[ISN] Security UPDATE, June 13, 2001

From: InfoSec News (isnat_private)
Date: Wed Jun 13 2001 - 20:29:35 PDT


    ********************
    
    Windows 2000 Magazine Security UPDATE--brought to you by the Windows
    2000 Magazine Network
       **Watching the Watchers**
       http://www.win2000mag.net/Channels/Security
    
    ********************
    
    ~~~~ SPONSOR: BINDVIEW CORPORATION ~~~~
       Security is the key issue in today's interconnected world and
    BindView is right on top of it with a new, highly informative eBook, The
    Definitive Guide to Windows 2000 Security. This eBook covers all the
    bases of a comprehensive security methodology for your Microsoft Windows
    2000 environment. It's heavy into the detail of what goes into a great
    IT security system, and is specifically geared for Windows 2000
    platforms. Written by Paul Cooke, an Information Security professional
    with more than 10 years' experience developing and deploying security
    solutions, the tips, tricks, and info packed into this volume are
    priceless! Get it FREE at
       http://go.win2000mag.net/UM/T.asp?A2153.23115.1124.1.532985
    
    ~~~~~~~~~~~~~~~~~~~~
    
    June 13, 2001--In this issue:
    
    1. IN FOCUS
         - New Tweaks and Tools
    
    2. SECURITY RISKS
         - Script Execution Vulnerability in Microsoft Exchange OWA
         - Multiple Vulnerabilities in Microsoft Windows 2000 Telnet
    
    3. ANNOUNCEMENTS
         - Tell Us about Your Connected Home!
         - The Black Hat Briefings: The Security Event the Experts Rave
           About
    
    4. SECURITY ROUNDUP
         - News: Windows XP to Sport UNIX-like Raw Sockets
         - News: The AD Backup Bug: Monster in the Closet?
         - News: Citrix and Sierra Wireless Join Forces to Provide Wireless
           Access to Server-Based Applications
         - Review: IPSec and IKE: New VPN Standards
    
    5. SECURITY TOOLKIT
         - Book Highlight: Configuring ISA Server 2000: Building Firewalls
           for Windows 2000
         - Virus Center: Worm Alert--Choke.A
         - FAQ: How Can I Uninstall Hidden Windows Components?
         - Windows 2000 Security: IE Security Options, Part 6
         - Event Highlight: Windows 2000 Magazine Live!
    
    6. NEW AND IMPROVED
         - Defrag Your System
         - Biometric Authentication Sensor in New Keyboards
    
    7. HOT THREADS 
         - Windows 2000 Magazine Online Forums
               Disable CD-ROM Eject
         - HowTo Mailing List:
               Suspicious Entry in My Web Server Log
    
    8. CONTACT US
       See this section for a list of ways to contact us.
    
    1. ==== COMMENTARY ====
    
    Hello everyone,
    
    Over the past week, I've learned about three Microsoft tools that help
    you install Microsoft hotfixes in a more streamlined fashion and tighten
    security on your dial-up networking clients. In addition, I've come
    across some interesting articles that you might want to read. 
    
    The tools are Qchain, the Windows 9x DUN 1.4 Upgrade, and Qfecheck.
    Qchain lets you install multiple hotfixes without having to reboot after
    each one. I found out about the tool while reading the June edition of
    Microsoft's "Ask Us About Security" column on its Web site. You can find
    the column at the first URL below. Qchain runs on Windows 2000 and
    Windows NT. To use Qchain, you first install each required hotfix (in
    proper sequence) with the -z command-line switch, which tells the
    installation program not to reboot the OS after installing the fix. Then
    run Qchain, which, according to article Q296861, "cleans the Pending
    File Rename Operations key in the registry to make sure that only the
    latest version of a file is installed after the computer is rebooted."
    You can learn more about Qchain and download a copy at the second URL
    below.
       http://www.microsoft.com/technet/security/columns.asp
       http://www.microsoft.com/technet/support/kb.asp?ID=296861
    
    The DUN upgrade offers Windows 9x users support for 128-bit encryption
    with PPTP and also improves the stability of PPTP connections. According
    to Microsoft, "The DUN 1.4 release includes all of the features of all
    previous DUN releases, as well as those that are included in the
    Integrated Services Digital Network (ISDN) version 1.1 release." In
    addition, DUN 1.4 has multilink support and support for internal ISDN
    adapters and connection-time scripting, which helps automate nonstandard
    connections. You can find the DUN 1.4 upgrade at the following URL:
       http://support.microsoft.com/support/kb/articles/Q285/1/89.ASP
    
    The third tool is Qfecheck, which inspects a system to ensure that
    hotfixes are installed correctly on Win2K systems. Hotfix information is
    stored in the registry under
    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates.
    
    Qfecheck reads information from that key and compares the information to
    files on the system to ensure those files are the proper versions.
    Qfecheck also ensures that the Windows File Protection (WFP) subsystem
    has the information it needs to protect those files from tampering.
    Learn more about Qfecheck, including where to download a copy, from
    Microsoft's article.
       http://support.microsoft.com/support/kb/articles/Q282/7/84.ASP
    
    While reading this month's "Ask Us About Security" column from
    Microsoft, I also learned that the company has begun producing no-reboot
    patches for Win2K--finally! Microsoft said it now analyzes each security
    patch it produces to determine whether a user can install it without a
    system reboot; the company will release those patches as no-reboot
    patches. The company also analyzed all of its former patches and found
    it could repackage only two (MS00-067 and MS00-099) as no-reboot patches
    using its current technology. So Microsoft is working on additional
    technology that will let it repackage as many as 25 percent of the
    currently available patches. That technology should also let the company
    create a greater percentage of no-reboot patches in the future. You can
    learn more about no-reboot patches on Microsoft's TechNet Web site.
       http://www.microsoft.com/TechNet/security/noreboot.asp
    
    Before I sign off this week, I want to point out that Windows 2000
    Magazine senior contributing editor Sean Daily has discovered a
    potentially dangerous oddity with Active Directory (AD) backups. In
    certain instances, AD backups can become corrupt, and you know what
    happens when you restore corrupted data. You don't want to get bitten by
    this bug, so be sure to read about Sean's news article in the SECURITY
    ROUNDUP section of this newsletter. Until next time, have a great
    week.
    
    Sincerely,
    Mark Joseph Edwards, News Editor, markat_private
    
    2. ==== SECURITY RISKS ====
    (contributed by Ken Pfiel, kenat_private)
    
    * SCRIPT EXECUTION VULNERABILITY IN MICROSOFT EXCHANGE OWA
       Joao Gouveia discovered a flaw in the interaction between Microsoft
    Exchange Server Outlook Web Access (OWA) and Microsoft Internet Explorer
    (IE) for message attachments. If an attachment contains HTML code that
    includes script, the script will execute when the user opens the
    attachment, regardless of the attachment type. Microsoft has
    acknowledged this vulnerability and recommends that users immediately
    apply the patch mentioned in Security Bulletin MS01-030.
       http://www.windowsitsecurity.com/articles/index.cfm?articleID=21379
    
    * MULTIPLE VULNERABILITIES IN MICROSOFT WINDOWS 2000 TELNET
       Seven different vulnerabilities exist in the version of Telnet that
    Microsoft ships with Windows 2000. Two of these vulnerabilities relate
    to the way that Telnet handles the sessions that a user creates and can
    escalate the user's privilege. Four of these vulnerabilities let an
    attacker launch Denial of Service (DoS) attacks, and the seventh is an
    information-disclosure flaw that lets an attacker enumerate Guest
    accounts exposed through the Telnet server. Guardent, Peter Grundl,
    Richard Reiner, and BindView's Razor team discovered the problems.
    Microsoft acknowledges these vulnerabilities and recommends that users
    immediately apply the patch mentioned in Security Bulletin MS01-031. For
    Windows 2000 Datacenter Server users, the patches are hardware specific,
    and users should contact the OEM.
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21380
    
    3. ==== ANNOUNCEMENTS ====
    
    * TELL US ABOUT YOUR CONNECTED HOME!  
       Does your computer technology savvy come in handy at home? We want to
    know how you use home networking, computer technology, and home
    automation technology for work and play. Take a few minutes to answer
    our online survey! 
       http://www.zoomerang.com/survey.zgi?EGPTKEMTH7BQRBT9YE8FN3X8
    
    * THE BLACK HAT BRIEFINGS: THE SECURITY EVENT THE EXPERTS RAVE ABOUT  
       Register now for Black Hat Briefings, the world's premier technical
    event for IT and network security experts, July 11 and 12 in Las Vegas.
    New this year is a Tools of the Trade track. Join 1500+ security experts
    and underground security specialists at this truly unique conference
    with lots of Windows 2000 sessions. 
       http://www.blackhat.com
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: WINDOWS XP TO SPORT UNIX-LIKE RAW SOCKETS
       Microsoft's new Windows XP OS will include UNIX-like raw sockets,
    expanding on its current OSs. Winsock 2 already offers some raw socket
    functionality; however, Windows XP's new functionality will allow source
    IP address spoofing. Currently, Winsock overwrites a packet's source IP
    address with the system's true IP address before sending that packet to
    its destination. Early versions of Windows let malicious users spoof IP
    addresses, but sometime during the evolution of Windows, Microsoft
    decided to remove such functionality. With the company's decision to
    reinstate the raw socket functionality in Windows XP, at least one
    person is complaining loudly.
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21358
    
    * NEWS: THE AD BACKUP BUG: MONSTER IN THE CLOSET?
       Making reliable backups is one of the most important tasks a network
    administrator faces daily. At a recent conference, Sean Daily came
    across some rather disturbing information--information that directly
    affects administrators who run Windows 2000 networks based on Active
    Directory (AD). An engineer for Aelita, an independent software vendor
    (ISV) that produces Win2K and Windows NT administration and migration
    tools, told Daily that roughly half of all AD backups resulted in
    corrupt backup copies. For the complete details visit the following
    URL.
       http://www.wininformant.com/Articles/Index.cfm?ArticleID=21351
    
    * NEWS: CITRIX AND SIERRA WIRELESS JOIN FORCES TO PROVIDE WIRELESS
    ACCESS TO SERVER-BASED APPLICATIONS
       Citrix Systems and Sierra Wireless have established a strategic
    relationship to deliver business applications running on Citrix
    MetaFrame servers over wireless networks to virtually any client device.
    Key terms of the agreement include product-compatibility testing and
    joint marketing and sales initiatives, beginning with Citrix
    representation in the Sierra Wireless booth at this month's PC Expo.
    Citrix has joined the Sierra Wireless WirelessReady Alliance (WRA), and
    Sierra Wireless has become a premier-level member of the Citrix Business
    Alliance (CBA).
       http://www.wininformant.com/Articles/Index.cfm?ArticleID=21346
    
    * REVIEW: IPSEC AND IKE: NEW VPN STANDARDS
       The IP Security (IPSec) and Internet Key Exchange (IKE) protocols are
    becoming standards in VPN communications. All but one of the products in
    this review--Computer Associates (CA) eTrust VPN 2.1--use IPSec for
    encapsulating sensitive IP communication. IPSec is taking its place as a
    universal standard among firewall and router manufacturers. The reasons
    for IPSec's growing popularity are its ability to work on many types of
    network devices and its strong data-protection features. IPSec is
    essentially a set of security protocols and algorithms that ensure data
    security on the network layer. Learn all about it in Michael Norian's
    comparative review on the Windows 2000 Web site.
       http://www.win2000mag.com/Articles/Index.cfm?ArticleID=20070
    
    5. ==== SECURITY TOOLKIT ====
    
    * BOOK HIGHLIGHT: CONFIGURING ISA SERVER 2000: BUILDING FIREWALLS FOR
    WINDOWS 2000
    By Tom Shinder
    List Price: $49.95
    Fatbrain Online Price: $39.96
    Hardcover; 512 pages
    Published by Syngress Publishing, April 2001
    ISBN 1928994296
    
    For more information or to purchase this book, go to
    http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=1928994296
    and enter WIN2000MAG as the discount code when you order the book.
    
    * VIRUS CENTER
       Panda Software and the Windows 2000 Magazine Network have teamed to
    bring you the Center for Virus Control. Visit the site often to remain
    informed about the latest threats to your system security.
       http://www.windowsitsecurity.com/panda
    
    WORM ALERT: CHOKE.A
       W32/Choke.A is an Internet worm written in Visual Basic (VB) 6.0 that
    uses the program MSN Messenger to propagate. If this application is not
    installed on your system, propagation isn't possible. The message body
    contains the following text: "President bush shooter is game that allows
    you to shoot Bush balzz hahaha." For complete details on this worm, be
    sure to visit the Center for Virus Control:
       http://63.88.172.96/Panda/Index.cfm?FuseAction=Virus&VirusID=1102
    
    * FAQ: HOW CAN I UNINSTALL HIDDEN WINDOWS COMPONENTS?
       ( contributed by Paul Robichaux, http://www.windows2000faq.com )
    
    When you start the Add/Remove Programs Control Panel applet and select
    Add/Remove Windows components, the system doesn't display all of the
    components because Windows doesn't want some of them uninstalled.
    However, you can change which components the system displays. Perform
    the following steps: 
       1. Open the sysoc.inf file located in the %systemroot%\inf folder. 
       2. Go to the Components section. 
       3. Locate the entry you want to make uninstallable and remove the
    word "hide." For example, for MSN Messenger Service, change the line:
       msmsgs=ocgen.dll,OcEntry,msmsgs.inf,hide,7
       to
       msmsgs=ocgen.dll,OcEntry,msmsgs.inf,,7 
       4. Save the sysoc.inf file. 
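
The edit in steps 1 through 4, as an added example that is not part of the original FAQ: a Python helper that lists the entries still marked hide in the [Components] section and clears that field for one of them. Only the msmsgs line comes from the newsletter; the other sample entries and all function names are constructed for illustration.

```python
# Constructed sample in the layout the FAQ shows. Only the msmsgs line is
# from the page; the other entries are made up for illustration.
SAMPLE_SYSOC = """\
[Version]
Signature = "$Windows NT$"

[Components]
ExampleVisible=ocgen.dll,OcEntry,examplea.inf,,7
msmsgs=ocgen.dll,OcEntry,msmsgs.inf,hide,7
ExampleHidden=ocgen.dll,OcEntry,exampleb.inf,HIDE,7

[Global]
WindowTitle=Example
"""

HIDE_FIELD = 3  # fourth comma-separated field after '=' carries "hide"


def _walk_components(text):
    """Yield (line_index, name, fields) for each entry in [Components]."""
    in_section = False
    for i, line in enumerate(text.splitlines()):
        stripped = line.strip()
        if stripped.startswith("["):
            in_section = stripped.lower() == "[components]"
            continue
        if not in_section or stripped.startswith(";") or "=" not in stripped:
            continue
        name, _, value = stripped.partition("=")
        yield i, name.strip(), [f.strip() for f in value.split(",")]


def _is_hidden(fields):
    return len(fields) > HIDE_FIELD and fields[HIDE_FIELD].lower() == "hide"


def hidden_components(text):
    """Names of components that Add/Remove Windows Components will not list."""
    return [name for _, name, fields in _walk_components(text)
            if _is_hidden(fields)]


def unhide(text, component):
    """Return new file text with the hide field emptied for one component."""
    lines = text.splitlines()
    changed = False
    for i, name, fields in _walk_components(text):
        if name.lower() == component.lower() and _is_hidden(fields):
            fields[HIDE_FIELD] = ""  # keep the empty field: ",hide," -> ",,"
            lines[i] = f"{name}={','.join(fields)}"
            changed = True
    if not changed:
        raise KeyError(f"{component} is not a hidden entry in [Components]")
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    print("hidden before:", hidden_components(SAMPLE_SYSOC))
    patched = unhide(SAMPLE_SYSOC, "msmsgs")
    print("hidden after: ", hidden_components(patched))
```

Keep a copy of the original sysoc.inf before writing the patched text back, so the change can be reverted.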
    
    * WINDOWS 2000 SECURITY: IE SECURITY OPTIONS, PART 6
       In Parts 2 through 5 of this article series, Randy Franklin Smith
    described the many security settings in Microsoft Internet Explorer (IE)
    5.0. You've probably identified some areas where you need to improve
    browser security. But like many administrators, you might have hundreds
    or even thousands of workstations where you need to make these changes.
    In addition, you need to prevent users from going back and reversing
    your stricter security settings. To accomplish these tasks in Windows
    2000, you can use Group Policy Objects (GPOs) that you link to your
    Active Directory (AD) domain or to organizational units (OUs) in your
    domain. Learn how in Randy's latest column.
       http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21282
    
    * EVENT HIGHLIGHT: WINDOWS 2000 MAGAZINE LIVE!
       Microsoft TechEd 2001
       June 17 through 21, 2001
       Georgia World Congress Center
       Atlanta, Georgia
    
    Stop by the Windows 2000 Magazine booth at TechEd 2001 and meet our
    technical editors and hear what they have to say about current topics.
    Sunday, June 17, at 3:00 P.M., Tim Huckaby will discuss Web security
    auditing. Monday, June 18, at 10:00 A.M., and Tuesday, June 19, at 9:30
    A.M., Sean Daily will present some very useful--and in some cases,
    undocumented--Windows 2000 tips, tricks, and customizations. Monday at
    1:00 P.M., Mark Russinovich will discuss new stuff in the XP Kernel.
    Wednesday, June 20, at 11:00 A.M., Bob Wells will discuss some new and
    improved scripting goodies in Windows XP.
    
    6. ==== NEW AND IMPROVED ====
       (contributed by Judy Drennen, productsat_private)
    
    * DEFRAG YOUR SYSTEM
       Winternals Software released Defrag Commander Network Edition (NE),
    software that features a remote, schedulable defragmenter that can
    defrag Windows 2000 and Windows NT systems across the network without
    having to install client software. A client component of the product
    defragments Windows Me and Windows 9x systems through a logon script or
    through the Microsoft Systems Management Server (SMS). Defrag Commander
    NE is licensed by the number of simultaneous clients, and prices start
    at $169 for 10 units. Contact Winternals Software at 512-330-9130 or
    800-408-8415.
       http://www.winternals.com
    
    * BIOMETRIC AUTHENTICATION SENSOR IN NEW KEYBOARDS
       DigitalPersona announced that its U.are.U biometric authentication
    sensor will be included in a new generation of Darfon Electronics
    keyboards. Biometric security solutions are becoming more popular as
    system developers move away from expensive and time-consuming password
    systems. Fingerprints provide a nonintrusive method to guarantee that
    only authorized recipients obtain information.
       http://www.digitalpersona.com
    
    7. ==== HOT THREADS ====
    
    * WINDOWS 2000 MAGAZINE ONLINE FORUMS
       http://www.win2000mag.net/forums 
    
    Featured Thread: Disable CD-ROM Eject 
       (Six messages in this thread)
    
    This reader administers a school lab running Windows NT 4.0
    workstations. He wants to know how to keep students from inserting game
    CD-ROMs on their systems. Read the responses of others or lend a helping
    hand at the following URL:
       http://www.win2000mag.net/forums/rd.cfm?app=64&id=68658
    
    * HOWTO MAILING LIST
       http://www.windowsitsecurity.com/go/page_listserv.asp?s=HowTo
    
    Featured Thread: Suspicious Entry in My Web Server Log
       (Three messages in this thread)
    
    This user found a suspicious entry in the Web server's logs that seems
    to indicate some type of exploit was attempted against the server. The
    log entry is as follows:
    
       2001-06-03 11:55:46 xxx.yyy.32.246 - W3SVC1 SERVERNAME xxx.yyy.zzz.112 GET /winnt/system32/cmd.exe 401 5 80 - -
    
    According to the user, the timing corresponds with what looks like a
    scan of IP addresses on the same subnet looking for HTTP servers on port
    80.  The user is not aware of an exploit but is trying to figure out
    what the intruder was up to. Can you help? Read the responses or lend a
    hand at the following URL:
       http://63.88.172.96/go/page_listserv.asp?A2=IND0106A&L=HOWTO&P=1165
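
A triage pass over entries in the layout of the line quoted above, as an added example that is not from the newsletter or the HowTo thread: it groups requests for executables under the system directory by client address and separates refused probes from requests the server actually served. The column names are read off that one entry and are an assumption, and every sample line except the one from the thread is constructed.

```python
import re
from collections import defaultdict
from urllib.parse import unquote

# Leading columns as read off the entry quoted in the thread (assumed names;
# the page does not label them). Trailing columns are kept, not interpreted.
COLUMNS = ("date", "time", "client_ip", "username", "site", "server",
           "server_ip", "method", "uri_stem", "status")

# Requests for executables under the OS directory, or for cmd.exe anywhere.
SUSPICIOUS = re.compile(
    r"/(?:winnt|windows)/.+\.(?:exe|com|bat|cmd)$|(?:^|/)cmd\.exe$")

# Second line is the entry from the thread; the others are constructed.
SAMPLE_LOG = """\
#Version: 1.0
2001-06-03 11:55:46 xxx.yyy.32.246 - W3SVC1 SERVERNAME xxx.yyy.zzz.112 GET /winnt/system32/cmd.exe 401 5 80 - -
2001-06-03 11:56:02 192.0.2.10 - W3SVC1 SERVERNAME xxx.yyy.zzz.112 GET /default.htm 200 0 80 - -
2001-06-03 11:57:10 198.51.100.7 - W3SVC1 SERVERNAME xxx.yyy.zzz.112 GET /WINNT/System32/CMD.EXE 404 2 80 - -
2001-06-03 11:57:11 198.51.100.7 - W3SVC1 SERVERNAME xxx.yyy.zzz.112 GET /winnt/system32/cmd%2Eexe 200 0 80 - -
"""


def parse_line(line):
    """Return a dict for one log entry, or None for directives and junk."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(COLUMNS) or not parts[9].isdigit():
        return None
    entry = dict(zip(COLUMNS, parts))
    entry["status"] = int(entry["status"])
    entry["rest"] = parts[len(COLUMNS):]
    return entry


def normalize(uri_stem):
    """Decode %XX escapes, unify slashes and case so variants compare equal."""
    return unquote(uri_stem).replace("\\", "/").lower()


def triage(log_text):
    """Group suspicious requests by client and note whether any was served."""
    report = defaultdict(lambda: {"hits": [], "served": False})
    for raw in log_text.splitlines():
        entry = parse_line(raw)
        if entry is None or not SUSPICIOUS.search(normalize(entry["uri_stem"])):
            continue
        client = report[entry["client_ip"]]
        client["hits"].append((f'{entry["date"]} {entry["time"]}',
                               entry["uri_stem"], entry["status"]))
        # 401/403/404 mean the request was refused or missed; 2xx means served.
        if 200 <= entry["status"] < 300:
            client["served"] = True
    return dict(report)


if __name__ == "__main__":
    for ip, info in triage(SAMPLE_LOG).items():
        level = "INVESTIGATE NOW" if info["served"] else "probe, refused"
        print(f"{ip}: {len(info['hits'])} hit(s), {level}")
        for when, uri, status in info["hits"]:
            print(f"    {when}  {status}  {uri}")
```

The entry from the thread carries status 401, so it lands in the refused group; a 2xx status on the same kind of path is the case that calls for immediate investigation of the server.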
    
    8. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT THE COMMENTARY -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- tfaubionat_private; please
    mention the newsletter name in the subject line.
    
    * TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
    Support at securityupdateat_private
    
    * WANT TO SPONSOR Security UPDATE? emedia_oppsat_private
    
    Copyright 2001, Penton Media, Inc.