Rmus
October 14th, 2005, 07:26 AM
Several articles and newsletters/advisories are predicting the inevitable worm and subsequent onslaught of infected machines, as occurred with Zotob.
But this need not be inevitable if some common sense and a properly configured firewall are in place.
Some excerpts from the latest MS Technet Bulletins:
Vulnerability in DirectShow (http://www.microsoft.com/technet/security/Bulletin/MS05-050.mspx)
Who could exploit the vulnerability?
On a Windows operating system, any anonymous user who could deliver a specially crafted .avi file to the affected system could try to exploit this vulnerability.
In a Web-based attack scenario, an attacker would have to host a Web site that contains a Web page that is used to try to exploit this vulnerability. An attacker would have no way to force users to visit a malicious Web site. Instead, an attacker would have to persuade them to visit the Web site, typically by getting them to click a link that takes them to the attacker's site.
----------------------------
Vulnerabilities in MSDTC and COM+ (http://www.microsoft.com/technet/security/Bulletin/MS05-051.mspx)
Firewall best practices and standard default firewall configurations can help protect networks from attacks that originate outside the enterprise perimeter. Best practices recommend that systems that are connected to the Internet have a minimal number of ports exposed.
Some Workarounds for MSDTC Vulnerability - CAN-2005-2119:
Block the following at the firewall:
==> All unsolicited inbound traffic on ports greater than 1024
==> Any other specifically configured RPC port
These ports can be used to initiate a connection with MSDTC. Blocking them at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Also, make sure that you block any other specifically-configured RPC port on the remote system. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports. While RPC can use UDP ports 135, 137, 138, 445, and TCP ports 135, 139, 445, and 593, the MSDTC service is not vulnerable over those ports.
Some Workarounds for COM+ Vulnerability - CAN-2005-1978:
Block the following at the firewall:
==> UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593
==> If installed, COM Internet Services (CIS) or RPC over HTTP, which listen on ports 80 and 443
These ports are used to initiate a connection with RPC. Blocking them at the firewall will help protect systems that are behind that firewall from attempts to exploit this vulnerability. Also, make sure that you block any other specifically configured RPC port on the remote system. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.
-----------------------------
You may remember similar advice about the vulnerability that led to Zotob:
Vulnerability in Plug and Play (http://www.microsoft.com/technet/security/Bulletin/MS05-039.mspx)
Block TCP ports 139 and 445 at the firewall:
These ports are used to initiate a connection with the affected protocol. Blocking them at the firewall, both inbound and outbound, will help prevent systems that are behind that firewall from attempts to exploit this vulnerability. We recommend that you block all unsolicited inbound communication from the Internet to help prevent attacks that may use other ports.
------------------------------
Safe computing to all!
-rich
________________
~~Be ALERT!!! ~~
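As an added example, not part of Rmus's post or of the Microsoft bulletins, the following Python model turns the quoted workarounds into a stateful inbound policy and runs constructed sample traffic through it. The port sets come from the bulletin text above; the addresses (RFC 5737 documentation ranges), the published mail service, and the `PerimeterFilter`/`Packet`/`demo` names are assumptions made for illustration. The point it shows is the distinction the bulletins rely on: "unsolicited" inbound traffic is anything that does not match a connection the inside host opened, so a packet aimed at an ephemeral port above 1024 is dropped unless it is a reply to a recorded outbound session.

```python
"""
Model of the inbound firewall policy described in the MS05-051 and MS05-039
workarounds: drop the RPC/SMB ports, drop all unsolicited inbound traffic on
ports above 1024, and otherwise admit only solicited replies and explicitly
published services.  Example code, not from the post or from Microsoft.
"""
from dataclasses import dataclass
from typing import Dict, Set, Tuple

# Ports named in the quoted bulletins.
RPC_TCP_PORTS = {135, 139, 445, 593}
RPC_UDP_PORTS = {135, 137, 138, 445}
# COM Internet Services / RPC over HTTP; block only where that role is installed.
RPC_OVER_HTTP_PORTS = {80, 443}

Decision = Tuple[str, str]  # ("ALLOW" | "DROP", reason)


@dataclass(frozen=True)
class Packet:
    proto: str  # "tcp" or "udp"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int


class PerimeterFilter:
    """Stateful filter for traffic arriving from the Internet side (assumed design)."""

    def __init__(self, published: Set[Tuple[str, int]], rpc_over_http_installed: bool):
        # Services deliberately exposed, e.g. {("tcp", 25)} for a mail relay.
        self.published = published
        self.rpc_over_http_installed = rpc_over_http_installed
        # Reply tuples for connections opened from inside; a matching inbound
        # packet is "solicited" in the bulletin's sense.
        self.expected_replies: Set[Tuple[str, str, int, str, int]] = set()

    def outbound(self, pkt: Packet) -> None:
        """Record an outbound packet so the peer's reply is admitted."""
        self.expected_replies.add(
            (pkt.proto, pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port))

    def inbound(self, pkt: Packet) -> Decision:
        """Decide on a packet arriving from outside, most specific rule first."""
        key = (pkt.proto, pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port)
        if key in self.expected_replies:
            return ("ALLOW", "solicited reply to an outbound session")
        # RPC/SMB ports are blocked even if someone tries to publish them.
        if pkt.proto == "tcp" and pkt.dst_port in RPC_TCP_PORTS:
            return ("DROP", f"RPC/SMB tcp/{pkt.dst_port} (MS05-051, MS05-039)")
        if pkt.proto == "udp" and pkt.dst_port in RPC_UDP_PORTS:
            return ("DROP", f"RPC/NetBIOS udp/{pkt.dst_port} (MS05-051)")
        if (self.rpc_over_http_installed and pkt.proto == "tcp"
                and pkt.dst_port in RPC_OVER_HTTP_PORTS):
            return ("DROP", f"RPC over HTTP tcp/{pkt.dst_port} (MS05-051)")
        if (pkt.proto, pkt.dst_port) in self.published:
            return ("ALLOW", "published service")
        if pkt.dst_port > 1024:
            return ("DROP", "unsolicited inbound above 1024 (MSDTC workaround)")
        return ("DROP", "unsolicited inbound, not a published service")


def demo() -> Dict[str, Decision]:
    """Run constructed sample traffic (RFC 5737 addresses) through the filter."""
    fw = PerimeterFilter(published={("tcp", 25)}, rpc_over_http_installed=False)
    inside, web, outside = "192.0.2.5", "203.0.113.10", "198.51.100.7"
    # The inside host browses to a web server; the reply is solicited.
    fw.outbound(Packet("tcp", inside, 50001, web, 80))
    samples = {
        "reply_to_browsing": Packet("tcp", web, 80, inside, 50001),
        "smb_445": Packet("tcp", outside, 40000, inside, 445),
        "netbios_137": Packet("udp", outside, 137, inside, 137),
        "high_port_1030": Packet("tcp", outside, 40001, inside, 1030),
        "mail_25": Packet("tcp", outside, 40002, inside, 25),
        # Same inside port as the browsing session, but from a different peer:
        # no state entry matches, so it is unsolicited and dropped.
        "forged_reply": Packet("tcp", outside, 80, inside, 50001),
    }
    return {name: fw.inbound(p) for name, p in samples.items()}


if __name__ == "__main__":
    for name, (action, reason) in demo().items():
        print(f"{name:18} {action:5} {reason}")
```

Running the module prints one decision per sample; the `forged_reply` case is the one worth noting, since a stateless rule that merely allowed "source port 80" would have let it through, while the bulletin's "unsolicited" wording implies connection tracking.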