[OPLINTECH] Network Services Customer Update - October 24, 2003

Vince.Corroto@das.state.oh.us Vince.Corroto@das.state.oh.us
Fri, 24 Oct 2003 10:44:13 -0400


Network Services Customer Update - October 24, 2003


Scheduled Maintenance:

Tuesday, October 28, 3:00 - 6:00 a.m.

ITSD network engineers will be installing a new line card into a primary
Internet border router located at the State of Ohio Computer Center.  All
customers' Internet traffic will be affected.  The expected actual duration
of the outage should be less than ½ hour.

Tuesday, November 4, 3:00 - 6:00 a.m.

ITSD network engineers will be upgrading the Operating System and Memory on
BBOET1 (router) at OET 2470 NorthStar Road.  The estimated outage should be
approximately 15 minutes.  This will only affect OET customers.


Completed Maintenance:

Tuesday, October 17, 3:00 - 6:00 a.m.

Network engineers replaced UPS batteries at the Rhodes State Office Tower.


Security Update:

Security Alerts, October 22, 2003

Buffer Overrun in Windows ListBox and ComboBox Controls

Brett Moore of Security-Assessment.com discovered that a vulnerability in
Windows ListBox and ComboBox controls can result in the execution of
arbitrary code on the system running the vulnerable control. The ListBox
and ComboBox controls call a function located in the user32.dll file. A
specially crafted Windows message could pass parameters to the function
that the function can't correctly validate, thereby causing a buffer
overrun. Microsoft has released security bulletin MS03-045, "Buffer Overrun
in the ListBox and in the ComboBox Control Could Allow Code Execution
(824141)," which addresses this vulnerability, and recommends that affected
users immediately apply the appropriate patch listed in the bulletin.

  http://www.win2000mag.com/windowssecurity/article/articleid/40585/40585.html

For complete details about this vulnerability, be sure to visit our Web
site at the provided URL.


Cross-Site Scripting Vulnerability in OWA

Ory Segal of Sanctum discovered that a vulnerability in Microsoft Exchange
Server 5.5 Outlook Web Access (OWA) can result in the execution of
arbitrary code on the user's system. This vulnerability stems from a
cross-site scripting (XSS) vulnerability in the way OWA performs HTML
encoding in the Compose New Message form. Microsoft has released security
bulletin MS03-047, "Vulnerability in Exchange Server 5.5 Outlook Web Access
Could Allow Cross-Site Scripting Attack (828489)," which addresses this
vulnerability, and recommends that affected users immediately apply the
appropriate patch listed in the bulletin.

  http://www.winnetmag.com/windowssecurity/article/articleid/40587/40587.html


For complete details about this vulnerability, be sure to visit our Web
site at the provided URL.


ITSD Network Services "Infected Devices" Policy:

With the recent increase of worms and viruses, ITSD Network Services has
implemented an "Infected Devices" Policy.  On a daily basis, we detect
infected machines trying to spread to the ITSD Enterprise Network.  This is
accomplished with our Intrusion Detection Systems that are operating at the
border of the ITSD Enterprise Network.  If these infected devices are not
removed from the ohio.gov network, they can infect other machines.  If the
infected device is disrupting the ohio.gov network, then the device will be
restricted from accessing the network immediately.  If the infected device
is not affecting the ohio.gov network, then we will notify the customer of
the infected device and ask them to remove the device from the network.
Once notified, the customer will have 24 hours to cleanse the infected
device.  If a customer fails to remove an infected device from the network
(24 hours after they've been notified), the device will be restricted from
accessing the ohio.gov network.  This policy will be updated as needed to
maintain ohio.gov network access.  Please contact the Network Operations
Center if you have any questions or concerns.

__________________________________________________________

DAS Goal -
DAS will leverage Ohio's investment in information technology by
implementing exemplary statewide governance in collaboration with its
customers.

IT Service Delivery Goal -
Provide customers with a secure, reliable, available, and stable
Information Technology environment, incorporating existing and future
architectures

Customer Suggestions:
Please send your suggestions for improving our network services to:
E-mail: suggestions@net.state.oh.us
Fax: 614-644-3349

Network Operations Center (NOC):
644-0701 (Columbus Calling Area)
800-644-0701 (Outside of the Columbus Calling Area)
noc@net.state.oh.us
www.ohio.gov/telecom/data.htm