Wednesday, August 17, 2005 - Posts

Malicious Software Removal Tool updated to remove Worm

Malicious Software Removal Tool updated to remove Charlie Gibson's worm:
This Alert is to notify you that on 17 August 2005 the Microsoft Windows
Malicious Software Removal Tool has been updated with added detection
and cleaning capabilities for the following Malicious Software:

* Zotob.A
* Zotob.B
* Zotob.C
* Zotob.D
* Zotob.E
* Bobax.O
* Esbot.A
* Rbot.MA
* Rbot.MB
* Rbot.MC

The updated version of the Microsoft Windows Malicious Software Removal
Tool is available for download from the Download Center at this location.

NOTE: This updated version is currently NOT available on Windows Update,
Microsoft Update or through Windows Server Update Services.

More information on the Microsoft Windows Malicious Software Removal
Tool is available here:
http://go.microsoft.com/fwlink/?LinkId=40573

Worm attack or maybe a wake up call on how we are setting up our networks?

This morning Charlie Gibson said his computer rebooted...a lot.  Because he was nailed by that worm going around.  Call me wacko..and granted I can say this snug as a bug on Windows 2003 and full XP sp2 borg where to attack me you had to authenticate to me which meant you'd get my 2x4 first.. so....here's all these folks talking about how massive networks were taken out and it just seems to be they just aren't zoning their risks properly.

If we know we have gooshiness inside... if we know that laptops would be a prime infector here... if we were told it looked like this was a worm.... I'm sorry but maybe Charlie Gibson's computer shouldn't be a concern to the people running the entire Network.

There are two statements in the Protecting your Windows Network by Johansson and Riley that I think we need to be reminded of...

“Less-sensitive systems may depend on more-sensitive systems”

“More sensitive systems must never depend on less-sensitive systems”

I mean maybe Charlie Gibson..or someone at his firm needs to turn on Automatic updates or deploy WSUS or Shavlik.  I mean if SBSers can do it... why not a big company like ABC? Why can't our desktops get patches a lot quicker than we are doing it now?  Do we really have that much 'patch breakage' at the desktop level?  If we do... why?  What's the stupid line of business app that is breaking so much.... and if security patches make it break.... maybe ...just maybe... it's a program that isn't so great?

So what do I call myself?

From the mailbag today comes the question of what do we call our domain name... and he wasn't talking about the .local issue mind you [which we should always do] but rather that internal box name so that should partnerships split, firms explode..whatever.. you weren't stuck with an inner netbios/domain name that just drove the customer crazy to the point that they were willing to flatten the box to get it off of there.


Personally I agree.  The only caveat I would say to calling the entire fleet of your servers something like SBSServer is an issue that cropped up after SBS 2003 sp1 where if you had named your servers identical for all those in your control, the monitoring emails would get a bit confusing: 


But yeah...naming that server something that you won't be asked to wipe off the face of the earth later is probably wise...


The titles of the performance and usage reports include the server name rather than the organization name

After you install SP1 for Windows SBS, the organization name is replaced with the server name in the title of the performance report and the usage report.

If you prefer to see the organization name in these reports, you can change the RegisteredOrganization entry in the registry.

Caution: Incorrectly editing the registry may severely damage your system. Before making changes to the registry, you should back up any valued data on the computer.

To change the RegisteredOrganization registry entry

1. Click Start, click Run, type regedit in the Open box, and then click OK. Registry Editor opens.

2. Navigate to and click the following registry subkey: HKEY_LOCAL_MACHINE\Software\Microsoft\SmallBusinessServer

3. In the details pane, double-click RegisteredOrganization.

4. Enter your organization name in the Value data field, and then click OK.

5. Click File, and then click Exit to close Registry Editor.

Just call me a Security news junkie

So today I received word that in addition to the way I'm getting Security advisories now [via the Comprehensive email], there are TWO NEW WAYS to get the Advisories.

There are now RSS feeds as well as via Instant Messenger!  Okay call me crazy but this is really cool.  I already get Security bulletins via IM now.... and I get McAfee's late breaking virus issues.... now I can add Security Advisories.  So you click on the Advisory page and then on the link to sign up for Instant Messenger....

And then you select those alerts you want......well.. you want them all... I do. And once you click submit.. there... instant security paranoia....


So what's a Security Advisory you ask?

Microsoft Security Advisories, a supplement to the Microsoft Security Bulletins, address security changes that may not require a security bulletin but that may still affect customers' overall security.

Bottom line they are a bit more pro-active... a bit more mitigationish... and just more good info to have.

And while you are signing up for RSS feeds.. don't forget to have the MSRC blog in your feed reader as well.

Changing addresses

Recently two questions from the mailbag came in about changing the domain name of the server because the firm's name changed or the email address needed to change.

But here's the thing... you don't need to change the name of the domain or the server.  It doesn't matter what those are named.

Go to the 'Connect to Internet Wizard' and rerun it...and while there, enter the new domain name when the wizard prompts you and enter any new SMTP or POP info.

Voila... your email will be 'renamed' painlessly and you don't need to change a thing on your Server domain.

Run the wizard......Go with the wizard.... trust in the wizards.....

....Luke, trust the force..... [still like Star Wars IV [my number 1] the best.....]

Like you didn't have enough fun before with patching

Adobe Acrobat 7.0.3 Professional and Standard update - multiple languages - Acrobat for Windows - Downloads:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=2990
Adobe Reader 6.0.4 update - multiple languages - Adobe Reader for Windows - Downloads:
http://www.adobe.com/support/downloads/detail.jsp?ftpID=2988

You can update your product to version 6.0.4 in one of two ways:

(1) Update automatically using the update manager. Choose Help > Check for updates. Select all updates and click the update button at the bottom left corner of the update manager screen.

(2) Update manually and apply each update individually. If your current version is:

Adobe Reader 6.0.3: Apply the Adobe Reader 6.0.4 update by downloading the file.

Adobe Reader 6.0.2: Apply the Adobe Reader 6.0.3 patch and then apply the 6.0.4 update.

Adobe Reader 6.0.1: Apply the Reader 6.0.2 update and then the Reader 6.0.3 update before updating to Reader 6.0.4.

Secunia - Advisories - Adobe Acrobat / Reader Plug-in Buffer Overflow Vulnerability:
http://secunia.com/advisories/16466/


A vulnerability has been reported in Adobe Reader and Adobe Acrobat, which potentially can be exploited by malicious people to compromise a user's system.

The vulnerability is caused due to an unspecified boundary error in the core application plug-in and can be exploited to cause a buffer overflow when a specially crafted file is opened.

Successful exploitation may allow execution of arbitrary code.

Okay so lemme get this straight... Adobe has a security vulnerability .. a buffer overflow.... and I either have to ask everyone to hit the update button [yeah right, that's gonna happen] or I have to deploy possibly three patches...and I'm not sure what version of 6 I have in the first place?

Yo?  Adobe?  Heard of rollup patches?

The case of the FFS

I have a problem coming up in my office... I can see it now.... we're not quite ready to be storing Excel and Word documents in a SQL database... okay... let's correctly put that sentence in the proper context shall we?  “I'M” not ready to be storing Excel and Word documents in a SQL database.  But yet I can see that the way we are yanking files around now is just probably not a good long term solution at all.

For one, we have traditionally fought the FFS.. fatal finger syndrome, where a file or a folder accidentally gets dragged and dropped under another one.

People will blame viruses... harddrives...etc. but it's FFS.

Nigel pointed to a possible solution..... I just may have to try that on certain computers at the office...

Disable the Drag and drop or copy and paste files option in the Internet and local intranet zone. To do this, follow these steps:
a. In Internet Explorer, click Internet Options on the Tools menu, and then click the Security tab.
b. In the Select a Web content zone to specify its security settings box, click Internet, and then click Custom Level.
c. In the Settings box, locate the Drag and drop or copy and paste files option under Miscellaneous. Make a note of your current setting.
d. Under Drag and drop or copy and paste files, click Disable, and then click OK.
e. Click Yes, and then click OK two times.
f. Repeat these steps for the local intranet zone by clicking Local intranet instead of Internet in step 2b.
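One way to script both registry edits on this page (the RegisteredOrganization change from the SP1 release note above and Nigel's IE zone setting), as an added PowerShell example that is not from the original post or from Microsoft: each key is exported to a .reg backup first, per the Caution, and the value is read back after the write. The zone numbers and the 1802 action id are assumed from Microsoft's Internet Settings\Zones documentation; the organization name is a constructed sample.

```powershell
# Added example (not from the original post): make the two registry edits discussed above
# only after exporting a .reg backup of the key, as the Caution in the SP1 release note advises.
# Assumptions: elevated PowerShell session on the SBS box; IE zone numbers (1 = Local intranet,
# 3 = Internet) and action id 1802 = "Drag and drop or copy and paste files" (0 Enable, 1 Prompt,
# 3 Disable) are the documented Internet Settings\Zones values; the org name is a constructed sample.

function Set-RegistryValueWithBackup {
    param(
        [Parameter(Mandatory)][string]$KeyPath,   # provider path, e.g. HKLM:\SOFTWARE\...
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)]$Value,
        [ValidateSet('String', 'DWord')][string]$Type = 'String',
        [string]$BackupDir = "$env:TEMP\reg-backup"
    )
    if (-not (Test-Path $KeyPath)) { throw "Key not found: $KeyPath" }

    # reg.exe wants HKLM\..., not the provider form HKLM:\..., so strip the colon for the export
    $nativePath = $KeyPath -replace '^([A-Z]+):\\', '$1\'
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    $stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
    $backup = Join-Path $BackupDir (($Name -replace '[\\/:]', '_') + "-$stamp.reg")
    reg.exe export $nativePath $backup /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "Backup of $nativePath failed; leaving the value untouched" }

    $before = (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue).$Name
    New-ItemProperty -Path $KeyPath -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null

    # Read the value back rather than trusting that the write landed
    $after = (Get-ItemProperty -Path $KeyPath -Name $Name).$Name
    if ("$after" -ne "$Value") { throw "Verification failed for $KeyPath\$Name" }
    [pscustomobject]@{ Key = $KeyPath; Name = $Name; Before = $before; After = $after; Backup = $backup }
}

# 1. Put the organization name back into the SBS performance and usage report titles.
Set-RegistryValueWithBackup -KeyPath 'HKLM:\SOFTWARE\Microsoft\SmallBusinessServer' `
    -Name 'RegisteredOrganization' -Value 'Contoso Accounting' -Type String

# 2. Disable "Drag and drop or copy and paste files" for the current user in the
#    Local intranet (zone 1) and Internet (zone 3) zones; 0 instead of 3 would re-enable it.
$zones = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Zones'
foreach ($zone in 1, 3) {
    Set-RegistryValueWithBackup -KeyPath "$zones\$zone" -Name '1802' -Value 3 -Type DWord
}
```

Per-user zone values are overridden by Group Policy where one is set, so on a domain the fleet-wide form of step 2 is the matching Internet Explorer security-zone policy rather than a script on each desktop.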