[ISN] BITS Gives Bad Guys an Inroad
Forwarded with permission from: Security UPDATE <Security_UPDATE (at) list.windowsitpro.com>
PLEASE VISIT OUR SPONSORS, WHO BRING YOU SECURITY UPDATE FOR FREE:
VeriSign's Extended Validation SSL Certificates
Identity-based Security with UTM
Your First Look at FAN Technology
=== CONTENTS ===================================================
IN FOCUS: BITS Gives Bad Guys an Inroad
NEWS AND FEATURES
- Microsoft Redesigns Security Bulletins and Advanced Notifications
- Verizon Expands Security Offerings Via CyberTrust Acquisition
- Enterprise Wireless Routers Buyers Guide
- Recent Security Vulnerabilities
GIVE AND TAKE
- Security Matters Blog: Time to Upgrade Samba and PHP
- FAQ: Check a Folder for a File Type
- From the Forum: Network Access for Services
- Product Evaluations from the Real World
- Share Your Security Tips
- Finding Malicious Content in Email Message Bodies
RESOURCES AND EVENTS
FEATURED WHITE PAPER
=== SPONSOR: VeriSign ==========================================
VeriSign's Extended Validation SSL Certificates
Increase customer confidence at transaction time with the latest
breakthrough in online security - Extended Validation (EV) SSL
Certificates from VeriSign. Extended Validation triggers the address
bar to turn green when a visitor is using Microsoft Internet Explorer 7
and viewing a site with EV SSL Certificates. This green bar lets
customers know that the site they are on is highly authenticated and
In a recent VeriSign study, 77% of the respondents indicated that
they would be hesitant about shopping at, would check into problems
with, or would abandon a site that once showed EV and no longer did.
Learn more about Extended Validation by reading the technical white
paper: Maximizing Site Visitor Trust Using Extended Validation SSL.
=== IN FOCUS: BITS Gives Bad Guys an Inroad =============
by Mark Joseph Edwards, News Editor, mark at ntsecurity / net
Malware developers have been using Microsoft's Background Intelligent
Transfer Service (BITS) to download software to Windows systems for
quite some time. Using BITS is logical because it's designed to
download files and is a standard part of all supported Windows OSs.
BITS takes advantage of unused bandwidth to help optimize network
usage, which makes its activity less noticeable to a user.
One problem in defending against this misuse is that BITS is used by
Windows Update, Microsoft Systems Management Server (SMS), Microsoft
Messenger, and other tools, so it's typically trusted by firewalls to
move traffic in and out of the network. Another problem in preventing
malware developers from using BITS is that when a malicious application
downloads files with it, the traffic is seen as coming from BITS and
not the application itself.
Firewall leak testers have long known about the potential danger of
BITS and have openly discussed the matter for over a year. At least one
program, bits_tester.exe (at the first URL below), is available that
works with Microsoft's bitsadmin.exe tool (in the Windows XP SP2
Support Tools at the second URL below) to demonstrate how BITS can
easily download files from Web servers.
According to Guillaume Kaddouch of the Firewall Leak Tester Web site,
the only way to currently control BITS activity is to limit the ability
of svchost.exe (on XP and later Windows versions) or services.exe (on
Windows 2000) to communicate over the network. So for example, if you
want to better guarantee that BITS will be used only for file transfers
on your network or between your network and Microsoft's software update
sites, then you need to implement a deny-all policy for svchost.exe or
services.exe and make specific exceptions for hosts that you want to
receive content from through BITS. Keep in mind that because Microsoft
also makes a BITS API available for developers to use, you might need
to make exceptions for other legitimate desktop applications that use
BITS to download their updates or other content.
The danger of malware misusing BITS isn't limited to software
downloads. BITS can also become a significant source of information
leakage because it can upload files too, although doing so requires
that BITS upload to a Microsoft IIS server with BITS extensions
installed. Here again, a deny-all policy can help.
Elia Florio brought the BITS problem to light again this month in a
post on the Symantec Security Response blog (at the URL below) in which
Florio suggested that Microsoft could improve the security of BITS.
"It's not easy to check what BITS should download and not download," he
wrote. "Probably the BITS interface should be designed to be accessible
only with a higher level of privilege, or ... BITS should be restricted
to only [download content from] trusted URLs."
Microsoft hasn't said much about the issue of BITS being misused or
whether the company intends to add any layers of security for it. While
we're all waiting to find out, you do need to protect your systems in
case your other security solutions fail to detect malware that might
misuse BITS. I did a bit of checking to put together a list of URLs for
sites that BITS might use to download files and updates from Microsoft.
The list below is probably not complete, but you can use it to start
building firewall rules. Keep in mind that you might need to add the
usual HTTP or HTTPS prefix to the server addresses below, depending on
your firewall rule requirements. I've noted the two addresses that
require HTTPS access; the others require regular HTTP access.
*.windowsupdate.microsoft.com (HTTPS required)
*.update.microsoft.com (HTTPS required)
If your rule mechanism allows for it, you could simplify the matter by
allowing BITS to access *.windowsupdate.com, *.microsoft.com, and
*.windows.com over both HTTP and HTTPS.
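The deny-all-with-exceptions policy described above can be expressed as a small allowlist checker. The following is an added example, not code from the newsletter or from Microsoft: it takes the host patterns the article lists (including the two marked as HTTPS-only), matches them on label boundaries so that look-alike hosts do not slip through, and classifies a set of constructed BITS job URLs as allow or deny. The sample URLs, the ordering of the allowlist (stricter patterns first, first match wins) and the function names are all assumptions made for the example.

```python
"""Classify BITS remote URLs against a deny-all allowlist of update hosts.

Added example: implements the article's "deny-all, then add exceptions
for the hosts BITS may fetch from" policy. Sample job URLs are constructed.
"""
from urllib.parse import urlsplit

# Host patterns from the article, mapped to the schemes each permits.
# Order matters: the first matching pattern wins, so the two HTTPS-only
# entries are listed before the broader *.microsoft.com exception.
ALLOWLIST = [
    ("*.windowsupdate.microsoft.com", {"https"}),   # HTTPS required
    ("*.update.microsoft.com", {"https"}),          # HTTPS required
    ("*.windowsupdate.com", {"http", "https"}),
    ("*.microsoft.com", {"http", "https"}),
    ("*.windows.com", {"http", "https"}),
]


def host_matches(hostname, pattern):
    """Match a '*.example' pattern on a dot boundary.

    '*.microsoft.com' matches 'download.microsoft.com' and
    'a.b.microsoft.com' but not 'microsoft.com' itself and not
    'evil-microsoft.com' (no dot before the suffix).
    """
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        suffix = pattern[1:].lower()          # ".microsoft.com"
        return hostname.endswith(suffix) and len(hostname) > len(suffix)
    return hostname == pattern.lower()


def classify(url):
    """Return ('allow' | 'deny', reason) for one BITS remote URL.

    Anything that is not a plain http(s) URL to an allowlisted host over
    a permitted scheme is denied; that is the deny-all default.
    """
    parts = urlsplit(url)
    scheme = parts.scheme.lower()
    if scheme not in ("http", "https"):
        return "deny", "scheme %r is not HTTP or HTTPS" % parts.scheme
    if parts.username is not None:
        # 'http://update.microsoft.com@198.51.100.7/' really targets
        # 198.51.100.7; refuse URLs that carry userinfo at all.
        return "deny", "userinfo in URL"
    host = parts.hostname                     # lower-cased, port stripped
    if not host:
        return "deny", "no host in URL"
    for pattern, schemes in ALLOWLIST:
        if host_matches(host, pattern):
            if scheme in schemes:
                return "allow", "matches %s" % pattern
            return "deny", "%s requires HTTPS" % pattern
    return "deny", "host %s not in allowlist" % host


# Constructed sample of remote URLs as they might appear in a listing of
# BITS jobs; the hostnames and paths are not real job data.
SAMPLE_JOB_URLS = [
    "https://download.windowsupdate.microsoft.com/msdownload/update/x.cab",
    "http://au.update.microsoft.com/selfupdate/wuident.cab",
    "http://download.microsoft.com/download/patch.exe",
    "http://evil-microsoft.com/payload.exe",
    "http://update.microsoft.com@198.51.100.7/payload.exe",
    "http://203.0.113.5/dl.exe",
]


def audit(urls):
    """Map each URL to its (verdict, reason); act on the 'deny' entries."""
    return {u: classify(u) for u in urls}


if __name__ == "__main__":
    for url, (verdict, reason) in audit(SAMPLE_JOB_URLS).items():
        print("%-5s %s  (%s)" % (verdict, url, reason))
```

Of the six constructed URLs only the first and third are allowed: the second hits an HTTPS-only pattern over plain HTTP, the fourth and sixth are not allowlisted hosts, and the fifth is rejected because its userinfo makes the apparent Microsoft hostname a decoy. If you prefer the article's simplified rule set, drop the two HTTPS-only entries and keep the broader patterns.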
=== SPONSOR: Cyberoam ==========================================
Identity-based Security with UTM
Identity-based UTM is a third generation security solution, offering
the complete set of security features over a single platform. Its user
identity-based security offers protection against blended threats that
target the individual user as well as insider threats.
=== SECURITY NEWS AND FEATURES =================================
Microsoft Redesigns Security Bulletins and Advanced Notifications
Advanced notifications will provide more information, and security
bulletins will have decision-making information at the top.
Verizon Expands Security Offerings Via CyberTrust Acquisition
Verizon Business announced that it will acquire CyberTrust, a
privately held security services provider. Terms of the deal were not
disclosed; however, the two companies expect the transaction to be
completed sometime in the next 60 to 90 days.
Enterprise Wireless Routers
Selecting the hardware and configuration for your company's wireless
network is a complicated and daunting task. The most important criteria
for purchasing an enterprise wireless router are network standards and
speed, security, and dependability. Learn more in our Buyer's Guide.
Recent Security Vulnerabilities
If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these
=== SPONSOR: Brocade ===========================================
Your First Look at FAN Technology
Gain control over the growing amount of file data in your
enterprise. Learn how File Area Networks (FANs) can help you centralize
file consolidation, migration, replication, and failover. Download this
eBook and start streamlining your file management projects today!
=== GIVE AND TAKE ==============================================
SECURITY MATTERS BLOG: Time to Upgrade Samba and PHP
by Mark Joseph Edwards, http://list.windowsitpro.com/t?ctl=573FC:57B62BBB09A69279661DBC84E7D40DD5
If you're using Samba for Linux and Windows interoperability or PHP to
drive applications on your Web servers or desktops, you should upgrade
those tools soon. The new releases of both Samba and PHP contain fixes
for several security problems and new features. Learn more at
FAQ: Check a Folder for a File Type
by John Savill, http://list.windowsitpro.com/t?ctl=573F9:57B62BBB09A69279661DBC84E7D40DD5
Q: How can I quickly check whether a folder contains a certain type of
Find the answer at
FROM THE FORUM: Network Access for Services
A forum participant has a server that runs a particular service.
Because the service has a GUI, the participant wonders if he needs to
grant that service the right to interact with the desktop. The service
also needs network access, but the participant is having trouble
granting that access. He gets an "access denied" error when the service
attempts network access. Join the discussion at
PRODUCT EVALUATIONS FROM THE REAL WORLD
Share your product experience with your peers. Have you discovered a
great product that saves you time and money? Do you use something you
wouldn't wish on anyone? Tell the world! If we publish your opinion,
we'll send you a Best Buy gift card! Send information about a product
you use and whether it helps or hinders you to
SHARE YOUR SECURITY TIPS AND GET $100
Share your security-related tips, comments, or problems and
solutions in Security Pro VIP's Reader to Reader column. Email your
contributions to r2r@xxxxxxxxxxxxxxxxxxx If we print your submission,
you'll get $100. We edit submissions for style, grammar, and length.
=== PRODUCTS ===================================================
by Renee Munshi, products@xxxxxxxxxxxxxxxx
Finding Malicious Content in Email Message Bodies
Avinti announced iSolation Server 4.0 with Blended Threat
Protection, which blocks attacks that use active content and URLs
embedded in email messages. Avinti has extended its behavior
observation technology so that in addition to looking at attachments
for viruses, iSolation Server can search the body of a message for
URLs that link the user to Web sites that download malware in the
background. Administrators can choose to block the malicious content or
issue a warning. iSolation Server 4.0 with Blended Threat Protection
will be available in June. For more information, visit
=== RESOURCES AND EVENTS =======================================
For more security-related resources, visit
Protect your users and your network from email-borne threats. This free
eBook gives you the knowledge required to understand the real threat
that email-borne attacks pose and how to address those attacks in a way
that reduces risk while ensuring users aren't impacted.
Do you want to create a fast, user-friendly, reliable, secure, and
scalable backup strategy for your small-to-midsized business? Download
this free white paper today and learn how you can break away from tape
and move to disk-based data protection.
Did you know that 75% of corporate intellectual property resides in
email? The challenges facing this vital business application range from
spam to the costly impact of downtime and the need for effective,
centralized email storage systems. Join us for a free on-demand Web
seminar and learn the key features of a holistic approach to managing
email security, availability, and control.
Discover the New Releases with Microsoft and Industry Experts at IT Pro
IT Pro Connections offers the deepest and most relevant education
for Microsoft IT professionals, especially in this time of important
new products and technologies. Now is the time for you to quickly come
up to speed. Get prepared for the newest technologies and products
through the real-world experience of our expert presenters. "Insider"
details help you make sense of new technologies, apply them to your
environment, and master them faster and more effectively.
Immerse yourself in the latest Microsoft technologies: Windows
PowerShell, Exchange Server 2007, Windows Vista, Windows Server
"Longhorn," Sharepoint Server and Communications Server, System Center
Family (Operations Manager and Configuration Manager), Windows XP,
Forefront, and more--with experts from Microsoft and world-renowned
subject matter experts!
19-20 June 2007
Post-Conference Workshops 21 June 2007
Amsterdam, The Netherlands
=== FEATURED WHITE PAPER =======================================
You have heard that Windows Vista is the most secure platform that
Microsoft has ever produced, but when considering migration, security
is of the utmost importance. Download this free white paper now and
find out the implications of migrating to Vista in terms of messaging
and Web security. Plus, you'll get a summary of the key issues you need
=== ANNOUNCEMENTS ==============================================
Introducing a Unique Security Resource
Security Pro VIP is an online information center that delivers new
articles every week on topics such as perimeter security,
authentication, and system patches. Subscribers also receive tips,
cautionary advice, direct access to our editors, and a host of other
benefits! Order now at an exclusive charter rate and save up to $50!
Introducing a Unique Exchange and Outlook Resource
Exchange & Outlook Pro VIP is an online information center that
delivers new articles every week on messaging topics such as
administration, migration, security, and performance. Subscribers also
receive tips, cautionary advice, direct access to our editors, and a
host of other benefits! Order now at an exclusive charter rate and save
up to $50!
Security UPDATE is brought to you by the Windows IT Pro Web site's
Security page (first URL below) and Security Pro VIP (second URL
Subscribe to Security UPDATE at
Be sure to add Security_UPDATE@xxxxxxxxxxxxxxxxxxxxx
to your antispam software's list of allowed senders.
To contact us:
About Security UPDATE content -- letters@xxxxxxxxxxxxxxxx
About technical questions -- http://list.windowsitpro.com/t?ctl=573FE:57B62BBB09A69279661DBC84E7D40DD5
About your product news -- products@xxxxxxxxxxxxxxxx
About your subscription -- windowsitproupdate@xxxxxxxxxxxxxxxx
About sponsoring Security UPDATE -- salesopps@xxxxxxxxxxxxxxxx
Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department
Copyright 2007, Penton Media, Inc. All rights reserved.
Attend Black Hat USA, July 28-August 2 in Las Vegas,
the world's premier technical event for ICT security
experts. Featuring 30 hands-on training courses and
90 Briefings presentations with lots of new content
and new tools. Network with 4,000 delegates from
70 nations. Visit product displays by 30 top
sponsors in a relaxed setting. Rates increase on
June 1 so register today. http://www.blackhat.com