Security Sentinel: Virus detection, firewalls are not enough
By Toni McConnel, Contributing Editor
iApplianceWeb
(11/03/02, 11:15:55 PM EDT)
How many times a week (or a day!) does your security system detect a virus and get rid of it before it does any damage? On my system, that happens at least three times a week, sometimes many more than that. Virus attacks tend to come in spurts, the same virus hitting from multiple sources. Every time my Norton system reports that it has intercepted a virus and quarantined it, I feel a happy little spurt of satisfaction and security.
But how many times in the last year has a virus gotten past your security system, at work or at home, and infected your computer? For my system, the answer is twice, and each time I had to reformat my hard drive to get rid of it, which of course meant I had to reinstall my OS and all my software.
I'm willing to bet this has happened to you at least once in the last year, in spite of the fact that you are protected with virus detection and a firewall. How can this happen?
How this can happen is that hackers invent ways to get around virus protection faster than the security vendors can devise means to detect them. And until recently, I must admit to a level of ignorance that may be common even among fairly sophisticated computer users: I had the delusion that if I signed up with a service that provides a firewall, virus detection, and privacy control, I'd be safe.
Wrong.
Today's smart hackers are exploiting vulnerabilities in browsers, e-mail programs, and wireless networks to gain access to computers in ways that are not detected by standard virus detection software. In future columns, I'll explain some of these techniques. I'll also alert you to the vulnerabilities that are known and how to fix them, if a fix is available.
Because Microsoft products are not only ubiquitous but famous for their many security holes, we'll start there. By the way, a hacker recently broke into Microsoft's Web site where beta code is stored -- the implications for enabling future viruses are chilling. (See story in Internet Week.) Karmic justice? If that multibillion dollar company can't protect its own Web site from hackers, what hope is there for you and me?
Security alert for Windows XP users
Shane Hird of the Distributed Systems Technology Centre (http://security.dstc.edu.au) found this vulnerability in Windows XP, which was announced by Microsoft on October 16.
A security vulnerability in the Windows XP Help and Support Center makes a file intended only for use by the system available for use by any web page. An attacker can exploit the vulnerability by constructing a web page that, when opened, would call the errant function and supply the name of an existing file or folder as the argument. The attempt to upload the file or folder would fail, but the file would be deleted on the victim's system.
The user first must visit the web site, of course, and so must be lured there, usually in an HTML e-mail with an “irresistible” promise: “Earn $5000 a week in your spare time” or “Enlarge your penis by 3 inches, guaranteed!”.
The best protection against this kind of attack is to never, ever click on a URL link in an e-mail unless you know the sender, and even then you aren't completely safe, since hackers commonly use e-mail addresses they filch from people's address books.
Microsoft claims you are safe if you have already installed Microsoft's Service Pack 1. If you are not already set up to receive automatic notice of new Service Packs and security updates and patches from Microsoft, you should go immediately to http://v4.windowsupdate.microsoft.com/en/default.asp and check for available updates for your system and sign up for automatic notification of new releases.
The complete Microsoft advisory and patches are available at http://www.microsoft.com/technet/security/bulletin/MS02-060.asp
Servers running Microsoft's Internet Information Services
There are several newly discovered security vulnerabilities affecting Microsoft's Internet Information Services (IIS) 4.0, 5.0 and/or 5.1 (Microsoft Security Bulletin of October 30). Incidentally, about a year ago at least 150,000 Internet sites running IIS -- at the time representing 80,000 IP addresses worldwide -- were taken down by the Code Red II virus, according to Netcraft, which tracks Web server usage. It was at this point that Microsoft announced the Strategic Technology Protection Program, offering Microsoft technicians to work with companies to make sure systems are properly installed and configured. The company also provided an online Security Tool Kit that set higher default security levels on Windows 2000 Servers and IIS and that gave security administrators the option of turning off functions that are not needed and may pose a security risk. The following reports are not encouraging about the success of these efforts:
Out-of-process privilege elevation: A3 Security Consulting Co., Ltd. identified an out-of-process privilege elevation affecting the way ISAPIs are launched when an IIS 4.0, 5.0 or 5.1 server is configured to run ISAPIs out of process. The hosting process (dllhost.exe) is supposed to run only in the security context of the IWAM_computername account. However, the process can acquire LocalSystem privileges under “certain circumstances” (not explained by Microsoft in the bulletin I read), thereby enabling an ISAPI to do likewise.
This vulnerability can only be exploited by someone who already has the authorization to load and execute applications on an affected web server. Microsoft recommends that untrusted users not be allowed to load applications onto a server, and that even trusted users' applications be scrutinized before allowing them to be loaded. Oooookay, Microsoft, how do you determine who to trust? Such abuse of authority is not rare, especially by disgruntled employees who have been laid off and take their revenge just before leaving, for example.
Denial of service: Mark Litchfield of Next Generation Security Software Ltd. found a denial of service vulnerability that results because of a flaw in the way IIS 5.0 and 5.1 allocate memory for WebDAV requests. If a WebDAV request is malformed in a particular way, IIS will allocate an extremely large amount of memory on the server.
By sending several such requests, denial of service results. The vulnerability can be exploited only if the server allows WebDAV requests to be levied on it. The IIS Lockdown Tool (http://www.microsoft.com/technet/security/tools/tools/locktool.asp) disables such requests if deployed in its default configuration.
The vulnerability does not affect IIS 4.0, as WebDAV is not supported in this version of IIS.
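As an added example (not from the column, the bulletin or Microsoft), here is a small Python check an administrator could run over IIS W3C extended log lines: it reports whether the server is still answering WebDAV methods at all, and flags any client that sends several of them in a short window. The log lines, field layout and thresholds are constructed for the example; a standard access log does not record whether a request body was malformed, so this detects exposure and volume, not the malformation itself.

```python
# Added example: WebDAV exposure and burst detection over IIS W3C logs.
# Everything below (log lines, field order, thresholds) is constructed.
from collections import defaultdict
from datetime import datetime, timedelta

WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE",
                  "LOCK", "UNLOCK", "SEARCH"}

# Constructed sample log; the #Fields line drives the parser, so a real
# log with a different column order parses the same way.
SAMPLE_LOG = """#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2002-10-30 09:00:01 10.0.0.5 GET /default.htm 200
2002-10-30 09:00:02 10.0.0.7 PROPFIND / 207
2002-10-30 09:00:02 10.0.0.7 PROPFIND / 207
2002-10-30 09:00:03 10.0.0.7 PROPFIND / 207
2002-10-30 09:00:03 10.0.0.7 PROPFIND / 207
2002-10-30 09:00:04 10.0.0.7 PROPFIND / 207
2002-10-30 09:00:30 10.0.0.9 PROPFIND /docs/ 207
2002-10-30 09:00:31 10.0.0.5 GET /index.asp 200
"""

def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line.startswith("#") or not line.strip() or fields is None:
            continue
        else:
            yield dict(zip(fields, line.split()))

def webdav_enabled(text):
    """True if any WebDAV method got a 2xx answer: the server honours WebDAV
    (the IIS Lockdown Tool's default configuration turns this off)."""
    return any(r["cs-method"].upper() in WEBDAV_METHODS
               and r["sc-status"].startswith("2") for r in parse_w3c(text))

def webdav_bursts(text, threshold=5, window=timedelta(seconds=10)):
    """Return {client_ip: peak_count} for clients that send at least
    `threshold` WebDAV requests inside any `window`-long span."""
    per_client = defaultdict(list)
    for r in parse_w3c(text):
        if r["cs-method"].upper() in WEBDAV_METHODS:
            per_client[r["c-ip"]].append(
                datetime.strptime(r["date"] + " " + r["time"], "%Y-%m-%d %H:%M:%S"))
    flagged = {}
    for ip, times in per_client.items():
        times.sort()
        start = 0
        for end in range(len(times)):          # sliding window over timestamps
            while times[end] - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), end - start + 1)
    return flagged
```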
Script source access: Script source access permission in IIS 5.0 operates in addition to the normal read/write permissions for a virtual directory, and regulates whether scripts, .ASP files and executable file types can be uploaded to a write-enabled virtual directory. A typographical error in the table that defines the file types subject to this permission has the effect of omitting .COM files from the list of files subject to the permission.
This vulnerability can be exploited if the administrator has changed the default configuration of IIS to grant all users write and execute permissions to one or more virtual directories on the server. Default configurations of IIS are not at risk. The vulnerability does not affect IIS 4.0, as WebDAV is not supported in this version of IIS.
Cross-Site Scripting (CSS): Vulnerabilities in cross-site scripting make it possible for an attacker to send a request to an affected server that would cause a web page containing script to be sent to another user. The script would execute within the user's browser as though it had come from the third-party site. This would let it run using the security settings appropriate to the third-party web site, as well as allowing the attacker to access any data belonging to the site.
These vulnerabilities are exploited in the same way as the one in the Windows XP Help and Support Center. A user is lured into clicking a link on the attacker's web site or in an HTML e-mail. These vulnerabilities can only be exploited if the client itself is running IIS.
Risk rating: Microsoft assigns the IIS vulnerabilities an aggregate risk rating of moderate for Internet and intranet systems, and low for client systems. There are separate patches for each version of IIS. Go to http://www.microsoft.com/technet/security/bulletin/ms02-062.asp for more detailed information and to download the appropriate patch for your system.
This is the first of the Security Sentinel columns by contributing editor Toni McConnel, who will keep you up-to-date on recent issues about security, new virus alerts, discoveries of software and hardware vulnerabilities, and most important of all, where to find further information and fixes.
Your input is invited. Write to with your concerns and/or information you would like to share with the iAppliance community concerning security.
Toni is a freelance technical writer specializing in ghostwriting technical articles for electronics magazines. You can learn more about her at www.tonimcconnel.com.