WinSWW was unexpectedly rebooted at 12:19 pm today. IDSG apologizes for the lack of notice.
WinSWW restarted earlier this morning, Oct 17 2006
WinSWW had to be rebooted unexpectly today. It should be back up now though.
High EECS Firewall use, 10/4/06
This morning, we are seeing very high utilization on the EECS firewall. There has been some service impairment as a result, and we are still investigating as to the cause. Also, service to Argus was disrupted for a few minutes this morning as a side effect.
We regret the inconvenience.
Fred
HERMES, PRINT, RIS and WINSWW downtime Oct 11, 2006
Microsoft will release their patches for the month on Tuesday, October 10th.
HERMES, PRINT, RIS and WINSWW will be down for patching Wednesday, October 11, from 3:00p?5:00p.
macserver.eecs.berkeley.edu, which hosts the Mac software warehouse, will be down for maintenance at this time as well.
Microsoft Internet Explorer WebViewFolderIcon ActiveX Vulnerability
US-CERT Technical Cyber Security Alert TA06-270A
Systems Affected;
* Microsoft Windows
* Microsoft Internet Explorer
Overview
The Microsoft Windows WebViewFolderIcon ActiveX control contains an integer overflow vulnerability that could allow a remote attacker to execute arbitrary code.
I. Description
The Microsoft Windows WebViewFolderIcon ActiveX control contains an integer overflow vulnerability. An attacker could exploit this vulnerability through Microsoft Internet Explorer (IE) or any other application that hosts the WebViewFolderIcon control. More information is available in Vulnerability Note VU#753044.
Exploit code for this vulnerability is publicly available.
II. Impact
By convincing a user to open a specially crafted HTML document, such as a web page or HTML email message, a remote attacker could execute arbitrary code with the privileges of the user who is running the program that hosts the WebViewFolderIcon control.
III. Solution
Microsoft has not released an update for this vulnerability. Consider the following workarounds and best practices:
A. Disable the WebViewFolderIcon ActiveX control
To protect against this specific vulnerability, disable the WebViewFolderIcon control by setting the kill bit for the following: {844F4806-E8A8-11d2-9652-00C04FC30871}
Typically, you will have to manually create this registry key and DWORD titled “Compatibility Flags”. Use Registry Editor to edit/create the following registry key;
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{844F4806-E8A8-11d2-9652-00C04FC30871} Set the value of the Compatibility Flags DWORD value to 0x00000400.
More information about how to set the kill bit is available in Microsoft Support Document 240797.
http://support.microsoft.com/kb/240797/en-us
B. Disable ActiveX
To protect against this and other ActiveX and COM vulnerabilities, disable ActiveX in the Internet Zone and any other zone that might be used by an attacker.
C. Render email as plain text
To protect against this and other vulnerabilities that require a victim to load a malicious HTML document, configure email clients to render email as plain text.
D. Do not follow unsolicited links
To protect against this and other vulnerabilities that require a victim to load a malicious HTML document, do not follow unsolicited or untrusted links.
In order to convince users to visit their sites, attackers often use URL encoding, IP address variations, long URLs, intentional misspellings, and other techniques to create misleading links. Do not click on unsolicited links received in email, instant messages (IMs), web forums, or internet relay chat (IRC) channels. Type URLs directly into the browser to avoid these misleading links. While these are generally good security practices, following these behaviors will not prevent exploitation of this vulnerability in all cases, particularly if a trusted site has been compromised or allows cross-site scripting.
IDSG also advises;
1. Do not log into a Windows host as Administrator, if not needed. Instead, log in as a non-privileged user.
2. Do not add a non-privileged user account to the Administrators Group.
3. Use “run as” to run processes as needed.
Microsoft Internet Explorer VML Buffer Overflow
Microsoft Internet Explorer VML Buffer Overflow
Systems Affected
* Microsoft Windows
* Microsoft Internet Explorer
Overview
Microsoft Internet Explorer (IE) fails to properly handle Vector
Markup Language (VML) tags. This creates a buffer overflow
vulnerability that could allow a remote attacker to execute
arbitrary
code.
I. Description
Microsoft Internet Explorer contains a stack buffer overflow in code
that handles VML. More information is available in Vulnerability
Note
VU#416092, Microsoft Security Advisory (925568), and Microsoft
Security Bulletin MS06-055.
Note that this vulnerability is being exploited.
II. Impact
By convincing a user to open a specially crafted HTML document, such
as a web page or HTML email message, a remote attacker could execute
arbitrary code with the privileges of the user running IE.
III. Solution
Apply update from Microsoft
Microsoft has provided an update to correct this vulnerability in
Microsoft Security Bulletin MS06-055.
This update is available on the Microsoft Update site.
System administrators may wish to consider using Windows Server
Update
Services (WSUS).
Disable VML support
Microsoft Security Advisory (925568) suggests the following
techniques
to disable VML support:
* Un-register Vgx.dll on Windows XP Service Pack 1; Windows XP
Service Pack 2; Windows Server 2003 and Windows Server 2003
Service Pack 1
* Modify the Access Control List on Vgx.dll to be more restrictive
* Configure Internet Explorer 6 for Microsoft Windows XP Service
Pack 2 to disable Binary and Script Behaviors in the Internet
and
Local Intranet security zone
Disabling VML support may cause web sites and applications that use
VML to function improperly.
Render email as plain text
Microsoft Security Advisory (925568) suggests configuring Microsoft
Outlook and Outlook Express to render email messages in plain text
format.
Do not follow unsolicited links
In order to convince users to visit their sites, attackers often use
URL encoding, IP address variations, long URLs, intentional
misspellings, and other techniques to create misleading links.
Do
not
click on unsolicited links received in email, instant messages, web
forums, or internet relay chat (IRC) channels. Type URLs directly
into
the browser to avoid these misleading links. While these are
generally
good security practices, following these behaviors will not prevent
exploitation of this vulnerability in all cases, particularly if a
trusted site has been compromised or allows cross-site scripting.
Hermes: unexpected reboot
HERMES requires a new patch and will be rebooted at 10:00 am.
IRIS Website maintenance, Sunday, Sep 17
The IRIS website
will be moved to new hardware on Sunday, September 17, 2006. This involves migrating a large amount of data from our Oracle database to the new database server, and consequently the IRIS applications that depend on the database will be unavailable from midnight to 8pm during this migration. We expect the main IRIS website will remain up for most of this time, but brief outages will be noticeable during the transition.
The move to new hardware will greatly speed up our database applications, and in the long run will increase the reliability of our web services.
Please send questions or comments to help@eecs.
coeus/project windows access problems
There was a temporary outage of windows access to both coeus and project today between about 1PM and 2PM. This is the same problem as last time. We are still trying to find the root cause and have trouble tickets in with the vendor.
IDSG appreciates you patience during these outages.
Switch Reboot in Cory
We will be rebooting one of the switches on the first floor of Cory at 08:00 hrs tomorrow (Thursday, September 6) morning.
This should only take a few minutes and will not be noticed by most computers.
Sorry for the inconvenience,
Networks
Bruce