Again, I must apologize for ending my week in a location where I could not get a dial-up (or other) Internet connection -- next week I will be in a hotel with high-speed connectivity in each room, so am quite sure I'll not have problems!
Also, being on holiday this week, I've not been reading my e-mail and checking web sites when I have had Internet connectivity quite as assiduously as usual, but it seems little of significant note happened except for the first security patches for Windows XP, most of which have not (yet) been described in any detail by Microsoft -- so much for the 'comprehensive program to help customers get and stay secure' that was promised in the announcement of Microsoft's 'Strategic Technology Protection Program' we mentioned a few weeks back... Or perhaps if you are as dominant as Microsoft you do not need to explain patches to customers to help them 'get and stay secure'?
Other than that, vulnerabilities in how Universal Plug and Play (UPnP) in Windows XP (and in Windows 98, 98SE and ME) handles invalid service requests have been explained and patched, and the HFNetChk tool has been updated.
New Nimda spreads slowly
A minor variant of Nimda -- named Nimda.E by most antivirus developers -- caused a small stir early in the week. As it only used the same security exploits as earlier variants, it should not have gone far, which seems to be the case, although early reports that The New York Times' Internet connection was under external DoS attack turned out to be severe degradation caused by a huge volume of traffic related to this new Nimda variant (and, given how Nimda works, the cynical would expect that this traffic was being generated inside the network and choking other 'valid' outbound traffic). If your only protection against Nimda has been filename-based attachment filtering, update your filters to reflect the latest filenames used by Nimda's latest variants.
Various antivirus developer descriptions:
Fixes for UPnP DoS in Windows 98, ME and XP
The Universal Plug and Play (UPnP) service in Windows 98, 98SE, ME and XP incorrectly handles certain invalid UPnP requests. On Windows XP this is manifested through a memory leak and if sufficient malformed UPnP requests were received by a vulnerable machine, system performance could become seriously degraded, perhaps requiring a restart or reboot. Under Windows 98, 98SE and ME the effects are less predictable, ranging from system slowdowns to crashes.
Note that Windows 98 and 98SE do not have any UPnP support by default, but it is installed with the Internet Connection Sharing client supplied with Windows XP. Although Windows ME has native UPnP support, it is not installed and enabled in Microsoft's default configurations. However, some OEMs do ship machines with Windows ME UPnP installed and enabled. The Microsoft Security Bulletin has contradictory claims about UPnP support in Windows XP -- in one place saying this service is installed but not enabled by default, but in another saying the default is installed _and_ enabled. The bulletin does provide instructions on determining the state of UPnP on each OS -- if unsure, check...
As for patches, Windows 98, 98SE and ME patches are available from the link in the security bulletin. Windows XP users are rather ominously advised (see next item) that the fix 'is delivered as part of the first Windows XP Critical Update, which corrects a number of other issues, some security-related, in addition to this one'.
Several unspecified security fixes for Windows XP already
As noted in the previous item, the 'first Windows XP Critical Update ... corrects a number of other issues, some security-related'. It is unclear to the computer security community how releasing unspecified fixes for unspecified security flaws is supposed to enhance Microsoft's reputation of not being particularly 'security conscious'. Worse, however, it appears -- at least for now -- that the only way to get this update is via the WindowsUpdate site, which is far from desirable for system administrators maintaining groups of machines. Perhaps XP is not quite ready to provide that enhanced experience we have been promised for so long...
About three months back we reported the release of a command-line 'security scanner' to assist system administrators in remotely checking for critical system updates. Although it is not mentioned on the Microsoft pages covering this tool, and despite the fact that the main 'updates' necessary for it are the XML data files HFNetChk uses, it appears there will be occasional updates to the tool itself. If you are using HFNetChk, it would pay to check the version number referenced on the download page occasionally. About ten days ago the downloadable version was updated -- presumably to add some Windows XP-specific functionality.
SANS 'Top 20' security vulnerabilities list updated
The SANS 'Top 20' exploited vulnerabilities list has been updated with the addition of hyperlinks from the CVE numbers it references to standardized descriptions of those vulnerabilities.
Further, the Center for Internet Security has made a free scanner available that automatically scans for the vulnerabilities on the 'Top 20' list. This tool is based on the SARA (Security Auditor's Research Assistant) network scanner from Advanced Research Corporation. The version available for download from the Center for Internet Security site has been adapted to specifically check for the 'Top 20' vulnerabilities. Note that SARA runs on most popular Unix(-like) systems, requiring perl and a C compiler for a successful installation (in the tradition of typical free Unix tools, it is distributed as source). Once built, however, it can scan any type of machine on the network its Unix host is connected to, regardless of that machine's OS. (If you plan to test Windows machines with the scanner, you also need to have the samba suite built and installed on the Unix box hosting the vulnerability scanner.)