code red and MS's liability...

Nick Estes plug-discuss@lists.PLUG.phoenix.az.us
Mon, 13 Aug 2001 00:31:02 -0700 (MST)


> There was an announcement for a cleanup kit that flew by one of the
> bugtraq lists Friday (+/- 1 day).

To find the info, point lynx at www.microsoft.com, on page 3 (assuming
"normal" sized console), there's a link to code red II, navigate to the
right frame, and then to the content frame.

> It's important to note that the only cleanup kit that can be sure to
> undo everything is a repartition of the disk and a fresh install of
> the OS.  That's because the CRII boxes are rooted and anything at all
> might have been done to them.

That's pretty much what M$'s instructions say; of course they put a lot of
marketing speak around it, but they basically say "You're screwed,
format/reinstall". (They also provide the "cleanup" tool for code red
there, but there's no way to be sure that the box hasn't been compromised
further.)

It all makes me very happy to be using apache under linux; if a buffer
overflow of this nature is found in apache, all the attacker could hope to
do is "infect" my access_logs, and perhaps deface a few websites until
such time as I apt-get upgrade (-=

This brings up an interesting idea.  Given an appropriate bug in apache,
something similar to the first code red could actually work (code red II
wouldn't, but the first would), but that could be fixed pretty easily.
iptables can match based on the UID or GID of a process, so it would be
fairly trivial to allow apache to only accept connections and never
initiate them (specific exceptions needed for DBs and things could be made
too).

Too cool, now I'll have to build up some rules allowing different network
services precisely the network access they need and nothing more.  This
way if a service should get compromised it would be very difficult to use
it as a launching point for anything else. (-=

	--Nick
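
The per-service egress idea from the message above, as an added example that is not part of the original post: a small generator that prints (and does not apply) an owner-matched OUTPUT chain letting a service answer connections it accepted, reach listed exceptions, and nothing else. The function name, the `www-data` account (assumed to be the UID the Apache workers run as) and the database address are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: prints iptables commands for review; it applies nothing.
# The owner match is only valid in OUTPUT/POSTROUTING, so each service gets
# its own chain hung off OUTPUT, selected by the UID of its worker processes.
IPT=${IPT:-iptables}   # set IPT=ip6tables to emit the IPv6 equivalent

# svc_egress_rules USER [PROTO,DEST,PORT ...]   (hypothetical helper)
svc_egress_rules() {
    user=$1; shift
    case $user in
        ''|*[!A-Za-z0-9_-]*) echo "bad user: $user" >&2; return 1 ;;
    esac
    chain="EGRESS_$(printf %s "$user" | tr -c 'A-Za-z0-9' _)"
    allow=""
    for spec in "$@"; do
        # Split "proto,dest,port"; a malformed spec fails the checks below.
        proto=${spec%%,*}; rest=${spec#*,}
        dest=${rest%%,*};  port=${rest#*,}
        case $proto in tcp|udp) ;; *) echo "bad spec: $spec" >&2; return 1 ;; esac
        case $dest in ''|*[!0-9A-Fa-f.:/]*) echo "bad spec: $spec" >&2; return 1 ;; esac
        case $port in ''|*[!0-9]*) echo "bad spec: $spec" >&2; return 1 ;; esac
        allow="${allow}$IPT -A $chain -p $proto -d $dest --dport $port -m conntrack --ctstate NEW -j ACCEPT
"
    done
    # Order matters: replies on accepted connections, then the listed
    # exceptions, then log and reject every other packet from this UID.
    cat <<EOF
$IPT -N $chain
$IPT -A OUTPUT -m owner --uid-owner $user -j $chain
$IPT -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
${allow}$IPT -A $chain -j LOG --log-prefix "egress-deny " --log-uid
$IPT -A $chain -j REJECT
EOF
}

# Constructed sample: Apache workers as www-data, one PostgreSQL backend.
svc_egress_rules www-data tcp,10.0.0.5,5432
```

The LOG rule ahead of the final REJECT means an outbound attempt from the service account shows up in the kernel log with its UID, which is a useful signal that the service is doing something it normally never does.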