[ISN] Security UPDATE, June 27, 2001

From: InfoSec News (isnat_private)
Date: Wed Jun 27 2001 - 23:46:24 PDT


    Windows 2000 Magazine Security UPDATE--brought to you by the Windows
    2000 Magazine Network
       **Watching the Watchers**
    Webtrends Firewall Suite -- Download Free Trial!
       Experienced IT Managers know security requires insight! 
    With WebTrends Firewall Suite, you'll get in-depth analysis of both
    incoming and outgoing traffic through your network. Monitor bandwidth
    usage, measure VPN activity, and receive alerts by email or pager
    whenever critical security events occur. Firewall Suite 3.1 provides
    support for 35 leading firewall and proxy servers, including Cisco and
    Check Point. Currently a featured download on Tech Republic.  
    Click here for your FREE trial, download now:
    June 27, 2001--In this issue:
    1. IN FOCUS
         - To Disclose or Not to Disclose, That Is the Question
         - Malformed Word Document Lets Macro Run Automatically
         - Unchecked Buffer in FrontPage Server Extension Sub-component
         - Learn to Use Problem-Solving Scripts That Simplify Life
         - Check Out This Great Email Newsletter Search Engine
         - News: TRUSTe Launches Icon-Based Privacy Initiative
         - News: AD Backup Bug: Microsoft Comes Clean
         - News: Massive Compaq Reorganization to Include Alpha Death
         - News: Microsoft Hotmail Service in New Privacy Flap
         - News: Buyer's Guide: 802.11 Wireless Devices
         - Book Highlight: Cisco Secure Internet Security Solutions
         - Virus Center
             - Virus Alert: W32/MSInit.B
         - Tip: A Licensing Problem 
         - Win2K Security: IP Security Filtering
         - Protect Your Data After Someone Steals Your Mobile Device
         - Protect Your Information
         - Windows 2000 Magazine Online Forums
             - Featured Thread: Changing the Time Privilege in NT
         - Win2KsecAdvice Mailing List:
             - Featured Thread: Warning to McAfee.com VirusScan Online
       See this section for a list of ways to contact us.
    1. ==== COMMENTARY ====
    Hello everyone,
    The practice of full disclosure of security risk information is again
    under attack. According to an article at MSNBC (linked below), Russ
    Cooper, moderator of the NTBugTraq mailing list, has undertaken a
    project to create what he calls the "Responsible Disclosure Forum."
    Cooper thinks such a forum will better govern the release of security
    risk information to the public because the forum will decide what
    information to release and when to release it. Cooper didn't say how the
    forum will entice membership from the worldwide hacker community, but
    nonetheless, its objective seems clear: Curb the release of risk details
    in a manner that prevents exploitation.
    In the article, Cooper said, "It's better for everyone if we keep [this
    data] to ourselves. Why not keep it among the people who are considered
    responsible security practitioners? Most attackers aren't smart enough
    to write exploits themselves, so they rely on other people to release
    Actually, Cooper's statements make sense to me, but such a forum simply
    won't work. The rogues of the hacker community have already proven that
    when given only minor details about a bug, they can produce a working
    exploit in a relatively short amount of time. Also, heated discussions
    have taken place in past years about full disclosure of security risk
    details. Those discussions eventually led to several written policies
    that suggest a proper course of action that hackers should take with any
    release of security risk information. Russ Cooper has such a policy
    posted on his Web site (linked at the first URL below); however, a
    policy known as RFPolicy, authored by a person using the alias "rain
    forest puppy," is probably the most widely used standard in the hacker
    community today.
    According to either policy, the basic course of action is for the hacker
    to notify the vendor about the alleged bug, give the vendor a reasonable
    response time, give the vendor time to produce a patch, and release the
    bug information in relative unison (not beforehand) with the company
    suffering from the bug. Both policies seem reasonable, and many hackers
    adhere to the policies. But now it seems those practices are no longer
    good enough. 
    Case in point: eEye Digital Security. When eEye recently produced a
    sample program that demonstrates a security problem with Microsoft IIS,
    many users frowned on the company for doing so. Even though eEye worked
    with Microsoft to correct the problem and timed the release of its
    research with the release of Microsoft's own security bulletin and
    patch, certain circles still chastised eEye because the company's
    information included a working example. Certain people prefer that this
    practice--the open sharing of security-related scientific research and
    working models--be completely eliminated. Why? Because it's too easy for
    someone to turn such a model into a weapon. That's a weak argument in my
    The problems with network intrusion aren't based on the number of script
    kiddies using hand-me-down code snagged from a full-disclosure mailing
    list or Web site. The problems actually seem to be based on only two
    factors: the quality of the code and the quality of the network
    administration. With solid code and solid network administration in
    place, the actions of script kiddies, and even many of the best hackers,
    become relatively moot. The reality is that if someone intrudes on a
    computer system and the intrusion is because of a bug for which there is
    no patch, the code's vendor is at fault because the vendor wrote the
    code. Certainly, software vendors disclaim legal liability, but such
    disclaimers don't change where the fault truly lies. A faulty product is
    a faulty product, so trying to reduce a person's ability to obtain
    usable exploit code is like placing a Band-Aid on the wounds from a
    shotgun blast to the head. It only masks a small part of an incredibly
    serious problem.
    And that problem is firmly in vendors' hands. It's up to them to stop
    bug-related intrusion by producing better code before releasing that
    code into production. Typically, hackers do a lot of research to figure
    out all the details about a security risk they've discovered. When they
    hand that research over to a vendor in its entirety, they generally
    don't receive any compensation other than a simple written thanks from
    the vendor. These hackers are left to generate a living from their work
    in some other manner while the vendor freely enjoys the results of the
    hackers' labor. That's the way the security bug discovery game works
    If vendors want to see an end to full disclosure, they just might get a
    lot more than they bargained for. What if vendors no longer received
    full disclosure offerings from bug hunters? What if bug hunters change
    their policies so that they typically go to a vendor and say, for
    example, "We've been researching your product XYZ123 for 3 months and
    have found two dangerous holes in the ABC321 component of that product
    that grant complete system access to a remote user. We'll release full
    details of our research to the public in exactly 30 days unless you
    release a patch first, in which case, we'll release our details to
    coincide with your own release. Happy hunting!"? How would vendors react
    to that kind of cessation of full disclosure? If nothing else, it would
    teach vendors to become better bug hunters, if only after the fact.
    Instead of creating a "Responsible Disclosure Forum," I think Cooper
    would better spend his time trying to help vendors develop better
    debugging practices--especially more extensive beta testing programs.
    Why don't companies such as Microsoft develop tailored beta programs
    that seriously entice top-notch bug hunters to find holes in their
    products before releasing the products? Why can't a beta program remain
    operational even after a vendor releases a product into production?
    After all, a large number of security problems are found after vendors
    release products to the public. Why shouldn't a beta program also
    compensate bug hunters handsomely for their efforts? Microsoft and other
    software vendors certainly have the money to do so, and frankly, I think
    that'd be a fantastic investment on their part--everyone benefits. But
    will such a program come into existence? Don't hold your breath. Until
    next time, have a great week.
    Mark Joseph Edwards, News Editor, markat_private
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
       Steve McLeod discovered a vulnerability in Microsoft Word that lets
    an attacker modify a Word document in a way that prevents the security
    scanner from recognizing an embedded macro while still letting the macro
    execute. This vulnerability lets an attacker run a macro automatically
    when a user opens the document. Such a macro can take any action that
    the user can take, including disabling the user's Word security settings
    so that the user can no longer check subsequently opened Word documents
    for macros. Microsoft has acknowledged this vulnerability and recommends
    that users immediately apply the applicable patch contained in Security
    Bulletin MS01-034, which is linked at the URL below.  
       Nsfocus discovered a buffer overflow in Visual Studio RAD (Remote
    Application Deployment) Support, an optional sub-component of the
    FrontPage server extensions. The sub-component contains an unchecked
    buffer in a section that processes input. An attacker can exploit this
    vulnerability by sending a specially malformed packet to the component;
    the resulting code executes under the IUSR_machinename security context.
    Under the right circumstances, the attacker can also run the code under
    the system's security context, letting the attacker take any desired
    action on the server, including assuming full control of the server.
    This optional component of the FrontPage server extensions is not part
    of the default installation. Microsoft has released security bulletin
    MS01-035 for this vulnerability and recommends that users of this
    optional component immediately apply the patch.
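The defect class that MS01-035 describes, a copy of request data into a fixed-size buffer with no length check, and the bounded form a code reviewer would ask for instead. This is an added illustration in C, not the FrontPage or RAD code and not from Nsfocus or Microsoft; the field name, the 32-byte limit and the printable-ASCII rule are assumptions made for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Everything below is constructed for illustration: the real RAD component's
 * field names, sizes and parsing are not described in the bulletin summary. */
#define FIELD_MAX 32   /* assumed size of the fixed buffer that receives one request field */

enum parse_status { PARSE_OK = 0, PARSE_TOO_LONG = 1, PARSE_BAD_CHAR = 2 };

/*
 * The unchecked pattern (the defect class the bulletin describes), kept as a
 * comment so this file never executes it:
 *
 *     char field[FIELD_MAX];
 *     strcpy(field, request);   // copies until the NUL, however far away it is;
 *                               // a request of FIELD_MAX bytes or more overwrites
 *                               // whatever the compiler placed after 'field'
 */

/* Bounded version: measure with a limit, validate, and only then copy. */
enum parse_status copy_field(const char *request, char field[FIELD_MAX])
{
    /* Bounded scan: an unterminated request cannot make this loop run past FIELD_MAX. */
    size_t len = 0;
    while (len < FIELD_MAX && request[len] != '\0')
        len++;
    if (len == FIELD_MAX)
        return PARSE_TOO_LONG;         /* reject outright rather than truncate silently */

    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)request[i];
        if (c < 0x20 || c > 0x7e)      /* assumed: the field is printable ASCII only */
            return PARSE_BAD_CHAR;
    }
    memcpy(field, request, len + 1);   /* len + 1 <= FIELD_MAX, NUL included */
    return PARSE_OK;
}

/* 1 if the request passes the checks, 0 if it is rejected. */
int request_accepted(const char *request)
{
    char field[FIELD_MAX];
    return copy_field(request, field) == PARSE_OK;
}

/* Helper: is a request of n printable bytes accepted? (n capped at 255) */
int accepts_length(size_t n)
{
    char buf[256];
    if (n > 255)
        n = 255;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return request_accepted(buf);
}

int main(void)
{
    printf("31 bytes  : %s\n", accepts_length(31) ? "accepted" : "rejected");
    printf("32 bytes  : %s\n", accepts_length(32) ? "accepted" : "rejected");
    printf("200 bytes : %s\n", accepts_length(200) ? "accepted" : "rejected");
    printf("ctrl char : %s\n", request_accepted("bad\001name") ? "accepted" : "rejected");
    return 0;
}
```

Two design points are worth noticing: the length scan itself is bounded, so even a request that never carries a terminator cannot drive the loop past the buffer, and an over-long field is refused rather than truncated, because silent truncation tends to move the problem into whatever consumes the field next.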
    3. ==== ANNOUNCEMENTS ====
       OK, so you're not a programmer. But if you read Windows Scripting
    Solutions, a monthly print newsletter, you don't need to be. Tackle
    common problems and automate everyday, time-consuming tasks with our
    simple tools, tricks, and scripts. Subscribe today!
       Now there's a better way to find the perfect IT vendor or
    solution--absolutely free! The IT Buyer's Network (ITBN) lets you search
    through thousands of vendor solutions. You'll love the ITBN's one-stop
    shopping approach for hardware, network and systems software, IT
    services, and much more! Visit the ITBN today! 
    4. ==== SECURITY ROUNDUP ====
       To help consumers better understand how Web sites use their personal
    information, TRUSTe launched a new initiative called the Privacy Symbols
    and Labels Initiative. TRUSTe also hopes to expand its privacy
    protection beyond the Internet to other electronic devices, such as cell
    phones and Personal Digital Assistants (PDAs), that can gather personal
       (contributed by Sean Daily, Senior Contributing Editor, Windows 2000
    Magazine, seanat_private)
    In my guest article in the June 6 issue of WinInfo Daily UPDATE, I
    discussed a major bug in the Active Directory (AD) backup and restore
    API that affects a vast number of Windows 2000-based organizations. The
    bug, which Aelita Software first discovered, corrupts a high percent--in
    some cases, as high as 50 percent--of all AD backups. When you restore
    these corrupt backups to a Win2K domain controller (DC), the directory
    services won't start, and the system records several errors in the
    system event log. The problem affects all applications that use these
    APIs to perform AD backups (including system state backups performed
    with Win2K's built-in Ntbackup.exe utility and most third-party backup
    When I wrote that column, Microsoft hadn't documented the issue, either
    in the Microsoft Product Support Services (PSS) Knowledge Base or
    elsewhere. Given the problem's severity, I thought the omission was
    rather peculiar. Even more peculiar was that empirical data seemed to
    support the fact that Win2K Service Pack 2 (SP2) silently resolved the
    problem as quickly as it appeared--although Microsoft doesn't mention
    the problem or that SP2 provides a resolution in the SP2 documentation.
    On June 13, Microsoft officially acknowledged the problem with a PSS
    article (Q295932) titled "Windows 2000 Domain Controllers Restored with
    System State Backups Made Prior to SP2 May Not Boot." The article
    describes the symptoms I mentioned in my June 6 article and acknowledges
    that SP2 does provide a fix. The article also sheds light on the
    underlying reasons for when and why the problem occurs. 
    In the article, Microsoft states that the problem occurs in this
    situation: When you perform an AD backup on one Win2K DC, enough changes
    occur to the AD replica (because of local changes or replication) that
    the backup generates additional transaction logs, which in turn advance
    the Joint Engine Technology (JET) database checkpoint. Simultaneously,
    the system performs a second backup on another, relatively inactive DC,
    during which time the log-file generation and JET-checkpoint advancement
    don't occur. The second backup completes before the first backup can
    generate log files and advance the checkpoint. In this situation, the
    second DC backup is corrupt; if it's restored, the restored DC can't
    initialize the directory service. As a result, the problem will more
    likely occur when the first backup is relatively large because a
    commensurately larger window of time is available for the second backup
    to complete (and for the JET checkpoint to advance on the first DC).
    According to Microsoft, the situation is less likely to happen in busy
    AD network environments because in those situations, the usual, steady
    advancement of the JET checkpoint creates a lower exposure of risk for
    the second backup (if there are no additional logs and no advancement of
    the checkpoint). The end result--and the core of the problem--is that
    the system writes an outdated record of required transaction log files
    and checkpoint data to the backup media, then later restores it in the
    second backup. When the system restores the data, the header in the
    restored database references logs that aren't required for AD recovery,
    and some of these log files aren't included in the backup. This explains
    the appearance of "Log files are missing from system state" log entries.
    However, this information is misleading because the log files aren't
    missing; the number of log files referenced in the restored database
    header is incorrect.
    You'll find the article that discusses this problem on Microsoft's Web
    site (see URL below). If you've already updated your Win2K DCs to SP2,
    you don't need to worry. However, if you aren't planning to upgrade to
    SP2 immediately, you should seriously consider installing the hotfix
    Microsoft mentions in the article. (You'll need to contact Microsoft
    directly to obtain the hotfix, which works with both base-release and
    SP1 systems).  
       Compaq Computer will announce a massive reorganization today,
    retargeting itself at the service market and specific PC markets. The
    most controversial part of this plan, however, includes a de-emphasis of
    Compaq's current focus on hardware. Specifically, the company will
    announce that it's dropping its Alpha microprocessor in lieu of Intel's
    64-bit Itanium, which was announced earlier this month. The move is a
    disappointment for Alpha fans, who suffered through an acrimonious split
    with Windows 2000/NT support a few years back, only to be left in a
    high-end UNIX niche.
       This spring, privacy activists revealed that Microsoft's free email
    service, Hotmail, sends its subscribers' email address, city, and state
    information to InfoSpace, an Internet white pages service. InfoSpace
    then combines this information with the subscribers' telephone numbers
    and home addresses. The result is a user database that spam advertisers
    (advertisers that send bulk mailings) can--and do--access.
       Buyer's Guide: 802.11 Wireless Devices consists of products in two
    general categories: wireless NICs and wireless network infrastructure
    devices, which are generally known as access points (APs). The APs in
    this guide cover environments from the home office to the enterprise,
    but before you choose an 802.11b solution, be sure to assess your
    performance requirements and expectations. Wall and ceiling composition
    and other potential obstructions can contribute to interference, which
    can degrade performance of wireless networks. You should look also at
    relationships between speed and range and at the environmental factors
    that can affect these relationships. As with any product purchase, be
    sure to do your homework ahead of time, and choose the vendor that can
    satisfy your performance, reliability, and service requirements.
    5. ==== SECURITY TOOLKIT ====
    Book Highlight: Cisco Secure Internet Security Solutions
       By Andrew G. Mason, Mark J. Newcomb
       Fatbrain Online Price: $55.00
       Hardcover; 528 pages
       Published by Cisco Press, June 2001
       ISBN 1587050161
    For more information or to purchase this book, go to
    and enter WIN2000MAG as the discount code when you order the book.
       Panda Software and the Windows 2000 Magazine Network have teamed to
    bring you the Center for Virus Control. Visit the site often to remain
    informed about the latest threats to your system security.
    Virus Alert: W32/MSInit.B
       W32/MSInit.B is a worm that uses a TCP/IP connection to access other
    systems. To do this, it searches for IP addresses at random. When it
    finds an IP address that allows access to a disk where Windows is
    installed, the worm creates a copy of itself in the Windows\System
    directory in the form of a file called Wininit.exe. Visit the following
    URL for complete details about this worm.
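A worm that probes addresses at random, as the description above says this one does, leaves a recognisable trace in connection logs: one source opening connections to many different destinations in a short time. The C program below, an added example that is not from Panda Software or the newsletter, counts distinct destinations per source over a few constructed firewall-style log lines and flags sources above a threshold. The log format, the threshold of 5 and the use of port 139 in the sample lines are all assumptions for the example.

```c
#include <stdio.h>
#include <string.h>

#define MAX_DISTINCT 64     /* distinct destinations tracked per source */
#define SCAN_THRESHOLD 5    /* assumed: more distinct targets than this flags a scan */

/* Constructed sample log lines for this example (not real traffic). The line
 * format is assumed: "<time> src=<ip> dst=<ip> dport=<port> proto=tcp".
 * 10.0.0.5 touches many different hosts on one port, the pattern of a worm
 * probing addresses at random; 10.0.0.9 talks to one server repeatedly,
 * which is ordinary client behaviour. */
static const char *SAMPLE_LOG[] = {
    "10:01:02 src=10.0.0.5 dst=10.0.1.7 dport=139 proto=tcp",
    "10:01:02 src=10.0.0.5 dst=10.0.1.8 dport=139 proto=tcp",
    "10:01:03 src=10.0.0.9 dst=10.0.2.1 dport=139 proto=tcp",
    "10:01:03 src=10.0.0.5 dst=10.0.1.9 dport=139 proto=tcp",
    "10:01:03 src=10.0.0.5 dst=10.0.1.7 dport=139 proto=tcp",   /* repeat of a target, not distinct */
    "10:01:04 src=10.0.0.5 dst=172.16.4.2 dport=139 proto=tcp",
    "10:01:04 src=10.0.0.9 dst=10.0.2.1 dport=139 proto=tcp",
    "10:01:05 src=10.0.0.5 dst=192.168.7.30 dport=139 proto=tcp",
    "10:01:05 src=10.0.0.5 dst=10.0.5.14 dport=139 proto=tcp",
    "10:01:06 src=10.0.0.9 dst=10.0.2.1 dport=139 proto=tcp",
    "10:01:06 src=10.0.0.5 dst=10.0.6.2 dport=139 proto=tcp",
};
static const int SAMPLE_LOG_LEN = (int)(sizeof SAMPLE_LOG / sizeof SAMPLE_LOG[0]);

/* Parse one line into src/dst; returns 1 on success, 0 for a malformed line. */
static int parse_line(const char *line, char src[16], char dst[16])
{
    int port;
    /* %15s bounds each address to 15 characters plus the NUL, so the buffers cannot overflow. */
    return sscanf(line, "%*s src=%15s dst=%15s dport=%d", src, dst, &port) == 3;
}

/* Count the distinct destinations that 'src_wanted' connected to across the log. */
int distinct_targets(const char *src_wanted, const char *const *lines, int nlines)
{
    char seen[MAX_DISTINCT][16];
    int nseen = 0;

    for (int i = 0; i < nlines; i++) {
        char src[16], dst[16];
        if (!parse_line(lines[i], src, dst) || strcmp(src, src_wanted) != 0)
            continue;                       /* malformed line or a different source */
        int dup = 0;
        for (int j = 0; j < nseen; j++)
            if (strcmp(seen[j], dst) == 0) { dup = 1; break; }
        if (!dup && nseen < MAX_DISTINCT)
            strcpy(seen[nseen++], dst);     /* dst is at most 15 chars + NUL (see parse_line) */
    }
    return nseen;
}

/* 1 if the source's distinct-target count exceeds the threshold, else 0. */
int is_scanning(const char *src, const char *const *lines, int nlines, int threshold)
{
    return distinct_targets(src, lines, nlines) > threshold;
}

int main(void)
{
    const char *sources[] = { "10.0.0.5", "10.0.0.9" };
    for (int i = 0; i < 2; i++)
        printf("%-10s distinct targets=%d  %s\n", sources[i],
               distinct_targets(sources[i], SAMPLE_LOG, SAMPLE_LOG_LEN),
               is_scanning(sources[i], SAMPLE_LOG, SAMPLE_LOG_LEN, SCAN_THRESHOLD)
                   ? "SCAN SUSPECTED" : "normal");
    return 0;
}
```

Counting distinct destinations rather than raw connections is what separates the probing host from a busy but legitimate client: 10.0.0.9 makes three connections but to a single server, while 10.0.0.5 reaches seven different hosts. In a real deployment the count would be kept per time window and the threshold tuned to the network's normal fan-out.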
       (contributed by David Carroll, dcarrollat_private)
    Q. Why do we have license-related issues after upgrading from Windows NT
    to Windows 2000? Our company upgraded its client machines to Windows
    2000 Professional, and we decided to upgrade from NT Server 4.0,
    Terminal Server Edition (TSE) to Win2K Server Terminal Services at the
    same time. Now, however, when some users try to access the terminal
    server from Win2K Pro machines, they can't connect. According to the
    Event Viewer, the temporary licenses have expired. I didn't think that
    Win2K Pro clients needed terminal services client access licenses
    (TSCALs). What am I missing, and how do I fix this problem?
    A. Win2K Pro clients have built-in TSCALs. Nevertheless, if you don't
    have a Terminal Services licensing server set up and registered on your
    network, your Win2K Pro clients might still experience the problems you
    described. The first time the clients connect, they grab 90-day
    temporary licenses. The next time they connect, they try to upgrade
    those temporary licenses to full TSCALs. Consult the Terminal Services
    licensing tool to see which licenses your terminal server has issued.
    Get more information about this issue on our Web site.
       One of the lesser-known features of Windows 2000's IP Security
    (IPSec) is packet filtering based on IP addresses and port filtering.
    With IPSec filtering, you wrap your servers or workstations with another
    layer of security that protects them against attackers who try to
    connect from elsewhere on your internal network or from the Internet.
    You can use this technology in many ways, but in this article, Randy
    Franklin Smith shows you how to protect onsite workstations exposed to
    the Internet, laptops that employees use to dial into an ISP when
    traveling off site, and computers that employees use to telecommute.
    6. ========== NEW AND IMPROVED ==========
       (contributed by Scott Firestone, IV, productsat_private)
       Solagent released Solagent Secure, software that lets you protect and
    manage data on your mobile computing devices after someone steals your
    device. The software lets you remotely encrypt data and determine
    whether anyone compromised the data on your laptop or Personal Digital
    Assistant (PDA) without alerting the unauthorized user. The software is
    available on a subscription basis and costs $29.95 per year for an
    individual subscription. Contact Solagent at 800-229-8661.
       Auscomp released Auscomp Fort Knox 3.0, software that uses one master
    password to securely encrypt and protect any private files or
    information--PINs, passwords, accounts, documents, passports, images,
    programs, and spreadsheets. The software features network and Internet
    synchronization capability, password repository, file locker, and an
    auto-logon feature. Auscomp Fort Knox 3.0 runs on Windows 2000, Windows
    NT, Windows Me, and Windows 9x systems. The software is available in
    free, personal, and network licenses. Contact Auscomp at
    7. ==== HOT THREADS ====
    Featured Thread: Changing the Time Privilege in NT
       (Ten messages in this thread)
    This user has problems with other users in a domain not being able to
    change the system time because they don't have the proper privilege
    level. The user has set up the users' profiles in User Manager
    (Policies\user rights\change the system time), but the other users are
    still unable to change the time. Read the responses of others or lend a
    helping hand at the following URL:
    Featured Thread: Warning to McAfee.com VirusScan Online Users
       (One message in this thread)
    This user is experiencing permission problems that prevent McAfee
    VirusScan Online from starting up. As a result, the user might think
    that virus protection is active on his or her system when in fact it
    might not be active. The problems began to happen after a recent
    upgrade, when the user went to download the most recent virus signature
    files. Have you experienced a similar condition on your system? Read the
    responses or lend a hand at the following URL:

    8. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    * ABOUT THE COMMENTARY -- markat_private
    * ABOUT THE NEWSLETTER IN GENERAL -- tfaubionat_private; please
    mention the newsletter name in the subject line.
    * TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
    * PRODUCT NEWS -- productsat_private
    Support at securityupdateat_private
    * WANT TO SPONSOR Security UPDATE? emedia_oppsat_private
       This weekly email newsletter is brought to you by Windows 2000
    Magazine, the leading publication for Windows 2000/NT professionals who
    want to learn more and perform better. Subscribe today.
       Receive the latest information about the Windows 2000 and Windows NT
    topics of your choice. Subscribe to our other FREE email newsletters.
    Thank you for reading Security UPDATE.
    To subscribe send a blank email to
    If you have questions or problems with your UPDATE subscription, please
    contact securityupdateat_private 
    ISN is hosted by SecurityFocus.com
    To unsubscribe email isn-unsubscribeat_private

    This archive was generated by hypermail 2b30 : Thu Jun 28 2001 - 03:05:51 PDT