Symantec Security Response: Microsoft Oct. Security Bulletin
On Tuesday, November 9, Microsoft issued information on a new vulnerability in Microsoft ISA and Proxy Server impacting both consumer and enterprise users. Microsoft ISA and Proxy Server are prone to an Internet domain name spoofing vulnerability that could allow an attacker to spoof Internet sites. This threat is being rated as a moderate risk by Symantec. In order for an attack to occur, the attacker must entice a vulnerable user to visit a malicious website instead of the site they are attempting to access. The attacker could then present false forms to the user in an effort to gather personal information. To guard against this threat, Symantec strongly encourages all users not to click on links to unknown websites.
"With the increasing prevalence of Phishing attacks, this vulnerability may provide yet another platform for the gathering of identity information," said Oliver Friedrichs, senior manager, Symantec Security Response.
Symantec recommends a proactive approach to vulnerability management as an important element of security best practices. IT administrators can expedite and simplify the patching process by implementing solutions such as Symantec ON iPatch, which proactively scans computer systems, identifies missing security patches, reports on the patch status, and then begins deployment of missing patches. In addition, users and network administrators should keep all antivirus definitions up-to-date and use appropriate firewall settings.
Symantec has also identified a new Level 2 threat, W32.Mydoom.AH@mm. W32.Mydoom.AH@mm is a mass-mailing worm that spreads itself via email addresses found on an infected system. To date, Symantec has received a total of 25 submissions, with 20 submissions coming from corporate customers. This threat exploits a buffer overflow vulnerability in the IFRAME handling of Microsoft Internet Explorer. At this time, there is no patch available for this vulnerability. Symantec strongly advises that administrators deploy the following mitigation strategies:
* Block outbound access to TCP ports 1639 to 1649 as these ports are likely to be used by W32.Mydoom.AH to download malicious code after compromise
* Filter inbound traffic to TCP ports 1639 to 1649 in order to prohibit other systems from accessing systems that may already be infected
* Block outbound access to TCP port 6667
* Disable ActiveX on all systems running Internet Explorer
* Keep AV systems up-to-date with the most recent definitions to detect this threat
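The port-based mitigations above can also be turned into a quick check of existing firewall logs for hosts that may already be infected. The script below is an added example, not part of the Symantec advisory: it parses constructed sample log lines in an assumed syslog-style format (field names src/dst/spt/dpt are an assumption, not any vendor's real format) and flags the connections the advisory describes, so an administrator can see which internal hosts to isolate while the blocks are being put in place.

```python
import re

# Ports named in the advisory: 1639-1649 (used after compromise to download
# further code) and 6667 (outbound IRC). These values come from the advisory.
DOWNLOAD_PORTS = range(1639, 1650)
IRC_PORT = 6667

# Constructed sample firewall log in an assumed syslog-style format.
SAMPLE_LOG = """\
Nov 09 10:01:22 fw kernel: ACCEPT OUT src=10.0.0.15 dst=203.0.113.7 proto=TCP spt=3345 dpt=80
Nov 09 10:02:05 fw kernel: ACCEPT OUT src=10.0.0.15 dst=198.51.100.9 proto=TCP spt=3346 dpt=1642
Nov 09 10:02:09 fw kernel: ACCEPT IN src=198.51.100.22 dst=10.0.0.15 proto=TCP spt=41000 dpt=1645
Nov 09 10:03:40 fw kernel: ACCEPT OUT src=10.0.0.31 dst=192.0.2.14 proto=TCP spt=3347 dpt=6667
Nov 09 10:04:01 fw kernel: ACCEPT OUT src=10.0.0.31 dst=192.0.2.14 proto=TCP spt=3348 dpt=443
Nov 09 10:04:30 fw kernel: ACCEPT OUT src=10.0.0.40 dst=192.0.2.50 proto=UDP spt=5000 dpt=1640
"""

LINE_RE = re.compile(
    r"(?P<dir>IN|OUT) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"proto=(?P<proto>\S+) spt=(?P<spt>\d+) dpt=(?P<dpt>\d+)"
)


def classify(line):
    """Return (reason, internal_host, remote_host, port) if the line matches
    one of the advisory's indicators, otherwise None. Only TCP is relevant."""
    m = LINE_RE.search(line)
    if not m or m["proto"] != "TCP":
        return None
    dpt = int(m["dpt"])
    if m["dir"] == "OUT" and dpt in DOWNLOAD_PORTS:
        return ("outbound to download-port range", m["src"], m["dst"], dpt)
    if m["dir"] == "IN" and dpt in DOWNLOAD_PORTS:
        return ("inbound to download-port range", m["dst"], m["src"], dpt)
    if m["dir"] == "OUT" and dpt == IRC_PORT:
        return ("outbound IRC", m["src"], m["dst"], dpt)
    return None


def find_suspects(log_text):
    """All matching events, in log order."""
    return [hit for hit in map(classify, log_text.splitlines()) if hit]


def hosts_to_isolate(log_text):
    """Sorted list of internal hosts that should be isolated and scanned."""
    return sorted({hit[1] for hit in find_suspects(log_text)})


if __name__ == "__main__":
    for hit in find_suspects(SAMPLE_LOG):
        print("%-32s %-12s -> %-14s port %d" % hit)
    print("isolate:", ", ".join(hosts_to_isolate(SAMPLE_LOG)))
```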
"With vulnerabilities being announced regularly, organizations need to make patch management part of their ongoing systems maintenance process," said Friedrichs. "And since there is an ever-shrinking window of time between vulnerability announcement and vulnerability exploit, quick implementation of patches and mitigation strategies is critical to the integrity of a network."