[Sunnet Alert] Advisory #223 - Microsoft, Multiple News

Security and IT News Alerts alertmailinglist at skiifwrald.com
Sun Apr 15 10:24:27 EST 2007


Sûnnet Beskerming Alert List Advisory #223

You are receiving this message because you have subscribed to our  
Information Security Alert Mailing List, or have been selected for a  
specific one-off copy.  If you believe that you are receiving this  
message in error, please contact info at beskerming.com to resolve the  
error.

Why not upgrade to get same day notification on security threats?   
Details and rates available online -
(http://www.beskerming.com/premium/generic_advisory.html).

Why not go the next step and get delivery tailored just for your  
company?
(http://www.beskerming.com/premium/focussed_advisory.html)


Contents
--------------------------------------------------------------------
1.	SECURITY
--------------------------------------------------------------------
1.1	Microsoft
	- Remote Hacker Automatic Control
	- Time Since Discovery - 2 Days
=======================================
/*
	- Remote or Local - Can it be achieved through a network or does it  
require physical access?
	- Hacker - The bad guy
	- Manual or Automatic  - Does the vulnerability need to be manually  
performed, or can it be automated?
	- Control, Denial of Service or Data Theft - Will the hacker get  
control of your system / website, will they prevent you from using  
it, or will they steal data.
*/
--------------------------------------------------------------------
2.    NEWS
--------------------------------------------------------------------
2.1	Google Buys Evil
2.2	Storm Worm Storm
=====================================

1.	SECURITY

1.1	Microsoft - Remote Hacker Automatic Control

	-- Products Affected --
	Windows DNS Server (Windows 2000 Server, Windows 2003 Server)

	-- Technical Description --
	Expansion and clarification of the issue identified by the ISC (Fee  
based Advisory #61).  An unauthenticated remote attacker can gain  
code execution by sending crafted requests to the RPC management  
interface of the DNS Server.  The underlying problem is a stack-based  
buffer overflow in that interface, which listens on a dynamically  
assigned port in the 1024 to 5000 range; any host that can reach that  
port can trigger the overflow without credentials.

	-- Description --
	Microsoft's DNS Server has been found vulnerable to an attack that  
gives a remote attacker full control of the affected system.  Note  
that this is a different issue from the Microsoft DNS Server remote  
attack described previously (Fee based Advisory #61).  The attack was  
discovered being used in the wild, and public exploit code is  
expected to follow shortly.

	-- Recommended Action --
	Administrators can follow the advice provided at the Source: link,  
which includes a registry change that disables remote management of  
the DNS Server over RPC, so that the vulnerable interface accepts  
calls only from the local machine.  Note that this also stops the DNS  
console and dnscmd from administering the server from other hosts  
until the change is reverted.  Other workarounds include blocking the  
affected RPC ports (TCP and UDP 1024 to 5000) at the firewall, which  
does not protect against attackers already inside it, and using  
advanced networking security options, such as IPsec, to limit which  
hosts can reach those ports.  The DNS service itself needs only port  
53 reachable by clients, so these measures can be applied without  
affecting name resolution.
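As an added example (not part of the original advisory, and not Microsoft's own code), the following PowerShell script applies the registry workaround on the DNS server itself and then checks that the service no longer listens on a dynamic RPC port. The registry value it sets (RpcProtocol under the DNS service's Parameters key, where 4 means local RPC only) is not named on this page; it is taken from Microsoft's published workaround for this issue and should be confirmed against the vendor advisory before use. The verification step assumes that any TCP listener owned by dns.exe in the 1024 to 5000 range is the management interface, which holds on a default installation.

```powershell
# Added example, not from the advisory: apply the "no remote RPC management"
# workaround for Windows DNS Server and verify that it took effect.
# Assumption: RpcProtocol = 4 (local RPC only) under the DNS service's
# Parameters key is the value from Microsoft's workaround; it is not named
# on this page. Run in an elevated PowerShell session on the DNS server.

$dnsParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\DNS\Parameters'
$lpcOnly   = 4   # local RPC only; unset/default also allows TCP and named pipes

# 1. Record the current setting so the change can be reverted after patching.
$current = (Get-ItemProperty -Path $dnsParams -Name RpcProtocol -ErrorAction SilentlyContinue).RpcProtocol
if ($null -eq $current) { Write-Host 'RpcProtocol before: not set (remote management allowed)' }
else                    { Write-Host "RpcProtocol before: $current" }

# 2. Restrict RPC management to the local machine and restart the service.
if ($current -ne $lpcOnly) {
    Set-ItemProperty -Path $dnsParams -Name RpcProtocol -Value $lpcOnly -Type DWord
    Restart-Service -Name DNS -Force
    Start-Sleep -Seconds 5   # give dns.exe time to rebind its listeners
}

# 3. Verify: list TCP ports dns.exe is listening on in the dynamic RPC range.
#    The DNS service itself needs only port 53; a listener in 1024-5000 owned
#    by dns.exe is the management interface this advisory is about.
$dnsPid = (Get-Process -Name dns -ErrorAction Stop).Id
$rpcPorts = netstat -ano -p TCP | ForEach-Object {
    # netstat columns: Proto  Local Address  Foreign Address  State  PID
    $f = $_.Trim() -split '\s+'
    if ($f.Length -ge 5 -and $f[3] -eq 'LISTENING' -and $f[4] -eq "$dnsPid") {
        [int]($f[1] -split ':')[-1]   # port is the last colon-separated field (works for IPv4 and IPv6)
    }
} | Where-Object { $_ -ge 1024 -and $_ -le 5000 } | Sort-Object -Unique

if ($rpcPorts) {
    $msg = 'dns.exe still listens on TCP port(s) {0}; the workaround has not taken effect.'
    Write-Warning ($msg -f ($rpcPorts -join ', '))
} else {
    Write-Host 'OK: dns.exe has no TCP listener in 1024-5000; remote RPC management is disabled.'
}
```

Once the vendor patch is installed, remove the RpcProtocol value (Remove-ItemProperty on the same key) and restart the DNS service to restore remote administration. Where remote management must stay available in the meantime, use the firewall or IPsec workarounds from the advisory instead, and run only the verification half of the script to confirm which port the interface is bound to.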

	-- Source --
	(Paid subscription required to access)
	
	-- Updates Available --
	(Paid subscription required to access)

	-- External Tracking Data --
	(Paid subscription required to access)

	-- Threat Matrix --
			U	O
	Home User	-	-  (Nil)
	Corporate	10	10 (Highly Critical)

=======================================
/*
Threat Matrix:
	U - User
	O - Operator
	Harmless - 0 ----- 10 - Highly Critical
*/
=======================================

2.	NEWS

2.1	Google Buys Evil

Regarded by many as pure evil, the online advertising powerhouse of  
DoubleClick has been purchased by Google for just over $3 billion USD  
in cash.  While Microsoft were initially linked to bids on the  
advertising provider, rumours of a counter-bid by Google were  
expected to result in a hotly contested bidding war (and massive  
payday for the private equity owners of DoubleClick).

While the successful purchase by Google is not too surprising, the  
final purchase price is surprising to a lot of observers.  Previous  
bid estimates had the company tentatively valued in the region of $2  
billion USD.  A price premium of more than 50%, especially when paid  
in cash, is a surprise (a welcome one for the previous owners).   
Prices such as this for online companies are only fuelling  
speculation that the market is entering a second tech bubble.


2.2	Storm Worm Storm

Email inboxes globally have been staggering under a recent onslaught  
of spam from the Storm worm, in addition to efforts to add new  
vulnerable systems to the massive bot networks that are hosting the  
worm.  Specialist spam-detecting companies claim that more than 5  
million messages were blasted out by the worm in less than 24 hours,  
more than three times the volume pumped out by previous variants of  
the worm.

Messages from the worm vary in their content, but there is a mix of  
traditional spam and some fairly intelligent infection attempts  
which claim to show that the targeted system is already infected  
with malware.

This massive worm attack coincides with widespread hoax virus  
warnings in Pakistan (no, there is no killer virus being transmitted  
via mobile phone handsets), and with a practical demonstration of  
techniques to bypass the much-vaunted SiteKey banking authentication  
system.

=======================================

Sincerely,

Sûnnet Beskerming Team
info at beskerming.com
Sûnnet Beskerming Pty. Ltd.
Adelaide, Australia
http://www.beskerming.com
Tel: +61 (0) 410 707 444

** Sûnnet Beskerming Pty. Ltd. **

Established in mid 2004, Sûnnet Beskerming Pty. Ltd. is the sister  
company to Jongsma & Jongsma Pty. Ltd., and was formed to develop and  
commercialise the research coming out of Jongsma & Jongsma Pty. Ltd.  
Sûnnet Beskerming Pty. Ltd. is an Information Security specialist  
and, in conjunction with the tools developed by Jongsma & Jongsma  
Pty. Ltd., provides total security solutions and services, from the  
perimeter to internal data stores, including web application security  
and security testing and analysis.



