Another ISS BlackIce & RealSecure Update ?

Word of warning-- on my machines, this update (3.6cch) changed my previous
config by enabling auto-blocking and changing settings to Paranoid (block
all inbound).  On a busy server, it didn't take long for users to start
screaming loudly when they suddenly could not connect.

ISS is real vague with their info, and they get low marks for not having an
update-notify email list.  There is no automated way of finding out if an
update is available without logging on to a machine that has BI installed
and either manually checking for updates or looking for some icon indicator
in the BI admin console window.

We update BI regularly-- but because there is NO automated notify mechanism,
NO auto-update feature, and because there was such an incredibly SHORT
amount of time (matter of hours) between when the 'ccg' update was released
and the Witty worm struck, we lost 2 servers.  What was *supposed* to keep us
safe was the very mechanism that cost us a full day of downtime while the
destroyed servers were rebuilt from scratch & backups.



>it seems that a new problem was discovered in the default config of many
>versions of BlackICE and RealSecure...
>
>What's new (26 Mar 2004) : Updated to correct a misconfiguration in the
>default settings that changed the default blocking and reporting behavior
>and may affect the level of protection provided by the product.
>http://blackice.iss.net/update_center/
>
>any details ?
>
>God bless (in)security...
>
>--------------------------------------------
>Berty Stephane - Senior Security Consultant
>Cellule Incidents & Veille Sécurité
>http://www.k-otik.com
