Manifesto Multilinko
Interesting links and notes on updates to my main website.

Wednesday, January 14, 2004
computer and network security - Microsoft January 2004 bulletins

For some reason, I didn't get the monthly MS security email, but anyway

Microsoft Windows Security Bulletin Summary for January, 2004

There is an MDAC vulnerability, just rated "important".
Microsoft Security Bulletin MS04-003: Buffer Overrun in MDAC Function Could Allow Code Execution (832483)
Symantec Security Response: Microsoft MDAC Function Broadcast Response Buffer Overrun Vulnerability

Note that the "Windows Security" bulletins cover only the core OS.
MS has separate security bulletins for all of its various products.

The one that is getting the most attention is for their rather uselessly named "Internet Security and Acceleration Server":
Microsoft Security Bulletin MS04-001: Vulnerability in Microsoft Internet Security and Acceleration Server 2000 H.323 Filter Could Allow Remote Code Execution (816458)

There are accompanying, related advisories from OCIPEP, CERT and Symantec. Note that the H.323 vulnerability affects a variety of systems, not just Microsoft's.

OCIPEP AV04-001: Vulnerability Issues in Implementations of the H.323 Protocol
CERT® Advisory CA-2004-01 Multiple H.323 Message Vulnerabilities
Symantec Security Response: Microsoft ISA Server 2000 H.323 Filter Remote Buffer Overflow Vulnerability

Symantec Recommendations

Block external access at the network boundary, unless service is required by external parties.
Block TCP port 1720 at network perimeter or gateway. The H.323 filter listens on TCP port 1720 for incoming traffic, therefore blocking this port will protect against a remote attack.

Deploy network intrusion detection systems to monitor network traffic for malicious activity.
Use intrusion detection systems to monitor networks for anomalous activity and report attempted attacks.

Implement multiple redundant layers of security.
An attacker's ability to exploit this vulnerability to execute arbitrary code may be hindered through the use of various memory protection schemes. Where possible, implement the use of non-executable and randomly mapped memory segments.

Microsoft has released security advisory MS04-001 to address this issue. Users are strongly advised to obtain fixes.

I expect, though, that you may need port 1720 (H.323 host call) for other H.323 audio/video conference apps; for example, according to my TCP/IP port page, you need it for NetMeeting, GnomeMeeting, Netscape Conference, presumably ohphone and so on. So you may want to be careful about blocking it at your perimeter.
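
If TCP 1720 has to stay open for conferencing, one option is to watch who connects to it. The following added example (not part of the original post or of the quoted advisories) scans gateway log lines for new inbound TCP 1720 connections from sources outside an allowlist of conferencing peers. The Linux netfilter LOG line format, the interface name `eth0`, the allowlist and all addresses are assumptions, and the log lines are constructed.

```python
import ipaddress
import re
from collections import Counter

H323_CALL_PORT = 1720  # TCP port the H.323 filter listens on, per the advisory
# Assumption: conferencing partners permitted to reach TCP 1720 (documentation range).
ALLOWED_PEERS = [ipaddress.ip_network("198.51.100.0/28")]
EXTERNAL_IF = "eth0"   # assumption: external-facing interface of the gateway

# Constructed sample lines, shortened from the Linux netfilter LOG format.
SAMPLE_LOG = """\
Jan 14 10:01:02 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.10 PROTO=TCP SPT=40112 DPT=1720 SYN
Jan 14 10:01:05 gw kernel: IN=eth0 OUT=eth1 SRC=198.51.100.5 DST=192.0.2.10 PROTO=TCP SPT=51000 DPT=1720 SYN
Jan 14 10:01:09 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.7 DST=192.0.2.11 PROTO=TCP SPT=40113 DPT=1720 SYN
Jan 14 10:02:00 gw kernel: IN=eth1 OUT=eth0 SRC=192.0.2.10 DST=198.51.100.5 PROTO=TCP SPT=1720 DPT=51000 ACK SYN
Jan 14 10:02:30 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.9 DST=192.0.2.10 PROTO=UDP SPT=5060 DPT=1720
Jan 14 10:03:00 gw kernel: IN=eth0 OUT=eth1 SRC=203.0.113.20 DST=192.0.2.10 PROTO=TCP SPT=33000 DPT=80 SYN
"""

FIELD = re.compile(r"(\w+)=(\S*)")
FLAG = re.compile(r"\b(SYN|ACK|RST|FIN)\b")

def parse_line(line):
    """Split a LOG line into KEY=value fields plus the set of TCP flags."""
    fields = dict(FIELD.findall(line))
    fields["FLAGS"] = set(FLAG.findall(line))
    return fields

def unexpected_h323_sources(log_text):
    """Count new inbound TCP 1720 connection attempts per non-allowlisted source."""
    hits = Counter()
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("IN") != EXTERNAL_IF or f.get("PROTO") != "TCP":
            continue  # outbound traffic or not TCP
        if f.get("DPT") != str(H323_CALL_PORT) or f["FLAGS"] != {"SYN"}:
            continue  # other port, or not the first packet of a connection
        try:
            src = ipaddress.ip_address(f.get("SRC", ""))
        except ValueError:
            continue  # malformed or missing source address
        if not any(src in net for net in ALLOWED_PEERS):
            hits[str(src)] += 1
    return dict(hits)

if __name__ == "__main__":
    for src, count in unexpected_h323_sources(SAMPLE_LOG).items():
        print(f"{src}: {count} connection attempt(s) to TCP {H323_CALL_PORT}")
```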