TO UNSUBSCRIBE: email "unsubscribe issforum" in the body of your message to
[EMAIL PROTECTED]  Contact [EMAIL PROTECTED] for help with any problems!
----------------------------------------------------------------------------

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

INTERNET THREAT UPDATE for 01-11-2002
ISS X-Force Internet Threat Intelligence Center

www.iss.net - Click on 'Current Internet Threat' for more
information.

******************************************************
ALERTCON 1 
Projected: AlertCon 1 
******************************************************

ALERTCON 1: This reflects the malicious, determined, global, 24 x 7
attacks experienced by all networks.  

CISCO:  Three vulnerabilities have been discovered in Cisco SN 5420
Storage Router software releases up to and including 1.1(5).  Two of
them can be used to cause a denial of service.  The third allows
access to the SN 5420 configuration if it has previously been saved
on the router.  There is no workaround for these vulnerabilities.

MICROSOFT:  Install the patch for the UPnP vulnerability as well as
the cumulative patch for the multiple vulnerabilities in IE 5.5 and
6.0.  Exploits have now been noted in the wild for both.

FREEBSD:  FreeBSD is reporting a flaw in the pine port.  Pine is an
application for reading mail and news.  Versions of the port prior to
pine-4.44 handle URLs in messages insecurely.  Pine allows users to
launch a web browser to visit a URL embedded in a message.  Due to a
programming error, Pine does not properly escape shell meta-characters
in the URL before passing it to the command shell as an argument to
the web browser, so a crafted URL can carry additional shell commands.
An attacker who gets the victim to open such a URL can run commands
with the victim's privileges.
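The meta-character problem described above, as an added example written
for this update (illustrative code, not Pine's own): a browser launcher
that pastes the URL into a command line for system() beside one that
passes the URL as a single argv element to execlp(). The hostile URL is
constructed, and /bin/echo stands in for the browser so the example runs
without a real browser; the injected command is "exit 42" so the effect
shows up as an exit status rather than as damage.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>
#include <sys/wait.h>

/* Constructed sample: a URL as it might be embedded in a hostile message.
 * After the ';' the shell sees a second command; "exit 42" is used here
 * so the injection is visible as an exit status instead of doing damage. */
static const char *HOSTILE_URL = "http://example.com/;exit 42";

/* Turn a wait() status into the child's exit code, or -1 on failure. */
static int exit_code(int status) {
    if (status == -1) return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

/* Vulnerable pattern (illustrative, not Pine's code): the URL is pasted
 * into a command line and handed to /bin/sh via system(), so every shell
 * meta-character in it (; | & ` $ ( ) < > and quotes) is interpreted. */
int launch_browser_unsafe(const char *browser, const char *url) {
    char cmd[1024];
    int n = snprintf(cmd, sizeof cmd, "%s %s", browser, url);
    if (n < 0 || (size_t)n >= sizeof cmd) return -1;
    return exit_code(system(cmd));
}

/* Hardened pattern: no shell is involved. fork()+execlp() passes the URL
 * as one argv element, so the browser receives it verbatim as data. */
int launch_browser_safe(const char *browser, const char *url) {
    pid_t pid = fork();
    if (pid < 0) return -1;
    if (pid == 0) {
        execlp(browser, browser, url, (char *)NULL);
        _exit(127);                     /* exec failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0) return -1;
    return exit_code(status);
}

int main(void) {
    /* /bin/echo stands in for the browser so this runs anywhere. */
    int unsafe = launch_browser_unsafe("/bin/echo", HOSTILE_URL);
    int safe   = launch_browser_safe("/bin/echo", HOSTILE_URL);
    printf("system(): exit code %d (the injected 'exit 42' ran)\n", unsafe);
    printf("execlp(): exit code %d (URL delivered as one argument)\n", safe);
    return 0;
}
```

Note that the fix is not to strip or escape characters: '&', ';', '$'
and parentheses are all legal in URLs (query strings depend on '&'), so
a blacklist either breaks valid links or misses a case. Passing the URL
as its own argv element takes the shell out of the path entirely.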

UNIX:  A vulnerability has been discovered in AFTPD that could allow a
remote user to gain elevated privileges.  It is reachable by any user
who logs in to the FTP server, whether with a regular or an anonymous
account.

VIRUSES/WORMS (3):
1. JS_GIGGER.A is a new JavaScript worm that propagates via Microsoft
Outlook/Outlook Express, MAPI, and mIRC.  It also infects HTML and ASP
files by appending its code to them.
2. Troj/Sub7-21-I is a newly discovered backdoor Trojan.  Once the
server program is installed, the computer accepts connections from
remote attackers.  An attacker who connects can acquire sensitive
information such as passwords and take control of the infected
computer.
3. Macromedia has released information regarding the Flash issue that
we reported on Wednesday.

FACTOID:  According to CyberAtlas, during the 9 to 5 workday 34
percent of total media minutes are spent on the Internet, while 30
percent are spent watching television and 26 percent are spent
listening to the radio.  The survey conducted by CyberAtlas excluded
time spent writing and reading e-mail.

COMMENTARY:  Trust.  Merriam-Webster defines it as: 1 a: assured
reliance on the character, ability, strength, or truth of someone or
something; b: one in which confidence is placed.  On the Internet,
trust is no less important but harder to achieve.  The same standard
of trust should apply to the sources you rely on for fixes to
exploits and vulnerabilities.

- ------------------------------------------------------
RECOMMENDATIONS
- ------------------------------------------------------

For the X-Force advisories on the UPnP and IE 5.5 and 6.0 issues, see:
http://xforce.iss.net/alerts/advise107.php 
http://xforce.iss.net/alerts/advise106.php 

The Cisco advisory is available at:
http://www.cisco.com/warp/public/707/SN-multiple-pub.shtml 

For the FreeBSD Security Advisory and solution, please see:
http://www.linuxsecurity.com/advisories/freebsd_advisory-1797.html 

Information regarding the AFTPD Home Directory Change Core Dump
Vulnerability can be found at:
http://www.securityfocus.com/cgi-bin/vulns-item.pl?section=discussion&id=3806

For information regarding the JS_GIGGER.A worm, see:
http://www.antivirus.com/vinfo/virusencyclo/default5.asp?VName=JS_GIGGER.A

For information on the Sub7 Trojan (Troj/Sub7-21-I), refer to:
http://www.sophos.com/virusinfo/analyses/trojsub721i.html

For information from Macromedia on the Flash issue, please see:
http://www.macromedia.com/support/flash 

- - For an excellent home/small office firewall solution, please see: 
http://www.networkice.com/ 

- - For information on removing infected executable files, refer to:
http://www.sophos.com/support/faqs/filvir.html 

- - For other current worms and viruses moving across the Internet see:
https://gtoc.iss.net/secure/viruses.php 
http://www.antivirus.com/vinfo/ 

- ------------------------------------------------------
ATTACK SIGNATURE RANKING - global IDS, midnight - midnight, previous
day, % of total
- ------------------------------------------------------

Unauthorized Access Attempt  42.20%       
Denial Of Service            27.23%       
Protocol Decode              13.53%       
Suspicious Activity          11.57%       
Pre-Attack Probe             05.35%        
Back Door                    00.12%         

- ------------------------------------------------------
TOP TEN ATTACK DESTINATION PORTS - global IDS, midnight - midnight,
previous day, % of top ten (port descriptions can be found at)
http://www.networkice.com/Advice/Exploits/Ports/default.htm 
- ------------------------------------------------------

80       (http)              76.83%       
21       (ftp)               07.68%        
25       (smtp)              07.06%        
1214     (unassigned)        03.08%        
22       (ssh)               01.81%        
443      (ssl)               01.03%        
6346     (unassigned)        00.76%         
69       (tftp)              00.59%         
137      (netbios-ns)        00.58%         
515      (lp,lpr,printer)    00.58%         

- ------------------------------------------------------
BACKGROUND, COPYRIGHT NOTICE, and DISCLAIMER 
- ------------------------------------------------------

Background. We provide this information in the spirit of PDD 63 to
help security professionals wage the war against Internet threats
more effectively. Information in this update is derived primarily
from global, real time, 24 x 7 IDS feeds, ISS X-Force R&D Team
research, and professional liaison. Other sources are noted where
used. AlertCon 1 reflects the global, malicious, determined, 24 x 7
attacks experienced by all networks. AlertCon 2 means increased
vigilance/action is recommended due to a specific threat or concern.
AlertCon 3 means increased attacks against specific targets or
vulnerabilities on a scale that is unusually high; action is required.
AlertCon 4 reflects an Internet emergency for a target or group of
targets whose business continuity may depend on some sort of
immediate, decisive action. All summaries cover the 24 hours of the
previous workday, GMT. Monday summaries may cover some weekend
activity. 

Copyright 2001 Internet Security Systems, Inc. Permission is granted
for the redistribution of the Internet Threat Update electronically.
It is not to be sold or edited in any way without express consent of
ISS. Refer comments or questions to: [EMAIL PROTECTED] or [EMAIL PROTECTED]

Disclaimer: This information is subject to change without notice. Use
of this information constitutes acceptance for use in an 'as is'
condition. There are no warranties with regard to this information.
In no event shall the author be liable for any damages whatsoever
arising out of or in connection with the use or spread of this
information. Any use of this information is at the user's own risk.
No other use authorized. FOIA Exemption 4.

Patrick Gray
Manager, X-Force
Internet Threat Intelligence Center
Internet Security Systems
6303 Barfield Road
Atlanta, GA 30328

-----BEGIN PGP SIGNATURE-----
Version: PGP 7.0.4

iQA/AwUBPD8kIpG41ROSQPncEQIXAwCgvEPFSAB08qq+WGL+a0synI6GYIgAoOB1
Gb8nXEMW5K6TmnhdXw7fi4f6
=fSCz
-----END PGP SIGNATURE-----