Covered operating systems include Windows, MacOS, Solaris, RedHat, Fedora, Debian, and Ubuntu. Covered exploits and vulnerabilities include those known or suspected of allowing unauthorized remote access, privilege escalation, or significant DoS.
This month Microsoft brings us 13 security patches of varying criticality. At least two of them can result in a remote compromise of the system (although the second requires IPv6). The description of MS10-006 is particularly worrying:
An unauthenticated remote code execution vulnerability exists in the way that Microsoft Server Message Block (SMB) Protocol software handles specially crafted SMB responses. An attempt to exploit the vulnerability would not require authentication, allowing an attacker to exploit the vulnerability by sending a specially crafted SMB response to a client-initiated SMB request. An attacker who successfully exploited this vulnerability could take complete control of the system.
This is not the first time, and probably not the last, that Windows file sharing has had a serious remote vulnerability. IPS recommends that everyone disable or firewall file sharing on their Windows systems, or, if the service must be active, carefully permit only authenticated users from specific IP addresses to connect to it. Luckily the University firewall does block incoming SMB packets, so departments 'only' have to worry about attacks from 15,000 ResNet students and other infected departments rather than the whole of the Internet.
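The two options the paragraph above gives (turn file sharing off, or leave it on but allow it only from specific addresses) as a Windows Firewall script. This is an added example, not a script from the IPS newsletter or from Rutgers; it assumes the NetSecurity cmdlets (Windows 8 / Server 2012 and later), an elevated session, and the peer addresses 192.0.2.0/24 and 198.51.100.10, which are constructed placeholders. Because the MS10-006 description above concerns responses to client-initiated requests, the script also blocks outbound SMB to addresses the host classifies as Internet, which inbound rules alone would not cover.

```powershell
# Added example, not from the IPS newsletter. Requires the NetSecurity module
# (Windows 8 / Server 2012 and later) and an elevated PowerShell session.
#
# ASSUMPTION: the address list below is a constructed placeholder. Replace it
# with the file servers and administrative subnets that legitimately speak SMB
# to this host.
$TrustedSmbPeers = @('192.0.2.0/24', '198.51.100.10')   # constructed placeholders
$SmbPorts        = @('139', '445')                      # NetBIOS session and direct SMB

function Set-SmbFirewallRestriction {
    # Option 1 from the newsletter: keep file sharing running but let only
    # specific addresses reach it, and stop this host from talking SMB to the
    # Internet (MS10-006 is triggered by a malicious *response* to a
    # client-initiated request, so inbound filtering alone does not cover it).
    param(
        [string[]] $AllowedPeers = $TrustedSmbPeers
    )

    # Windows Firewall evaluates Block rules before Allow rules, so the cleanest
    # allow-list is: default-deny inbound, turn off the broad built-in SMB
    # allow rules, then add one Allow rule scoped to the trusted peers.
    Set-NetFirewallProfile -All -DefaultInboundAction Block

    # Built-in rule group; the display name is localized on non-English Windows.
    Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule

    New-NetFirewallRule -DisplayName 'SMB inbound - trusted peers only' `
        -Direction Inbound -Protocol TCP -LocalPort $SmbPorts `
        -RemoteAddress $AllowedPeers -Action Allow -Profile Any

    # 'Internet' is a firewall address keyword (addresses the host classifies as
    # outside its intranet); SMB to such hosts is blocked, trusted peers are not.
    New-NetFirewallRule -DisplayName 'SMB outbound - block to Internet' `
        -Direction Outbound -Protocol TCP -RemotePort $SmbPorts `
        -RemoteAddress Internet -Action Block -Profile Any
}

function Disable-SmbServerService {
    # Option 2 from the newsletter: turn file sharing off entirely. The Server
    # service (LanmanServer) is what answers inbound SMB; disabling it does not
    # stop this host from acting as an SMB client.
    Stop-Service -Name LanmanServer -Force
    Set-Service  -Name LanmanServer -StartupType Disabled
}

function Test-SmbFirewallRestriction {
    # List the rules this script created so the result can be checked.
    Get-NetFirewallRule -DisplayName 'SMB *' |
        ForEach-Object {
            $addr = $_ | Get-NetFirewallAddressFilter
            $port = $_ | Get-NetFirewallPortFilter
            [pscustomobject]@{
                Rule      = $_.DisplayName
                Direction = $_.Direction
                Action    = $_.Action
                Enabled   = $_.Enabled
                Ports     = "local=$($port.LocalPort -join ','); remote=$($port.RemotePort -join ',')"
                Remote    = ($addr.RemoteAddress -join ',')
            }
        } | Format-Table -AutoSize
}

# Pick one of the two options. Running both leaves sharing off and keeps the
# rules in place for the day it is re-enabled.
Set-SmbFirewallRestriction
# Disable-SmbServerService
Test-SmbFirewallRestriction
```

The address allow-list only controls who can reach the port; the "authenticated users" half of the recommendation is enforced by SMB's own authentication and share permissions, which this script does not change. Verify with `Test-SmbFirewallRestriction` that the inbound rule carries exactly the trusted peers and that the built-in File and Printer Sharing rules show as disabled before relying on it.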
The remainder of Microsoft's patches include several that can result in system compromise if the user can be convinced to open a file or click on a link. This is not as serious as a remote exploit, but still worrying given how many users at Rutgers will willingly take such actions.
Many people around Rutgers complain to IPS about the effectiveness of our site-licensed software (Trend Micro OfficeScan) when we contact them and tell them they have been compromised. I will not go into a comparison of Trend versus the competition here, but an interesting report was recently released that compares the use of AV tools to going without. The study found that 32% of systems with up-to-date AV software were infected anyway, while 46% of systems without such software were infected. So the difference between using AV or not is still significant, and it is still worth the cost and effort. However, the days when just running AV software was enough to protect you are long gone; do not expect AV software to solve malware problems all by itself.
Would you like to improve the effectiveness of Trend Micro on your Rutgers systems? RADS has some default settings you can change to make improvements:
The following are the top 5 most prevalent malware threats seen by RADS protected clients in the last week.
| Virus Name | Total Infections |
| --- | --- |
The following are the top 5 most prevalent signatures tracked by IPS' Intrusion Detection System for the past week. IPS runs a selection of signatures from Emerging Threats, Sourcefire, and our own custom sauce.
| Signature Name | Total Alerts |
| --- | --- |
| ET SCAN Unusually Fast 400 Error Messages (Bad Request), Possible Web Application Scan | 73795 |
| ET USER_AGENTS MarketScore.com Spyware User Configuration and Setup Access | 9373 |
| ET TROJAN Hupigon User Agent Detected (??) | 8701 |
| ET SCAN Behavioral Unusual Port 445 traffic, Potential Scan or Infection | 6525 |
| ET USER_AGENTS IE Toolbar User-Agent (IEToolbar) | 6367 |