Internet Storm Center evaluates moving from GREEN to YELLOW

Common Tasks

Community

Email Notifications

Personal Links

Security Protection - Harry Waldron (CS)

Security Best Practices, Breaking News, & Updates

SANS is evaluating moving to a heightened alert status for the Internet Storm Center. As malicious individuals are most likely trying to craft new Internet worms, hopefully this event will be delayed as long as possible, so that everyone can complete the job of patching up.

INTERNET STORM CENTER
http://www.incidents.org/

Internet Storm Center evaluates moving from GREEN to YELLOW
http://www.incidents.org/diary.php?date=2004-04-23

Potential Microsoft PCT worm (MS04-011)

In response to observed active exploit of the PCT vulnerability, announced in Microsoft Bulletin MS04-011, some AV vendors have raised alert status. The IT-ISAC reports that some IDS are "detecting and blocking attacks against many institutions. The attacks are attempting to steal data and/or break into payment systems."

An exploit for this issue currently being used to compromise vulnerable systems running SSL-enabled IIS 5.0. Note the vulnerability exists in any SSL-enabled program which is running on vulnerable Windows systems. Windows 2003 Server is not affected if PCT is disabled."

Possible move to Yellow
We are closely monitoring the IIS exploit and may move to Yellow this evening.

=====================================

CERT -- More on the new PCT Exploit

Exploit for Microsoft PCT vulnerability released
http://www.us-cert.gov/current/current_activity.html#pct

Exploit code has been publicly released that takes advantage of a buffer overflow vulnerability in the Microsoft Private Communication Technology (PCT) protocol. The vulnerability allows a remote attacker to execute arbitrary code with SYSTEM privileges. More information about the vulnerability is available in TA04-104A and VU#586540.

US-CERT is aware of network activity that is consistent with scanning and/or exploit attempts against this vulnerability. Reports indicate increased network traffic to ports 443/tcp and 31337/tcp. The PCT protocol runs over SSL (443/tcp) and the known exploit code connects a command shell on 31337/tcp. Note that the exploit code could be modified to use a different port or to execute different code. This vulnerability is remedied by the patches described in Microsoft Security Bulletin MS04-011.

Posted: Apr 24 2004, 06:44 AM by Harry Waldron | with no comments

Questions? Contact Susan at Susan-at-msmvps.com. Each post's copyright held by the original author. All rights reserved. Blog site is an independent site not sponsored by Microsoft.
Our servers would like to thank www.ownwebnow.com and www.exchangedefender.com. We wouldn't be here without the generosity of Vlad Mazek and his companies.

Powered by Community Server (Commercial Edition), by Telligent Systems

Theme based on the Paperclip Blog Theme included in Community Server.
Enhanced to a Site-Wide Theme by Interscape Technologies.