MSBlast worm Security

Published: August 14th, 2003

Category: Memos

Chuck Frazier, Vice Provost for Information Technology

This is just a short note to keep you all informed about our most recent security incident. I sent out the memo below to the net-managers listserv just a couple of hours ago. Your IT staffs are well aware of what is going on and they have responded and cooperated well to help keep this worm contained. If you have any questions or concerns that are not addressed in the memo below or that cannot be handled by your IT staff, please feel free to contact me or Kathy Bergsma (UF – Information Security Manager) at kbergsma@ufl.edu.

MEMO to Net-Managers. As most of you already know, the UF campus was hit by the MSBlast worm Monday. At the time that the worm hit, we had 12,000 vulnerable hosts on campus. Fortunately, the worm did not spread very efficiently and only about 400 campus computers were compromised. The security team at Computing and Networking Services (CNS) applied filters to contain the worm, but we still expect other variants that will bypass the current filters.

Shands reduced their exposure by temporarily blocking NetBIOS traffic at the campus boundary. Many campus hosts have been patched, reducing the exposure on the main campus to about 1000 hosts, but this is still a serious exposure. Current scan results listing vulnerable computers are available to authorized network administrators at https://net-services.ufl.edu/security/cgi-bin/security-gl-info.cgi. Please look at the scan results dated 8-13-03.

Our security team concludes that the best approach to reducing our exposure is to pursue the problem at the edge of the network by patching vulnerable computers. Please make your best effort to ensure that any hosts that connect to your network, managed or unmanaged, are patched.

Some infected computers remain connected to the UF network. The MSBlast worm is scheduled to attack the Microsoft Windows Update web site this Saturday, August 16. Any infected computers that remain connected to the network at 8:00 am Friday morning, August 15, will be blocked from access to the network at the nearest core router. The current list of infected hosts is available to authorized network administrators at https://net-services.ufl.edu/security/cgi-bin/compromise-ip-results.cgi.

Access to Microsoft sites is strained due to the widespread nature of this vulnerability in most of their operating systems. For this reason, the UF security team is making patches available locally at http://net-services.ufl.edu/security/public/mspatch.shtml.
