security Advisory (#2004-0001)
Subject: mremap fix in kernel
http://www.security.unicamp.br/docs/bugs/2004/01/v9.txt

CONECTIVA LINUX SECURITY ANNOUNCEMENT (CLA-2004:799)
Subject: Fix for two vulnerabilities in kernel
http://www.security.unicamp.br/docs/bugs/2004/01/v8.txt

ANUNCIO DE SEGURANCA DO CONECTIVA LINUX (CLA-2004:799)
Subject: Fix for two vulnerabilities in the kernel
http://www.security.unicamp.br/docs/bugs/2004/01/v7.txt

Debian Security Advisory (DSA 408-1)
Subject: integer overflow in screen package
http://www.security.unicamp.br/docs/bugs/2004/01/v6.txt

Guardian Digital Security Advisory (ESA-2004010n-001)
Subject: Security vulnerability in the kernel
http://www.security.unicamp.br/docs/bugs/2004/01/v5.txt

Red Hat Security Advisory (RHSA-2003:417-01)
Subject: Updated kernel resolves security vulnerability
http://www.security.unicamp.br/docs/bugs/2004/01/v4.txt

Debian Security Advisory (DSA 407-1)
Subject: buffer overflows in ethereal
http://www.security.unicamp.br/docs/bugs/2004/01/v3.txt

Debian Security Advisory (DSA 406-1)
Subject: buffer overflow in lftp
http://www.security.unicamp.br/docs/bugs/2004/01/v2.txt

3/1/2004
--------

Security Corporation Security Advisory (SCSA-025)
Subject: Invision Power Board SQL Injection Vulnerability
http://www.security.unicamp.br/docs/bugs/2004/01/v1.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Thu Jan 8 10:19:49 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Thu, 8 Jan 2004 10:19:49 -0200
Subject: [SECURITY-L] News Bulletin
Message-ID: <20040108121948.GA77885@unicamp.br>

Dear users,

We have updated the website of Unicamp's Systems and Network Security Team with the following news bulletins and/or electronic magazines:

7/1/2004
--------

SANS NewsBites Vol. 6 Num. 1
Source: SANS
http://www.security.unicamp.br/docs/informativos/2004/01/b4.txt

5/1/2004
--------

SecurityFocus Newsletter #230
Source: SecurityFocus
http://www.security.unicamp.br/docs/informativos/2004/01/b3.txt

The SANS Institute (SANS Complimentary Webcasts in January)
Source: SANS
http://www.security.unicamp.br/docs/informativos/2004/01/b2.txt

Modulo Security News No.323 : Retrospectiva 2003 - Parte 2
Source: Modulo Security
http://www.security.unicamp.br/docs/informativos/2004/01/b1.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Thu Jan 8 10:59:03 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Thu, 8 Jan 2004 10:59:03 -0200
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20040108125902.GA77981@unicamp.br>

Dear users,

We have updated the website of Unicamp's Systems and Network Security Team with the following vulnerability bulletins:

7/1/2004
--------

CONECTIVA LINUX SECURITY ANNOUNCEMENT (CLA-2004:801)
Subject: Fix for ethereal vulnerabilities
http://www.security.unicamp.br/docs/bugs/2004/01/v28.txt

ANUNCIO DE SEGURANCA DO CONECTIVA LINUX (CLA-2004:801)
Subject: Fix for Ethereal vulnerabilities
http://www.security.unicamp.br/docs/bugs/2004/01/v27.txt

Red Hat Security Advisory (RHSA-2004:001-01)
Subject: Updated Ethereal packages fix security issues
http://www.security.unicamp.br/docs/bugs/2004/01/v26.txt

Fedora Security Update Notification (FEDORA-2003-047)
Subject: Updated kernel resolves security vulnerability
http://www.security.unicamp.br/docs/bugs/2004/01/v25.txt

Debian Security Advisory (DSA 417-1)
Subject: New Linux 2.4.18 packages fix local root exploit
http://www.security.unicamp.br/docs/bugs/2004/01/v24.txt

Slackware Security (SSA:2004-006-01)
Subject: Kernel security update
http://www.security.unicamp.br/docs/bugs/2004/01/v23.txt

6/1/2004
--------

Debian Security Advisory (DSA 416-1 - fsp)
Subject: New fsp packages fix buffer overflow, directory traversal
http://www.security.unicamp.br/docs/bugs/2004/01/v22.txt

Debian Security Advisory (DSA 415-1 - zebra)
Subject: New zebra packages fix denial of service
http://www.security.unicamp.br/docs/bugs/2004/01/v21.txt

Debian Security Advisory (DSA 414-1)
Subject: New jabber packages fix denial of service
http://www.security.unicamp.br/docs/bugs/2004/01/v20.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Thu Jan 8 10:59:53 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Thu, 8 Jan 2004 10:59:53 -0200
Subject: [SECURITY-L] Microsoft ends support for Windows 98 and 98SE
Message-ID: <20040108125948.GB77981@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: Microsoft ends support for Windows 98 and 98SE
To: security em unicamp.br
Date: Tue, 6 Jan 2004 10:49:54 -0300 (ART)

Tuesday, January 6, 2004, 09h19

Microsoft ends support for Windows 98 and 98SE
http://informatica.terra.com.br/interna/0,,OI247846-EI553,00.html

As of this date, technical support can only be obtained through the official documentation available on Microsoft's website, which will remain accessible until at least June 30, 2006. The company recommends that Windows 98 users migrate to newer versions of the operating system, such as Windows XP (for desktops) or the new Windows Server 2003 (for servers).

The decision will affect 27% of Internet users, according to Google Zeitgeist, a service that monitors trends and patterns on the Internet. Besides unfixed bugs, these users will also be at the mercy of any still unknown security flaws, which could be used to create new worms and viruses affecting a considerable number of machines.
For those who do not intend to upgrade their systems but want to stay secure, the usual advice applies: firewall software, which prevents other computers from connecting to yours over the Internet, and an up-to-date antivirus help prevent many headaches.

----- End forwarded message -----


From security em unicamp.br Thu Jan 8 11:01:53 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Thu, 8 Jan 2004 11:01:53 -0200
Subject: [SECURITY-L] grsecurity 1.9.13 for Linux 2.4.24
Message-ID: <20040108130148.GC77981@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: grsecurity 1.9.13 for Linux 2.4.24
To: security em unicamp.br
Date: Tue, 6 Jan 2004 11:02:18 -0300 (ART)

grsecurity 1.9.13 for Linux 2.4.24
Posted on: Tuesday, January 06 @ 09:43:55 EDT

grsecurity is a complete security system for Linux 2.4, featuring buffer overflow protection, kernel auditing, an advanced access control system (ACL) and many other features that let you restrict your users' access or add further security to your network...

http://www.grsecurity.net

Source: http://www.linuxsecurity.com.br/article.php?sid=8156&mode=thread&order=0

----- End forwarded message -----


From security em unicamp.br Thu Jan 8 11:03:46 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Thu, 8 Jan 2004 11:03:46 -0200
Subject: [SECURITY-L] AOL prepares anti-spyware tool
Message-ID: <20040108130345.GD77981@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: AOL prepares anti-spyware tool
To: security em unicamp.br
Date: Wed, 7 Jan 2004 19:25:11 -0300 (ART)

Wednesday, 7 January 2004, 18h30
AOL prepares anti-spyware tool
http://informatica.terra.com.br/interna/0,,OI248960-EI553,00.html

America Online will release in the coming weeks a tool that helps users of its Internet service detect and delete "spyware", programs that secretly track users' browsing habits and can lead to identity theft. AOL's preparations come at a time when Microsoft's Internet service, MSN, is developing an anti-spyware security feature.

AOL is using technology from the company Aluria Software. The new security feature will be available when the company announces the release of AOL 9.0, an update of the access software for its service, in the coming weeks, the Internet giant's spokesman Andrew Weinstein told Reuters. MSN is expanding the availability of its anti-spyware software to new users this week. The technology is supplied by Network Associates, a Microsoft spokesman said.

Internet providers say spyware is the Web's biggest undiagnosed problem, similar to spam in magnitude. A study conducted last year by the United States National Cyber Security Alliance found that 91% of broadband Internet users have spyware on their home computers. Moreover, in most cases the programs installed themselves secretly via file-sharing services.
Spyware programs are spreading rapidly as companies look for ways to collect information about Internet users for use in targeted marketing campaigns. Although most spyware poses no security risk, new programs that record keystrokes can hand personal data such as credit card and bank account numbers over to fraudsters.

----- End forwarded message -----


From security em unicamp.br Thu Jan 8 16:44:16 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Thu, 8 Jan 2004 16:44:16 -0200
Subject: [SECURITY-L] Managing Linux Security Effectively in 2004
Message-ID: <20040108184415.GA78918@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: Managing Linux Security Effectively in 2004
To: security em unicamp.br
Date: Thu, 8 Jan 2004 14:02:22 -0300 (ART)

Managing Linux Security Effectively in 2004
Posted on: Thursday, January 08 @ 11:03:31 EDT

Article by Benjamin D. Thomas for LinuxSecurity.com, examining the process of properly managing the security of your Linux system in 2004...

http://www.linuxsecurity.com/feature_stories/feature_story-157.html

Source: http://www.linuxsecurity.com.br/article.php?sid=8170&mode=thread&order=0

----- End forwarded message -----


From security em unicamp.br Fri Jan 9 10:30:20 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Fri, 9 Jan 2004 10:30:20 -0200
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20040109123020.GC24185@unicamp.br>

Dear users,

We have updated the web site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

9/1/2004
--------
@RISK
Subject: The Consensus Security Vulnerability Alert Vol. 3 No. 1
http://www.security.unicamp.br/docs/bugs/2004/01/v35.txt

8/1/2004
--------
Mandrake Linux Security Update Advisory (MDKSA-2004:001)
Subject: Security vulnerability in the kernel
http://www.security.unicamp.br/docs/bugs/2004/01/v34.txt

CONECTIVA LINUX UPDATE ANNOUNCEMENT (CLA-2004:802)
Subject: Update for the MSN protocol
http://www.security.unicamp.br/docs/bugs/2004/01/v33.txt

Cisco Security Advisory
Subject: Cisco Personal Assistant User Password Bypass
http://www.security.unicamp.br/docs/bugs/2004/01/v32.txt

OpenPKG Security Advisory (OpenPKG-SA-2004.001)
Subject: remote code execution in inn
http://www.security.unicamp.br/docs/bugs/2004/01/v31.txt

Debian Security Advisory (DSA 418-1)
Subject: privilege leak in vbox3
http://www.security.unicamp.br/docs/bugs/2004/01/v30.txt

7/1/2004
--------
SGI Security Advisory
Subject: SGI Advanced Linux Environment security update #8
http://www.security.unicamp.br/docs/bugs/2004/01/v29.txt

--
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br


From security em unicamp.br Mon Jan 12 10:39:54 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Mon, 12 Jan 2004 10:39:54 -0200
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20040112123954.GA340@unicamp.br>

Dear
users,

We have updated the web site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

9/1/2004
--------
CONECTIVA LINUX UPDATE ANNOUNCEMENT (CLA-2004:803)
Subject: Segmentation fault with large groups in the nss_ldap package
http://www.security.unicamp.br/docs/bugs/2004/01/v48.txt

Debian Security Advisory (DSA 417-2)
Subject: New Linux 2.4.18 packages fix local root exploit (alpha)
http://www.security.unicamp.br/docs/bugs/2004/01/v47.txt

Debian Security Advisory (DSA 419-1)
Subject: New phpgroupware packages fix unintended PHP execution and SQL injection
http://www.security.unicamp.br/docs/bugs/2004/01/v46.txt

Slackware Security Team (SSA:2004-008-01 - kernel)
Subject: Security vulnerability in the kernel
http://www.security.unicamp.br/docs/bugs/2004/01/v45.txt

8/1/2004
--------
Mandrake Linux Security Update Advisory (MDKSA-2004:001)
Subject: Security vulnerability in the kernel
http://www.security.unicamp.br/docs/bugs/2004/01/v43.txt

CONECTIVA LINUX UPDATE ANNOUNCEMENT (CLA-2004:802)
Subject: Update for the MSN protocol
http://www.security.unicamp.br/docs/bugs/2004/01/v42.txt

Cisco Security Advisory (47765)
Subject: Cisco Personal Assistant User Password Bypass Vulnerability
http://www.security.unicamp.br/docs/bugs/2004/01/v41.txt

OpenPKG Security Advisory (OpenPKG-SA-2004.001)
Subject: Security vulnerability in inn
http://www.security.unicamp.br/docs/bugs/2004/01/v40.txt

Fedora Update Notification (FEDORA-2003-005)
Subject: Fedora Core 1 Update in php-4.3.4-1.1
http://www.security.unicamp.br/docs/bugs/2004/01/v39.txt

Fedora Update Notification (FEDORA-2003-004)
Subject: Fedora Core 1 Update in httpd-2.0.48-1.2
http://www.security.unicamp.br/docs/bugs/2004/01/v38.txt

Debian Security Advisory (DSA 418-1)
Subject: privilege leak in vbox3
http://www.security.unicamp.br/docs/bugs/2004/01/v37.txt

7/1/2004
--------
SGI Security Advisory (20040101-01-U)
Subject: SGI Advanced Linux Environment security update #8
http://www.security.unicamp.br/docs/bugs/2004/01/v36.txt

--
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br


From security em unicamp.br Tue Jan 13 11:09:42 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 13 Jan 2004 11:09:42 -0200
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20040113130942.GA46565@unicamp.br>

Dear users,

We have updated the web site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

12/1/2004
---------
SmoothWall Project Security Advisory (SWP-2004:001)
Subject: Updates for SmoothWall Express to correct local vulnerabilities in Linux kernel.
http://www.security.unicamp.br/docs/bugs/2004/01/v53.txt

Debian Security Advisory (DSA 421-1)
Subject: password expiration in mod-auth-shadow
http://www.security.unicamp.br/docs/bugs/2004/01/v52.txt

Red Hat Security Advisory (RHSA-2004:003-01)
Subject: Updated CVS packages fix minor security issue
http://www.security.unicamp.br/docs/bugs/2004/01/v51.txt

Fedora Update Notification (FEDORA-2003-045)
Subject: Fedora Core 1 Update glibc
http://www.security.unicamp.br/docs/bugs/2004/01/v50.txt

Debian Security Advisory (DSA 420-1)
Subject: improperly sanitised input in jitterbug
http://www.security.unicamp.br/docs/bugs/2004/01/v49.txt

--
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br


From security em unicamp.br Tue Jan 13 12:06:04 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 13 Jan 2004 12:06:04 -0200
Subject: [SECURITY-L] News Bulletin
Message-ID: <20040113140604.GA46641@unicamp.br>

Dear
users,

We have updated the web site of the Unicamp Systems and Network Security Team with the following news bulletins and/or electronic magazines:

12/1/2004
---------
SecurityFocus Newsletter #231
Source: SecurityFocus
http://www.security.unicamp.br/docs/informativos/2004/01/b7.txt

SecurityFocus Microsoft Newsletter #171
Source: SecurityFocus
http://www.security.unicamp.br/docs/informativos/2004/01/b6.txt

No.324: Computer crimes in the sights of the Brazilian courts
Source: SANS
http://www.security.unicamp.br/docs/informativos/2004/01/b5.txt

--
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br


From security em unicamp.br Tue Jan 13 14:55:38 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 13 Jan 2004 14:55:38 -0200
Subject: [SECURITY-L] FreeBSD 5.2 Released
Message-ID: <20040113165537.GA46837@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: FreeBSD 5.2 Released
To: security em unicamp.br
Date: Tue, 13 Jan 2004 12:37:17 -0300 (ART)

FreeBSD 5.2 Released
Posted on Tuesday, 13 January 2004 at 00:47:19

Among the new features are:
- Support for the new AMD Athlon64 and Opteron
- Gnome 2.4 and KDE 3.1
- New drivers for IDE, SATA, and 802.11a/b/g

Download at: http://www.freebsd.org/doc/en_US.ISO8859-1/books/handbook/mirrors-ftp.html
Release notes: ftp://ftp.freebsd.org/pub/FreeBSD/releases/i386/5.2-RELEASE/RELNOTES.HTM
Official announcement: http://www.freebsd.org/releases/5.2R/announce.html

Submitted by scorpion
Source: http://www.underlinux.com.br/modules.php?name=News&file=article&sid=2289

----- End forwarded message -----


From security em unicamp.br Wed Jan 14 10:12:48 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Wed, 14 Jan 2004 10:12:48 -0200
Subject: [SECURITY-L] CAIS-Alerta: Vulnerabilities in the H.323 filters of Microsoft ISA Server 2000 (816458)
Message-ID: <20040114121247.GA93269@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Vulnerabilities in the H.323 filters of Microsoft ISA Server 2000 (816458)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 13 Jan 2004 18:11:14 -0200 (BRDT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the alert published by Microsoft, "Microsoft Security Bulletin MS04-001: Vulnerability in Microsoft Internet Security and Acceleration Server 2000 H.323 Filter Could Allow Remote Code Execution (816458)", which concerns the identification of a vulnerability in the H.323 filters of Microsoft ISA Server 2000 that can be exploited remotely, allowing an attacker to execute arbitrary code.

The H.323 filters are application filters that ISA Server 2000 uses to monitor and control packet traffic using the H.323 protocol. This protocol is used in IP telephony to carry audio and video communications.

The vulnerability affects the Microsoft Firewall Service, part of ISA Server 2000. An attacker who exploits this vulnerability can execute malicious code in the context of the Firewall Service, which could allow full control of the system.

Affected systems:
. Microsoft Internet Security and Acceleration Server 2000
. Microsoft Small Business Server 2000
. Microsoft Small Business Server 2003

Systems not affected:
. Microsoft Proxy Server 2.0

Fixes available:

The fix consists of applying the patch recommended by Microsoft, available at:
. Microsoft Internet Security and Acceleration Server 2000
  http://www.microsoft.com/downloads/details.aspx?FamilyId=CBE42990-4156-4E1D-9ACB-4CD449D9599B&displaylang=en
. Microsoft Small Business Server 2000
  http://www.microsoft.com/downloads/details.aspx?FamilyId=CBE42990-4156-4E1D-9ACB-4CD449D9599B&displaylang=en
. Microsoft Small Business Server 2003
  http://www.microsoft.com/downloads/details.aspx?FamilyId=CBE42990-4156-4E1D-9ACB-4CD449D9599B&displaylang=en

More information:
http://www.microsoft.com/technet/security/bulletin/MS04-001.asp

CVE identifiers: CAN-2003-0819, (http://cve.mitre.org)

CAIS recommends that administrators of Microsoft platforms keep their systems and applications up to date at all times.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br          http://www.cais.rnp.br          #
# Tel. 019-37873300            Fax. 019-37873301               #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################


Microsoft Security Bulletin MS04-001
Vulnerability in Microsoft Internet Security and Acceleration Server 2000 H.323 Filter Could Allow Remote Code Execution (816458)

Issued: January 13, 2004
Version: 1.0

Summary

Impact of vulnerability: Remote Code Execution
Maximum Severity Rating: Critical
Recommendation: Customers should install the security update immediately
Update Replacement: None
Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:
* Microsoft Internet Security and Acceleration Server 2000 - Download the update
* Microsoft Small Business Server 2000 (which includes Microsoft Internet Security and Acceleration Server 2000) - Download the Update
* Microsoft Small Business Server 2003 (which includes Microsoft Internet Security and Acceleration Server 2000) - Download the Update

Non Affected Software:
* Microsoft Proxy Server 2.0

The software listed above has been tested to determine if the versions are affected. Other versions either no longer include security patch support or may not be affected. Please review the Microsoft Support Lifecycle Web site to determine the support lifecycle for your product and version.

Technical Details

Technical description:

A security vulnerability exists in the H.323 filter for Microsoft Internet Security and Acceleration Server 2000 that could allow an attacker to overflow a buffer in the Microsoft Firewall Service in Microsoft Internet Security and Acceleration Server 2000. An attacker who successfully exploited this vulnerability could try to run code of their choice in the security context of the Microsoft Firewall Service. This would give the attacker complete control over the system.

The H.323 filter is enabled by default on servers running ISA Server 2000 that are installed in integrated or firewall mode.

Mitigating factors:
* ISA Servers running in cache mode are not vulnerable because the Microsoft Firewall Service is disabled by default.
* Users can prevent the risk of attack by disabling the H.323 filter.

Severity Rating:
Microsoft Internet Security and Acceleration Server 2000: Critical

The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.

Vulnerability identifier: CAN-2003-0819

Workarounds

Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability; however, they help block known attack vectors. Workarounds may cause a reduction in functionality in some cases; in such situations this is identified below.

1. Disable the H.323 filter.

To disable the H.323 filter, follow these steps:

1. Open the ISA management tool.
   Expand the Extensions container, then expand the Application Filters container.
2. Select the H.323 Filter and then click Disable.
3. Restart the Microsoft Firewall Service (Windows Components).

Impact of workaround: If the H.323 filter is disabled, H.323 traffic is blocked by the Microsoft Firewall Service. This stops any applications that use the H.323 protocol for Internet Protocol (IP) telephony or data collaboration from communicating through the ISA Server. If H.323 traffic is not on the network with the ISA Server, disabling this filter and other unused filters is recommended for enhanced security and performance.

2. Block TCP port 1720 at a perimeter or gateway router.

By default the H.323 filter listens on external Transmission Control Protocol (TCP) port 1720. Blocking this port at a perimeter router will help to protect the ISA Server from an Internet-based attack.

Note: Clicking to clear the Allow Incoming Calls check box on the Call Control tab of the H.323 filter settings does not configure the filter to stop listening on the external TCP port 1720 and is not an effective workaround. This behavior has been changed in this Security Update and is documented additionally in the "Frequently Asked Questions" section of this security bulletin.

Impact of workaround: If port 1720 traffic is blocked, applications that use the H.323 protocol for IP telephony or data collaboration will no longer be able to communicate over the Internet.

Frequently Asked Questions

What is the scope of the vulnerability?
This is a buffer overflow vulnerability. An attacker who successfully exploited this vulnerability could cause code to run in the security context of the Microsoft Firewall Service on ISA Server 2000. An attacker who successfully exploited this vulnerability could also gain complete control over the system.

What causes the vulnerability?
This vulnerability results because of the way that the H.323 filter checks the boundaries on specially crafted H.323 traffic.
What is the H.323 Filter?
The H.323 filter is an application filter that ISA Server 2000 uses to monitor and control traffic using the H.323 and T.120 protocols. The H.323 protocol is used in IP telephony applications to transfer audio and video communications. The T.120 protocol is used in IP telephony applications to transfer data such as whiteboard, file transfer, or remote desktop data. The H.323 filter is enabled by default on ISA Server 2000.

What is the Microsoft Firewall Service?
ISA Server's Microsoft Firewall Service allows Internet applications to perform as if they were directly connected to the Internet. These services redirect the necessary communications functions to an ISA Server, establishing a communication path from the internal application to the Internet through the server computer. The service eliminates the need for a specific gateway for each protocol, such as Simple Mail Transfer Protocol (SMTP), Telnet, File Transfer Protocol (FTP), or the H.323 protocol.

What might an attacker use the vulnerability to do?
An attacker who successfully exploited this vulnerability could cause code to run in the security context of the Microsoft Firewall Service on ISA Server 2000. An attacker who successfully exploited this vulnerability could gain complete control over the system.

Does this update contain any other security changes?
Yes. The update also corrects an issue with the Call Control tab of the H.323 filter settings. Before this update, if you clicked to clear the Allow Incoming Calls check box in the Call Control tab of the H.323 filter settings, the filter would not be configured to stop listening on the external TCP port 1720. This update corrects this problem. After the update, clicking to select this option correctly configures the filter to stop listening on the external TCP port 1720. The Microsoft Firewall Service must be restarted for this setting to take effect. If the network that the H.323 filter is helping to protect intends to use only outgoing H.323 traffic, it is recommended that you disable Allow Incoming Calls to enhance security.

What does the update do?
The update removes the vulnerability by modifying the way that the H.323 filter validates H.323 traffic.

I have installed the H.323 Gatekeeper Service. Is the H.323 Gatekeeper Service vulnerable?
No. The H.323 Gatekeeper Service does not contain the vulnerability that is associated with this update. However, if the H.323 Gatekeeper Service has been installed on the system, an updated version of gksvc.dll will be installed with this update. The H.323 Gatekeeper Service is not installed by default.

If I install the H.323 Gatekeeper Service after I apply this update, do I need to re-apply the update?
Yes. If setup components are re-installed, all updates should be re-applied.

Security Update Information

Prerequisites
This security update requires ISA Server Service Pack 1 (SP1). For additional information about how to obtain the latest ISA Server service pack, click the following article number to view the article in the Microsoft Knowledge Base:
313139 How to Obtain the Latest Internet Security and Acceleration Server Service Pack

Inclusion in future service packs:
The fix for this issue will be included in ISA Server 2000 Service Pack 2.

Installation Information
This security update supports the following Setup switches:
-? : Show the list of installation switches.
/q : Use Quiet mode (no user interaction).
-UHF : Remove hotfix number (where is the number of the hotfix).
-nostart : Do not start the stopped services

Deployment Information
To install the security update without any user intervention, use the following command line:
ISA2000-KB816458-x86.exe -q

Restart Requirement
You do not have to restart your computer after you apply this update. The ISA services are restarted when applying this update.
Removal Information
To remove this update, use the Add or Remove Programs tool in Control Panel. To do so, click ISA Server 2000 Updates, click Change, click ISA Hot Fix 291, and then click Remove.

File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Date         Time   Version       Size     File Name     Platform
16-Dec-2003  17:16  3.0.1200.291  140,560  Gksvc.dll     X86
16-Dec-2003  17:16  3.0.1200.291  209,168  H323asn1.dll  X86
16-Dec-2003  17:16  3.0.1200.291   86,800  H323fltr.dll  X86

Note: Gksvc.dll will only be installed if the H.323 Gatekeeper Service is installed on the ISA Server. If the H.323 Gatekeeper Service is not installed, gksvc.dll will not be installed and will not exist on the system. This service is not installed by default.

The English version of this fix can be used for all languages of the product.

Verifying Update Installation
You may be able to verify the files that this security update installed by reviewing the following registry key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Fpc\Hotfixes\SP1\291

Acknowledgments
Microsoft thanks the following for working with us to help protect customers:
* The UK National Infrastructure Security Co-ordination Centre (NISCC) for reporting the issue described in MS04-001.

Obtaining other security updates:
Updates for other security issues are available from the following locations:
* Security updates are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
* Updates for consumer platforms are available from the WindowsUpdate Web site.

Support:
* Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge for support calls that are associated with security updates.
* International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates. Information on how to contact Microsoft support is available at the International Support Web Site.

Security Resources:
* The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
* Microsoft Software Update Services
* Microsoft Baseline Security Analyzer (MBSA): Please view Knowledge Base Article 306460 for a list of security updates that have detection limitations with the MBSA tool.
* Windows Update
* Windows Update Catalog: Please view Knowledge Base Article 323166 for more information on the Windows Update Catalog.
* Office Update

Systems Management Server (SMS): Systems Management Server can provide assistance deploying this security update. For information about Systems Management Server visit the SMS Web Site. SMS also provides several additional tools to assist administrators in the deployment of security updates such as the SMS 2.0 Software Update Services Feature Pack and the SMS 2.0 Administration Feature Pack. The SMS 2.0 Software Update Services Feature Pack utilizes the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin remediation. Some software updates may require administrative rights following a restart of the computer.

Note: The inventory capabilities of the SMS 2.0 Software Update Services Feature Pack may be used for targeting updates to specific computers, and the SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool can be used for installation.
This provides optimal deployment for updates that require explicit targeting using Systems Management Server and administrative rights after the computer has been restarted.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:
* V1.0 (January 13, 2004): Bulletin published

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQARQ7+kli63F4U8VAQGW6wP/TPEXGPtL5mIdHyzQ6FiPuE7jHf8oZnPF
d9ixK/OORYztzV11V+AZdZ6+SkVqlJTGsZM3xNtPLABQuICqJP0QNRiyR2bAXFwD
MZgb94+RlU8B7kDrjZg9EQ8gffkpSXz4dXJzRtx/qKYC8BwLFOaHcVmu5cT5cqGO
224TXXTOkJ0=
=xwQ4
-----END PGP SIGNATURE-----

----- End forwarded message -----


From security em unicamp.br Wed Jan 14 10:13:12 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Wed, 14 Jan 2004 10:13:12 -0200
Subject: [SECURITY-L] CAIS-Alerta: Vulnerabilities in the MDAC components (832483)
Message-ID: <20040114121312.GB93269@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Vulnerabilities in the MDAC components (832483)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 13 Jan 2004 18:25:31 -0200 (BRDT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is forwarding the alert published by Microsoft, "Microsoft Security Bulletin MS04-003: Buffer Overrun in MDAC Function Could Allow Code Execution (832483)", which concerns the identification of a vulnerability in the MDAC database access components that can be exploited remotely, allowing an attacker to execute arbitrary code.

When a client program needs to check the network for the list of available SQL database servers, it sends a broadcast packet requesting this list from the entire local network. An attacker can then build a reply packet that exploits the vulnerability mentioned, executing malicious code in the security context of the client program that originated the request.

Affected systems:
. Microsoft Data Access Components 2.5 (included with Microsoft Windows 2000)
. Microsoft Data Access Components 2.6 (included with Microsoft SQL Server 2000)
. Microsoft Data Access Components 2.7 (included with Microsoft Windows XP)
. Microsoft Data Access Components 2.8 (included with Microsoft Windows Server 2003)
. Microsoft Data Access Components 2.8 (included with Windows Server 2003 64-Bit)

Fixes available:

The fix consists of applying the patch recommended by Microsoft, available at:

. Microsoft Data Access Components 2.5
  http://www.microsoft.com/downloads/details.aspx?FamilyId=39472EE8-C14A-47B4-BFCC-87988E062D91&displaylang=en
. Microsoft Data Access Components 2.6
  http://www.microsoft.com/downloads/details.aspx?FamilyId=39472EE8-C14A-47B4-BFCC-87988E062D91&displaylang=en
. Microsoft Data Access Components 2.7
  http://www.microsoft.com/downloads/details.aspx?FamilyId=39472EE8-C14A-47B4-BFCC-87988E062D91&displaylang=en
. Microsoft Data Access Components 2.8 (included with Microsoft Windows Server 2003)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=39472EE8-C14A-47B4-BFCC-87988E062D91&displaylang=en
. Microsoft Data Access Components 2.8 (included with Windows Server 2003 64-Bit)
  http://www.microsoft.com/downloads/details.aspx?FamilyId=1D93D9E4-2B22-4595-B8C5-643824857EC0&displaylang=en

More information:
http://www.microsoft.com/technet/security/bulletin/MS04-003.asp

CVE identifiers: CAN-2003-0903, (http://cve.mitre.org)

CAIS recommends that administrators of Microsoft platforms keep their systems and applications up to date at all times.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br          http://www.cais.rnp.br          #
# Tel. 019-37873300            Fax. 019-37873301               #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################


Microsoft Security Bulletin MS04-003
Buffer Overrun in MDAC Function Could Allow Code Execution (832483)

Issued: January 13, 2004
Version: 1.0

Summary

Who should read this document: Customers who are using Microsoft® Windows®
Impact of vulnerability: Remote code execution
Maximum Severity Rating: Important
Recommendation: Customers should install this security update at their earliest opportunity.
Security Update Replacement: This update replaces the one that is provided in Microsoft Security Bulletin MS03-033.
Caveats: None

Tested Software and Security Update Download Locations:

Affected Software:

* Microsoft Data Access Components 2.5 (included with Microsoft Windows 2000)
* Microsoft Data Access Components 2.6 (included with Microsoft SQL Server 2000)
* Microsoft Data Access Components 2.7 (included with Microsoft Windows XP)
* Microsoft Data Access Components 2.8 (included with Microsoft Windows Server 2003)
  Note: The same update applies to all these versions of MDAC - Download the Update
* Microsoft Data Access Components 2.8 (included with Windows Server 2003 64-Bit Edition) - Download the Update

The software listed above has been tested to determine if the versions are affected. Other versions either no longer include security patch support or may not be affected. Please review the Microsoft Support Lifecycle Web site to determine the support lifecycle for your product and version.

Technical Details

Technical description:

Microsoft Data Access Components (MDAC) is a collection of components that provides the underlying functionality for a number of database operations, such as connecting to remote databases and returning data to a client. When a client system on a network tries to see a list of computers that are running SQL Server and that reside on the network, it sends a broadcast request to all the devices that are on the network. Because of a vulnerability in a specific MDAC component, an attacker could respond to this request with a specially-crafted packet that could cause a buffer overflow.

An attacker who successfully exploited this vulnerability could gain the same level of privileges over the system as the program that initiated the broadcast request. The actions an attacker could carry out would be dependent on the permissions under which the program using MDAC ran. If the program ran with limited privileges, an attacker would be limited accordingly; however, if the program ran under the local system context, the attacker would have the same level of permissions.

Since the original version of MDAC on your system may have changed from updates available on the Microsoft Web site, we recommend using the following tool to determine the version of MDAC you have on your system: Microsoft Knowledge Base article 301202 "HOW TO: Check for MDAC Version" discusses this tool and explains how to use it. Also, Microsoft Knowledge Base article 231943 discusses the release history of the different versions of MDAC.

Mitigating factors:

* For an attack to be successful an attacker would have to simulate a SQL server that is on the same IP subnet as the target system.
* When a client system on a network tries to see a list of computers that are running SQL Server and that reside on the network, it sends a broadcast request to all the devices that are on the network. A target system must initiate such a broadcast request to be vulnerable to an attack. An attacker would have no way of launching this first step but would have to wait for anyone to enumerate computers that are running SQL Server on the same subnet. Also, a system is not vulnerable by having these SQL management tools installed.
* Code executed on the client system would only run under the privileges of the client program that made the broadcast request.

Severity Rating:

  Microsoft Data Access Components 2.5 (included with Windows 2000)          Important
  Microsoft Data Access Components 2.6 (included with SQL Server 2000)       Important
  Microsoft Data Access Components 2.7 (included with Windows XP)            Important
  Microsoft Data Access Components 2.8 (included with Windows Server 2003)   Important

The above assessment is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2003-0903

Workarounds

Microsoft has tested the following workarounds. These workarounds will not correct the underlying vulnerability. However, they help block known attack vectors. Workarounds may reduce functionality in some cases; in such cases, the reduction in functionality is identified below.

Block UDP port 1434 from accepting inbound traffic.

Block UDP port 1434 on your system's network interface from accepting inbound traffic. For example, to block network traffic that originates from a Windows 2000-based computer that comes from UDP 1434 to this host, type the following at the command line:

  ipsecpol -w REG -p "Block UDP 1434 Filter" -r "Block Inbound UDP 1434 Rule" -f *=0:1434:UDP -n BLOCK -x

See Microsoft Knowledge Base article 813878 "How to Block Specific Network Protocols and Ports by Using IPSec" for more information about IPsec and the technology that this workaround uses.

Impact of Workaround: SQL client systems would no longer be able to initiate SQL broadcast requests. For example, tools like SQL Enterprise Manager use broadcast requests to enumerate all SQL Server instances on a subnet. The workaround would also prevent connections to non-default instances of SQL Server. An example of non-default instances of SQL server is additional instances of SQL server that are installed on the same computer.

Frequently Asked Questions

What is the scope of the vulnerability?

This is a buffer overrun vulnerability. An attacker who successfully exploited this vulnerability could gain the same level of privileges over the system as the program that initiated the broadcast request. The actions that an attacker could carry out on the system would depend on the permissions of the user account under which the program using MDAC ran. If the program ran with limited privileges, an attacker would be limited accordingly. However, if the program ran under the context of Local System, the attacker could gain the same level of permissions.
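The bulletin describes the defect as a client that trusts a length carried in a forged enumeration reply, and the update as validating that the number of bytes specified in the reply is appropriate. The following is an added example (not code from the bulletin, from Microsoft or from MDAC) of a client-side reply parser written with those checks; the wire format (a type byte, a 2-byte declared length, then server-list text), the 64-byte client buffer and the sample datagrams are constructed stand-ins, not the real SQL Server enumeration reply.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Fixed-size buffer the client owns for the server list (constructed size). */
#define CLIENT_BUF 64

/* Constructed stand-in wire format for an enumeration reply (assumption,
 * not the real protocol):
 *   byte 0     : message type, 0x05 here
 *   bytes 1..2 : declared payload length, big-endian
 *   bytes 3..  : server-list text, supposedly 'declared' bytes long */
#define REPLY_TYPE 0x05
#define REPLY_HDR  3

enum parse_result {
    REPLY_OK = 0,
    REPLY_TOO_SHORT,          /* datagram shorter than the fixed header     */
    REPLY_BAD_TYPE,           /* not an enumeration reply                    */
    REPLY_LEN_EXCEEDS_DGRAM,  /* declared length runs past the datagram end  */
    REPLY_LEN_EXCEEDS_BUF     /* declared length does not fit the client buf */
};

/* Parse one received datagram into out (capacity out_cap, NUL-terminated).
 * Both length checks run before the copy, so a server-controlled length can
 * never drive memcpy beyond either the datagram or the destination.  The
 * defect class in the bulletin is the absence of such checks: an unchecked
 * parser would copy 'declared' bytes straight into a fixed buffer. */
enum parse_result parse_reply(const uint8_t *dgram, size_t dgram_len,
                              char *out, size_t out_cap, size_t *out_len)
{
    *out_len = 0;
    if (dgram_len < REPLY_HDR)
        return REPLY_TOO_SHORT;
    if (dgram[0] != REPLY_TYPE)
        return REPLY_BAD_TYPE;

    size_t declared = ((size_t)dgram[1] << 8) | dgram[2];

    /* Check 1: the declared count must lie within what was received;
     * otherwise the parser reads past the end of the receive buffer. */
    if (declared > dgram_len - REPLY_HDR)
        return REPLY_LEN_EXCEEDS_DGRAM;

    /* Check 2: the declared count must fit the caller's buffer, with room
     * for the terminator; this is the overrun a bounds check closes. */
    if (declared >= out_cap)
        return REPLY_LEN_EXCEEDS_BUF;

    memcpy(out, dgram + REPLY_HDR, declared);
    out[declared] = '\0';
    *out_len = declared;
    return REPLY_OK;
}

/* Build a reply datagram with an arbitrary declared length so that the
 * mismatch cases can be exercised.  Returns the datagram length, or 0 if
 * dst is too small. */
size_t build_reply(uint8_t *dst, size_t dst_cap, const char *payload,
                   uint16_t declared)
{
    size_t plen = strlen(payload);
    if (dst_cap < REPLY_HDR + plen)
        return 0;
    dst[0] = REPLY_TYPE;
    dst[1] = (uint8_t)(declared >> 8);
    dst[2] = (uint8_t)(declared & 0xFF);
    memcpy(dst + REPLY_HDR, payload, plen);
    return REPLY_HDR + plen;
}

int main(void)
{
    uint8_t dgram[256];
    char out[CLIENT_BUF];
    size_t n, len;

    /* Well-formed reply: declared length matches the bytes present. */
    len = build_reply(dgram, sizeof dgram, "ServerName;HOSTA;", 17);
    printf("honest reply   -> %d (%zu bytes: %s)\n",
           (int)parse_reply(dgram, len, out, sizeof out, &n), n, out);

    /* Declared length far larger than the datagram actually carries. */
    len = build_reply(dgram, sizeof dgram, "ServerName;HOSTA;", 1000);
    printf("length > dgram -> %d\n",
           (int)parse_reply(dgram, len, out, sizeof out, &n));

    /* Payload really present, but larger than the client's buffer. */
    char big[101];
    memset(big, 'A', 100);
    big[100] = '\0';
    len = build_reply(dgram, sizeof dgram, big, 100);
    printf("length > buf   -> %d\n",
           (int)parse_reply(dgram, len, out, sizeof out, &n));
    return 0;
}
```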
What causes the vulnerability?

The vulnerability results because of an unchecked buffer in a specific MDAC component. If an attacker were able to successfully exploit this vulnerability, it could allow them to gain control over the system and take any action that the legitimate process executing MDAC could take.

What is Microsoft Data Access Components?

Microsoft Data Access Components (MDAC) is a collection of components that make it easy for programs to access databases and to change the data within them. Modern databases may take a variety of forms (for example, SQL Server databases, Microsoft Access databases, and XML files) and may be housed in a variety of locations (for example, on the local system or on a remote database server). MDAC provides a consolidated set of functions for working with these data sources in a consistent manner. A good discussion of MDAC and the components that it provides is available on MSDN.

Do I have MDAC on my system?

It is very likely that you do because MDAC is a ubiquitous technology:

* MDAC installs as part of Windows 2000, SQL Server 2000, Windows XP, and Windows Server 2003.
* MDAC is available for download from the Microsoft Web site.
* MDAC is installed by many other Microsoft programs. To name just a few cases, it is installed as part of the Microsoft Windows NT 4.0 Option Pack, Microsoft Access, and SQL Server.

A tool is available that can help you determine what version of MDAC is running on your system. Microsoft Knowledge Base article 301202 "HOW TO: Check for MDAC Version" describes this tool and explains how to use it. Also, Microsoft Knowledge Base article 231943 discusses the release history of the different versions of MDAC.

Why did Microsoft Windows Update offer me a language version of the security update that is different than I expected?

It is recommended, but not necessary, to install the language version of this update that follows the MDAC language that the customer has installed. Customers download this security update by using Windows Update, and subsequently by using Microsoft Software Update Services (SUS), based on the language version of Windows that a customer has. A customer could have a more recent version of MDAC installed, which is localized into a language other than the language of the instance of Windows. For example, if a customer installs a Spanish language instance of SQL Server on an English instance of Windows, the customer may have a Spanish language version of MDAC installed. This is a supported configuration for which we would recommend the Spanish language update. Certain log entries note the disparity. If the customer prefers the Spanish update, they should install the security update by using the download links that are at the beginning of this security bulletin.

Note: While the installation of this security update is in English, the security update in itself is localized and Windows Update will offer customers an update that matches the language version of Windows they have.

What might an attacker use the vulnerability to do?

This vulnerability could enable an attacker to reply to a client system request with a malformed User Datagram Protocol (UDP) packet, which would cause a buffer overrun to occur. If an attacker were to successfully exploit this vulnerability, they could take any action that they wanted to on the system that the overrun process could take.

How could an attacker exploit this vulnerability?

An attacker could exploit this vulnerability by simulating a server running SQL Server that listens on a network for a client system to request an enumeration of all systems on the specific network that are running SQL Server. By replying to that request with a specially-crafted packet, an attacker could cause a buffer overrun to occur in a specific MDAC component on the client system.

What does the update do?

This security update removes the vulnerability by validating that the number of bytes that are specified in the reply is of an appropriate value.

Security Update Information

Installation platforms and Prerequisites:

For information about the specific security update for your platform, click the appropriate link:

Microsoft Data Access Components (all versions)

Prerequisites

This security update requires that you have any one of the following MDAC versions installed:

* MDAC 2.5 Service Pack 2
* MDAC 2.5 Service Pack 3
* MDAC 2.6 Service Pack 2
* MDAC 2.7
* MDAC 2.7 Service Pack 1
* MDAC 2.7 Service Pack 1 Refresh
* MDAC 2.8

Inclusion in future service packs: The fix for this issue will be included in MDAC 2.8 Service Pack 1.

Installation Information

This update supports the following Setup switches:

  /?   Displays the list of installation switches.
  /Q   Uses Quiet mode.
  /T:  Specifies the temporary working folder.
  /C   Extracts files only to the folder when it is used with /T.
  /C:  Overrides the Install command that author defines.
  /N   Does not restart the dialog box.

Deployment Information

For example, the following command-line command installs the security update without any user intervention and suppresses a restart:

  _Q832483_MDAC_X86.EXE /C:"dahotfix.exe /q /n" /q

English, for example, is ENU. The /q switch that is specified for Dahotfix.exe is for a silent install. The /n switch suppresses the restart. The trailing /q switch is to also suppress the end-user license agreement (EULA) pop-up window.

Restart Requirement

You must restart your computer after you apply this security update.

Removal Information

This security update cannot be removed after it has been installed.

File Information

The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

MDAC 2.5 Service Pack 2:

  Date         Time   Version         Size     File Name
  29-Oct-2003  02:20  3.520.6101.0    212,992  Odbc32.dll
  28-Oct-2003  21:44  3.70.11.46      24,848   Odbcbcp.dll
  28-Oct-2003  00:06  3.520.6101.0    102,672  Odbccp32.dll
  28-Oct-2003  21:44  3.70.11.46      524,560  Sqlsrv32.dll

MDAC 2.5 Service Pack 3:

  Date         Time   Version         Size     File Name
  29-Oct-2003  02:24  3.520.6301.0    212,992  Odbc32.dll
  28-Oct-2003  21:44  3.70.11.46      24,848   Odbcbcp.dll
  28-Oct-2003  01:08  3.520.6301.0    102,672  Odbccp32.dll
  28-Oct-2003  21:44  3.70.11.46      524,560  Sqlsrv32.dll

MDAC 2.6 Service Pack 2:

  Date         Time   Version         Size     File Name
  28-Oct-2003  17:22  2000.80.747.0   86,588   Dbnetlib.dll
  29-Oct-2003  02:35  3.520.7502.0    417,792  Odbc32.dll
  28-Oct-2003  17:22  2000.80.747.0   29,252   Odbcbcp.dll
  29-Oct-2003  02:34  3.520.7502.0    217,088  Odbccp32.dll
  28-Oct-2003  17:22  2000.80.747.0   479,800  Sqloledb.dll
  28-Oct-2003  17:22  2000.80.747.0   455,236  Sqlsrv32.dll

MDAC 2.7:

  Date         Time   Version         Size     File Name
  28-Oct-2003  05:09  2000.81.9002.0  61,440   Dbnetlib.dll
  28-Oct-2003  05:05  3.520.9002.0    204,800  Odbc32.dll
  28-Oct-2003  05:10  2000.81.9002.0  24,576   Odbcbcp.dll
  28-Oct-2003  05:09  3.520.9002.0    94,208   Odbccp32.dll
  28-Oct-2003  05:06  2.70.9002.0     413,696  Oledb32.dll
  28-Oct-2003  05:09  2000.81.9002.0  450,560  Sqloledb.dll
  28-Oct-2003  05:09  2000.81.9002.0  356,352  Sqlsrv32.dll

MDAC 2.7 Service Pack 1 or MDAC 2.7 Service Pack 1 Refresh:

  Date         Time   Version         Size     File Name
  28-Oct-2003  04:12  2000.81.9042.0  61,440   Dbnetlib.dll
  28-Oct-2003  04:09  2.71.9042.0     126,976  Msdart.dll
  28-Oct-2003  04:09  3.520.9042.0    204,800  Odbc32.dll
  28-Oct-2003  04:13  2000.81.9042.0  24,576   Odbcbcp.dll
  28-Oct-2003  04:13  3.520.9042.0    98,304   Odbccp32.dll
  28-Oct-2003  04:10  2.71.9042.0     417,792  Oledb32.dll
  28-Oct-2003  04:12  2000.81.9042.0  471,040  Sqloledb.dll
  28-Oct-2003  04:12  2000.81.9042.0  385,024  Sqlsrv32.dll

MDAC 2.8:

  Date         Time   Version         Size     File Name
  12-Dec-2003  23:40  2000.85.1025.0  24,576   Odbcbcp.dll
  19-Nov-2003  00:38  2000.85.1025.0  401,408  Sqlsrv32.dll

MDAC 2.8 for Windows Server 2003 64-Bit Edition:

  Date         Time   Version         Size     File Name
  15-Dec-2003  18:51  2000.85.1025.0  49,152   Odbcbcp.dll
  15-Dec-2003  18:52  2000.85.1025.0  978,944  Sqlsrv32.dll

Verifying Update Installation

To verify that the security update is installed on your computer, check the file manifests that are listed in this bulletin and make sure that you have the correct versions of the files. You may also be able to verify that this security update is installed by reviewing the following registry key:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\DataAccess\Q832483

For the Microsoft Data Access Components 2.8 that shipped in Windows Server 2003 64-Bit Edition you can verify that this security update is installed by reviewing the following registry key:

  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\HotFix\KB832483

Note: These registry keys may not be created correctly if an administrator or an OEM integrates or slipstreams the 832483 security update into the Windows installation source files.

Obtaining other security updates:

Updates for other security issues are available from the following locations:

* Security updates are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
* Updates for consumer platforms are available from the WindowsUpdate Web site.

Support:

* Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge for support calls that are associated with security updates.
* International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates. Information on how to contact Microsoft support is available at the International Support Web Site.
Security Resources:

* The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
* Microsoft Software Update Services
* Microsoft Baseline Security Analyzer (MBSA): Please view Knowledge Base Article 306460 for a list of security updates that have detection limitations with the MBSA tool.
* Windows Update
* Windows Update Catalog: Please view Knowledge Base Article 323166 for more information on the Windows Update Catalog.
* Office Update

Software Update Services (SUS):

Microsoft Software Update Services (SUS) enables administrators to quickly and reliably deploy the latest critical updates and security updates to Windows® 2000 and Windows Server 2003-based servers, as well as to desktop computers running Windows 2000 Professional or Windows XP Professional. For information about how to deploy this security update with Software Update Services, visit the Software Update Services Web site.

Systems Management Server (SMS):

Systems Management Server can provide assistance deploying this security update. For information about Systems Management Server visit the SMS Web Site.

Disclaimer:

The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.
Revisions:

* V1.0 January 13, 2004: Bulletin published

----- End forwarded message -----

From security em unicamp.br Wed Jan 14 10:13:36 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Wed, 14 Jan 2004 10:13:36 -0200
Subject: [SECURITY-L] CAIS Alert: Vulnerability in Exchange Server 2003 (832759)
Message-ID: <20040114121336.GC93269@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS Alert: Vulnerability in Exchange Server 2003 (832759)
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 13 Jan 2004 18:57:13 -0200 (BRDT)

Dear all,

CAIS is relaying the alert published by Microsoft, "Microsoft Security Bulletin MS04-002: Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation (832759)", which covers a vulnerability in the way HTTP connections are reused when NTLM authentication is used between Exchange 2003 front-end servers providing OWA (Outlook Web Access) access, when OWA runs on Windows 2000 or Windows Server 2003, and when Exchange 2003 back-end servers run on Windows Server 2003.

Users who access their mailboxes through an Exchange 2003 front-end server and OWA can access another user's mailbox if that user's mailbox is stored on the same back-end server and has recently been accessed. Attackers cannot predict which mailbox will be accessed. This vulnerability causes random and unreliable access to users' mailboxes and is limited to mailboxes that have recently been accessed through OWA.

Affected systems:

. Microsoft Exchange Server 2003

Unaffected systems:

. Microsoft Exchange 2000 Server
. Microsoft Exchange Server 5.5

Available fixes:

The fix consists of applying the patch recommended by Microsoft, available at:

. Microsoft Exchange Server 2003
  http://www.microsoft.com/downloads/details.aspx?FamilyId=9542F949-D09B-4199-A837-FBCFC0567676&displaylang=en

For further details on workarounds, frequently asked questions, and other technical recommendations for installing the fixes, consult the original Microsoft alert.

More information:

. Microsoft Security Bulletin MS04-002
  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS04-002.asp
. Microsoft Knowledge Base Article 832749
  http://support.microsoft.com/?kbid=832749
. Microsoft Knowledge Base Article 823265
  http://support.microsoft.com/?kbid=823265
. Microsoft Knowledge Base Article 832769
  http://support.microsoft.com/?kbid=832769

CVE identifiers: CAN-2003-0904 (http://cve.mitre.org)

CAIS recommends that administrators of Microsoft platforms update their systems urgently, given the criticality of this alert.

Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br                  http://www.cais.rnp.br  #
# Tel. 019-37873300                          Fax. 019-37873301 #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

Microsoft Security Bulletin MS04-002
Vulnerability in Exchange Server 2003 Could Lead to Privilege Escalation (832759)

Issued: January 13, 2004
Version: 1.0

Summary

Who should read this document: System administrators who have servers that are running Microsoft® Outlook® Web Access for Microsoft Exchange Server 2003
Impact of vulnerability: Elevation of Privilege
Maximum Severity Rating: Moderate
Recommendation: System administrators should install this security update on all front-end servers that are running Outlook Web Access for Exchange Server 2003. Microsoft also recommends installing this security update on all other Exchange 2003 servers so that they will be protected if they are later designated as front-end servers.
Security Update Replacement: None
Caveats: Apply the update when a disruption in OWA and Simple Mail Transfer Protocol (SMTP) mail flow and other Internet Information Services (IIS) applications is acceptable.

Tested Software and Security Update Download Locations:

Affected Software:

* Microsoft Exchange Server 2003 - Download the Update
  http://www.microsoft.com/downloads/details.aspx?FamilyId=9542F949-D09B-4199-A837-FBCFC0567676&displaylang=en

Non Affected Software:

* Microsoft Exchange 2000 Server
* Microsoft Exchange Server 5.5

The software listed above has been tested to determine if the versions are affected. Other versions either no longer include security patch support or may not be affected. Please review the Microsoft Support Lifecycle Web site (http://go.microsoft.com/fwlink/?LinkId=21742) to determine the support lifecycle for your product and version.

Technical Details

Technical description:

A vulnerability exists in the way that Hypertext Transfer Protocol (HTTP) connections are reused when NTLM authentication is used between front-end Exchange 2003 servers providing OWA access, when running Outlook Web Access (OWA) on Windows 2000 and Windows Server 2003, and when using back-end Exchange 2003 servers that are running Windows Server 2003. Users who access their mailboxes through an Exchange 2003 front-end server and Outlook Web Access might get connected to another user's mailbox if that other mailbox is (1) hosted on the same back-end mailbox server and (2) if that mailbox has been recently accessed by its owner. Attackers seeking to exploit this vulnerability could not predict which mailbox they might become connected to. The vulnerability causes random and unreliable access to mailboxes and is specifically limited to mailboxes that have recently been accessed through OWA.

By default, Kerberos authentication is used as the HTTP authentication method between Exchange Server 2003 front-end and back-end Exchange servers. This behavior manifests itself only in deployments where OWA is used in an Exchange front-end/back-end server configuration and Kerberos has been disabled as an authentication method for OWA communication between the front-end and back-end Exchange servers. This vulnerability is exposed if the Web site that is running the Exchange Server 2003 programs on the Exchange back-end server has been configured not to negotiate Kerberos authentication, causing OWA to fall back to using NTLM authentication. The only known way that this vulnerability can be exposed is by a change in the default configuration of Internet Information Services 6.0 on the Exchange back-end server. This vulnerability cannot be exposed by a routine fallback to NTLM because of a problem with Kerberos authentication. This configuration change may occur when Microsoft Windows SharePoint Services (WSS) 2.0 is installed on a Windows Server 2003 server that also functions as an Exchange Server 2003 back-end.

Mitigating factors:

* To exploit this vulnerability, an attacker would first have to authenticate to an Exchange Server 2003 front-end server.
* The mailbox that an attacker could get access to is random and not possible to predict. It is also not for certain that they would get connected to another user's mailbox at all.
* Only mailboxes that have recently been accessed through Outlook Web Access using the same pair of front-end and back-end servers could be affected.
* Exchange 2000 Server and Exchange Server 5.5 are not affected by this vulnerability.
* Only deployments that have a front-end server that hosts Outlook Web Access for Exchange 2003 Server, that runs on either Windows 2000 or Windows Server 2003, and that has a back-end Exchange Server 2003 that runs on Windows Server 2003 are affected by this vulnerability.
* By default, Kerberos authentication is used for HTTP requests between an Exchange Server 2003 front-end server and an Exchange back-end server. This vulnerability is only exposed if the Web site that is running the Exchange Server 2003 programs on the Exchange back-end server has been configured not to negotiate Kerberos authentication, causing OWA to use NTLM authentication. This configuration change may occur when Microsoft Windows SharePoint Services is installed on a Windows Server 2003 server that also functions as an Exchange Server 2003 back-end.

Severity Rating:

  Microsoft Exchange Server 2003   Moderate

The above assessment (http://go.microsoft.com/fwlink/?LinkId=21140) is based on the types of systems that are affected by the vulnerability, their typical deployment patterns, and the effect that exploiting the vulnerability would have on them.
Vulnerability identifier: CAN-2003-0904 Workarounds Microsoft has tested the following workarounds that apply to this vulnerability. These workarounds help block known attack vectors. However, they will not correct the underlying vulnerability. Workarounds may reduce functionality in some cases; in such cases, the reduction in functionality is identified below. 1. Disable HTTP connection reuse on an Exchange Server 2003 front-end server. By default, Exchange Server 2003 reuses HTTP Connections between front-end and back-end servers to gain improved performance. Connection reuse can be turned off on the Exchange front-end server. Doing so could cause some performance degradation, but it is an effective workaround to this vulnerability. After you apply the update to the Exchange Server 2003 front-end server, you can remove this workaround. See Microsoft Knowledge Base Article 832749 for information about how to disable HTTP connection reuse on a Microsoft Exchange Server 2003 front-end server. Impact of workaround: Clients may experience small performance degradation when they use OWA to access their mailboxes. 2. Enable Kerberos on the virtual server that hosts OWA on the Exchange Server 2003 back-end server. The only known way that this vulnerability can be exposed is if Kerberos is disabled on the Internet Information Services virtual server where Outlook Web Access is hosted on the back-end server. This configuration change may occur when Windows SharePoint Services (WSS) 2.0 is installed on the same virtual server. See Microsoft Knowledge Base Article 832769 for information about how to configure Windows SharePoint Services to use Kerberos authentication. See Microsoft Knowledge Base Article 823265 for information about how to re-enable OWA and other Exchange components after you install Windows SharePoint Services. Impact of workaround: None Frequently Asked Questions What is the scope of the vulnerability? 
Users who use Outlook Web Access for Exchange Server 2003 to access their mailboxes could connect to another user's mailbox. An attacker seeking to exploit this vulnerability could not predict which mailbox they would become connected to or if they would connect to another user's mailbox at all. The vulnerability causes random and unreliable access to mailboxes and is specifically limited to mailboxes that have recently been accessed through OWA. This behavior occurs when OWA is used in an Exchange front-end server configuration and when Kerberos is disabled as an authentication method for the IIS Web site that hosts OWA on the back-end Exchange servers. By default, Kerberos authentication is used as the HTTP authentication method between Exchange Server 2003 front-end and back-end Exchange servers. This vulnerability is only exposed if the Web site that is running the Exchange Server 2003 programs on the Exchange back-end server has been configured not to use Kerberos authentication, and OWA is using NTLM authentication. This configuration change can occur when Microsoft Windows SharePoint Services is installed on a Windows Server 2003 server that also functions as an Exchange Server 2003 back-end. What causes the vulnerability? The vulnerability results because of the way that HTTP connections are reused when using NTLM authentication between Exchange 2003 front-end servers and Exchange 2003 back-end servers when the back-end server is running Windows Server 2003. Even though Kerberos is enabled and used by default when an Exchange Server 2003 front-end component authenticates to the back-end Exchange server, there are situations when Kerberos authentication is explicitly disabled on the back-end server, and therefore only NTLM authentication is available. What is Outlook Web Access? Outlook Web Access is a feature of Exchange Server. 
By using OWA, a server that is running Exchange Server can also function as a Web site that lets authorized users read or send e-mail messages, manage their calendar, or perform other mail functions over the Internet by using a Web browser. OWA can be deployed in an Exchange front-end/back-end server configuration. What are front-end and back-end Exchange servers? Exchange can be deployed so that end users with mailboxes on multiple servers can all connect to a single front-end Exchange server. This front-end server in turn connects ("proxies") to the appropriate back-end servers where mailboxes are actually stored. What are Kerberos and NTLM? Kerberos and NTLM are two different authentication protocols. Kerberos is the preferred Windows authentication protocol. It is used whenever possible and is the default protocol that Exchange Server 2003 uses between front-end and back-end Exchange servers for Outlook Web Access. NTLM authentication can be used as an alternate method when Kerberos authentication is unavailable. How do I verify whether Kerberos is enabled for Outlook Web Access? By default, Kerberos is enabled for OWA for Exchange Server 2003. However, because Internet Information Services is the Windows component that hosts OWA, check the configuration of your IIS server to verify that Kerberos is enabled. To verify the IIS authentication setting, look in the IIS metabase on the Exchange back-end server. To do so, use the following command-line commands: * cscript.exe %SystemDrive%\inetpub\adminscripts\adsutil.vbs get w3svc/NTAuthenticationProviders -or- * cscript.exe %SystemDrive%\inetpub\adminscripts\adsutil.vbs get w3svc/1/root/NTAuthenticationProviders If only the value "NTLM" is returned, there may be a problem. The correct response is: * "The parameter 'NTAuthenticationProviders' is not set at this node." -or- * "Negotiate, NTLM" The term negotiate is used to describe Kerberos authentication over HTTP. 
See Microsoft Knowledge Base Article 832769 for information about how to configure Windows SharePoint Services to use Kerberos authentication.

I did not change any default security settings on my Exchange server. Is there any other way Kerberos might have been disabled on the Web site hosting the Exchange programs on the back-end Exchange server?
Yes. When a Microsoft Internet Information Services virtual server is extended with Windows SharePoint Services, the virtual server is subsequently configured to use Integrated Windows authentication (formerly named NTLM, or Windows NT Challenge/Response authentication) and explicitly disables Kerberos authentication. If Windows SharePoint Services (WSS) has been installed on the same server as an Exchange Server 2003 back-end running Windows Server 2003, Kerberos might have been disabled on the Web site hosting the Exchange programs. See Microsoft Knowledge Base Article 832769 for information about how to configure Windows SharePoint Services to use Kerberos authentication. See Microsoft Knowledge Base Article 823265 for information about how to re-enable OWA and other Exchange components after you install Windows SharePoint Services.

Who could exploit the vulnerability?
To exploit this vulnerability, an attacker would have to be an authorized user who has a mailbox on the same back-end Exchange server and who could first authenticate through OWA by using valid credentials. The mailbox that an attacker could access is random and cannot be predicted. It is also not certain that the attacker would get connected to another user's mailbox at all.

What could this vulnerability allow an attacker to do?
An authenticated user who gained access to another user's mailbox that is hosted on the same Exchange system could perform any action that the legitimate user could do through OWA. This includes reading, sending, and deleting e-mail messages in the user's mailbox.

What systems are primarily at risk from the vulnerability?
Only systems where Outlook Web Access is accessed through a Microsoft Exchange Server 2003 front-end/back-end configuration are at risk from the vulnerability. The back-end server must be running Exchange Server 2003 on Windows Server 2003. The front-end server can be running Windows 2000 or Windows Server 2003.

Can my OWA be affected although I do not have a front-end and back-end server configuration?
No. Exchange servers running OWA on the same server as the Exchange information store are not affected; only front-end/back-end Exchange Server 2003 configurations are affected by this vulnerability.

I am running Small Business Server 2003. Am I affected by this vulnerability?
No. Small Business Server is by default a single server setup with OWA access through the same server that hosts user mailboxes. Only front-end/back-end Exchange Server 2003 configurations are affected by this vulnerability.

Are all versions of Exchange and Outlook Web Access vulnerable?
No. The vulnerability affects only Outlook Web Access for Exchange Server 2003.

On which Exchange servers should I install the update?
This update is intended for front-end servers that are running Outlook Web Access for Microsoft Exchange Server 2003. You do not have to install this update on back-end Exchange servers or on front-end Exchange servers that are not providing OWA services. However, it is recommended that you install this update on all systems that are running Exchange Server 2003 so that you are protected if you later migrate a back-end server to the role of a front-end server.

Does the update introduce any behavioral changes?
Yes. The update changes the connection pooling so that HTTP connections that use NTLM to authenticate are not added to the pool. It is unlikely that this behavioral change will be noticed by OWA end users.

What does the update do?
The update removes the vulnerability by making sure that all authentication methods re-authenticate correctly before reusing any HTTP connections between the front-end and back-end Exchange servers, and that connections that are established by using NTLM authentication are not improperly reused.

Security Update Information

Installation platforms and Prerequisites:
Exchange Server 2003 (all versions)

Prerequisites
This security update requires a released version of Exchange Server 2003.

Inclusion in future service packs:
The fix for this issue will be included in Exchange Server 2003 Service Pack 1.

Installation Information
This security update supports the following Setup switches:

/?  Show the list of installation switches.
/u  Use unattended mode (same as /m).
/m  Use unattended mode (same as /u).
/f  Force other programs to quit when the computer shuts down.
/n  Do not back up files for removal.
/o  Overwrite OEM files without prompting.
/z  Do not restart when the installation is complete.
/q  Use Quiet mode (no user interaction) and unattended mode (same as /u or /m).
/l  List installed hotfixes.
/x  Extract the files without running Setup.

See Microsoft Knowledge Base article 331646 for additional information about installer switches.

Deployment Information
To install the security update without any user intervention, use the following command line:

Exchange2003-kb832759-x86-enu /q

Restart Requirement
You do not have to restart your computer after you apply this security update. However, the installer will restart Internet Information Services (IIS) and all dependent services. Therefore, it is recommended that you apply this security update at a time when there are no users logged on through Outlook Web Access. Also, the restart of IIS stops the routing engine and the SMTP service if the front-end Exchange server is tasked with this role also. Therefore, no e-mail messages will be routed during this restart of the IIS service.
This includes incoming and outgoing SMTP e-mail traffic. Apply this update when a disruption in OWA and SMTP e-mail flow is acceptable.

Removal Information
To remove this update, use the Add or Remove Programs tool in Control Panel. System administrators can use the Spuninst.exe utility to remove this security update. The Spuninst.exe utility is located in the %Windir%\$ExchUninstall832759$\Spuninst folder. The Spuninst.exe utility supports the following Setup switches:

/?  Show the list of installation switches.
/u  Use unattended mode.
/f  Force other programs to quit when the computer shuts down.
/z  Do not restart when the installation is complete.
/q  Use Quiet mode (no user interaction).

File Information
The English version of this fix has the file attributes (or later) that are listed in the following table. The dates and times for these files are listed in coordinated universal time (UTC). When you view the file information, it is converted to local time. To find the difference between UTC and local time, use the Time Zone tab in the Date and Time tool in Control Panel.

Exchange Server 2003 Enterprise Edition and Exchange Server 2003 Standard Edition:

Date         Time   Version      Size    File Name
19-Dec-2003  18:35  6.5.6980.57  396800  exprox.dll

Verifying Update Installation
To verify that the security update is installed on your computer, use the Microsoft Baseline Security Analyzer (MBSA) tool. For additional information about MBSA, click the following article number to view the article in the Microsoft Knowledge Base:

320454 Microsoft Baseline Security Analyzer Version 1.1.1 Is Available

You may also be able to verify the files that this security update installed by reviewing the following registry key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Exchange Server 2003\SP1\832759

Note: This registry key may not be created correctly if an administrator or an OEM integrates or slipstreams the 832759 security update in the Windows installation source files.
Obtaining other security updates:
Updates for other security issues are available from the following locations:

* Security updates are available from the Microsoft Download Center, and can be most easily found by doing a keyword search for "security_patch".
* Updates for consumer platforms are available from the WindowsUpdate Web site.

Support:

* Technical support is available from Microsoft Product Support Services at 1-866-PCSAFETY for customers in the U.S. and Canada. There is no charge for support calls that are associated with security updates.
* International customers can get support from their local Microsoft subsidiaries. There is no charge for support associated with security updates. Information on how to contact Microsoft support is available at the International Support Web Site.

Security Resources:

* The Microsoft TechNet Security Web Site provides additional information about security in Microsoft products.
* Microsoft Software Update Services
* Microsoft Baseline Security Analyzer (MBSA): Please view Knowledge Base Article 306460 for a list of security updates that have detection limitations with the MBSA tool.
* Windows Update
* Windows Update Catalog: Please view Knowledge Base Article 323166 for more information on the Windows Update Catalog.
* Office Update

Systems Management Server (SMS):
Systems Management Server can provide assistance deploying this security update. For information about Systems Management Server visit the SMS Web Site. SMS also provides several additional tools to assist administrators in the deployment of security updates such as the SMS 2.0 Software Update Services Feature Pack and the SMS 2.0 Administration Feature Pack. The SMS 2.0 Software Update Services Feature Pack utilizes the Microsoft Baseline Security Analyzer and the Microsoft Office Detection Tool to provide broad support for security bulletin remediation. Some software updates may require administrative rights following a restart of the computer.
Note: The inventory capabilities of the SMS 2.0 Software Update Services Feature Pack may be used for targeting updates to specific computers, and the SMS 2.0 Administration Feature Pack's Elevated Rights Deployment Tool can be used for installation. This provides optimal deployment for updates that require explicit targeting using Systems Management Server and administrative rights after the computer has been restarted.

Disclaimer:
The information provided in the Microsoft Knowledge Base is provided "as is" without warranty of any kind. Microsoft disclaims all warranties, either express or implied, including the warranties of merchantability and fitness for a particular purpose. In no event shall Microsoft Corporation or its suppliers be liable for any damages whatsoever including direct, indirect, incidental, consequential, loss of business profits or special damages, even if Microsoft Corporation or its suppliers have been advised of the possibility of such damages. Some states do not allow the exclusion or limitation of liability for consequential or incidental damages so the foregoing limitation may not apply.

Revisions:

* V1.0 January 13, 2004: Bulletin published

----- End forwarded message -----

From security em unicamp.br Wed Jan 14 11:14:45 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Wed, 14 Jan 2004 11:14:45 -0200
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20040114131439.GA93500@unicamp.br>

Dear Users,

We have updated the site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

13/1/2004
---------

CAIS
Subject: CERT Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities
http://www.security.unicamp.br/docs/bugs/2004/01/v64.txt

Microsoft ISA Server Security Bulletin
Subject: Summary for January 2004
http://www.security.unicamp.br/docs/bugs/2004/01/v63.txt

Microsoft ISA Server Security Bulletin
Subject: Summary for January 2004
http://www.security.unicamp.br/docs/bugs/2004/01/v62.txt

Microsoft Windows Security Bulletin
Subject: Summary for January 2004
http://www.security.unicamp.br/docs/bugs/2004/01/v61.txt

CAIS-Alerta
Subject: Vulnerability in Exchange Server 2003 (832759)
http://www.security.unicamp.br/docs/bugs/2004/01/v60.txt

CAIS-Alerta
Subject: Vulnerabilities in the MDAC components (832483)
http://www.security.unicamp.br/docs/bugs/2004/01/v59.txt

Update Notification (FEDORA-2003-048)
Subject: Security vulnerability in the kernel
http://www.security.unicamp.br/docs/bugs/2004/01/v58.txt

CAIS-Alerta
Subject: Vulnerabilities in the H.323 filters of Microsoft ISA Server 2000 (816458)
http://www.security.unicamp.br/docs/bugs/2004/01/v57.txt

Mandrake Linux Security Update Advisory (MDKSA-2004:002)
Subject: Security vulnerabilities in the ethereal package
http://www.security.unicamp.br/docs/bugs/2004/01/v56.txt

Debian Security Advisory (DSA-422-1)
Subject: multiple problems in cvs
http://www.security.unicamp.br/docs/bugs/2004/01/v55.txt

Cisco Security Advisory (47843)
Subject: H.323 Message Processing
http://www.security.unicamp.br/docs/bugs/2004/01/v54.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Wed Jan 14 16:18:39 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Wed, 14 Jan 2004 16:18:39 -0200
Subject: [SECURITY-L] LiveUpdate flaw allows local alteration of user privileges
Message-ID: <20040114181839.GA94128@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: LiveUpdate flaw allows local alteration of user privileges
To: security em unicamp.br
Date: Tue, 13 Jan 2004 19:09:08 -0300 (ART)

LiveUpdate flaw allows local alteration of user privileges
13/1/2004 - 17:56
Helena Nacinovic
http://www.infoguerra.com.br/infonews/viewnews.cgi?newsid1074023804,78889,/

A flaw in Symantec's LiveUpdate program, which downloads and installs new virus information for the Norton antivirus, was discovered this week. The bug allows local users to obtain administrator privileges on the affected machine and, in this way, gain access to restricted settings and files.

The bug was classified as critical by Secure Network Operations and affects machines running Windows 2000, 2003 and XP with Symantec LiveUpdate versions 1.70.x through 1.90.x, present in the following antivirus products: Norton SystemWorks 2001-2004, Norton AntiVirus (and Pro version) 2001-2004, Norton Internet Security (and Pro version) 2001-2004 and Symantec AntiVirus for Handhelds v3.0. Secure Network Operations stressed that only retail products are subject to this problem, since Symantec Enterprise products do not have automatic LiveUpdate.

To exploit the vulnerability, the attacker needs to log in to the machine as an unprivileged user and choose to download the available LiveUpdate updates. Using a help window, the attacker can open a cmd.exe prompt with administrator privileges.

Symantec has already created fixes for the problem, which can be installed using LiveUpdate itself.

----- End forwarded message -----

From security em unicamp.br Thu Jan 15 10:43:46 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Thu, 15 Jan 2004 10:43:46 -0200
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20040115124346.GA40264@unicamp.br>

Dear Users,

We have updated the site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

14/1/2004
---------

Red Hat Security Advisory (RHSA-2004:007-01)
Subject: Updated tcpdump packages fix various vulnerabilities
http://www.security.unicamp.br/docs/bugs/2004/01/v69.txt

CERT Advisory (CA-2004-01)
Subject: Multiple H.323 Message Vulnerabilities
http://www.security.unicamp.br/docs/bugs/2004/01/v68.txt

SUSE Security Announcement (SuSE-SA:2004:002)
Subject: Security vulnerability in the tcpdump package
http://www.security.unicamp.br/docs/bugs/2004/01/v67.txt

Red Hat Security Advisory (RHSA-2004:006-01)
Subject: Updated kdepim packages resolve security vulnerability
http://www.security.unicamp.br/docs/bugs/2004/01/v66.txt

KDE Security Advisory
Subject: VCF file information reader vulnerability
http://www.security.unicamp.br/docs/bugs/2004/01/v65.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Thu Jan 15 10:44:19 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Thu, 15 Jan 2004 10:44:19 -0200
Subject: [SECURITY-L] KDE 3.1.5
Message-ID: <20040115124419.GB40264@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: KDE 3.1.5
To: security em unicamp.br
Date: Thu, 15 Jan 2004 07:38:50 -0300 (ART)

KDE 3.1.5

Four months after the release of the fourth maintenance version of KDE (3.1.4), the fifth version (3.1.5) has been released. Thanks to the contributions of many users, many problems and some dangerous bugs have been fixed.
To read the announcement about the new KDE version and to download it, go to:
http://www.kde.org/announcements/announce-3.1.5.php

Source: NoticiasLinux.com.br

----- End forwarded message -----

From security em unicamp.br Thu Jan 15 16:05:36 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Thu, 15 Jan 2004 16:05:36 -0200
Subject: [SECURITY-L] Red Hat announces end of support for Red Hat Linux
Message-ID: <20040115180536.GA40764@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: Red Hat announces end of support for Red Hat Linux
To: security em unicamp.br
Date: Thu, 15 Jan 2004 12:26:48 -0300 (ART)

Red Hat announces end of support for Red Hat Linux

In line with its support policy for Red Hat Linux, Red Hat guaranteed support for each released distribution for at least 12 months. That period having already passed, Red Hat has now announced that there will be no more fixes or updates for versions 7.x and 8.0 of Red Hat. Along with that, it also announced that Red Hat 9.0 will only be supported until April 30, 2004.

The options Red Hat now offers are Red Hat Enterprise Linux (RHEL), which is paid, and the already well-known Fedora, which is free and seems to be gaining some followers. Here you can see a comparison between RHEL, Fedora and the original Red Hat: http://www.redhat.com/software/rhelorfedora/. For more information about migrating from Red Hat to one of the other available solutions: http://www.redhat.com/solutions/migration/rhl/

Source: guiadohardware.net

----- End forwarded message -----

From security em unicamp.br Fri Jan 16 11:22:23 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Fri, 16 Jan 2004 13:22:23 -0000
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20040116132408.GA86848@unicamp.br>

Dear Users,

We have updated the site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

15/1/2004
---------

@RISK
Subject: The Consensus Security Vulnerability Alert Vol. 3 No. 2
http://www.security.unicamp.br/docs/bugs/2004/01/v75.txt

SUSE Security Announcement (SuSE-SA:2004:003)
Subject: Security vulnerability in the kernel (x86_64, AMD64)
http://www.security.unicamp.br/docs/bugs/2004/01/v74.txt

Debian Security Advisory (DSA 423-1)
Subject: Security vulnerability in kernel-image-2.4.17-ia64
http://www.security.unicamp.br/docs/bugs/2004/01/v73.txt

slackware-security (SSA:2004-014-02)
Subject: Security vulnerability in INN
http://www.security.unicamp.br/docs/bugs/2004/01/v72.txt

slackware-security (SSA:2004-014-01)
Subject: Security vulnerability in kdepim
http://www.security.unicamp.br/docs/bugs/2004/01/v71.txt

Mandrake Linux Security Update Advisory (MDKSA-2004:003)
Subject: Security vulnerability in kdepim
http://www.security.unicamp.br/docs/bugs/2004/01/v70.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Mon Jan 19 12:42:01 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Mon, 19 Jan 2004 12:42:01 -0200
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20040119144200.GA408@unicamp.br>

Dear Users,

We have updated the site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

16/1/2004
---------

Debian Security Advisory (DSA 424-1)
Subject: buffer overflow in mc
http://www.security.unicamp.br/docs/bugs/2004/01/v78.txt

OpenCA Security Advisory
Subject: Vulnerability in signature verification in OpenCA
http://www.security.unicamp.br/docs/bugs/2004/01/v77.txt

OpenPKG Security Advisory (OpenPKG-SA-2004.002)
Subject: denial of service in tcpdump
http://www.security.unicamp.br/docs/bugs/2004/01/v76.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Mon Jan 19 13:18:46 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Mon, 19 Jan 2004 13:18:46 -0200
Subject: [SECURITY-L] IE flaw aids scams spreading by e-mail
Message-ID: <20040119151846.GB448@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: IE flaw aids scams spreading by e-mail
To: security em unicamp.br
Date: Fri, 16 Jan 2004 16:51:01 -0300 (ART)

IE flaw aids scams spreading by e-mail
16/1/2004 - 17:34
Helena Nacinovic - helena em infoguerra.com.br

E-mail scams that use banks as bait have proliferated in recent days, according to Panda Antivirus. The fraudulent messages that disguise themselves as notices from banks such as Citibank or Banco do Brasil have been nicknamed "phishing", a pun on the word "fishing", because they "fish" for unsuspecting Internet users.

In general, the texts of the messages have very similar content, warning users about technical or security problems that require a supposed re-registration of their confidential data. The user is then redirected to a fake site, which normally clones the appearance of the banks' official sites.
On that page, the person is instructed to provide passwords, identity information and credit card data.

Some of these scams were created to exploit the URLSpoof vulnerability in Internet Explorer, which allows the address shown in the browser's address bar to be manipulated, leading users to believe they are accessing the banks' legitimate sites. In reality, the site is a clone of the real page, reached through a link manipulated with DHTML (Dynamic HTML) code. The vulnerability, which was discovered at the end of last year, has not yet been fixed by Microsoft.

To work around the problem, users should be very careful when receiving e-mails from banks that request information. Before providing it, it is advisable to contact the bank to confirm the authenticity of the message. Care is also needed when following links from untrusted sites; it is preferable to type the address into the URL bar.

Source: http://www.infoguerra.com.br/infonews/viewnews.cgi?newsid1074281670,89578,/

----- End forwarded message -----

From security em unicamp.br Mon Jan 19 13:19:13 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Mon, 19 Jan 2004 13:19:13 -0200
Subject: [SECURITY-L] Network Security and Access Control
Message-ID: <20040119151912.GC448@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: Network Security and Access Control
To: security em unicamp.br
Date: Fri, 16 Jan 2004 16:54:34 -0300 (ART)

Network Security and Access Control

Article on Network Security and Access Control, with some tips on how to configure your Linux on a network to avoid surprises.
Link: http://www.linuxit.com.br/modules.php?name=Sections&op=viewarticle&artid=354

----- End forwarded message -----

From security em unicamp.br Mon Jan 19 13:23:17 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Mon, 19 Jan 2004 13:23:17 -0200
Subject: [SECURITY-L] Service Pack 2 and your security
Message-ID: <20040119152317.GD448@unicamp.br>

----- Forwarded message from Denny Roger -----

From: "Denny Roger"
Subject: Service Pack 2 and your security
To:
Cc:
Date: Mon, 19 Jan 2004 13:06:50 -0200
X-Mailer: Microsoft Outlook Express 6.00.2600.0000

Source: www.batori.com.br

Service Pack 2 and your security

All the documentation on Service Pack 2 for Windows XP is already available on Microsoft's site. According to the documentation, Microsoft is including new security features against computer virus attacks. The new XP security technology also includes: network protection, memory protection, safer e-mail, safer use of the browser, and improved computer maintenance. With the new Windows XP SP2, even when the latest security fixes have not been applied to the operating system, attacks will rarely succeed, according to Microsoft.

This document specifically focuses on the changes between the most recent versions of Windows XP and Windows XP Service Pack 2. Examples and details of the changes that affected the main technologies in Windows XP are described in this document. Before applying Windows XP Service Pack 2, visit http://www.microsoft.com/downloads/details.aspx?FamilyID=7bd948d7-b791-40b6-8364-685b84158c78&DisplayLang=en and download the documentation.
Author: Denny Roger
Batori Software & Security
www.batori.com.br
(11) 3105 5638

----- End forwarded message -----

From security em unicamp.br Mon Jan 19 13:29:00 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Mon, 19 Jan 2004 13:29:00 -0200
Subject: [SECURITY-L] Fake e-mail makes threats in the name of the FBI
Message-ID: <20040119152900.GE448@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: Fake e-mail makes threats in the name of the FBI
To: security em unicamp.br
Date: Fri, 16 Jan 2004 16:58:38 -0300 (ART)

Fake e-mail makes threats in the name of the FBI
Friday, January 16, 2004 - 16h10

SÃO PAULO - If you receive an e-mail (apparently) from the FBI saying that you are under investigation by the American federal police for illegally downloading movies and programs on the Internet, ignore it: it is a fake message. The FBI itself released a statement to say that it is a hoax.

The fake message, in English, carries the subject "Your IP was logged". According to the bureau, on top of that the fake e-mail carries a virus. The feds say they really are following cases of intellectual property violations, but guarantee that they are not investigating anyone or notifying people by e-mail.

Renata Mesquita, Plantão INFO

Source: http://info.abril.com.br/aberto/infonews/012004/16012004-6.shl

----- End forwarded message -----

From security em unicamp.br Mon Jan 19 13:29:52 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Mon, 19 Jan 2004 13:29:52 -0200
Subject: [SECURITY-L] Configuring your FTP server securely
Message-ID: <20040119152952.GF448@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: Configuring your FTP server securely
To: security em unicamp.br
Date: Sat, 17 Jan 2004 01:02:02 -0300 (ART)

Configuring your FTP server securely

This article presents some techniques and procedures that network administrators can use to make their FTP server more secure, especially in the case of a public FTP server.

Link: http://www.linuxit.com.br/modules.php?name=Sections&op=viewarticle&artid=355

----- End forwarded message -----

From security em unicamp.br Mon Jan 19 13:30:53 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Mon, 19 Jan 2004 13:30:53 -0200
Subject: [SECURITY-L] Mozilla 1.6
Message-ID: <20040119153053.GG448@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: Mozilla 1.6
To: security em unicamp.br
Date: Sat, 17 Jan 2004 15:51:55 -0300 (ART)

Mozilla 1.6

The Mozilla Foundation has released the final 1.6 version of the patriarch of its browser family. The new version includes the classic bug fixes, small changes in Mozilla Mail, support for cross-platform NTLM authentication (useful for those who use Mozilla on non-Windows platforms in Microsoft networks), the ability to reload windows showing page source, and so on.
Maiores informações no site abaixo: http://www.mozilla.org/releases/mozilla1.6/ Download for Linux: http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.6/mozilla-i686-pc-linux-gnu-1.6-installer.tar.gz Download for MS Windows: http://ftp.mozilla.org/pub/mozilla.org/mozilla/releases/mozilla1.6/mozilla-win32-1.6-installer.exe ______________________________________________________________________ Yahoo! GeoCities: a maneira mais fácil de criar seu web site grátis! http://br.geocities.yahoo.com/ ----- End forwarded message ----- From security em unicamp.br Mon Jan 19 14:30:13 2004 From: security em unicamp.br (Security Team - UNICAMP) Date: Mon, 19 Jan 2004 14:30:13 -0200 Subject: [SECURITY-L] SpamAssassin 2.62 Message-ID: <20040119163013.GA697@unicamp.br> ----- Forwarded message from Caio Souza Mendes ----- From: Caio Souza Mendes Subject: SpamAssassin 2.62 To: security em unicamp.br Date: Mon, 19 Jan 2004 12:31:28 -0300 (ART) SpamAssassin 2.62 Enviado em: Monday, January 19 @ 10:36:46 EDT SpamAssassin é um filtro de emails que utiliza análises de texto para identificar SPAM... Uma vez identificado, o email pode ser opcionalmente marcado como SPAM para filtragem posterior utilizando mecanismos de seu próprio MUA... SpamAssassin também oferece uma ferramenta de comando de linha para filtragem utilizando módulos PERL próprios, permitindo que o mesmo possa ser usado como proteção de spam em servidores proxy POP/IMAP... http://www.spamassassin.org Fonte: http://www.linuxsecurity.com.br/article.php?sid=8211&mode=thread&order=0 ______________________________________________________________________ Yahoo! GeoCities: a maneira mais fácil de criar seu web site grátis! 
http://br.geocities.yahoo.com/ ----- End forwarded message ----- From security em unicamp.br Tue Jan 20 09:54:11 2004 From: security em unicamp.br (Security Team - UNICAMP) Date: Tue, 20 Jan 2004 09:54:11 -0200 Subject: [SECURITY-L] Vulnerabilidades de Seguranca Message-ID: <20040120115411.GA47664@unicamp.br> Srs. Usuarios, Atualizamos o site da Equipe de Seguranca em Sistemas e Redes da Unicamp com os seguintes boletins de vulnerabilidades: 20/1/2004 --------- ANUNCIO DE SEGURANCA DO CONECTIVA LINUX (CLA-2004:809) Assunto: Correcao para vulnerabilidade do tipo buffer overflow no kdepim http://www.security.unicamp.br/docs/bugs/2004/01/v86.txt ANUNCIO DE SEGURANCA DO CONECTIVA LINUX (CLA-2004:809) Assunto: Correcao de seguranca no pacote screen http://www.security.unicamp.br/docs/bugs/2004/01/v85.txt ANUNCIO DE SEGURANCA DO CONECTIVA LINUX (CLA-2004:808) Assunto: Correcao para vulnerabilidade remota no cvs http://www.security.unicamp.br/docs/bugs/2004/01/v84.txt 19/1/2004 --------- Fedora-list Assunto: Fedora Core 1 for AMD64 test1 http://www.security.unicamp.br/docs/bugs/2004/01/v83.txt Guardian Digital Security Advisory (ESA-20040119-002) Assunto: multiple vulnerabilities in libpcap, tcpdump http://www.security.unicamp.br/docs/bugs/2004/01/v82.txt Debian Security Advisory (DSA 427-1) Assunto: mising boundary check in kernel-patch-2.4.17-mips http://www.security.unicamp.br/docs/bugs/2004/01/v81.txt 18/1/2004 --------- Debian Security Advisory (DSA 426-1) Assunto: insecure temporary files in netpbm-free http://www.security.unicamp.br/docs/bugs/2004/01/v80.txt 16/1/2004 --------- Debian Security Advisory (DSA 425-1) Assunto: multiple vulnerabilities in tcpdump http://www.security.unicamp.br/docs/bugs/2004/01/v79.txt -- Equipe de Seguranca em Sistemas e Redes Unicamp - Universidade Estadual de Campinas mailto:security em unicamp.br http://www.security.unicamp.br From security em unicamp.br Wed Jan 21 09:46:35 2004 From: security em unicamp.br (Security Team - UNICAMP) 
Date: Wed, 21 Jan 2004 09:46:35 -0200
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20040121114635.GA2644@unicamp.br>

Dear users,

We have updated the site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

20/1/2004
---------
Security Corporation Security Advisory (SCSA-026)
Subject: Security vulnerability in the DUcalendar package
http://www.security.unicamp.br/docs/bugs/2004/01/v88.txt

Debian Security Advisory (DSA 428-1)
Subject: buffer overflow in slocate
http://www.security.unicamp.br/docs/bugs/2004/01/v87.txt

--
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Wed Jan 21 10:22:01 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Wed, 21 Jan 2004 10:22:01 -0200
Subject: [SECURITY-L] News Bulletins
Message-ID: <20040121122201.GA2711@unicamp.br>

Dear users,

We have updated the site of the Unicamp Systems and Network Security Team with the following news bulletins and/or electronic magazines:

20/1/2004
---------
SecurityFocus Newsletter #232
Source: SecurityFocus
http://www.security.unicamp.br/docs/informativos/2004/01/b10.txt

19/1/2004
---------
MODULO SECURITY NEWS (No.325 : Perspectivas 2004 - Parte 1)
Source: Modulo
http://www.security.unicamp.br/docs/informativos/2004/01/b9.txt

14/1/2004
---------
SANS NewsBites Vol. 6 Num. 2
Source: SANS
http://www.security.unicamp.br/docs/informativos/2004/01/b8.txt

--
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Thu Jan 22 09:46:06 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Thu, 22 Jan 2004 09:46:06 -0200
Subject: [SECURITY-L] NIST Computer Security Incident Handling Guide
Message-ID: <20040122114606.GA57531@unicamp.br>

----- Forwarded message from Rafael R Obelheiro -----

From: Rafael R Obelheiro
Subject: [S] NIST Computer Security Incident Handling Guide
To: seguranca em pangeia.com.br
Date: Wed, 21 Jan 2004 15:21:13 -0200
Organization: DAS-UFSC

Folks,

NIST (National Institute of Standards and Technology) recently published the Computer Security Incident Handling Guide, NIST Special Publication 800-61. The guide is available for download at

http://www.csrc.nist.gov/publications/nistpubs/800-61/sp800-61.pdf

Happy reading,

--rro

----- End forwarded message -----

From security em unicamp.br Thu Jan 22 09:46:46 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Thu, 22 Jan 2004 09:46:46 -0200
Subject: [SECURITY-L] MS updates tool that checks system settings
Message-ID: <20040122114645.GB57531@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: MS updates tool that checks system settings
To: security em unicamp.br
Date: Wed, 21 Jan 2004 17:51:46 -0300 (ART)

MS updates tool that checks system settings
Wednesday, 21 January 2004 - 14h02
IDG Now!

On Tuesday (20/01) Microsoft released a new version of a tool that detects faulty settings capable of leaving some users vulnerable to security flaws.
Microsoft Baseline Security Analyzer (MBSA) 1.2 adds support for several of the company's products, among them Exchange 2003 and the last three versions of BizTalk Server. The release is available in three languages: French, German and Japanese.

MBSA scans one or more computers running the Windows operating system to make sure they are up to date with the latest security fixes. The software checks the operating system and other components, among them Internet Information Server and SQL Server. The tool also supports Office 2000, XP and 2003; in that case, however, the user cannot scan the system remotely.

Other products supported by MBSA 1.2 include Commerce Server 2000 and 2002; Content Management Server 2001 and 2002; SNA Server 4.0; Microsoft Virtual Machine; and XML 2.5, 2.6, 3.0 and 4.0.

[ John Fontana - Network World Fusion, USA ]

Source: http://idgnow.terra.com.br/idgnow/corporate/2004/01/0012

From security em unicamp.br Thu Jan 22 10:01:45 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Thu, 22 Jan 2004 10:01:45 -0200
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20040122120144.GA57633@unicamp.br>

Dear users,

We have updated the site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

21/1/2004
---------
Gentoo Linux Security Advisory (GLSA 200401-02)
Subject: Honeyd remote detection vulnerability via a probe packet
http://www.security.unicamp.br/docs/bugs/2004/01/v94.txt

Fedora List
Subject: Fedora News Updates #3
http://www.security.unicamp.br/docs/bugs/2004/01/v93.txt

Cisco Security Advisory (Cisco voice products)
Subject: Voice Product Vulnerabilities on IBM Servers
http://www.security.unicamp.br/docs/bugs/2004/01/v92.txt

Trustix Secure Linux Security Advisory (#2004-0005)
Subject: possible privilege elevation in slocate
http://www.security.unicamp.br/docs/bugs/2004/01/v91.txt

Red Hat Security Advisory (RHSA-2004:034-01)
Subject: Updated mc packages resolve buffer overflow vulnerability
http://www.security.unicamp.br/docs/bugs/2004/01/v90.txt

Honeyd Security Advisory (2004-001)
Subject: Security vulnerability in the Honeyd package
http://www.security.unicamp.br/docs/bugs/2004/01/v89.txt

--
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Mon Jan 26 11:04:21 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Mon, 26 Jan 2004 11:04:21 -0200
Subject: [SECURITY-L] Security Vulnerabilities
Message-ID: <20040126130421.GA54860@unicamp.br>

Dear users,

We have updated the site of the Unicamp Systems and Network Security Team with the following vulnerability bulletins:

23/1/2004
---------
Mandrake Linux Security Update Advisory (MDKSA-2004:005)
Subject: Security vulnerability in the jabber package
http://www.security.unicamp.br/docs/bugs/2004/01/v98.txt

Mandrake Linux Security Update Advisory (MDKSA-2004:004)
Subject: Security vulnerability in the slocate package
http://www.security.unicamp.br/docs/bugs/2004/01/v97.txt

S-Quadra Security Research (#2004-01-23)
Subject: QuadComm Q-Shop ASP Shopping Cart Software
http://www.security.unicamp.br/docs/bugs/2004/01/v96.txt

22/1/2004
---------
@RISK
Subject: The Consensus Security Vulnerability Alert Vol. 3 No. 3
http://www.security.unicamp.br/docs/bugs/2004/01/v95.txt

--
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Mon Jan 26 16:21:58 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Mon, 26 Jan 2004 16:21:58 -0200
Subject: [SECURITY-L] Nessus 2.0.10a
Message-ID: <20040126182156.GA339@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: Nessus 2.0.10a
To: security em unicamp.br
Date: Mon, 26 Jan 2004 14:59:15 -0300 (ART)

Nessus 2.0.10a

Nessus is a remote security/vulnerability scanner for Linux, BSD, Solaris and other *NIX systems in general. It is multi-threaded and plugin-based, has a GTK interface that makes it easier to configure and understand, and can perform more than 900 remote security checks. It can display a report generated in HTML, XML, LaTeX and ASCII text, and suggests a solution for each problem found.

http://www.nessus.org/

Source: http://www.linuxsecurity.com.br/article.php?sid=8235&mode=thread&order=0

----- End forwarded message -----

From security em unicamp.br Mon Jan 26 16:22:23 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Mon, 26 Jan 2004 16:22:23 -0200
Subject: [SECURITY-L] Nmap 3.50
Message-ID: <20040126182223.GB339@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: Nmap 3.50
To: security em unicamp.br
Date: Mon, 26 Jan 2004 15:00:26 -0300 (ART)

Nmap 3.50

New version available. Nmap is a tool for network security auditing/exploration. It supports ping scanning (to determine which hosts are "alive" on a given network), several port scanning techniques (to determine which services given hosts offer) and TCP/IP fingerprinting (to guess the remote host's operating system). Nmap also offers several other options such as sunRPC scanning, decoy scanning and much more, and is considered one of the fastest and most efficient security scanners available today.

http://www.insecure.org/nmap

Source: http://www.linuxsecurity.com.br/article.php?sid=8232&mode=thread&order=0

----- End forwarded message -----

From security em unicamp.br Tue Jan 27 09:11:40 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 27 Jan 2004 09:11:40 -0200
Subject: [SECURITY-L] ABSG - Advanced Bash Scripting Guide v2.4
Message-ID: <20040127111140.GA38788@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: ABSG - Advanced Bash Scripting Guide v2.4
To: security em unicamp.br
Date: Mon, 26 Jan 2004 15:04:24 -0300 (ART)

ABSG - Advanced Bash Scripting Guide v2.4

Almost every *UNIX user has had contact with the Bourne Again Shell (bash).
Shell scripting is something every sysadmin/programmer turns to sooner or later, and they must necessarily have at least a minimum of knowledge of it. The ABSG (Advanced Bash Scripting Guide) is a reference and a tutorial on bash scripting. This book (equivalent to more than three hundred pages when printed) covers every aspect of shell scripting. It contains almost two hundred illustrative and very well commented examples.

HTML: http://www.tldp.org/LDP/abs/html/index.html
PDF: http://www.tldp.org/LDP/abs/abs-guide.pdf

Source: http://www.linuxsecurity.com.br/article.php?sid=8227&mode=thread&order=0

----- End forwarded message -----

From security em unicamp.br Tue Jan 27 09:13:00 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 27 Jan 2004 09:13:00 -0200
Subject: [SECURITY-L] An introduction to SQL Injection for Oracle developers
Message-ID: <20040127111257.GB38788@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: An introduction to SQL Injection for Oracle developers
To: security em unicamp.br
Date: Mon, 26 Jan 2004 15:01:57 -0300 (ART)

An introduction to SQL Injection for Oracle developers

This article is aimed at application developers, database administrators and auditors, so that they understand the risks of attacks based on SQL Injection.
http://www.net-security.org/dl/articles/IntegrigyIntrotoSQLInjectionAttacks.pdf

Source: http://www.linuxsecurity.com.br/article.php?sid=8231&mode=thread&order=0

----- End forwarded message -----

From security em unicamp.br Tue Jan 27 09:19:17 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 27 Jan 2004 09:19:17 -0200
Subject: [SECURITY-L] Nmap 3.50
Message-ID: <20040127111917.GC38788@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: Nmap 3.50
To: security em unicamp.br
Date: Mon, 26 Jan 2004 15:00:26 -0300 (ART)

Nmap 3.50

New version available. Nmap is a tool for network security auditing/exploration. It supports ping scanning (to determine which hosts are "alive" on a given network), several port scanning techniques (to determine which services given hosts offer) and TCP/IP fingerprinting (to guess the remote host's operating system). Nmap also offers several other options such as sunRPC scanning, decoy scanning and much more, and is considered one of the fastest and most efficient security scanners available today.

http://www.insecure.org/nmap

Source: http://www.linuxsecurity.com.br/article.php?sid=8232&mode=thread&order=0

----- End forwarded message -----

From security em unicamp.br Tue Jan 27 09:19:51 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 27 Jan 2004 09:19:51 -0200
Subject: [SECURITY-L] Nessus 2.0.10a
Message-ID: <20040127111951.GD38788@unicamp.br>

----- Forwarded message from Caio Souza Mendes -----

From: Caio Souza Mendes
Subject: Nessus 2.0.10a
To: security em unicamp.br
Date: Mon, 26 Jan 2004 14:59:15 -0300 (ART)

Nessus 2.0.10a

Nessus is a remote security/vulnerability scanner for Linux, BSD, Solaris and other *NIX systems in general.
It is multi-threaded and plugin-based, has a GTK interface that makes it easier to configure and understand, and can perform more than 900 remote security checks. It can display a report generated in HTML, XML, LaTeX and ASCII text, and suggests a solution for each problem found.

http://www.nessus.org/

Source: http://www.linuxsecurity.com.br/article.php?sid=8235&mode=thread&order=0

----- End forwarded message -----

From security em unicamp.br Tue Jan 27 10:32:17 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Tue, 27 Jan 2004 10:32:17 -0200
Subject: [SECURITY-L] News Bulletin
Message-ID: <20040127123217.GA56321@unicamp.br>

Dear users,

We have updated the site of the Unicamp Systems and Network Security Team with the following news bulletins and/or electronic magazines:

26/1/2004
---------
SANS Complimentary Webcast, Thursday, January 29 - Seamless Encryption In Government
Source: SANS
http://www.security.unicamp.br/docs/informativos/2004/01/b14.txt

SecurityFocus Newsletter #233
Source: SecurityFocus
http://www.security.unicamp.br/docs/informativos/2004/01/b13.txt

No.326 : Perspectivas 2004 - Parte 2
Source: Modulo Security News
http://www.security.unicamp.br/docs/informativos/2004/01/b12.txt

21/1/2004
---------
SANS NewsBites Vol. 6 Num. 3
Source: SANS
http://www.security.unicamp.br/docs/informativos/2004/01/b11.txt

--
Systems and Network Security Team
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Wed Jan 28 09:18:04 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Wed, 28 Jan 2004 09:18:04 -0200
Subject: [SECURITY-L] CERT Advisory CA-2004-02 Email-borne Viruses
Message-ID: <20040128111804.GB56668@unicamp.br>

CERT Advisory CA-2004-02 Email-borne Viruses

Original release date: January 27, 2004
Last revised: --
Source: CERT/CC

A complete revision history can be found at the end of this file.

Systems Affected

* Any system running Microsoft Windows (all versions from Windows 95 and up) and used for reading email or accessing peer-to-peer file sharing services.

Overview

In recent weeks there have been several mass-mailing viruses released on the Internet. It is important for users to understand the risks posed by these pieces of malicious code and the steps necessary to protect their systems from virus infection.

I. Description

Over the past week, we have seen two more mass-mailing viruses, W32/Bagle and W32/Novarg, impact a significant number of home users and sites. The technology used in these viruses is not significantly different from prior mass-mailing viruses such as W32/Sobig and W32/Mimail. Unsolicited email messages containing attachments are sent to unsuspecting recipients. They may contain a return address, a provocative envelope, or something else that encourages its receiver to open it. This technique is called social engineering. Because we are trusting and curious, social engineering is often effective. The widespread impact of these latest viruses, which rely on human intervention to spread, demonstrates the effectiveness of social engineering.
It continues to be important to ensure that anti-virus software is used and updated regularly, that attachments are examined on mail servers, and that firewalls filter unneeded ports and protocols. It also remains necessary that users be educated about the dangers of opening attachments, especially executable attachments.

CERT Incident Note IN-2004-01 - W32/Novarg
http://www.cert.org/incident_notes/IN-2004-01.html

CERT Incident Note IN-2003-03 - W32/Sobig.F
http://www.cert.org/incident_notes/IN-2003-03.html

CERT Incident Note IN-2003-02 - W32/Mimail
http://www.cert.org/incident_notes/IN-2003-02.html

II. Impact

A virus infection can have significant consequences on your computer system. These consequences include, but are not limited to:

* Information disclosure - Mass-mailing viruses typically harvest email addresses from the addressbooks or files found on an infected system. Some viruses will also attempt to send files from an infected host to other potential victims or even back to the virus author. These files may contain sensitive information.

* Add/Modify/Delete files - Once a system is compromised, a virus could potentially add, modify or delete arbitrary files on the system. These files may contain personal information or be required for the proper operation of the computer system.

* Affect system stability - Viruses can consume significant amounts of computer resources causing a system to run slowly or be rendered unusable.

* Install a backdoor - Many viruses will install a backdoor on an infected system. This backdoor may be used by a remote attacker to gain access to the system, or view/add/modify/delete files on the system. These backdoors may also be leveraged to download and control additional tools for use in distributed denial-of-service (DDoS) attacks against other sites.

* Attack other systems - Systems infected by viruses are frequently used to attack other systems. These attacks frequently involve attempts to exploit vulnerabilities on the remote systems or denial-of-service attacks that utilize a high volume of network traffic.

* Send unsolicited bulk email (spam) to other users - There have been numerous reports of spammers leveraging compromised systems to send unsolicited bulk email. Frequently these compromised systems are poorly protected end user computers (e.g., home and small business systems).

III. Solution

In addition to following the steps outlined in this section, the CERT/CC encourages home users to review the "Home Network Security" and "Home Computer Security" documents.

Home Network Security
http://www.cert.org/tech_tips/home_networks.html

Home Computer Security
http://www.cert.org/homeusers/HomeComputerSecurity/

Run and maintain an anti-virus product

While an up-to-date antivirus software package cannot protect against all malicious code, for most users it remains the best first line of defense against malicious code attacks. Users may wish to read IN-2003-01 for more information on anti-virus software and security issues.

CERT Incident Note IN-2003-01
http://www.cert.org/incident_notes/IN-2003-01.html

Most antivirus software vendors release frequently updated information, tools, or virus databases to help detect and recover from malicious code. Therefore, it is important that users keep their antivirus software up to date. The CERT/CC maintains a partial list of antivirus vendors.

Computer Virus Resources
http://www.cert.org/other_sources/viruses.html

Many antivirus packages support automatic updates of virus definitions. The CERT/CC recommends using these automatic updates when available.

Do not run programs of unknown origin

Do not download, install, or run a program unless you know it to be authored by a person or company that you trust. Email users should be wary of unexpected attachments. Be sure you know the source of an attachment before opening it.
Also remember that it is not enough that the mail originated from an email address you recognize. The Melissa virus spread precisely because it originated from a familiar email address.

Users should also be wary of URLs in email messages. URLs can link to malicious content that in some cases may be executed without user intervention. A common social engineering technique known as "phishing" uses misleading URLs to entice users to visit malicious web sites. These sites spoof legitimate web sites to solicit sensitive information such as passwords or account numbers.

In addition, users of Internet Relay Chat (IRC), Instant Messaging (IM), and file-sharing services should be particularly careful of following links or running software sent to them by other users. These are commonly used methods among intruders attempting to build networks of distributed denial-of-service (DDoS) agents.

Use a personal firewall

A personal firewall will not necessarily protect your system from an email-borne virus, but a properly configured personal firewall may prevent the virus from downloading additional components or launching attacks against other systems. Unfortunately, once on a system, a virus may be able to disable a software firewall, thus eliminating its protection.

Email gateway filtering

Depending on your business requirements, it is advisable to configure filtering of specific file extensions of email attachments at the email gateway. This filtering should be configured carefully, as this may affect legitimate attachments as well. It is recommended that attachments are quarantined for later examination and/or possible retrieval.
Recovering from a system compromise

If you believe a system under your administrative control has been compromised, please follow the steps outlined in

Steps for Recovering from a UNIX or NT System Compromise
http://www.cert.org/tech_tips/win-UNIX-system_compromise.html

_________________________________________________________________

Authors: Jeff Carpenter, Chad Dougherty, Jeff Havrilla, Allen Householder, Brian King, Marty Lindner, Art Manion, Damon Morda, Rob Murawski

______________________________________________________________________

This document is available from:
http://www.cert.org/advisories/CA-2004-02.html

______________________________________________________________________

CERT/CC Contact Information

Email: cert em cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
  CERT Coordination Center
  Software Engineering Institute
  Carnegie Mellon University
  Pittsburgh PA 15213-3890
  U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from
http://www.cert.org/CERT_PGP.key

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site
http://www.cert.org/

To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo em cert.org. Please include in the body of your message

subscribe cert-advisory

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.

______________________________________________________________________

NO WARRANTY

Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis.
Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.

______________________________________________________________________

Conditions for use, disclaimers, and sponsorship information

Copyright 2004 Carnegie Mellon University.

Revision History

January 27, 2004: Initial release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQBabI5Z2NNT/dVAVAQEarAQAnpwtajJK0Rv9UkZvfRYjeQHrfZCwkGfg
CFt8o8PO+5QS2U5JbfQRMm+Qjpm+c1x4BERtH5V0HwVhr85G8jBNGjYrfXrm4Ybw
vwNIfdsaRgpoiHekseNel2k38vs7urgnrMXL6nK2Y/WcjLMPpT8cXu04jq8nVI05
/3+ek6Y/4LE=
=Ftap
-----END PGP SIGNATURE-----

From security em unicamp.br Wed Jan 28 09:16:29 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Wed, 28 Jan 2004 09:16:29 -0200
Subject: [SECURITY-L] CAIS-Alerta: Propagation of the Novarg.A/Mydoom virus
Message-ID: <20040128111629.GA56668@unicamp.br>

----- Forwarded message from Centro de Atendimento a Incidentes de Seguranca -----

From: Centro de Atendimento a Incidentes de Seguranca
Subject: CAIS-Alerta: Propagation of the Novarg.A/Mydoom virus
To: rnp-alerta em cais.rnp.br, rnp-seg em cais.rnp.br
Date: Tue, 27 Jan 2004 10:01:19 -0200 (BRDT)

-----BEGIN PGP SIGNED MESSAGE-----

Dear all,

CAIS is relaying the "CERT Incident Note IN-2004-01, W32/Novarg.A Virus", which deals with the propagation of the virus known as W32/Novarg.A or W32/Mydoom. The virus has three important characteristics:

. It opens a TCP port in the range 3127-3198, which suggests remote access capability on compromised systems.

. It leaves a copy in the directory "C:\Program Files\KaZaA\My Shared Folder\" that can be accessed by users of P2P applications, under suggestive names (e.g. winamp5, icq2004-final, activation_crack, strip-girl-2.0bdcom_patches, rootkitXP, office_crack, nuke2004).

. It is programmed to carry out a denial-of-service attack against the site SCO.COM.

Some of the possible subjects seen in the messages sent by the virus are:

. test
. hi
. hello
. Mail Delivery System
. Mail Transaction Failed
. Server Report
. Status
. Error

Most of the messages carry an attached file with the following names and extensions:

. document
. readme
. doc
. text
. file
. data
. test
. message
. body

.bat, .cmd, .exe, .pif, .scr, .zip

The message body may include the following contents:

"The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

"The message contains Unicode characters and has been sent as a binary attachment."

"Mail transaction failed. Partial message is available."

More information on W32/Novarg.A can be found at the URLs below:

http://www.cert.org/incident_notes/IN-2004-01.html
http://www.sarc.com/avcenter/venc/data/w32.novarg.a em mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R
http://us.mcafee.com/virusInfo/default.asp?id=mydoom
http://www.f-secure.com/v-descs/novarg.shtml
http://www.sophos.com/virusinfo/analyses/w32mydooma.html
http://www3.ca.com/virusinfo/virus.aspx?ID=38102

CAIS strongly recommends that all users keep their antivirus software up to date at all times, either daily or automatically; that they do not open attachments of any kind without first scanning them with an antivirus; and that they always make sure of the authenticity of the e-mail's origin address.
Regards,

################################################################
# CENTRO DE ATENDIMENTO A INCIDENTES DE SEGURANCA (CAIS)       #
# Rede Nacional de Ensino e Pesquisa (RNP)                     #
#                                                              #
# cais em cais.rnp.br            http://www.cais.rnp.br        #
# Tel. 019-37873300             Fax. 019-37873301              #
# PGP key available at http://www.rnp.br/cais/cais-pgp.key     #
################################################################

CERT® Incident Note IN-2004-01

The CERT Coordination Center publishes incident notes to provide information about incidents to the Internet community.

W32/Novarg.A Virus

Release Date: January 27, 2004

Overview

The CERT/CC has been receiving reports of a new mass-mailing virus known as W32/Novarg.A, W32/Shimg, or W32/Mydoom that has been reported to open a backdoor to the compromised system and possibly launch a denial-of-service attack against a web site at a fixed time in the future.

Description

The W32/Novarg.A virus attempts to do the following:

* Modify various Windows registry values so that the virus is run again upon reboot
* Open a listening TCP port in the range of 3127-3198, suggesting remote access capabilities
* Install a copy of itself in the C:\Program Files\KaZaA\My Shared Folder\ folder, which will be available for download by KaZaA users

The virus arrives as an email message with a 22,528-byte attachment that has a random filename with a file extension of .cmd, .pif, .scr, .exe, or .bat. The attachment may also arrive as a ZIP archive.

Some messages containing the virus have had the following characteristics:

Subject:
From:
To:
Body: (The body has been reported to contain one of the following three messages.)

"The message cannot be represented in 7-bit ASCII encoding and has been sent as a binary attachment."

"The message contains Unicode characters and has been sent as a binary attachment."

"Mail transaction failed. Partial message is available."
In addition to the backdoor capabilities, the virus is also believed to have the capability to launch a distributed denial-of-service attack against a specific web site beginning on February 1, 2004.

As with other malicious code having mass-mailing capabilities, W32/Novarg.A may cause "collateral" denial-of-service conditions in networks where either (a) multiple systems are infected, or (b) large volumes of infected mail are received.

The CERT/CC is continuing to analyze the malicious code and we will update this Incident Note as more information is confirmed.

Anti-virus vendors have developed signatures for W32/Novarg.A:

http://www.sarc.com/avcenter/venc/data/w32.novarg.a em mm.html
http://www.trendmicro.com/vinfo/virusencyclo/default5.asp?VName=WORM_MIMAIL.R
http://us.mcafee.com/virusInfo/default.asp?id=mydoom
http://www.f-secure.com/v-descs/novarg.shtml
http://www.sophos.com/virusinfo/analyses/w32mydooma.html
http://www3.ca.com/virusinfo/virus.aspx?ID=38102

Solutions

In addition to following the steps outlined in this section, the CERT/CC encourages home users to review the "Home Network Security" and "Home Computer Security" documents.

Run and maintain an anti-virus product

While an up-to-date antivirus software package cannot protect against all malicious code, for most users it remains the best first line of defense against malicious code attacks. Users may wish to read IN-2003-01 for more information on anti-virus software and security issues.

Most antivirus software vendors release frequently updated information, tools, or virus databases to help detect and recover from malicious code, including W32/Novarg.A. Therefore, it is important that users keep their antivirus software up to date. The CERT/CC maintains a partial list of antivirus vendors.

Many antivirus packages support automatic updates of virus definitions. The CERT/CC recommends using these automatic updates when available.
Do not run programs of unknown origin

Never download, install, or run a program unless you know it to be authored by a person or company that you trust. Email users should be wary of unexpected attachments, while users of Internet Relay Chat (IRC), Instant Messaging (IM), and file-sharing services should be particularly wary of following links or running software sent to them by other users, since these are commonly used methods among intruders attempting to build networks of distributed denial-of-service (DDoS) agents.

Filter network traffic

Reports to CERT/CC indicate that the virus opens a listening TCP port in the range of 3127-3198. Sites should consider blocking both inbound and outbound traffic to these ports, depending on network requirements, at the host and network level. If access cannot be blocked for all external hosts, the CERT/CC recommends limiting access to only those hosts that require it for normal operation. As a general rule, the CERT/CC recommends filtering all types of network traffic that are not required for normal operation.

Recovering from a system compromise

If you believe a system under your administrative control has been compromised, please follow the steps outlined in Steps for Recovering from a UNIX or NT System Compromise.

Reporting

The CERT/CC is tracking activity related to this worm as CERT#25304. Relevant artifacts or activity can be sent to cert em cert.org with the appropriate CERT# in the subject line.

Authors: Marty Lindner, Damon Morda, and Chad Dougherty

This document is available from:
http://www.cert.org/incident_notes/IN-2004-01.html

CERT/CC Contact Information

Email: cert em cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
  CERT Coordination Center
  Software Engineering Institute
  Carnegie Mellon University
  Pittsburgh PA 15213-3890
  U.S.A.
CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends. Using encryption We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from http://www.cert.org/CERT_PGP.key If you prefer to use DES, please call the CERT hotline for more information. Getting security information CERT publications and other security information are available from our web site http://www.cert.org/ To subscribe to the CERT mailing list for advisories and bulletins, send email to majordomo em cert.org. Please include in the body of your message subscribe cert-advisory * "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office. NO WARRANTY Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement. Conditions for use, disclaimers, and sponsorship information Copyright 2004 Carnegie Mellon University. 
Revision History

January 27, 2004: Initial Release

-----BEGIN PGP SIGNATURE-----
Version: PGP 6.5.8

iQCVAwUBQBZTFukli63F4U8VAQG04gP/WjFf00pOouBM54+j016cE0Y3BYWMPUJA
Acw/6EHGA2IlwLN+3sQFE0zXR++pfR2fqclist2oDcayjOOtFQbknNdLyLO6NQ1X
mNCSW1/aHZMSXclLtnpF7EIvgfo1Z8Cuv8VNkhLlBfXgiFKZDZAnj9YrycBN+YN4
oWjXDbEvUDg=
=pFpI
-----END PGP SIGNATURE-----

----- End forwarded message -----

From security em unicamp.br Wed Jan 28 16:28:50 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Wed, 28 Jan 2004 16:28:50 -0200
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20040128182845.GA13089@unicamp.br>

Dear users,

We have updated the website of Unicamp's Systems and Network Security Team with the following vulnerability bulletins:

23/1/2004
---------

Red Hat Security Advisory (RHSA-2004:032-01)
Subject: security vulnerability in the gaim package.
http://www.security.unicamp.br/docs/bugs/2004/01/v99.txt

26/01/2004
----------

Fedora Update Notification (FEDORA-2004-059)
Subject: security vulnerability in the slocate package.
http://www.security.unicamp.br/docs/bugs/2004/01/v100.txt

Slackware Security Team (SSA:2004-026-01)
Subject: security vulnerability in the gaim package.
http://www.security.unicamp.br/docs/bugs/2004/01/v101.txt

Debian Security Advisory (DSA 429-1)
Subject: security vulnerability in the gnupg package.
http://www.security.unicamp.br/docs/bugs/2004/01/v102.txt

Mandrake Linux Security Update Advisory (MDKSA-2004:006)
Subject: security vulnerability in the gaim package.
http://www.security.unicamp.br/docs/bugs/2004/01/v103.txt

Mandrake Linux Security Update Advisory (MDKSA-2004:007)
Subject: security vulnerability in the mc package.
http://www.security.unicamp.br/docs/bugs/2004/01/v112.txt

Mandrake Linux Security Update Advisory (MDKSA-2004:008)
Subject: security vulnerability in the tcpdump package.
http://www.security.unicamp.br/docs/bugs/2004/01/v104.txt

Fedora Legacy Update Advisory (FLSA:1187)
Subject: security vulnerability in the screen package.
http://www.security.unicamp.br/docs/bugs/2004/01/v105.txt

27/01/2004
----------

CAIS-Alerta
Subject: Propagation of the Novarg.A/Mydoom virus
http://www.security.unicamp.br/docs/bugs/2004/01/v106.txt

Gentoo Linux Security Advisory (GLSA 200401-03)
Subject: Apache mod_python Denial of Service vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/01/v107.txt

CERT Advisory CA-2004-02
Subject: Email-borne Viruses.
http://www.security.unicamp.br/docs/bugs/2004/01/v108.txt

CAIS-Alerta
Subject: CA-2004-02 Propagation of E-mail Viruses
http://www.security.unicamp.br/docs/bugs/2004/01/v109.txt

Gentoo Linux Security Advisory (GLSA 200401-04)
Subject: GAIM 0.75 Remote overflows.
http://www.security.unicamp.br/docs/bugs/2004/01/v110.txt

28/01/2004
----------

Debian Security Advisory (DSA 430-1)
Subject: security vulnerability in the trr19 package.
http://www.security.unicamp.br/docs/bugs/2004/01/v111.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br

From security em unicamp.br Fri Jan 30 12:28:28 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Fri, 30 Jan 2004 12:28:28 -0200
Subject: [SECURITY-L] Virus removal utilities and guides for AVG
Message-ID: <20040130142828.GA15306@unicamp.br>

Users of AVG Anti-Virus with up-to-date virus databases may keep receiving false alert messages stating that the I-Worm/Mydoom virus was sent from their e-mail address. This happens because the I-Worm/Mydoom virus alters the sender address of the infected e-mail. Because of this, it becomes very difficult to identify the real sender of the virus and then notify them that their computer is infected.

This can cause the virus to display an e-mail address different from the one the real sender of the infected e-mail has. When such an e-mail is detected by the antivirus system on the computer receiving the infected message, in most cases a warning notice is sent to the sender address indicated in the infected message, even if the e-mail was NOT sent from that address.

Source: http://www.avgbrasil.com.br/br_index.phtml?obj_id=301

From security em unicamp.br Fri Jan 30 14:36:01 2004
From: security em unicamp.br (Security Team - UNICAMP)
Date: Fri, 30 Jan 2004 14:36:01 -0200
Subject: [SECURITY-L] Security vulnerabilities
Message-ID: <20040130163600.GA45145@unicamp.br>

Dear users,

We have updated the website of Unicamp's Systems and Network Security Team with the following vulnerability bulletins:

28/01/2004
----------

SGI Security Advisory (20040103-01-U)
Subject: SGI Advanced Linux Environment security update #9
http://www.security.unicamp.br/docs/bugs/2004/01/v113.txt

Fedora Legacy Update Advisory (FLSA:1207)
Subject: Updated cvs resolves security vulnerability.
http://www.security.unicamp.br/docs/bugs/2004/01/v114.txt

29/01/2004
----------

SuSE Security Announcement (SuSE-SA:2004:004)
Subject: security vulnerability in the gaim package.
http://www.security.unicamp.br/docs/bugs/2004/01/v115.txt

SGI Security Advisory (20040104-01-P)
Subject: userland binary vulnerabilities.
http://www.security.unicamp.br/docs/bugs/2004/01/v116.txt

Cisco Security Advisory
Subject: Buffer Overrun in Microsoft Windows 2000 Workstation Service (MS03-049).
http://www.security.unicamp.br/docs/bugs/2004/01/v117.txt

--
Equipe de Seguranca em Sistemas e Redes
Unicamp - Universidade Estadual de Campinas
mailto:security em unicamp.br
http://www.security.unicamp.br
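The CERT/CC incident note earlier on this page recommends checking for and filtering the listening TCP port range 3127-3198 that W32/Novarg.A is reported to open. The following Python script is an added example, not part of any of the forwarded messages or of CERT/CC's own tooling: it parses `netstat -an` style output and reports listening TCP sockets inside the advisory's range, so an administrator can triage hosts before applying host or network filters. The netstat sample is constructed for the example, and the function and variable names are my own.

```python
"""Flag listening TCP sockets inside the port range named in CERT/CC IN-2004-01.

Added example for the W32/Novarg.A incident note; not CERT/CC code.
"""
import re
from typing import List, Tuple

# Port range taken from the incident note (3127-3198, inclusive).
NOVARG_PORTS = range(3127, 3199)

# Constructed sample of `netstat -an` output (not captured from a real host).
SAMPLE_NETSTAT = """\
Proto  Local Address          Foreign Address        State
TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
TCP    0.0.0.0:3127           0.0.0.0:0              LISTENING
TCP    192.168.1.10:3389      192.168.1.20:50231     ESTABLISHED
TCP    [::]:3130              [::]:0                 LISTENING
TCP    0.0.0.0:3198           0.0.0.0:0              LISTENING
UDP    0.0.0.0:137            *:*
TCP    0.0.0.0:3199           0.0.0.0:0              LISTENING
"""

# proto, local address, local port, foreign address, optional state.
# The greedy \S+ before the colon also copes with bracketed IPv6 addresses.
LINE_RE = re.compile(r"^(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)$")


def parse_netstat(text: str) -> List[Tuple[str, str, int, str]]:
    """Return (proto, local_addr, local_port, state) rows, skipping the header."""
    rows = []
    for line in text.splitlines():
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # header line or unexpected layout
        proto, addr, port, _foreign, state = match.groups()
        rows.append((proto, addr, int(port), state))
    return rows


def suspicious_listeners(text: str, ports: range = NOVARG_PORTS) -> List[int]:
    """Sorted local TCP ports in LISTENING state that fall inside `ports`.

    The range defaults to the advisory's 3127-3198 but can be swapped for any
    other range under investigation.
    """
    return sorted(
        port
        for proto, _addr, port, state in parse_netstat(text)
        if proto == "TCP" and state == "LISTENING" and port in ports
    )


if __name__ == "__main__":
    hits = suspicious_listeners(SAMPLE_NETSTAT)
    if hits:
        print("listening ports inside the advisory range:", hits)
    else:
        print("no listeners inside the advisory range")
```

A hit is a reason to investigate the host (and to confirm filtering at the perimeter), not proof of infection on its own, since legitimate software may use ports in that range; the note's own advice is to block or restrict the range unless a site requires it.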