[Dshield] Microsoft ASN.1

Corinne Cook corinnec at abdi.com
Thu Feb 12 19:01:33 GMT 2004


I agree with you, Doug.  I keep machines under my control as safe as I
possibly can.  I guess I'm looking for some sort of supporting evidence to
convince certain others that clients are as vulnerable as servers and pose a
large problem.  Could this spread like Blaster, without user knowledge or
action, or will it require someone to actively download an ActiveX program,
open an infected digitally signed email, or get infected via a bad SSL
connection, etc?  Right now, I can only find vague information out, which is
understandable as you don't want to make it easy for the blackhats, but it
is also frustrating in supporting my stance versus someone who does not see
this as a threat beyond servers.

Thanks!

Corinne

-----Original Message-----
From: list-bounces at dshield.org [mailto:list-bounces at dshield.org] On Behalf
Of Doug White
Sent: Thursday, February 12, 2004 10:02 AM
To: General DShield Discussion List
Subject: Re: [Dshield] Microsoft ASN.1


In my opinion, it is very risky to NOT make sure *ALL* Windows machines
(Clients, especially) are patched, plus running (with current definitions) a
good A/V program.

The majority of virus propagation is coming from client machines where
security policies such as A/V and patching are neglected.  One infected
machine, whether internal to your network or a remote client, can wreak havoc
on your entire network in very short order.

Even with the practice of setting up a new machine and then connecting to the
net for downloading and applying service packs and updates, machines frequently
become infected during the process of downloading the updates.  This is
especially true when the new installation is assigned a static IP number prior
to the updates, firewall and A/V installation.

Home users, even those on dial-ups, but especially those on "always on"
broadband connections are especially at risk of infection when firewall, A/V
(current definitions) and patches are not aggressively kept up to date.

On our network, we use scripting that checks at the time of login for needed
patches and A/V definitions and require the download and application prior
to accepting the login.  In fact we have been doing this since the NT days.
This used to aggravate some users, but management stands behind the policy
and we are sticking to it.



----- Original Message ----- 
From: "Corinne Cook" <corinnec at abdi.com>
To: "'General DShield Discussion List'" <list at dshield.org>
Sent: Thursday, February 12, 2004 10:38 AM
Subject: RE: [Dshield] Microsoft ASN.1


: Does anyone have any thoughts on the following related to possible ASN.1
: attacks with this vulnerability:
:
: First, how easy is this to exploit on a client versus a server?  If only
: servers are patched and clients are behind firewalls how likely and how
: severe could a network full of unpatched clients be?  I know Microsoft said
: to patch all machines, but I know people who think this is a server side
: issue almost entirely and are not going to patch clients (even remote laptop
: users).
:
: Would a home user with no firewall (stand alone, not networked) be easily
: infected without some action on their part (like the Blaster infection?)?
:
: I am new to understanding attacks such as these and I'm trying to learn some
: programming and theories so I can better understand application level
: vulnerabilities and attacks, so I am wondering if there are others here who
: understand these better and can explain these a little better.  I know ASN.1
: is more of a mother language for networking and not really a language like
: C/+/#, etc., but I would assume some of the same rules hold generally true?
:
: Thanks,
:
: Corinne Cook
:
: -----Original Message-----
: From: list-bounces at dshield.org [mailto:list-bounces at dshield.org]On
: Behalf Of Brian Dessent
: Sent: Wednesday, February 11, 2004 4:56 PM
: To: General DShield Discussion List
: Subject: Re: [Dshield] Microsoft ASN.1
:
:
: Dragos Ruiu wrote:
:
: > David Meltzer had this fine snort signature for it:
: >
: > alert tcp any any -> any any (msg:"Possible ASN.1 Exploit Attempt")
:
: Better hope that you have plenty of free space on the mount that
: contains your log files, if you use this one...
:
: Brian
:
: _______________________________________________
: list mailing list
: list at dshield.org
: To change your subscription options (or unsubscribe), see:
: http://www.dshield.org/mailman/listinfo/list