Security UPDATE--Combined Attack Methods--June 30, 2004


To make sure that your copy of Security UPDATE isn't mistakenly blocked by antispam software, add [email protected] to your list of allowed senders and contacts.


==== This Issue Sponsored By ====

Windows & .NET Magazine

10 Things Hackers Don't Want You To Know


1. In Focus: Combined Attack Methods

2. Security News and Features

- Recent Security Vulnerabilities

- News: Vulnerable IIS Sites and IE Users Under Attack

- News: AOL Engineer Charged with Selling Screen Names to Spammer

- News: MasterCard and NameProtect Team to Stop Phishing

3. Instant Poll

4. Security Toolkit

- FAQ: How Can I Enable a Connection to a Machine over RDP and Through a Firewall?

- Featured Thread

5. New and Improved

- Monitoring Software Bundle Reduces Prices


==== Sponsor: Windows & .NET Magazine ====

Get 2 Sample Issues of Windows & .NET Magazine!

Every issue of Windows & .NET Magazine includes intelligent, impartial, and independent coverage of security, Active Directory, Exchange, scripting, and much more. Our expert authors deliver how-to articles and product evaluations that will help you do your job better. Try two, no-risk sample issues today, and find out why 100,000 IT professionals rely on Windows & .NET Magazine each month!


==== 1. In Focus: Combined Attack Methods ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

The June 16 Security UPDATE includes a link to the news story "New IE Flaws Might Allow Code Injection," which describes a relatively new attack method being used by both intruders and purveyors of suspicious or malicious software to infect systems that use Microsoft Internet Explorer (IE). Jelmer Kuperus said that the attack uses JavaScript, iframes, PHP, and timing techniques to gain access to the trusted intranet zone on a user's system. According to Kuperus, the exploit also "uses several known vulnerabilities and two previously unknown vulnerabilities." One of the vulnerabilities, for which no patch exists, involves ActiveX Data Objects (ADO).

Through this attack method that uses multiple vulnerabilities, many people's systems (possibly even the systems of some of you readers) have become infected with various sorts of software, most of which is annoying, if not outright dangerous. For example, nefarious entities have installed adware that generates an endless stream of pop-up windows on users' systems. That's the lighter side of the problem though.

As you can learn by reading the news story "Vulnerable IIS Sites and IE Users Under Attack" below, yet another factor was added to the mix last week, this time involving Microsoft IIS. Using the IIS vulnerability described in Microsoft Security Bulletin MS04-011 (Security Update for Microsoft Windows) on systems that haven't yet been updated with a patch that's been available since mid-April, intruders can inject JavaScript into a server's Web pages. The JavaScript then uses a technique similar to the one I described above to get IE to download Trojan horse software onto an unsuspecting user's system. The Trojan horse program then gathers ("phishes") log-on and financial information.

So now instead of intruders having to establish their own Web sites to host malicious JavaScript code, they're penetrating unpatched IIS systems around the Internet that host legitimate Web sites. As Bugtraq mailing list moderator David Ahmad points out in a June 25 posting, these combined vulnerabilities have "no dependence on version or memory layout or any other such messy factors, firewalls are totally irrelevant and VPNs become basically a free ride in, [and] the browser doesn't end up crashing (i.e., the victim remains blissfully unaware that they've been owned)." These combined vulnerabilities have the potential to become devastating.
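As an added illustration (not code from this newsletter or from any party it names), here is a PowerShell check an IIS administrator could run over a Web root to surface the kind of content the attack above leaves in otherwise legitimate pages: script tags that load from a host the site doesn't own, and hidden iframes. The file types, the hidden-iframe heuristic and the `Find-InjectedScript` name are my assumptions.

```powershell
# Added example: report script tags loading from foreign hosts and hidden iframes
# in files under an IIS Web root. Heuristics are assumptions, not a definition
# from the article; every hit should be compared against a known-good copy of the site.
function Find-InjectedScript {
    param(
        [Parameter(Mandatory)] [string]   $WebRoot,       # e.g. C:\inetpub\wwwroot
        [Parameter(Mandatory)] [string[]] $AllowedHosts,  # hosts the site legitimately loads scripts from
        [string[]] $Include = @('*.htm', '*.html', '*.asp', '*.aspx', '*.inc')
    )

    # <script ... src="..."> with the URL captured
    $scriptSrc = [regex]'(?is)<script\b[^>]*\bsrc\s*=\s*["'']?(?<src>[^"''\s>]+)'
    # <iframe ...> sized to zero or styled invisible
    $hiddenIframe = [regex]'(?is)<iframe\b[^>]*?(?:width\s*=\s*["'']?0\b|height\s*=\s*["'']?0\b|display\s*:\s*none|visibility\s*:\s*hidden)[^>]*>'
    # absolute (or protocol-relative) URL; relative paths stay on this server
    $externalHost = [regex]'^(?:https?:)?//(?<host>[^/:?#]+)'

    Get-ChildItem -Path $WebRoot -Recurse -File -Include $Include | ForEach-Object {
        $file = $_
        $content = Get-Content -LiteralPath $file.FullName -Raw
        if (-not $content) { return }   # empty file: nothing to inspect

        foreach ($m in $scriptSrc.Matches($content)) {
            $src = $m.Groups['src'].Value
            $h = $externalHost.Match($src)
            # -notcontains compares case-insensitively, so host casing does not matter
            if ($h.Success -and ($AllowedHosts -notcontains $h.Groups['host'].Value)) {
                [pscustomobject]@{ File = $file.FullName; Finding = 'external script'; Detail = $src }
            }
        }
        foreach ($m in $hiddenIframe.Matches($content)) {
            [pscustomobject]@{ File = $file.FullName; Finding = 'hidden iframe'; Detail = $m.Value }
        }
    }
}

# Usage (paths and host names are placeholders):
# Find-InjectedScript -WebRoot 'C:\inetpub\wwwroot' -AllowedHosts 'www.example.com','static.example.com' |
#     Format-Table -AutoSize
```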

Some preventive steps are obvious, and some aren't so obvious, depending on the user or administrator. Obviously, loading the IIS patch MS04-011 on your servers will stop intruders from manipulating the servers' Web pages into hosting malicious code. Turning off scripting in the IE security zones will also protect users to a certain extent. But in countless scenarios, turning scripting off just isn't possible. And sometimes scripting is essential to a Web site's usability. Many of you probably already know how to improve security in IE, but in case you don't, Microsoft has some recommendations that you can read at the following URL:

One workaround if you can't turn off scripting is to disable ADO databases (ADODB) in IE. Drew Copley of eEye Digital Security wrote a simple registry script that does this very thing and one that undoes the changes. He also wrote an executable program that disables and re-enables ADODB. You can download the scripts and executable program at the eEye Web site.
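An added PowerShell example, not eEye's script, of the same disable/undo idea using the ActiveX Compatibility "kill bit" that stops IE from instantiating a control. The ADODB.Stream CLSID, the 0x400 flag value and the function names come from my knowledge of that mechanism rather than from the article.

```powershell
# Added example: set, check or clear the IE kill bit for the ADODB.Stream control.
# CLSID and flag value are from the author's knowledge of the ActiveX Compatibility
# registry mechanism, not from the newsletter. Writing to HKLM needs an administrator shell.
$AdodbStreamClsid = '{00000566-0000-0010-8000-00AA006D2EA4}'
$KillBit          = 0x400
$CompatKey        = "HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\$AdodbStreamClsid"

function Get-AdodbKillBit {
    # $true when the kill bit is present in Compatibility Flags, $false otherwise
    if (-not (Test-Path -LiteralPath $CompatKey)) { return $false }
    $flags = (Get-ItemProperty -LiteralPath $CompatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    return [bool]([int]$flags -band $KillBit)
}

function Set-AdodbKillBit {
    # Disables ADODB.Stream in IE, preserving any other flags already set
    if (-not (Test-Path -LiteralPath $CompatKey)) { New-Item -Path $CompatKey -Force | Out-Null }
    $current = (Get-ItemProperty -LiteralPath $CompatKey -ErrorAction SilentlyContinue).'Compatibility Flags'
    Set-ItemProperty -LiteralPath $CompatKey -Name 'Compatibility Flags' -Type DWord -Value ([int]$current -bor $KillBit)
}

function Clear-AdodbKillBit {
    # Undo: clears only the kill bit, mirroring the "undo" script described above
    if (Test-Path -LiteralPath $CompatKey) {
        $current = (Get-ItemProperty -LiteralPath $CompatKey).'Compatibility Flags'
        Set-ItemProperty -LiteralPath $CompatKey -Name 'Compatibility Flags' -Type DWord -Value ([int]$current -band (-bnot $KillBit))
    }
}

Set-AdodbKillBit
"ADODB.Stream kill bit set: $(Get-AdodbKillBit)"
```

The change takes effect for new IE instances; verify with Get-AdodbKillBit after a logoff/logon if an open browser session still loads the control.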

Another way of protecting IE systems against ADODB attacks is to use PivX Solutions' Qwik-Fix, which protects IE against a variety of intrusion methods. Recently, the company made available a version of Qwik-Fix for enterprise environments. I don't know of any other tool that provides the same sort of functionality.


==== Sponsor: 10 Things Hackers Don't Want You To Know ====

Do you think all hackers use the same techniques to break into your network? Do you think they all guess your passwords? Do you think that an unpatched vulnerability is the only way to compromise your domain controllers? In this free web seminar, you will learn about the 10 (actually 14) things that very successful hackers will do to compromise your network. You will learn how hackers use these techniques, and how to prevent them. The techniques may surprise you, but your network health will improve greatly once you understand them. Sign up now!


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

News: Vulnerable IIS Sites and IE Users Under Attack

A new form of attack is spreading over the Internet. The attack affects unpatched Microsoft IIS systems, which then attack unprotected Microsoft Internet Explorer (IE) systems.

News: AOL Engineer Charged with Selling Screen Names to Spammer

Jason Smathers, an America Online (AOL) engineer, has been arrested and charged with stealing tens of millions of AOL screen names (email addresses) and selling them. Sean Dunaway, who purchased the addresses from Smathers, has also been charged. He is accused of sending spam to AOL customers and selling the list of AOL screen names to other spammers.

News: MasterCard and NameProtect Team to Stop Phishing

MasterCard International and NameProtect announced a partnership in which NameProtect will provide its services to MasterCard to help stop phishing scams and illegal credit card use.


==== Announcements ====

(from Windows & .NET Magazine and its partners)

Free eBook--"The Expert's Guide for Exchange 2003: Preparing for, Moving to, and Supporting Exchange Server 2003"

This eBook will educate Exchange administrators and systems managers about how to best approach the migration and overall management of an Exchange 2003 environment. The book will focus on core issues such as configuration management, accounting, and monitoring performance with an eye toward migration, consolidation, security, and management.

Now the Windows & .NET Magazine Network VIP Web Site/Super CD Really Does Have It All!

Our VIP Web site/Super CD subscribers are used to getting online access to all of our publications, plus a print subscription to Windows & .NET Magazine and exclusive access to our banner-free VIP Web site. But now we've added even more content from the archives of SQL Server Magazine! You won't find a more complete and comprehensive resource anywhere--check it out!


==== 3. Instant Poll ====

Results of Previous Poll

The voting has closed in the Windows & .NET Magazine Network Security Web page nonscientific Instant Poll for the question, "Where are your wireless Access Points (APs)?" Here are the results from the 59 votes.

- 42% Inside the border firewall

- 24% Outside the border firewall

- 34% Between the border firewall and an internal firewall

New Instant Poll

The next Instant Poll question is, "Which Web browser does your company currently use for Internet (as opposed to intranet) browsing?" Go to the Security Administrator Web site and submit your vote for:

- Microsoft Internet Explorer (IE)

- Mozilla

- Firefox

- Opera

- Other

==== 4. Security Toolkit ====

FAQ: How Can I Enable a Connection to a Machine over RDP and Through a Firewall?

by John Savill,

A. RDP operates over TCP port 3389. To enable connectivity to any machine on the network through a firewall, open this port on the firewall. To connect to a particular system on the LAN, configure port forwarding on the firewall to send traffic from port 3389 to that computer.

Featured Thread: Running Multiple Antivirus Scanners

(Three messages in this thread)

A reader wants to know whether running two different antivirus software packages on a network at the same time is a good idea. If yes, why? If no, why not? Lend a hand or read the responses:


==== Events Central ====

(A complete Web and live events directory brought to you by Windows & .NET Magazine: )

Get Smart! Evaluate Your Options in the Entry-Level Server Market

Comparing the options in the server market, including the decision to purchase an OEM-supplied server versus building your own, can be a daunting task. This free Web seminar provides an introduction to entry-level servers, evaluates the current market of entry-level servers, and assesses the value of vendor-supplied service and support. Register now!


==== 5. New and Improved ====

by Jason Bovberg, [email protected]

Monitoring Software Bundle Reduces Prices

GFI Software launched the GFI LANguard Security Event Log Monitor (SELM) and GFI Network Server Monitor bundle. Customers can now purchase GFI LANguard SELM 5.0 and GFI Network Server Monitor 5.5 together at a reduced price. GFI LANguard SELM performs networkwide event-log monitoring to alert you to important security events immediately, whereas GFI Network Server Monitor automatically detects network and server problems. The bundled software lets you monitor 10 servers through GFI LANguard SELM and unlimited servers through GFI Network Server Monitor for $1295 (as opposed to $1649 without the bundle pricing). Complete bundle pricing information is available at GFI's Web site.

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]


==== Sponsored Links ====


Comparison Paper: The Argent Guardian Easily Beats Out MOM

CommVault - Free White Paper: Managing the Infinite Inbox

VERITAS Software

VERITAS White Paper: Reclaim 30% of Your Windows Storage Space Now!


Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows & .NET Magazine, the leading publication for IT professionals deploying Windows and related technologies. Subscribe today.

Windows & .NET Magazine, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.
