[OPLINTECH] Network Services Customer Update - October 24, 2003

Vince.Corroto at das.state.oh.us
Fri Oct 24 10:44:13 EDT 2003


Network Services Customer Update - October 24, 2003


Scheduled Maintenance:

Tuesday, October 28, 3:00 - 6:00 a.m.

ITSD network engineers will be installing a new line card into a primary
Internet border router located at the State of Ohio Computer Center.  All
customers' Internet traffic will be affected.  The expected actual duration
of the outage should be less than ½ hour.

Tuesday, November 4, 3:00 - 6:00 a.m.

ITSD network engineers will be upgrading the Operating System and Memory on
BBOET1 (router) at OET 2470 NorthStar Road.  The estimated outage should be
approximately 15 minutes.  This will only affect OET customers.


Completed Maintenance:

Tuesday, October 17, 3:00 - 6:00 a.m.

Network engineers replaced UPS batteries at the Rhodes State Office Tower.


Security Update:

Security Alerts, October 22, 2003

Buffer Overrun in Windows ListBox and ComboBox Controls

Brett Moore of Security-Assessment.com discovered that a vulnerability in
Windows ListBox and ComboBox controls can result in the execution of
arbitrary code on the system running the vulnerable control. The ListBox and
ComboBox controls call a function located in the user32.dll file. A specially
crafted Windows message could pass parameters to the function that the
function can't correctly validate, thereby causing a buffer overrun.
Microsoft has released security bulletin MS03-045, "Buffer Overrun in the
ListBox and in the ComboBox Control Could Allow Code Execution (824141),"
which addresses this vulnerability, and recommends that affected users
immediately apply the appropriate patch listed in the bulletin.

  http://www.win2000mag.com/windowssecurity/article/articleid/40585/40585.html

For complete details about this vulnerability, be sure to visit our Web
site at the provided URL.


Cross-Site Scripting Vulnerability in OWA

Ory Segal of Sanctum discovered that a vulnerability in Microsoft Exchange
Server 5.5 Outlook Web Access (OWA) can result in the execution of arbitrary
code on the user's system. This vulnerability stems from a cross-site
scripting (XSS) vulnerability in the way OWA performs HTML encoding in the
Compose New Message form. Microsoft has released security bulletin MS03-047,
"Vulnerability in Exchange Server 5.5 Outlook Web Access Could Allow
Cross-Site Scripting Attack (828489)," which addresses this vulnerability,
and recommends that affected users immediately apply the appropriate patch
listed in the bulletin.

  http://www.winnetmag.com/windowssecurity/article/articleid/40587/40587.html


For complete details about this vulnerability, be sure to visit our Web
site at the provided URL.


ITSD Network Services "Infected Devices" Policy:

With the recent increase of worms and viruses, ITSD Network Services has
implemented an "Infected Devices" Policy.  On a daily basis, we detect
infected machines trying to spread to the ITSD Enterprise Network.  This is
accomplished with our Intrusion Detection Systems that are operating at the
border of the ITSD Enterprise Network.   If these infected devices are not
removed from the ohio.gov network, they can infect other machines.  If the
infected device is disrupting the ohio.gov network, then the device will be
restricted from accessing the network immediately.  If the infected device
is not affecting the ohio.gov network, then we will notify the customer of
the infected device and ask them to remove the device from the network.
Once notified, the customer will have 24 hours to cleanse the infected
device.  If a customer fails to remove an infected device from the network
(24 hours after they've been notified), the device will be restricted from
accessing the ohio.gov network.  This policy will be updated as needed to
maintain ohio.gov network access.  Please contact the Network Operations
Center if you have any questions or concerns.

__________________________________________________________

DAS Goal -
DAS will leverage Ohio's investment in information technology by
implementing exemplary statewide governance in collaboration with its
customers.

IT Service Delivery Goal -
Provide customers with a secure, reliable, available, and stable
Information Technology environment, incorporating existing and future
architectures.

Customer Suggestions:
Please send your suggestions for improving our network services to:
E-mail: suggestions at net.state.oh.us
Fax: 614-644-3349

Network Operations Center (NOC):
644-0701 (Columbus Calling Area)
800-644-0701 (Outside of the Columbus Calling Area)
noc at net.state.oh.us
www.ohio.gov/telecom/data.htm




