UCL Computer Security Newsletter - March 2004
The purpose of this newsletter is to keep all security reps and other interested parties informed about what is happening around UCL regarding computer security. Further information from the Computer Security Team is always available at http://www.ucl.ac.uk/cert.
1. What's New?
A vulnerability has been announced in the way that Microsoft Outlook 2002 handles a certain type of URL, which could allow a remote attacker to execute arbitrary code on the vulnerable system. Although not originally rated as such, the vulnerability has now been upgraded to critical, and a patch is available. A new Service Pack 3 for Office XP, released this month, also includes this fix. The bulletin also mentions some workarounds which will not solve the vulnerability but will limit exposure to issues like this and should be taken as general good practice.
CERT advisory at http://www.us-cert.gov/cas/techalerts/TA04-070A.html
Microsoft security bulletin at http://www.microsoft.com/technet/security/bulletin/ms04-009.mspx
Note that this update is not available from Windows Update and not downloaded automatically - you have to go to the Office update area.
2. Recent incidents/activity
2.1 There is massive scanning on port 24 at the moment. This may be related to a new version of the backdoor program BackOrifice (BO2K). Since this port is unlikely to be used for genuine traffic, we have blocked it at the interface to the London MAN as a protective measure.
2.2 There is also an upsurge of Agobot causing trouble at present - details at http://www.f-secure.com/v-descs/agobot_fo.shtml. It steals passwords, usernames and email addresses, and performs DDoS attacks. It spreads via:
RPC/DCOM (MS03-026, fixed by MS03-039): http://www.microsoft.com/technet/security/bulletin/MS03-039.asp
RPC/Locator (MS03-001): http://www.microsoft.com/technet/security/bulletin/MS03-001.asp
WebDAV (MS03-007): http://www.microsoft.com/technet/security/bulletin/MS03-007.asp
A very basic presentation on security awareness is available at http://www.ucl.ac.uk/cert/training/index.htm. [Link no longer available]
The Institutional Firewall project moved on to its latest stage when the PIX blade was placed in front of Information Systems' networks. The move was fairly smooth, largely due to the quality of the information we had beforehand about what traffic to expect. We hope to have similarly detailed information from other departments when we come to deal with the next stages over the next few months.
We welcome feedback on the content and organisation of documents on our web page.