Patching Security Holes: Don't Put It Off

Have you heard the latest news about .htr files on IIS? Microsoft released a security bulletin (MS01-104) about the discovery on Monday, January 29. I received a copy of the bulletin at 11:42 P.M. Mountain time. However, I was asleep when the bulletin arrived, so I didn't know about it until Tuesday morning. I manage a few IIS servers, so naturally I was concerned about how the problem might affect my systems. However, Microsoft initially reported problems with .htr files in June 1999 with the release of security bulletin MS99-019. Back then, I determined that the systems I manage don't need .htr file support, so I immediately reconfigured the systems to eliminate that support. As a result, my IIS systems have been immune to three subsequent .htr file vulnerabilities, as reported in MS00-031, MS00-044, and in Microsoft's latest bulletin.

Apparently, not enough administrators take immediate action upon learning of new vulnerabilities. This neglect is a huge mistake, as evidenced quite clearly in another recent security report—this one issued by the Computer Emergency Response Team (CERT). CERT's advisory, also issued on Monday, pertains to BIND, a popular DNS service used widely across the Internet. The advisory details the new-found security risks with BIND, but CERT also points out the age-old security problems with system administrators as well.

According to its latest advisory, CERT released a previous advisory regarding BIND in November 1999 but continued to receive reports of compromises based on the reported vulnerabilities into December 2000. The advisory contains a chart showing that the height of those attacks came approximately 60 days after CERT released its first advisory. The pattern indicates that intruders became aware of and acted upon the reported vulnerabilities much quicker than network administrators acted to correct the same security problems. That's bad news—especially in light of the latest CERT advisory about BIND. The newly reported problems can lead to a direct system compromise or Denial of Service (DoS) attack against the BIND DNS service.

CERT highlighted administrator lag time because BIND is so widely used across the Internet, and the security problems with the code are very serious. If administrators don't patch or upgrade the BIND servers across the Internet as soon as possible, then we can fully expect to see the Internet come to a screeching halt sometime within the next 60 days as DNS servers fall victim to intrusion—that is, if CERT's trend analysis is still applicable, and I think it is.

I've said this many times in past issues of this newsletter, so I'll keep it brief this time: Make every effort to stay on top of the latest security risk discoveries, and take immediate action to defend your networks. Don't put if off!