Diaries

Published: 2003-11-25

Port 1026-1031 increase


The number of sources scanning for ports 1026-1031 has been increasing over the last few days. See:

http://www.dshield.org/port_report.php?port=1026

http://www.dshield.org/port_report.php?port=1031

We are currently looking for more data to investigate this issue. One important hint is the change in source ports. As of Nov. 21st, most port 1026 reports came
from a source port of 666 or 4177, indicating that the packets were crafted. However,
more recently (e.g. Nov. 25th), more reports originate from the default ephemeral source
ports (1024 and up). This is illustrated in this graphic:

http://isc.sans.org/images/1026spdistribution.gif

Not shown in the graphic is a second peak in the Nov. 25th data around source
port 60,000. Source ports this high may indicate hosts behind NAT devices, which rewrite the source port.

Current possibilities:

(1) Popup Spam:

It is possible to reach the Windows Messenger service (the "net send" pop-up service, not MSN Messenger) via these ports. This
bypasses UDP 135, which is frequently blocked by firewalls.

However, most popup spam originates from a small number of sources, which does not fit the growing number of distinct sources seen here.

(2) Windows Messenger Worm/Bot

On October 15th, Microsoft released Bulletin MS03-043. This bulletin warns of a
buffer overflow in the Microsoft Messenger Service:

http://www.microsoft.com/technet/security/bulletin/MS03-043.asp

This vulnerability could be used to gain access to a system, or to launch self-replicating code. The malware community is actively working on related exploits.

RECOMMENDATIONS

Continue to be vigilant and please report related incidents. Note: MS03-043 was revised earlier this week regarding patching conflicts. If you put off patching
due to this conflict, please reevaluate.
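The source-port hint above (crafted packets from a fixed port such as 666 or 4177 versus traffic from a sender's default ephemeral range, plus a high-port cluster that suggests NAT) can be checked against your own firewall logs before reporting. The following script is an added example and not part of the original diary; the log format, the sample lines and the bucket boundaries (ephemeral at 1024 and up, "high" at 49152 and up) are assumptions made for the example.

```python
"""
Source-port profiling for UDP 1026-1031 scan reports.

Added example (not from the ISC diary): given firewall/IDS log lines in a
simple, constructed whitespace-separated format, count distinct sources per
destination port and bucket the source ports so that crafted scanners (fixed
source port such as 666 or 4177) can be told apart from senders using their
default ephemeral range (1024 and up) or high ports that suggest a NAT device
rewrote the source port.  The log format and sample lines are constructed.
"""
from collections import Counter, defaultdict

# Destination ports under observation (from the diary).
WATCH_PORTS = range(1026, 1032)

# Fixed source ports the diary associates with crafted packets.
CRAFTED_SRC_PORTS = {666, 4177}

# Constructed sample: date time src_ip src_port dst_ip dst_port proto
SAMPLE_LOG = """\
2003-11-21 10:01:02 10.0.0.5 666 192.0.2.10 1026 UDP
2003-11-21 10:01:03 10.0.0.5 666 192.0.2.11 1026 UDP
2003-11-21 10:01:04 10.0.0.6 4177 192.0.2.12 1027 UDP
2003-11-21 10:01:05 10.0.0.6 4177 192.0.2.12 1026 UDP
2003-11-25 08:15:00 10.0.1.7 1031 192.0.2.10 1026 UDP
2003-11-25 08:15:01 10.0.1.8 1045 192.0.2.10 1026 UDP
2003-11-25 08:15:02 10.0.1.9 2098 192.0.2.11 1028 UDP
2003-11-25 08:15:03 10.0.1.10 60012 192.0.2.11 1026 UDP
2003-11-25 08:15:04 10.0.1.11 60345 192.0.2.13 1029 UDP
2003-11-25 08:15:05 10.0.1.12 53 192.0.2.13 53 UDP
2003-11-25 08:15:06 10.0.1.12 3000 192.0.2.13 135 TCP
"""


def parse_line(line):
    """Parse one constructed log line into a dict; return None for malformed lines."""
    fields = line.split()
    if len(fields) != 7:
        return None
    date, _time, src, sport, dst, dport, proto = fields
    try:
        return {"date": date, "src": src, "sport": int(sport),
                "dst": dst, "dport": int(dport), "proto": proto}
    except ValueError:
        return None


def bucket_source_port(sport):
    """Classify a source port (boundaries are assumptions for this example)."""
    if sport in CRAFTED_SRC_PORTS:
        return "crafted"
    if sport < 1024:
        return "privileged"
    if sport >= 49152:   # IANA dynamic range; the diary's peak near 60,000 lands here
        return "high"
    return "ephemeral"   # 1024 and up: the default client range of the era


def profile(log_text, date=None):
    """Return {dport: {"sources": n, "buckets": Counter}} for UDP hits on 1026-1031.

    Non-UDP traffic and other destination ports are ignored; an optional date
    restricts the profile to one day so two days can be compared.
    """
    sources = defaultdict(set)
    buckets = defaultdict(Counter)
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None or rec["proto"] != "UDP" or rec["dport"] not in WATCH_PORTS:
            continue
        if date is not None and rec["date"] != date:
            continue
        sources[rec["dport"]].add(rec["src"])
        buckets[rec["dport"]][bucket_source_port(rec["sport"])] += 1
    return {p: {"sources": len(sources[p]), "buckets": buckets[p]} for p in sources}


def crafted_fraction(log_text, date=None):
    """Share of watched-port hits whose source port is one of the crafted values."""
    total = crafted = 0
    for entry in profile(log_text, date).values():
        total += sum(entry["buckets"].values())
        crafted += entry["buckets"]["crafted"]
    return crafted / total if total else 0.0


if __name__ == "__main__":
    for day in ("2003-11-21", "2003-11-25"):
        print(day, "crafted fraction:", round(crafted_fraction(SAMPLE_LOG, day), 2))
        for port, entry in sorted(profile(SAMPLE_LOG, day).items()):
            print("  port", port, "distinct sources:", entry["sources"], dict(entry["buckets"]))
```

Run against the constructed sample, the Nov. 21st lines are entirely crafted (source port 666 or 4177) while the Nov. 25th lines come from ephemeral and high ports, which is the shift the diary describes; a drop in the crafted fraction together with a rise in distinct sources is the pattern worth reporting.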

0 Comments

Published: 2003-11-11

Microsoft November Bulletins

Microsoft released its first monthly set of bulletins. It covers four vulnerabilities, three of which are rated critical:

MS03-048: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-048.asp

Cumulative Security Update for Internet Explorer

This patch fixes a lot of older vulnerabilities in Internet Explorer and should be applied without delay. Microsoft rates this issue critical as it allows remote code execution.

MS03-049: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-049.asp

Buffer Overrun in the Workstation Service

Another 'remote code execution' issue that should be addressed immediately.

MS03-050: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-050.asp

Vulnerability in Microsoft Word and Microsoft Excel Could Allow Arbitrary Code to Run

You need to run Office Update to fix this issue. Microsoft Windows Update will not address Office issues. Microsoft rates this issue as 'Important'. It allows arbitrary code execution via crafted Word or Excel documents. While this is not easily remotely exploitable, it could be used to spread viruses that use social engineering to trick users into opening crafted Word or Excel documents.

MS03-051: http://www.microsoft.com/technet/treeview/?url=/technet/security/bulletin/MS03-051.asp

Buffer Overrun in Microsoft FrontPage Server Extensions Could Allow Code Execution

The Microsoft FrontPage Server Extensions are a set of add-ons which allow easier integration of Microsoft FrontPage with web servers. The FrontPage Server Extensions are installed on the web server, so this issue affects servers rather than client workstations.


0 Comments