Network managers have until midnight to avoid a possible Internet
meltdown before the Code Red worm strikes at midnight Greenwich
Mean Time on 1 August.
Microsoft and a number of high-level US IT security bodies today
issued a last-ditch warning, urging users of Microsoft's Internet
Information Server to protect themselves.
The only guaranteed defence against the worm, which can cause
denial of service attacks that bring Internet traffic to a halt, is
to install patches that close the security holes targeted by the
worm.
Microsoft warned that the worm could give a hacker "complete
control of the server and allow him to take any desired action on
it."
Eric Chien, chief researcher at Symantec's anti-virus research
centre, said, "Most large corporations have installed this patch
already. Those that haven't will be small businesses and they
simply don't know about it or realise that they are at risk."
However, unprotected machines could become hosts in which the worm
replicates. If sufficient copies of the worm are loose, the Internet
will grind to a halt, as it did with the Melissa virus, putting
global e-commerce revenues at risk.
"Every organisation or person who has Windows NT or Windows 2000
systems AND the IIS web server software may be vulnerable,"
according to the CERT coordination centre, the world's leading
independent security body.
The Code Red worm takes advantage of a buffer overflow
vulnerability, allowing the attacker to gain control over an
unprotected server. Most system administrators and users will not
even know they have been compromised.
A buffer overflow occurs when an application fails as a result of
being sent too much data. Good programming should prevent such
occurrences.
The Microsoft patch effectively disables a feature called script
mapping on Index Server, when it is being used in conjunction with
the IIS Web server.
Graham Cluley, senior technology consultant at Sophos Anti Virus,
urged users to "apply the patch from Microsoft. They released it on
18 June and mind-bogglingly enough, people still haven't applied
it," he said.
Cluley also said IT managers had a duty to ensure the worm did not
spread: "Don't just apply this patch to protect your own computers,
but as part of the Internet community, we should all be doing our
bit clearing up the Net."
Marty Lindner of CERT said, "As long as there is at least one
machine out there still scanning and spreading the worm, it will
find a vulnerability again and continue."
The severity of the threat resulted in a joint call to arms from
Microsoft, the National Infrastructure Protection Centre, the
Federal Computer Incident Response Centre (FedCIRC), the
Information Technology Association of America (ITAA), the CERT
Coordination Centre, the SANS Institute, Internet Security Systems
and the Internet Security Alliance.
Who is affected?
Every organisation or person who has Windows NT or Windows 2000
systems and the IIS web server software may be vulnerable.
IIS is installed automatically for many applications. If you are
not certain, follow the "Step by Step" instructions from Digital
Island to determine whether you are running IIS 4.0 or 5.0.
If you are using Windows 95, Windows 98, or Windows ME, there is no
action that you need to take in response to this alert.
What to do if you are vulnerable
1. To rid your machine of the current worm, reboot your
computer.
2. To protect your system from re-infection: Install
Microsoft's patch for the Code Red vulnerability problem:
Windows NT version 4.0
www.microsoft.com/Downloads/Release.asp?ReleaseID=30833
Windows 2000 Professional, Server and Advanced Server
www.microsoft.com/Downloads/Release.asp?ReleaseID=30800
Step-by-step instructions for these actions are posted at
http://www.digitalisland.com/codered
Microsoft's description of the patch and its installation, and the
vulnerability it addresses, is posted at:
www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-033.asp