
Fw: Security Advisory 122101

To: "'Amici Triumphi'" <fot@autox.team.net>
Subject: Fw: Security Advisory 122101
From: "Mordy Dunst" <gasket.works@gte.net>
Date: Sun, 23 Dec 2001 09:06:35 -0600
I get security advisories occasionally.  I will
pass them along.  ITS is Information Tech Services at my workplace.

MD

Sent:   Friday, December 21, 2001 5:56 PM
To:     #EVERYONE
Subject:        Security Advisory 122101
Importance:     High
***Normally, ITS/Data Security will not send out lengthy patch/security
advisories for home users, especially two at the same time, but due to the
real big threat of these vulnerabilities in common Microsoft products,
ITS/Data Security thought it prudent to send the advisories.  I apologize for
the length of the e-mail, but it is necessary to describe some details about
knowing and fixing the problems.***

This e-mail is for Home users of Windows XP and Internet Explorer 5.5/6.0.
COH is almost virtually unaffected, because we have a very limited amount of
Windows XP installed on our network, and the Desktop support group is working on
installing the patches for IE 5.5 and 6.0.  There are two major
vulnerabilities that home users should be aware of.  Below are the
descriptions and the way to fix the problems.

Description:

Vulnerability 1: Unchecked buffer in Universal Plug and Play can Lead to
System Compromise

Affected Systems: Users using Microsoft Windows ME or XP, or who have
installed the Windows XP Internet Connection Sharing client on Windows 98 or
98SE.  Most likely it will only affect Windows XP users.

  a. This patch will address fixes to prevent a malicious hacker from
completely taking control of the victim's machine, from deleting files to
attacking other machines on the Internet.   This vulnerability is considered
very dangerous, and should be fixed ASAP.  To install the patch for this
vulnerability, please continue to the end of this e-mail.

  b. For more information please visit the following links:
  http://www.zdnet.com/zdnn/stories/news/0,4586,5100941,00.html
  http://www.cnn.com/2001/TECH/ptech/12/20/microsoft.hackers.ap/index.html
  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp


Vulnerability 2: Cumulative Patch for IE (MS01-058)

Affected systems: Systems running IE 5.5 and 6.0

  a. This patch will address fixes for three vulnerabilities, one of which is
called the "Frame Domain Verification" vulnerability, which will allow a malicious
website operator to read all files but will not allow any modification to
files on the hard drive.

  b. For more information please visit the following link:
  http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-058.asp

How do I fix these vulnerabilities?  Also, how can I be proactive on
installing patches?

With more and more users connecting with a high-speed Internet access medium
such as Cable and DSL, home users are more prone to attack from the Internet
than ever before.

Download critical updates from the following site:
http://windowsupdate.microsoft.com/?IE  (Updating the critical updates will
fix both Vulnerability 1 and 2)

ITS/Data Security recommends that Cable and DSL users download critical updates
on a regular basis.  For Windows XP users, there is a feature called
"drizzle" that can be configured to download critical updates when available,
but Windows XP does not come with this feature already configured out of the
box.  ITS/Data Security also highly recommends a personal firewall for any
home computers that are connected to the Internet, especially ones that are
connected with high-speed access.

-P

Data Security Administrator


Approved for Distribution by M. S.
