Flaws in Checkpoint and RealOne; MyDoom Update; AntiVirus Software; Data Call

Published: 2004-02-05
Last Updated: 2004-02-06 01:34:23 UTC
by Marcus Sachs (Version: 1)
Checkpoint Product Flaws. According to Internet Security Systems (ISS), there are two new vulnerabilities in Checkpoint products: a buffer overflow in the ISAKMP processing component for both the Checkpoint VPN-1 server and Checkpoint VPN clients, and several remotely exploitable format string vulnerabilities in the HTTP Application Intelligence component of Firewall-1. Details about both are on ISS' web site at http://xforce.iss.net/xforce/alerts/id/162 and http://xforce.iss.net/xforce/alerts/id/163.

(An interesting point for graduates of the SANS Hacker Techniques, Exploits and Incident Handling track - remember the class on format string attacks? Now you really DO have something you can talk about this weekend at a cocktail party!)

As far as we know there are no exploits for either of these vulnerabilities in the wild. Unfortunately, we have found that many Internet search engines will locate installations of Firewall-1 if the HTTP proxy is active. This puts those sites at extreme risk of attack if they are not quickly updated.

RealOne Vulnerable to Remote Exploits. Real Networks released a bulletin on Wednesday detailing vulnerabilities in their RealOne player. Details and instructions for upgrading are on the web at http://www.service.real.com/help/faq/security/040123_player/EN/

MyDoom Virus Source Tracing. As we all know, the MyDoom virus uses forged source addresses, making traceback a bit harder than just looking at the FROM address. If you examine the SMTP headers of one of these emails, you may find that the original IP address of the sender is present (in the Received: line added by the first relay), plus the message ID if the sender uses a typical email client. Both of these items of information can be used to track down computers that remain infected.
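As an added illustration (not part of the original diary), here is a small Python script that performs the traceback just described: it unfolds the headers of a constructed MyDoom-style message, walks the Received: chain newest-first through relays we operate (an assumed set), and reports the client IP our border MX recorded together with the Message-ID. All hostnames and addresses are made up.

```python
import re

# Constructed sample: From: is forged, but the Received: line that our own
# border MX (mx1.example.org, assumed) added records the real client IP.
SAMPLE = """Received: from mx1.example.org (mx1.example.org [192.0.2.10])
\tby mail.example.org with ESMTP id i15ABCDE; Thu, 5 Feb 2004 10:01:02 -0500
Received: from victim-pc.example.net (dsl-203-0-113-77.example.net [203.0.113.77])
\tby mx1.example.org with SMTP id i15XYZ12; Thu, 5 Feb 2004 10:01:00 -0500
From: forged.sender@example.com
Message-ID: <20040205150100.GA1234@victim-pc.example.net>

body
"""

TRUSTED = {"mail.example.org", "mx1.example.org"}  # relays we run (assumed)
FROM = re.compile(r"\bfrom\s+([\w.-]+)", re.I)
BY = re.compile(r"\bby\s+([\w.-]+)", re.I)
IP = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")


def parse_headers(raw):
    """Unfold the header block (continuation lines start with whitespace);
    return (name, value) pairs in wire order with lower-cased names."""
    headers = []
    for line in raw.split("\n\n", 1)[0].splitlines():
        if line[:1] in (" ", "\t") and headers:
            name, value = headers[-1]
            headers[-1] = (name, value + " " + line.strip())
        else:
            name, _, value = line.partition(":")
            headers.append((name.strip().lower(), value.strip()))
    return headers


def originating_ip(headers, trusted=TRUSTED):
    """Walk Received: lines newest-first. Each relay prepends its own line, so
    the first line written BY a trusted host FROM an untrusted host holds the
    client IP our border saw; lines below it may be forged by the sender."""
    for value in (v for n, v in headers if n == "received"):
        by = BY.search(value)
        if not by or by.group(1).lower() not in trusted:
            return None  # chain broken: a hop we did not write
        frm = FROM.search(value)
        if frm and frm.group(1).lower() in trusted:
            continue  # internal hop, keep walking
        ip = IP.search(value)
        return ip.group(1) if ip else None
    return None


def message_id(headers):
    return next((v for n, v in headers if n == "message-id"), None)
```

Run against the sample, originating_ip returns 203.0.113.77 even though From: claims forged.sender@example.com, and message_id returns the client-generated ID.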

ISP Port Blocking. Because of the MyDoom virus, some ISPs are blocking ports 3127-3198. This affects Windows users since Windows often uses this port range as the source port for outgoing connections. If you are using Windows, and ping, traceroute, and other utilities "see" the Internet but your browser and other applications cannot, this might be the cause.

AntiVirus Client Software. One more plea to the antivirus software vendors: PLEASE turn off the auto-response feature! We have found that in addition to the corporate email systems sending autoresponses to the FROM addressee of infected emails, some popular antivirus clients also do this. The result is an increase in the amount of pointless error messages, and an increase in confused consumers who do not understand why they are getting the warnings from other computers.

Request for Data. A reader has asked if others are seeing an increase in activity directed toward tcp/1080 and 3128. Our data shows an increase in targets over the past few days. Please check your logs and if you see the same increase and have any ideas about the source please drop us a note. Likewise, tcp/1024 is showing an interesting increase.

Marcus H. Sachs

The SANS Institute

Handler on Duty
