Archive for the ‘Advisories’ Category
More on the University of Exeter outbreak
Advisories, News (29/1/10, 18:01)
We are now able to confirm that the malware infected systems through the vulnerability highlighted in our previous e-mail. Further details and an update for this Windows Vista vulnerability can be found at
http://support.microsoft.com/kb/975517
Microsoft and Symantec performed an analysis of the malware, and updated Symantec definitions now detect it as a generic ‘downloader’.
There is no reason to suspect that this malware poses a specific threat to other JANET connected sites, and we have not seen any infections elsewhere. It is worth mentioning a few best practices that limit your exposure to this and similar infections:
- Ensure that operating systems are kept fully patched
- Ensure that anti-virus definitions are kept up to date
- By default, block Windows LAN service ports at your network border
Vulnerability in Microsoft Internet Explorer
Advisories (20/1/10, 15:35)
There are reports that targeted attacks are exploiting a vulnerability in Internet Explorer. A specially crafted HTML document allows a remote attacker to execute arbitrary code. This vulnerability exists in Internet Explorer 6, 7 and 8, but Data Execution Prevention (DEP) appears to protect users of versions 7 and 8. This leaves users of Internet Explorer 6 particularly exposed.
Whilst we are not aware of this vulnerability being widely used, the targeted nature of this attack may see it being used against particular sites. An update is not yet available, but Microsoft have released advice that may mitigate an attack. More details are available at:
http://www.kb.cert.org/vuls/id/492515
http://www.microsoft.com/technet/security/advisory/979352.mspx
http://support.microsoft.com/kb/979352
Microsoft yesterday announced that they plan to release an update for this issue outside of their normal patch schedule.
Remote code execution affecting Microsoft Vista, Windows 7 and Server 2008
Advisories (21/9/09, 10:49)
If you're not doing it already, there is yet another good reason why blocking TCP port 445 is a good idea. A new exploit ( http://seclists.org/fulldisclosure/2009/Sep/0039.html ) has been made public. It has been reported as causing a crash on Windows Server 2008, which we have not verified, but we have tested it and confirmed that it affects both Vista and Windows 7. In most cases the system restarts after the crash, resulting in a denial of service (DoS).
Other reports ( http://www.reversemode.com/index.php?option=com_mamblog&Itemid=15&task=show&action=view&id=64&Itemid=15 ) suggest that this causes more than a crash and results in remote code execution, which, if true, usually leads to new forms of malware spreading very rapidly.
TCP port 445 is commonly used for Windows shares, which are generally not required over the Internet, and it is frequently utilised for spreading malware. A recent notable case is Conficker, which scanned for and infected vulnerable systems on this port. There is no patch for this latest vulnerability, and the only way to prevent remote attackers from triggering this exploit is to prevent them from reaching your systems on TCP port 445; this is usually done on firewalls.
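Both the Exeter follow-up (block Windows LAN service ports at the network border) and this advisory (block TCP 445 on firewalls) come down to the same border rule set. The script below is an added example, not part of the JANET advisory and not a JANET tool: it emits iptables rules for a border router's FORWARD chain and offers a small self-check. The advisory only names TCP 445; the additional ports 135 and 137-139 (RPC and NetBIOS) are an assumption added here as the other ports Windows file and printer sharing commonly uses. The interface name `eth0` is a placeholder.

```shell
#!/bin/sh
# Added example: generate (but do not apply) border firewall rules that drop
# inbound traffic to the Windows LAN service ports, plus helpers to verify
# the list. Port list is an assumption beyond the advisory's TCP 445:
# 135 (RPC endpoint mapper), 137-139 (NetBIOS), 445 (SMB over TCP).
WINDOWS_LAN_PORTS="135 137 138 139 445"

# Print iptables rules that drop traffic arriving on the external interface
# ($1, placeholder default eth0) destined for the listed ports. Rules go in
# the FORWARD chain because they are meant for a border router, not a host.
emit_border_rules() {
    iface="${1:-eth0}"
    for p in $WINDOWS_LAN_PORTS; do
        printf 'iptables -A FORWARD -i %s -p tcp --dport %s -j DROP\n' "$iface" "$p"
    done
    # NetBIOS name and datagram services also run over UDP.
    for p in 137 138; do
        printf 'iptables -A FORWARD -i %s -p udp --dport %s -j DROP\n' "$iface" "$p"
    done
}

# Return 0 if the given TCP port is covered by the block list, 1 otherwise.
is_blocked_port() {
    for p in $WINDOWS_LAN_PORTS; do
        [ "$p" = "$1" ] && return 0
    done
    return 1
}

# Number of rules the generator emits for an interface (used for self-check).
rule_count() {
    emit_border_rules "$1" | wc -l | tr -d ' '
}

# Verification from outside the border: returns 0 if $1:$2 accepts a TCP
# connection within 3 seconds. Run against your own public address after the
# rules are applied; a correctly blocked port 445 should make this return 1.
check_port_reachable() {
    nc -z -w 3 "$1" "$2" >/dev/null 2>&1
}

# Usage: review the output, then pipe it to sh on the border device.
emit_border_rules eth0
```

The rules are printed rather than applied so they can be reviewed and folded into the existing rule base; applying them blindly ahead of an ACCEPT rule for the same ports would have no effect, so check their position in the chain with `iptables -L FORWARD -n --line-numbers` after loading.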