NSC-030808: Updates on computer security issues

Here is an update on the computer security situation around campus. Please forward this notice to all computer support personnel in your area. 

Windows RPC Exploits:

1.) The University and UIHC are blocking Microsoft Networking ports 135, 139, and 445 at the "border" of the campus network to hinder the spread of recent hacker exploits of Microsoft Windows computers using the RPC/DCOM vulnerability that is covered by Microsoft bulletin MS03-026 (see details at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS03-026.asp). ALL campus Windows computers must get current security patches installed!

*** IMPORTANT: If you have encountered, or received reports from users of, any problems with this measure, please report them to the IT Security Office. We need to monitor the impact of this block to help with decision making with respect to its removal. To date, we have received very few reports of adverse impact from the block.

2.) On-going security vulnerability scanning indicates we are making good progress (50-60%) towards repairing Windows computers which were breached/compromised during the Internet attacks last week.  IT Security Office staff are continuing to search/scan the network, and are reporting individual compromised machines to the NSC building contact lists to assist with identification and cleanup. 

We still have a significant number of computers that were breached and are totally accessible through a backdoor web interface which was installed on the machines.  Not only can an attacker using this interface run any program they wish on the computer, but ALL files on the computer are available to them. It's critical that you get these computers repaired as soon as possible, or take them off-line until they can be repaired.   

3.) The "Denial of Service" aspect of the Windows RPC/DCOM vulnerability still exists. An attacker can send malformed communications to a PATCHED Windows computer, which results in the system either auto-booting (restarting itself) or crashing the "svchost" system task, rendering the system unstable until it is manually restarted. For this reason, we need to keep the Microsoft Networking Ports block in place until a solution for this problem has been released and all affected computers are repaired.

For more information, all previous computer security alerts can be reviewed at http://www.its.uiowa.edu/cio/ITSecurity/notices/
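
One way to confirm from an off-campus machine that the border block on ports 135, 139, and 445 is in effect for computers you are responsible for, given as an added example that is not part of the original notice. The function names and the 3-second timeout are assumptions, and a "filtered" result assumes the block silently drops packets rather than rejecting them.

```python
import socket
import sys

# Microsoft Networking ports blocked at the campus border, per the notice.
BLOCKED_PORTS = (135, 139, 445)


def probe(host, port, timeout=3.0):
    """Classify one TCP port as 'open', 'closed' or 'filtered'.

    open     - the handshake completed, so traffic reaches the service
    closed   - the connection was actively refused (a reset came back),
               so the probe was not silently dropped on the way
    filtered - no answer or a network error, consistent with a border drop
    """
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return "open"
    except socket.gaierror:
        raise  # a bad host name is an input error, not a filtered port
    except ConnectionRefusedError:
        return "closed"
    except OSError:  # includes timeouts and unreachable errors
        return "filtered"


def audit(hosts, ports=BLOCKED_PORTS, probe_fn=probe, timeout=3.0):
    """Return (host, port, state) for every port that is NOT filtered."""
    exposed = []
    for host in hosts:
        for port in ports:
            state = probe_fn(host, port, timeout)
            if state != "filtered":
                exposed.append((host, port, state))
    return exposed


if __name__ == "__main__":
    # Usage (hypothetical file name): python check_block.py <your-host> ...
    findings = audit(sys.argv[1:])
    for host, port, state in findings:
        print(f"{host}:{port} is {state} from here; block not effective on this path")
    if not findings:
        print("All probed ports are filtered, consistent with the border block.")
```

Run from inside campus, the same script shows which of your machines still answer on these ports to other campus hosts, since the border block does not cover that traffic.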


New Windows IIS Exploit:

4.) We have received reports that a NEW exploit has been launched on the Internet against Microsoft IIS (Internet Information Server) web servers. The exploit affects IIS versions 4.0, 5.0, and 5.1 (but not 6.0) which do not have the patches associated with Microsoft bulletin MS03-018 installed. (See details at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms03-018.asp.) The exploit uses the standard HTTP communications port, and allows an attacker to execute any code of their choice on the web server. (NOTE: The current network blocks provide NO protection against this type of attack.) All web server administrators are advised to make certain IIS servers are up to date with security patches.

Mimail computer virus:

5.) We have received several reports of campus computers being infected with the recent "Mimail" virus.  PLEASE remind users NOT to open any unexpected attachments they receive with e-mail.  It is also recommended that users configure their Norton Anti-Virus program to "LiveUpdate" daily.  This can easily be accomplished by opening the Norton program, selecting "File", then "Schedule Updates", "Schedule", and then "Daily", and then click Ok, Ok, and Exit.
 
For more information, see the UI Virus Resource Center at http://www.its.uiowa.edu/cs/helpdesk/virus/


If you have questions, concerns, or comments about any of the recent developments, please contact Jane Drews in the University IT Security Office. 

Copyright © 2005 The University of Iowa. All rights reserved.