
Thread: Network Security made easy?

  1. #1
    AO Ancient: Team Leader

    Network Security made easy?

    As the result of a comment made here earlier this week, to which I responded that there is always a technique to mitigate a threat until a patch is available, I thought it would be of interest to look at all the Security Bulletins for 2004, extract those that pertain to "normal" systems, survey them and determine what basic things we can learn from the vulnerabilities in 2004. I decided to do this because it struck me that throughout all of last year I really didn't worry too much about the patches to internal machines after I had seen the advisories.

    By normal systems I mean systems commonly available as an Operating System today, or those applications that come packaged with the OS such as IE, WordPad and Outlook Express. I make note of the mitigation technique for a corporation and for a casual user. The corporation is expected to have admins and a highly configurable firewall, whereas the casual user should be able to follow the directions as written in the Security Bulletin and would have a Linksys, (or something similar), protecting their machine.

    There were 45 Security Bulletins issued by Microsoft in 2004, of which 12 were not applicable because they referred specifically to software such as ISA Server, Exchange etc., leaving 33 bulletins to be assessed. Some bulletins addressed multiple vulnerabilities, so the total number of vulnerabilities to be assessed is 68.

    Of all the vulnerabilities there were a total of 13 that were unmitigable, but of those unmitigable vulnerabilities 4 were local exploits requiring the attacker to already have a valid login/password combination and therefore, most likely, physical access to the system. The remaining nine are only unmitigable if the service affected is mission critical and cannot be closed down. In any case where the service is not mission critical the obvious mitigation technique is to restrict or close the service. Of those nine that could not be closed in mission critical situations only two were commonly used services, (SSL). Thus, it is reasonable to conclude that only 3% of all vulnerabilities were commonly unmitigable to a corporation and none were unmitigable for a casual user. When I say none were unmitigable for a casual user, there was one that is "unmitigable", MS04-038, (Address Bar Spoofing on Double Byte Character Set Systems Vulnerability), yet it is only unmitigable if users visit the web sites of their financial etc. institutions by clicking links in emails - so you can add this one in if you like... I chose not to.

    Of the 55 remaining vulnerabilities all were mitigable with one of the following techniques:-

    Disable ActiveX and Active Scripting in IE security, (links to the next one)
    Raise the security level of the Internet and/or local zone in IE security to high
    Read email in plain text
    Disable connector in the registry
    Unregister the component
    Good firewall practices

    This is where it all becomes rather interesting from a Network Administrator's point of view..... Only one of the above techniques cannot be forced on a user through Group Policy, (Read email in plain text... at least, I don't know how to force it at this moment... suggestions?). This is why I wasn't worried by most Security Bulletins. I enforce ActiveX and Scripting to either disabled or "prompt" in GP, I am able to create a .reg file to alter user registries as part of the login script, I am able to unregister components via script as part of a user login script or startup script, and I have good firewall practices, (if it doesn't need to be open for ingress or egress it is closed, and I will accept the additional maintenance of having to open ports on a "per application/user" basis).

    So the upshot really is that four skills are required to enable a Network Administrator to mitigate more than 80% of all vulnerabilities that occurred in 2004:-

    1. The ability to manipulate the behaviour of IE through Group Policy
    2. The ability to create a .reg file and run it through a login or startup script
    3. The ability to script unregistering a component through a login or startup script
    4. The ability to properly manipulate their firewall

    I would suggest that those skills would serve you well in the years to come.

    Comments or thoughts anyone? NOTE: I wouldn't say this is an absolutely accurate scientific study, it was done for my interest during my normal work day as a rough benchmark of my current practices. I'm sure it contains glaring errors and errata.... It's not a term paper....

    From this point on the text is my synopsis of the Security Bulletins.... Read them if you wish.... A lot of cutting and pasting went into them so there may be some horribly obvious examples of it... Please ignore the examples and check the references for actual details....

    Microsoft Security Bulletin MS04-001
    Refers to MS ISA Server - Not applicable
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-002
    Refers to MS Exchange 2003 Server - Not applicable
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-003
    Refers to MS Windows 2000/XP
    Buffer Overrun in MDAC Function Could Allow Code Execution (832483)
    Source: http://www.microsoft.com/technet/sec.../MS04-003.mspx
    Threat: Local Network
    Impact: Remote code execution
    Severity: Important
    Successful exploit grants privileges in the context of the initiating program.

    In Reality: The attacker has to be already on your local network. This would not work across the internet due to restrictions on broadcasts.

    Corporate Mitigation: The corporate firewall should already be blocking broadcasts.
    Casual User Mitigation: Not applicable for the most part, if SQL servers are being used the Linksys would be blocking the broadcast.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-004
    Refers to MS Windows 2000/XP
    Cumulative Security Update for Internet Explorer (832894)
    Source: http://www.microsoft.com/technet/sec.../MS04-004.mspx
    Threat: Public Network
    Impact: Remote code execution
    Severity: Critical
    Successful exploit grants privileges in the context of the logged on user.

    In Reality: The attacker has to engineer the user into visiting a particular web page or open an email in an HTML enabled email reader.

    Corporate Mitigation: Disable ActiveX, Disable Active Scripting in Active Directory Group Policy. Read email in plain text.
    Casual User Mitigation: Disable ActiveX and Active Scripting in IE. Read email in plain text.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-005
    Refers to MS Virtual PC for Mac - Not Applicable
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-006
    Refers to MS Windows NT/2000 Server
    Vulnerability in the Windows Internet Naming Service (WINS) Could Allow Code Execution (830352)
    Source: http://www.microsoft.com/technet/sec.../MS04-006.mspx
    Threat: Public Network
    Impact: Remote code execution
    Severity: Important
    Successful exploit causes the service to fail, (Denial of Service)

    In Reality: The attack is restricted to a DoS and WINS should not be available to the public network in any circumstances.

    Corporate Mitigation: WINS is not installed by default. Proper firewall practices prevent access to WINS.
    Casual User Mitigation: WINS not installed by default. Linksys should prevent access to WINS unless PC is DMZ'ed, (bad idea anyway).
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-006
    Refers to MS Virtual PC for Mac - Not Applicable
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-007
    Refers to MS Windows NT/2000/XP
    ASN.1 Vulnerability Could Allow Code Execution (828028)
    Source: http://www.microsoft.com/technet/sec.../MS04-007.mspx
    Threat: Public Network
    Impact: Remote code execution
    Severity: Critical
    Successful exploit causes remote code execution with system privileges

    In Reality: The attack is most likely only able to be executed from the local network.

    Corporate Mitigation: ASN.1 Components tend not to be publicly available. If it is determined that such components are vulnerable from the public network closing down or restricting the service should be considered.
    Casual User Mitigation: Not Applicable
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-008
    Refers to MS Windows 2000 Server
    Vulnerability in Windows Media Services Could Allow a Denial of Service (832359)
    Source: http://www.microsoft.com/technet/sec.../MS04-008.mspx
    Threat: Public Network
    Impact: Denial of Service
    Severity: Moderate
    Successful exploit causes Denial of Service

    In Reality: The attack is only effective against online content providers of Windows Media.

    Corporate Mitigation: Allow only public access to the Windows Media Unicast Service.
    Casual User Mitigation: Not Applicable
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-009
    Refers to MS Office XP or 2002 - Not Applicable
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-010
    Refers to MSN Messenger 6.0/6.1
    Vulnerability in MSN Messenger Could Allow Information Disclosure (838512)
    Source: http://www.microsoft.com/technet/sec.../MS04-010.mspx
    Threat: Public Network
    Impact: Information Disclosure
    Severity: Moderate
    Successful exploit causes Information Disclosure in the context of the logged on user

    In Reality: The attacker must have the user's logon name to be able to send the exploit packets.

    Corporate Mitigation: Block anonymous users in MSN, only allow trusted users in the "allow list". If MSN communication is not mission critical block it at the firewall.
    Casual User Mitigation: Block anonymous users in MSN, only allow trusted users in the "allow list".
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-011
    Refers to Windows
    Security Update for Microsoft Windows (835732)
    Source: http://www.microsoft.com/technet/sec.../MS04-011.mspx
    Threat: Numerous
    Impact: Numerous
    Severity: Overall Critical
    Successful exploit results in various levels of severity and results from DoS to complete control of a remote system.

    In Reality: This was a large rollup for which, in almost every case, a mitigation was available. In two cases, (both affecting SSL), the vulnerability was unmitigable if SSL was mission critical to a corporation, (e-commerce, online banking etc.)

    Corporate Mitigation: In all cases except SSL on mission critical servers proper firewall practices mitigated most issues. Other mitigations were trivial.
    Casual User Mitigation: For the largest part these were "Not Applicable".
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-012
    Refers to Windows
    Cumulative Update for Microsoft RPC/DCOM (828741)
    Source: http://www.microsoft.com/technet/sec.../MS04-012.mspx
    Threat: Remote Network/Local Network
    Impact: Numerous
    Severity: Critical for Win2000 or greater
    Successful exploit results in various levels of severity and results from DoS to complete control of a remote system.

    In Reality: This was a rollup which addressed vulnerabilities that would not "normally" be available publicly.

    Corporate Mitigation: Proper firewall practices mitigate these issues. In more "exotic" implementations you may be forced to close the affected service or limit its functionality.
    Casual User Mitigation: For the largest part these were "Not Applicable", but the Linksys would preclude them all.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-013
    Refers to Outlook Express 5.5/6.0
    Cumulative Security Update for Outlook Express (837009)
    Source: http://www.microsoft.com/technet/sec.../MS04-013.mspx
    Threat: Remote Network
    Impact: Remote Code Execution
    Severity: Critical
    Successful exploit results in control of the target system in the context of the logged on user.

    In Reality: The attacker needs to get the user to view a crafted web page or email.

    Corporate Mitigation: Read email in Plain Text.
    Casual User Mitigation: Read email in Plain Text.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-014
    Refers to Microsoft Windows
    Vulnerability in the Microsoft Jet Database Engine Could Allow Code Execution (837001)
    Source: http://www.microsoft.com/technet/sec.../MS04-014.mspx
    Threat: Remote Network
    Impact: Remote Code Execution
    Severity: Important
    Successful exploit results in control of the target system in the context of the target application.

    In Reality: This is a buffer overflow that relies on weak input validation in the application that communicates with the JET Engine.

    Corporate Mitigation: Apply input validation on apps communicating with the JET Engine from the public network or close/limit the application.
    Casual User Mitigation: Not Applicable.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-015
    Refers to Microsoft Windows
    Vulnerability in Help and Support Center Could Allow Remote Code Execution (840374)
    Source: http://www.microsoft.com/technet/sec.../MS04-015.mspx
    Threat: Remote Network
    Impact: Remote Code Execution
    Severity: Important
    Successful exploit could result in control of the target system in the context of the logged on user.

    In Reality: The attacker needs to get the user to view a crafted web page or email

    Corporate Mitigation: Read email in Plain Text.
    Casual User Mitigation: Read email in Plain Text.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-016
    Refers to Microsoft Windows
    Vulnerability in DirectPlay Could Allow Denial of Service (839643)
    Source: http://www.microsoft.com/technet/sec.../MS04-016.mspx
    Threat: Remote Network
    Impact: Denial of Service
    Severity: Moderate
    Successful exploit could result in DoS.

    In Reality: This is an old version of an API, (version 4) used solely for games, (multiplayer).

    Corporate Mitigation: Good firewall practices, prevention of program installation.
    Casual User Mitigation: Only play newer games that tend to use the version 8 of the API.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-017
    Refers to MS Visual Studio .NET, Outlook 2003 with BCM or MS CRM 1.2 - Not Applicable.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-018
    Refers to MS Outlook Express
    Cumulative Security Update for Outlook Express (823353)
    Source: http://www.microsoft.com/technet/sec.../MS04-018.mspx
    Threat: Remote Network
    Impact: Denial of Service
    Severity: Moderate
    Successful exploit could result in DoS.

    In Reality: Attacker must have the user read a crafted email.

    Corporate Mitigation: Disable the preview pane and read mail in plain text.
    Casual User Mitigation: Disable the preview pane and read mail in plain text.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-020
    Refers to POSIX Subsystem - Not Applicable.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-021
    Refers to MS IIS 4.0
    Security Update for IIS 4.0 (841373)
    Source: http://www.microsoft.com/technet/sec.../MS04-021.mspx
    Threat: Remote Network
    Impact: Remote Code Execution
    Severity: Important
    Successful exploit could result in system level control of the system.

    In Reality: Permanent redirection must be in use; there is no exploit without redirection.

    Corporate Mitigation: Stop the redirections or use URLScan to limit the size of input.
    Casual User Mitigation: Not Applicable.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-022
    Refers to MS Windows 2000/XP
    Vulnerability in Task Scheduler Could Allow Code Execution (841873)
    Source: http://www.microsoft.com/technet/sec.../MS04-022.mspx
    Threat: Remote Network
    Impact: Remote Code Execution
    Severity: Critical
    Successful exploit could result in control of the system in the context of the logged on user.

    In Reality: The attacker must get the user to visit a malicious web page.

    Corporate Mitigation: Disable the dynamic icon handler for JobObject files by clearing the default value in the registry.
    Casual User Mitigation: Disable the dynamic icon handler for JobObject files by clearing the default value in the registry.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-023
    Refers to MS Windows 2003/XP
    Vulnerability in HTML Help Could Allow Code Execution (840315)
    Source: http://www.microsoft.com/technet/sec.../MS04-023.mspx
    Threat: Remote Network
    Impact: Remote Code Execution
    Severity: Critical
    Successful exploit could result in control of the system in the context of the logged on user.

    In Reality: The attacker must get the user to visit a malicious web page or crafted email.

    Corporate Mitigation: Unregister HTML Help and/or view email in plain text.
    Casual User Mitigation: Unregister HTML Help and/or view email in plain text.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-024
    Refers to MS Windows 2000/XP
    Vulnerability in Windows Shell Could Allow Remote Code Execution (839645)
    Source: http://www.microsoft.com/technet/sec.../MS04-024.mspx
    Threat: Remote Network
    Impact: Remote Code Execution
    Severity: Important
    Successful exploit could result in control of the system in the context of the logged on user.

    In Reality: The attacker must get the user to visit a malicious web page or crafted email.

    Corporate Mitigation: None.
    Casual User Mitigation: None.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-025
    Refers to MS Windows 2000/XP
    Cumulative Security Update for Internet Explorer (867801)
    Source: http://www.microsoft.com/technet/sec.../MS04-025.mspx
    Threat: Remote Network
    Impact: Remote Code Execution
    Severity: Critical
    Successful exploit could result in control of the system in the context of the logged on user.

    In Reality: This was 3 vulnerabilities where the attacker must get the user to visit a malicious web page or crafted .BMP or GIF.

    Corporate Mitigation: Disable ActiveX and Active Scripting, read email in plain text.
    Casual User Mitigation: Disable ActiveX and Active Scripting, read email in plain text.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-026
    Refers to MS Exchange Server - Not Applicable.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-027
    Refers to MS Windows 2000/XP
    Vulnerability in WordPerfect Converter Could Allow Code Execution (884933)
    Source: http://www.microsoft.com/technet/sec.../MS04-027.mspx
    Threat: Remote Network
    Impact: Remote Code Execution
    Severity: Important
    Successful exploit could result in control of the system in the context of the logged on user.

    In Reality: This is pretty obscure but it requires the attacker to have the user visit a crafted web page, (it does not work through email).

    Corporate Mitigation: Uninstall the WordPerfect 5.x Converter.
    Casual User Mitigation: Uninstall the WordPerfect 5.x Converter.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-028
    Refers to MS Windows 2003/XP
    Buffer Overrun in JPEG Processing (GDI+) Could Allow Code Execution (833987)
    Source: http://www.microsoft.com/technet/sec.../MS04-028.mspx
    Threat: Remote Network
    Impact: Remote Code Execution
    Severity: Critical
    Successful exploit could result in control of the system in the context of the logged on user.

    In Reality: This was highly touted as Critical but nothing much came of it since it was harder to exploit than the initial POC indicated.

    Corporate Mitigation: Block .jpg's in email. Read email in plain text.
    Casual User Mitigation: Read email in plain text.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-029
    Refers to MS Windows 2000/XP
    Vulnerability in RPC Runtime Library Could Allow Information Disclosure and Denial of Service (873350)
    Source: http://www.microsoft.com/technet/sec.../MS04-029.mspx
    Threat: Remote Network
    Impact: Information Disclosure/Denial of Service
    Severity: Important
    Successful exploit could result in reading memory or DoS.

    In Reality: Normally managed firewalls mitigated this.

    Corporate Mitigation: Good firewall practices.
    Casual User Mitigation: Linksys should block it.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-030
    Refers to MS Windows 2000/XP
    Vulnerability in WebDAV XML Message Handler Could Lead to a Denial of Service (824151)
    Source: http://www.microsoft.com/technet/sec.../MS04-030.mspx
    Threat: Remote Network
    Impact: Denial of Service
    Severity: Important
    Successful exploit could result in DoS.

    In Reality: Only IIS 5.0 enables WebDAV by default though it is not needed by most web sites and can be disabled.

    Corporate Mitigation: Disable WebDAV unless mission critical. No mitigation if WebDAV is mission Critical.
    Casual User Mitigation: Linksys should block it.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-031
    Refers to MS Windows 2000/XP
    Vulnerability in NetDDE Could Allow Remote Code Execution (841533)
    Source: http://www.microsoft.com/technet/sec.../MS04-031.mspx
    Threat: Remote Network
    Impact: Remote Code Execution
    Severity: Important
    Successful exploit could result in local elevation of privilege or DoS.

    In Reality: NetDDE applications are not generally publicly available.

    Corporate Mitigation: Good Firewall practices, Disable NetDDE if you have previously manually enabled it.
    Casual User Mitigation: Linksys should block it.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-032
    Refers to MS Windows 2000/XP
    Security Update for Microsoft Windows (840987)
    Source: http://www.microsoft.com/technet/sec.../MS04-032.mspx
    Threat: Local/Remote Network
    Impact: Local/Remote Code Execution
    Severity: Critical
    Successful exploit could result in local elevation of privilege or code execution.

    In Reality: Three out of four vulnerabilities are local exploits, the fourth requires the attacker to get the user to visit crafted web page or read crafted email.

    Corporate Mitigation: Read email in plain text. None locally, but then again physical access means no security anyway.
    Casual User Mitigation: Read email in plain text.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-033
    Refers to MS Excel - Not Applicable.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-034
    Refers to MS Windows XP
    Vulnerability in Compressed (zipped) Folders Could Allow Remote Code Execution (873376)
    Source: http://www.microsoft.com/technet/sec.../MS04-034.mspx
    Threat: Remote Network
    Impact: Remote Code Execution
    Severity: Critical
    Successful exploit could result in code execution in the context of the logged in user.

    In Reality: Requires the user to interact with the exploit.

    Corporate Mitigation: Unregister Compressed folders. Read email in plain text.
    Casual User Mitigation: Unregister Compressed folders. Read email in plain text.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-035
    Refers to MS XP 64 Bit or 2003 Server - Not Applicable.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-036
    Refers to MS Windows Servers
    Vulnerability in NNTP Could Allow Remote Code Execution (883935)
    Source: http://www.microsoft.com/technet/sec.../MS04-036.mspx
    Threat: Remote Network
    Impact: Remote Code Execution
    Severity: Critical
    Successful exploit could result in code execution in the context of System(?).

    In Reality: Normally NNTP should not be publicly available unless you provide news feeds.

    Corporate Mitigation: Good firewall Practice. None if NNTP is mission critical.
    Casual User Mitigation: Not applicable.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-037
    Refers to MS Windows
    Vulnerability in Windows Shell Could Allow Remote Code Execution (841356)
    Source: http://www.microsoft.com/technet/sec.../MS04-037.mspx
    Threat: Remote Network
    Impact: Remote Code Execution
    Severity: Critical
    Successful exploit could result in code execution in the context of the logged on user.

    In Reality: The attacker must get the user to visit a malicious web page or crafted email.

    Corporate Mitigation: Read email in Plain Text.
    Casual User Mitigation: Read email in Plain Text.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-038
    Refers to MS Windows
    Cumulative Security Update for Internet Explorer (834707)
    Source: http://www.microsoft.com/technet/sec.../MS04-038.mspx
    Threat: Remote Network
    Impact: Remote Code Execution
    Severity: Critical
    Successful exploit could result in code execution in the context of the logged on user.

    In Reality: Several vulnerabilities in IE were addressed, with only one being unmitigable; however, that was a phishing issue that is mitigable by never clicking a link to go to your financial institution's web site.

    Corporate Mitigation: Disable ActiveX and Active Scripting.
    Casual User Mitigation: Disable ActiveX and Active Scripting.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-039
    Refers to MS ISA Server - Not Applicable.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-040
    Refers to MS Windows
    Cumulative Security Update for Internet Explorer (889293)
    Source: http://www.microsoft.com/technet/sec.../MS04-040.mspx
    Threat: Remote Network
    Impact: Remote Code Execution
    Severity: Important
    Successful exploit could result in code execution in the context of the logged on user.

    In Reality: The attacker must get the user to visit a malicious web page and then only IE6 SP1 was vulnerable on certain platforms.

    Corporate Mitigation: None without a package that I will mention later.
    Casual User Mitigation: None without a package that I will mention later.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-041
    Refers to MS Windows
    Vulnerability in WordPad Could Allow Code Execution (885836)
    Source: http://www.microsoft.com/technet/sec.../MS04-041.mspx
    Threat: Remote Network
    Impact: Remote Code Execution
    Severity: Important
    Successful exploit could result in code execution in the context of the logged on user.

    In Reality: These are two vulnerabilities in the Word document converter that require extensive user interaction.

    Corporate Mitigation: Disable the handler for the converter in the registry.
    Casual User Mitigation: Disable the handler for the converter in the registry.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-042
    Refers to MS NT Server - Not Applicable.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-043
    Refers to MS Windows
    Vulnerability in HyperTerminal Could Allow Code Execution (873339)
    Source: http://www.microsoft.com/technet/sec.../MS04-043.mspx
    Threat: Remote Network
    Impact: Remote Code Execution
    Severity: Important
    Successful exploit could result in code execution in the context of the logged on user.

    In Reality: This is a fairly obscure vulnerability that requires changes by the user.

    Corporate Mitigation: Disable the handler for the .ht files in the registry.
    Casual User Mitigation: Disable the handler for the .ht files in the registry.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-044
    Refers to MS Windows
    Vulnerabilities in Windows Kernel and LSASS Could Allow Elevation of Privilege (885835)
    Source: http://www.microsoft.com/technet/sec.../MS04-044.mspx
    Threat: Local
    Impact: Elevation of Privilege
    Severity: Important
    Successful exploit could result in code execution in the context of the logged on user.

    In Reality: This is a local vulnerability that requires a valid logon.

    Corporate Mitigation: None, but physical access = no security.
    Casual User Mitigation: Not Applicable.
    -----------------------------------------------------------
    Microsoft Security Bulletin MS04-045
    Refers to MS Windows
    Vulnerability in WINS Could Allow Remote Code Execution (870763)
    Source: http://www.microsoft.com/technet/sec.../MS04-045.mspx
    Threat: Remote Network
    Impact: Remote Code Execution
    Severity: Important
    Successful exploit could result in code execution in the context of System(?).

    In Reality: WINS should not be exposed to the public network.

    Corporate Mitigation: Good Firewall practice.
    Casual User Mitigation: Linksys should block it even if it is applicable.
    -----------------------------------------------------------
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides
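    The four skills listed in the post above, put into one GPO computer startup script. This is an added example, not code from the original post or from any Microsoft bulletin: it enforces IE zone settings through the Policies hive (action 1200 = "Run ActiveX controls and plug-ins", 1400 = "Active scripting"; data 0 = enable, 1 = prompt, 3 = disable, which are documented IE zone registry values), writes and imports a .reg file, unregisters a COM component with regsvr32, and sets a deny-by-default host firewall. The CLSID, DLL name, admin subnet and log path are placeholders; take the real ones from the "Workarounds" section of the bulletin you are mitigating.

```powershell
# Added example: GPO computer startup script applying the post's four mitigation
# techniques on every boot. Runs as SYSTEM. CLSID, DLL, subnet and log path below
# are PLACEHOLDERS (assumptions), not values from any bulletin.
$ErrorActionPreference = 'Stop'
$log = "$env:SystemRoot\mitigation.log"          # placeholder path
function Write-Log([string]$msg) { Add-Content -Path $log -Value "$(Get-Date -Format o) $msg" }

# 1. IE zone settings via the Policies hive. Policy values override the user's
#    own Internet Options, so the user cannot re-enable them.
$zonePolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
$zoneSettings = @{
    '3' = @{ 1200 = 3; 1400 = 1 }   # Internet zone: ActiveX disabled, scripting = prompt
    '1' = @{ 1200 = 1; 1400 = 1 }   # Local intranet zone: prompt for both
}
foreach ($zone in $zoneSettings.Keys) {
    $key = Join-Path $zonePolicy $zone
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($action in $zoneSettings[$zone].Keys) {
        New-ItemProperty -Path $key -Name $action -PropertyType DWord `
            -Value $zoneSettings[$zone][$action] -Force | Out-Null
    }
}
Write-Log 'IE zone policy applied'

# 2. A .reg file generated here and imported silently, the same thing as
#    hand-writing the file and running "regedit /s" from a login script.
#    Clears the default value of a shell extension handler (placeholder CLSID).
$regFile = Join-Path $env:TEMP 'mitigation.reg'
@"
Windows Registry Editor Version 5.00

[HKEY_CLASSES_ROOT\CLSID\{00000000-0000-0000-0000-000000000000}\shellex\IconHandler]
@=""
"@ | Set-Content -Path $regFile -Encoding Unicode   # regedit expects UTF-16LE for v5 files
& regedit.exe /s $regFile
Write-Log "regedit import exit=$LASTEXITCODE"
Remove-Item $regFile -Force

# 3. Unregister a COM component (regsvr32 /u). Logged so it can be re-registered
#    with "regsvr32 /s <dll>" once the patch has been deployed.
$toUnregister = @("$env:SystemRoot\System32\example.dll")   # placeholder name
foreach ($dll in $toUnregister) {
    if (Test-Path $dll) {
        & regsvr32.exe /u /s $dll
        Write-Log "unregistered $dll exit=$LASTEXITCODE"
    } else {
        Write-Log "skipped $dll (not present)"
    }
}

# 4. Host firewall: block inbound by default, then open only what is needed,
#    per application/user as the post describes. Complements the perimeter firewall.
Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block
$ruleName = 'Allow RDP from admin subnet'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort 3389 -RemoteAddress 10.0.0.0/24 -Action Allow | Out-Null   # placeholder subnet
}
Write-Log 'host firewall policy applied'
```

    Assign it under Computer Configuration > Windows Settings > Scripts > Startup so it runs before any user logs on; the NetSecurity cmdlets in step 4 need Windows 8 / Server 2012 or later, and on older hosts that step is done with netsh advfirewall instead. Keep the log: when the patch ships, the same entries tell you which components to re-register and which registry defaults to restore.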

  2. #2
    Crazy...

    I've been wanting to put together something like this for the longest time. 'Bout time someone did, eh?
    Nice post.

  3. #3
    Senior Member

    Sorry, I'm not very active! But as Arnie says, "I'll be back!" This IS good!
    Bukhari:V3B48N826 “The Prophet said, ‘Isn’t the witness of a woman equal to half of that of a man?’ The women said, ‘Yes.’ He said, ‘This is because of the deficiency of a woman’s mind.’”

  4. #4
    Senior Member
    My only concern is that while it can be mitigated, what do you do if a company policy forbids mitigation? I've run into this problem before (company demanded we stick with OE simply to avoid "retraining time" -- as one example), and it sometimes is more frustrating to deal with management than it is to deal with systems. In those circumstances, you're screwed, and I'm certain those circumstances -- while being the exception to the rule -- occur often enough to invalidate this from a standpoint of vulnerability impact measurement (at least IMO).
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    "Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  5. #5
    AO Ancient: Team Leader
    chsh: <------ LOOK!!!!!! I got it right....

    Yeah, there's no accounting for stupidity... er... I mean Administration.....

    There's a million different networks out there and every one is different in one way or another but I would suggest that there are sufficient networks out there that don't have exotic specific needs for the skillset outlined to be of use to a large number of admins who are pressed enough for time as it is and don't know what they need to know _specifically_ to help them secure the network while, at the same time, not having to do a masters course in it too.....

  6. #6
    Great work, Tiger. That was a good analysis and a thoughtful conclusion.
