Sandbox Lessons

Dyck: March brought hard lessons for system security.

March was a bleak month for security and no doubt left many administrators figuratively tapping out Save Our Server signals on their wirelesses.

Advisories came out last month for root-level vulnerabilities on three major server applications: Sendmail's namesake product, Microsoft's Internet Information Services 5.0 Web server and the Samba Development Team's Samba file server. Together, these holes leave the vast majority of enterprises open to attack.

Looking at the vulnerabilities side by side reveals interesting similarities and also suggests the best defense tactics.

The IIS and Samba advisories stand out because in both cases, crackers were actively exploiting these holes before security bulletins could be issued. As I was writing this column, I got a call from Samba co-author Jeremy Allison to let me know that the Samba team had just been notified of yet another root-level hole for Samba that will be fixed in Samba 2.2.8a. The newest problem was discovered through an attack on a honey pot Samba server, demonstrating that attackers are already exploiting this vulnerability and potentially have been for some time. The flaw has been in Samba since 1993, and so virtually every Samba server is affected.

Day 0 attacks such as these—for which no advisory or patch has been released before attacks are made—are the ones that prompt rapid changes of underwear. There's no warning, no notification and no help to figure out why your servers got rooted.