• The Four Hundred
  • OS/400 Alert: Major Outlook 2002 Vulnerability Discovered

    March 17, 2004 Shannon O'Donnell

    In this week’s “OS/400 Alert,” we’ll tell you about a major new vulnerability in Outlook 2002 that Microsoft has announced. Microsoft Windows Media Services are also being targeted. In addition to these latest threats, as usual, there are a number of major viruses floating around the Web that you should be aware of.

    OUTLOOK 2002 VULNERABILITY FOUND

    On March 9, Microsoft issued a Critical Security Warning for users of Outlook 2002. On March 10, Microsoft issued an additional warning about this same security exposure. Microsoft discovered a vulnerability in Outlook 2002 that can allow Internet Explorer to execute script code in the “local machine zone” of an infected system. The script is activated when Outlook 2002 parses specially formatted “mailto” URLs. To exploit this vulnerability, an attacker would have to host a malicious Web site that contained a Web page designed to exploit the vulnerability and then entice a user to visit that Web page. Alternatively, the attacker could create an HTML-formatted e-mail message designed to exploit the vulnerability and persuade the user to read the e-mail in HTML format. Once the exploit is activated, the attacker can access files on the user’s Windows XP system or run arbitrary code on that system. More information on this latest Microsoft vulnerability can be found on Microsoft’s Web site. To close this vulnerability, download the latest security patch.

    WINDOWS MEDIA SERVICES VULNERABILITY

    The following information is from Microsoft Security Bulletin MS03-022.

    Microsoft Windows Media Services is a feature of Microsoft Windows 2000 Server, Advanced Server, and Datacenter Server, and is also available in a downloadable version for Windows NT 4.0 Server. Windows Media Services contains support for a method of delivering media content to clients across a network known as multicast streaming. In multicast streaming, the server has no connection to or knowledge of the clients that may be receiving the stream of media content coming from the server. To facilitate logging of client information for the server, Windows 2000 includes a capability specifically designed to enable logging for multicast transmissions.

    This logging capability is implemented as an Internet Services Application Programming Interface (ISAPI) extension, nsiislog.dll. When Windows Media Services are added through add/remove programs to Windows 2000, nsiislog.dll is installed in the Internet Information Services (IIS) Scripts directory on the server. Once Windows Media Services is installed, nsiislog.dll is automatically loaded and used by IIS. There is a flaw in the way nsiislog.dll processes incoming client requests. A vulnerability exists because an attacker could send a specially formed HTTP request (communications) to the server that could cause IIS to fail or execute code on the user’s system.

    Windows Media Services is not installed by default on Windows 2000. An attacker attempting to exploit this vulnerability would have to be aware of which computers on the network had Windows Media Services installed on them and send a specific request to that server.
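To see whether a server has been receiving requests for the ISAPI extension described above, an administrator can review the IIS logs. The following is an added example, not code from the bulletin or the article: it parses IIS W3C extended-format log text, honoring `#Fields:` directives, and summarizes requests for nsiislog.dll per client. The sample log lines, the function names, and the use of 5xx responses as a sign of IIS failing are assumptions made for illustration.

```python
import collections

# Constructed IIS W3C extended log sample (not real traffic; documentation IP ranges).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2004-03-15 08:00:01 192.0.2.10 GET /default.htm - 200
2004-03-15 08:02:14 198.51.100.7 POST /scripts/nsiislog.dll - 500
2004-03-15 08:02:15 198.51.100.7 POST /Scripts/NSIISLOG.DLL - 500
2004-03-15 08:05:40 192.0.2.44 GET /scripts/nsiislog.dll - 200
#Fields: date time c-ip cs-method cs-uri-stem sc-status
2004-03-15 09:11:03 203.0.113.9 POST /scripts/nsiislog.dll 200
2004-03-15 09:12:00 192.0.2.10 GET /media/intro.asf 200
"""

TARGET = "nsiislog.dll"  # ISAPI extension named in the bulletin

def find_nsiislog_requests(log_text):
    """Return one dict per logged request whose URI stem ends in nsiislog.dll."""
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            # The column layout can change mid-file when logging is reconfigured.
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or malformed row
        row = dict(zip(fields, values))
        stem = row.get("cs-uri-stem", "").lower()  # IIS paths are case-insensitive
        if stem.rsplit("/", 1)[-1] == TARGET:
            hits.append(row)
    return hits

def summarize_by_client(hits):
    """Count requests per client IP and how many of them returned a 5xx status."""
    summary = collections.defaultdict(lambda: {"requests": 0, "server_errors": 0})
    for row in hits:
        entry = summary[row.get("c-ip", "unknown")]
        entry["requests"] += 1
        if row.get("sc-status", "").startswith("5"):
            entry["server_errors"] += 1
    return dict(summary)

if __name__ == "__main__":
    for ip, stats in summarize_by_client(find_nsiislog_requests(SAMPLE_LOG)).items():
        print(ip, stats)
```

Any hit on a server that is not meant to run Windows Media Services is worth following up, since the extension is only present when that component has been installed.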

    THIS WEEK’S NASTY WINDOWS WORRIES

    The following information is from Symantec’s Web site, at www.symantec.com.

    Trojan.Mitglieder.E is a variant of Trojan.Mitglieder. The Trojan opens a proxy on the system, attempts to stop security software, and is able to update itself.

    W32.Beagle.M@mm is a polymorphic mass-mailing worm that uses its own SMTP engine to spread through e-mail. Like previous Beagle variants, this worm opens a backdoor (it listens on TCP port 2556) and attempts to spread through file-sharing networks by copying itself to folders that contain “shar” in their names. W32.Beagle.M@mm also infects files with the EXE extension.

    Trojan.Etsur monitors and records certain user activity and sends information back to its creator. In particular, it may record online-banking user names and passwords.

    Trojan.Noupdate is a Trojan horse that attempts to prevent users from updating their computer with the latest Microsoft Windows patches.

    Trojan.Gipma is a Trojan horse program that displays obscene messages and makes the desktop and task bar invisible. Trojan.Gipma is written in Microsoft Visual Basic.

    W32.Cone.D@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the e-mail addresses it gathers from files on an infected computer. The e-mail attachment will have a .exe or .zip file extension. This threat is written in Microsoft Visual C++ and is compressed with UPX.

    W32.Netsky.M@mm is a mass-mailing worm that uses its own SMTP engine to send itself to the e-mail addresses it finds when scanning hard drives and mapped drives. The “sender” of the e-mail is spoofed, and its subject, message body, and attachments vary. The attachment has a .pif extension.

    Trojan.Simcss.B is a variant of Trojan.Simcss that terminates processes and downloads and executes files from the Internet.

    PTFs AND FIXES FOR OS/400 AND RELATED PROGRAMS

    IBM released the latest cumulative package for V5R2 customers on January 21.

    The latest HIPER package was released March 3.

    The Database Group PTF was updated February 26.


Copyright © 2023 IT Jungle