April 29, 2004
In This Issue
Tech Talk

"Beat the Worm:" A Guide to Mitigating Critical Flaws, Part I

Critical Flaw or Red Herring?

Every day, network administrators are deluged by hundreds of potential software flaws. They must identify the critical ones, prioritize fixes, and ensure the remedy does not cause additional issues, all before the first cup of coffee. Part one of this four-part series identifies the motivation behind an attack.

By leveraging critical security flaws discovered in widely used software products, worm writers develop and release attacks, frequently in the form of a worm designed solely to exploit a particular flaw. Worms are quite possibly the most aggressive threat a security professional has to deal with when protecting network infrastructure. Stringent corporate security policies and the use of third-party software can dramatically aid in the prevention and remediation of such threats.

Upon the discovery of a critical vulnerability, prioritizing patches to fix software flaws is a daunting task for any network administrator. Each time security professionals prioritize the remediation of a software flaw, there is a risk of causing complications within the infrastructure. The increasing size and complexity of IT architectures exacerbates these complications, which can cost a company a substantial amount of time and money. Software compatibility issues, broken patches, or even improper implementations are all examples of problems that can arise from a rushed remediation strategy. For this reason, security professionals need to be able to accurately gauge the threat level of a given software flaw so they can prioritize its remediation and begin deployment of the necessary patch or third-party software solution.

Worm Writer Motivation
The creator of a worm is often motivated personally, politically, or financially, or by a combination of these. A personally motivated worm writer will often design and release a worm just for the challenge of doing something that has not been done before, or simply to see how much havoc the worm can cause. Some virus and worm writers take pride in their malicious creations and are motivated to write new and improved worms solely for personal satisfaction. Political motivations usually stem from cultural differences between two or more nations or groups. Most worm writers enjoy their solitude, but are quickly drawn into action during times of serious political conflict. For example, the Code Red worm was designed to attack English-language operating systems during a period of serious political fallout in the second quarter of 2001. Financial motivations are self-explanatory and are seen as the least likely motivator, but they do exist: worm writers operating for financial gain can be offered a substantial amount of money to design and/or release a worm targeting a desired company, infrastructure, or country.

Regardless of a worm writer’s motivation, network administrators need to remain vigilant. Implementing a proactive security strategy that incorporates ongoing vulnerability assessment and constantly updated vulnerability checks is crucial. When using a vulnerability scanner, be sure to choose a tool with the option to prioritize, schedule and automate remediation activities. This will allow for effective patch management, while obviating the tedious task of implementing manual patches across distributed enterprises. Visit http://www.eeye.com for more information.

Next issue: Part 2: The Complexity of Flaw Exploitation

Source: eEye’s Research Team

News & Articles
The following articles represent the opinions of their respective authors. They do not necessarily represent the opinions of eEye Digital Security.

eWeek: Compromise Likely of Serious Windows SSL Vulnerability
"Security experts are monitoring what appears to be a coordinated effort to exploit a known vulnerability in the Secure Sockets Layer (SSL) implementation in Windows, and say that there may be a worm doing some of the work." Full Article

eWeek: Microsoft Patches More Windows Holes
"It's security bulletin release Tuesday for Microsoft. The company issued four new security bulletins, all of which pertain to Windows vulnerabilities. Three of the new patches the company rated 'critical,' and the other, 'important.'" Full Article

SearchSecurity.com: TCP Protocol Flaw: The Sky Isn't Falling
"A critical vulnerability, affecting multiple vendors, has been identified in the Transmission Control Protocol (TCP) used for Internet connections, mainly routing infrastructure including networked operating systems and network equipment. However, experts say the problem is being corrected and isn't that big of a deal." Full Article

NetworkWorldFusion.com: Cisco Warns of More Critical Software Holes
"Cisco warned its customers about two critical security holes that affect almost every product the company makes. The vulnerabilities could be used by malicious hackers to create so-called "denial of service" (DoS) attacks, causing Cisco products to abruptly restart or drop active connections with other devices." Full Article

Reader Q&A

Q: What are the workarounds for the LSASS Vulnerability?

A: While these workarounds will not correct the underlying vulnerability, they help block known attack vectors. When a workaround reduces functionality, it is identified below.

Use a personal firewall.
If you use the Internet Connection Firewall feature in Windows XP or in Windows Server 2003 to help protect your Internet connection, it blocks unsolicited inbound traffic by default. Microsoft recommends blocking all unsolicited inbound communication from the Internet.

Block the following ports at the firewall:
UDP ports 135, 137, 138, and 445, and TCP ports 135, 139, 445, and 593.
All unsolicited inbound traffic on ports greater than 1024.
Any other specifically configured RPC port.

Enable advanced TCP/IP filtering on systems that support this feature.
You can enable advanced TCP/IP filtering to block all unsolicited inbound traffic. For additional information about how to configure TCP/IP filtering, please refer to Microsoft Knowledge Base Article 309798.

Block the affected ports using IPSec on the affected machines.
You can secure network communications by using Internet Protocol Security (IPSec).

For additional security, consider blocking the affected ports with IPSec filters. Unlike the firewall options above, IPSec allows you to control both inbound and outbound traffic, as opposed to just inbound traffic.
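As an added example (not from the newsletter or from eEye), the following Python audits constructed inbound-traffic records against the port list in the workarounds above, including the "unsolicited traffic above port 1024" rule. The log line format and the site-specific RPC port 5000 are assumptions made for illustration.

```python
"""Audit inbound flows against the LSASS workaround port list.

Constructed example: the port sets come from the workaround text above; the
log format ('proto=tcp dst_port=445 unsolicited=1') and the extra RPC port
are assumptions, not anything eEye or Microsoft published.
"""
from dataclasses import dataclass
from typing import Dict, Iterable, Optional

# Ports the workaround says to block at the perimeter.
BLOCKED_UDP = {135, 137, 138, 445}
BLOCKED_TCP = {135, 139, 445, 593}
# "Any other specifically configured RPC port" -- constructed site value.
EXTRA_RPC_PORTS = {5000}


@dataclass(frozen=True)
class Flow:
    proto: str          # "tcp" or "udp"
    dst_port: int
    unsolicited: bool   # True when no matching outbound request exists


def should_block(flow: Flow) -> Optional[str]:
    """Return the name of the workaround rule a flow violates, else None."""
    proto = flow.proto.lower()
    if proto == "udp" and flow.dst_port in BLOCKED_UDP:
        return "udp-rpc-netbios"
    if proto == "tcp" and flow.dst_port in BLOCKED_TCP:
        return "tcp-rpc-smb"
    if flow.dst_port in EXTRA_RPC_PORTS:
        return "configured-rpc"
    # Solicited replies on high ports (e.g. to our own outbound connections)
    # are allowed; only unsolicited inbound traffic above 1024 is blocked.
    if flow.unsolicited and flow.dst_port > 1024:
        return "unsolicited-high-port"
    return None


def parse_line(line: str) -> Flow:
    """Parse one constructed 'key=value' log line into a Flow."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(fields["proto"], int(fields["dst_port"]),
                fields["unsolicited"] == "1")


# Constructed sample records: two RPC/SMB hits, a web request, RDP both
# solicited and unsolicited, and the site-configured RPC port.
SAMPLE_LOG = [
    "proto=tcp dst_port=445 unsolicited=1",
    "proto=udp dst_port=137 unsolicited=1",
    "proto=tcp dst_port=80 unsolicited=1",
    "proto=tcp dst_port=3389 unsolicited=1",
    "proto=tcp dst_port=3389 unsolicited=0",
    "proto=tcp dst_port=5000 unsolicited=1",
]


def audit(lines: Iterable[str]) -> Dict[str, str]:
    """Map each log line the workaround would block to the rule it hit."""
    result = {}
    for line in lines:
        reason = should_block(parse_line(line))
        if reason:
            result[line] = reason
    return result
```

Running `audit(SAMPLE_LOG)` flags four of the six records; the web request and the solicited RDP reply pass, which is the behaviour the workaround intends.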

Have a question you would like answered? Send it to versa@eEye.com, and win an eEye t-shirt if we select your question for an upcoming newsletter.

Announcements

Now Available: Retina® Remediation Manager
Retina Remediation Manager is a fast, effective patch and configuration automation solution which allows for the efficient planning and execution of remediation activities. Enterprises that perform regular vulnerability assessments are frequently faced with the daunting task of remediating hundreds, if not thousands, of workstations and servers. Click here to learn how to eliminate the burden of manually patching your systems. Full Article

Upcoming Webinar: Vulnerability Expert Forum
eEye Digital Security will be hosting special web seminars focusing on recently announced critical vulnerabilities. Prospects, customers and partners are invited to participate in these discussions with eEye's vulnerability experts, such as Marc Maiffret, where we explore the impact high-risk vulnerabilities and exploits have on network environments and infrastructures. Our experts will provide in-depth knowledge about these issues and the solutions eEye Digital Security provides to detect and protect against current and future critical software flaws and security weaknesses.
Date/Time: North America: Wednesday, May 12 @ 1pm PST / 4pm EST
Date/Time: Europe: Thursday, May 13 @ 15:30 GMT - 16:30 CET Full Article

News Release: eEye® Digital Security Extends Vulnerability Management Offering
eEye released REM™ 2.0 Security Management Platform on March 22, 2004. REM 2.0 enables organizations to proactively address network security threats, enforce security policies and automate remediation activities, all from a secure, web-based management console. Full Article

Upcoming Webinar: How to Achieve Operational Efficiency with Retina Enterprise
During this webcast, we’ll discuss some of the common misconceptions about security layers and why vulnerability assessment and remediation is a critical component to your overall network security strategy. This webinar will also provide a hands-on look at Retina Network Security Scanner and how you can use vulnerability assessment to quickly identify issues within your network and take corrective actions to proactively fix vulnerabilities before they’re exploited.
Date/Time: Thursday, May 13 @ 11am PST / 2pm EST Full Article

Etcetera

CNN.com: Microsoft Releases Flurry of 'Critical' Patches
Microsoft Corp. has released three critical patches to fix security flaws that could allow an attacker to take over another computer user's Windows operating system. A fourth patch, which the company called "important," also fixes a similar vulnerability in the Windows operating system that is used on more than 90 percent of the world's computers. More

eWeek.com: How Long Is Too Long to Develop a Patch?
A disturbing pattern is emerging from the last couple of months' worth of Microsoft security patches: Some of the critical vulnerabilities fixed had been reported to the company quite some time before, 200 days before the patch in one case. More

HOW TO SUBSCRIBE
To subscribe to this and other eEye newsletters, please visit: http://www.eeye.com/html/resources/newsletters/subscribe.html

FEEDBACK
The eEye newsletter staff welcomes any comments, questions or suggestions from our readers. We hope that you will not hesitate to contact us with any feedback you may have. Send all feedback to versa@eeye.com.

DISCLAIMER
The information within this newsletter may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.

NOTICE
Permission is hereby granted for the redistribution of this newsletter electronically. It is not to be edited in any way without the express consent of eEye. If you wish to reprint the whole or any part of this newsletter in any other medium excluding electronic medium, please email versa@eeye.com for permission.