[ISN] Security UPDATE, October 10, 2001

From: InfoSec News (isnat_private)
Date: Thu Oct 11 2001 - 04:16:03 PDT


    ********************
    Windows 2000 Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows 2000 and NT systems.
       http://www.secadministrator.com
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    Close Massive Local Security Hole in NT/2000/XP
       http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0gDY0AO 
    
    Connected Home Magazine Virtual Tour
       http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0LTe0AP 
       (below SECURITY RISKS)
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: CLOSE MASSIVE LOCAL SECURITY HOLE IN NT/2000/XP ~~~~
       Did you ever consider that the same local administrator account and 
    password is stored on every NT/2000/XP workstation in your 
    organization?
       If this account were to become compromised, or one of your 
    administrators were to leave, how would you change this backdoor 
    account on all of your workstations? User Manager Pro for Windows 
    NT/2000/XP makes mass changes to the local security of your 
    workstations in minutes.
       FREE TRIAL: http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0gDY0AO 
    
    ********************
    
    October 10, 2001--In this issue:
    
    1. IN FOCUS
         - The New Microsoft STPP: Is It Enough?
    
    2. SECURITY RISKS
         - Excel and PowerPoint Macro-Checking Bypass
         - DoS in AOL Instant Messenger
         - DoS in Cisco Secure PIX Firewall
    
    3. ANNOUNCEMENT
         - Test Your Windows XP Knowledge--Free!
    
    4. INSTANT POLL
         - Results of Previous Poll: Nimda Worm
         - Instant Poll: Drop Microsoft IIS?
    
    5. SECURITY ROUNDUP
         - News: Microsoft Announces Major Changes to Security Practices
         - News: Sun Lowers Costs to Woo IIS Customers
         - News: Sun and AOL Announce Passport Competitors
         - Feature: 20 Tips for Exchange 2000 Migration 
         - Review: Enterprise Backup Solutions 
    
    6. HOT RELEASE (ADVERTISEMENT)
         - Sponsored by Stop Password Hackers with Password Bouncer! 
    
    7. SECURITY TOOLKIT
         - Virus Center
         - FAQ: Why Do I Receive Microsoft Passport-related Errors When I 
    Visit Some Web Sites?
    
    8. NEW AND IMPROVED
         - Manage Passwords
         - Establish a Secure Channel
    
    9. HOT THREADS
         - Windows 2000 Magazine Online Forums
             - Featured Thread: Recommended Antivirus Program
         - HowTo Mailing List:
             - Featured Thread: Outlook/Exchange Connection
    
    10. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== COMMENTARY ====
    
    Hello everyone,
    
    You've no doubt heard the news by now: Microsoft launched the Strategic 
    Technology Protection Program (STPP) to help companies get secure and 
    stay secure. STPP consists of five offerings in consulting services and 
    software that companies can use to change how they handle network 
    security. The software helps lock down systems and services and helps 
    automate patch installation. The consulting services help users deal 
    with design, planning, and serious security threats, such as the Nimda 
    worm, which affects multiple products. You can learn more about STPP by 
    reading the related news item in the SECURITY ROUNDUP section of this 
    newsletter. 
    
    STPP is a good step forward for Microsoft and its customers, but is it 
    enough? The STPP announcement comes after Gartner Group issued its 
    stern statements 2 weeks ago. Gartner recommends that users who've been 
    affected by security intrusions due to Microsoft IIS bugs should 
    consider migrating to another Web server platform, such as iPlanet or 
    Apache. You can read about Gartner's comments in Paul Thurrott's 
    related news story on our Web site.
       http://www.secadministrator.com/articles/index.cfm?articleid=22587
    
    Gartner's comments stem from the number of exploitable vulnerabilities 
    in the IIS source code. For example, as of October 9, 2001, the 
    Microsoft security Web site lists 22 bulletins about Internet 
    Information Services (IIS) 5.0 security vulnerabilities and 36 
    bulletins about Internet Information Server (IIS) 4.0 security 
    vulnerabilities. STPP will help Microsoft guard against security 
    vulnerabilities, but the fact that users need so many patches clearly 
    indicates a deeper problem: faulty coding practices. 
    
    Granted, Microsoft released URLScan, which is a fantastic way to 
    prevent unknown bugs from becoming exploitable security risks, but even 
    so, many people view URLScan as just another patch. As you'll learn by 
    reading our news story about STPP, Microsoft designed new analysis 
    tools to use when developing Windows XP code--tools that help find bugs 
    that can become security risks. Microsoft is also using those tools to 
    analyze Windows 2000 patches and service pack code. So we can expect 
    IIS 5.0 to become more secure as Microsoft releases new service packs, 
    and IIS 6.0 should be more secure than its predecessors. URLScan will 
    be built into IIS 6.0.
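
    To make concrete why a generic request filter such as URLScan can stop 
    bugs that nobody has found yet, here is an added example (my code, not 
    Microsoft's URLScan and not from this newsletter) that reimplements the 
    core of the checks urlscan.ini documents, in plain Python: an allow-list 
    of verbs, a denied-extension list, URL decoding followed by a second 
    decode that catches double encoding, rejection of high-bit bytes, and a 
    denied-sequence list. The policy constants are my own choices modeled 
    on the sample urlscan.ini, and the request lines it is run against are 
    constructed: the Code Red .ida request, the two Nimda cmd.exe 
    traversals, the root.exe backdoor call, and a WebDAV PROPFIND.

```python
"""Simplified URLScan-style request filter.

Added example, not Microsoft's URLScan code.  URLScan runs as an ISAPI
filter in front of IIS and rejects requests that violate a static policy
before any IIS component parses them.  The checks below mirror the ones
urlscan.ini documents; the policy constants are demo choices modeled on
the sample urlscan.ini, not a copy of it.
"""
import urllib.parse

ALLOWED_VERBS = {"GET", "HEAD", "POST"}          # no PROPFIND/SEARCH (WebDAV)
DENIED_EXTENSIONS = {".ida", ".idq", ".htr", ".printer", ".exe", ".bat",
                     ".cmd", ".com", ".asa", ".ini", ".log"}
DENIED_SEQUENCES = ("..", "./", "\\", ":", "%", "&")

# Constructed request lines shaped like the worm traffic of 2001.
SAMPLE_REQUESTS = [
    "GET /default.htm HTTP/1.0",
    "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858=a HTTP/1.0",
    "GET /scripts/..%c1%1c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir HTTP/1.0",
    "GET /scripts/root.exe?/c+dir HTTP/1.0",
    "PROPFIND / HTTP/1.1",
]


def _extension(path):
    """Extension of the last path segment, lower-cased, or '' if none."""
    segment = path.rsplit("/", 1)[-1]
    if "." not in segment:
        return ""
    return "." + segment.rsplit(".", 1)[1].lower()


def check_request(request_line):
    """Return the list of policy violations for one HTTP request line.

    An empty list means the request would be passed through to IIS.  All
    violations are collected rather than stopping at the first so the
    overlap between rules is visible.
    """
    parts = request_line.split()
    if len(parts) < 2:
        return ["malformed request line"]
    verb, target = parts[0], parts[1]
    reasons = []

    if verb.upper() not in ALLOWED_VERBS:
        reasons.append(f"verb {verb!r} not allowed")

    raw_path = target.split("?", 1)[0]      # scan the path; the query is the app's problem
    once = urllib.parse.unquote_to_bytes(raw_path)
    twice = urllib.parse.unquote_to_bytes(once)
    if twice != once:                        # %255c -> %5c -> '\': double encoding
        reasons.append("double-encoded URL (normalizing twice changes it)")
    if any(b >= 0x80 for b in once):         # %c1%1c and friends after decoding
        reasons.append("high-bit byte in decoded URL")

    path = once.decode("latin-1")            # byte-for-byte view for substring checks
    for seq in DENIED_SEQUENCES:
        if seq in path:
            reasons.append(f"denied sequence {seq!r}")
    ext = _extension(path)
    if ext in DENIED_EXTENSIONS:
        reasons.append(f"denied extension {ext!r}")
    return reasons


if __name__ == "__main__":
    for line in SAMPLE_REQUESTS:
        verdict = check_request(line)
        print("PASS" if not verdict else "DENY", line.split()[1], verdict)
```

    Note that the .ida request is rejected on its extension alone, before 
    the query string that carries the overflow is ever looked at, and the 
    Nimda traversal trips three rules at once, so both would have been 
    dropped on an IIS that had not yet been patched for the underlying 
    bugs. That is the sense in which URLScan is more than just another 
    patch. The trade-off is that a policy this tight also rejects 
    legitimate .exe or WebDAV use, so the lists have to be tuned per 
    server rather than copied blindly.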
    
    Before you take Gartner's advice, you might give Microsoft a chance to 
    show how its new code analysis provides increased security in IIS 6.0. 
    Of course, IIS 6.0 will ship with Windows .NET Server rather than XP 
    (XP ships IIS 5.1), so it means waiting for another OS release; in the 
    meantime, you might be interested to learn that Microsoft has again 
    postponed its controversial new licensing program. Read about it in 
    Paul Thurrott's new story on our WinInformant Web site at the URL below. 
       http://www.wininformant.com/articles/index.cfm?articleid=22808
    
    I asked Scott Culp, manager of Microsoft's Security Response Center, if 
    IIS 6.0 is stronger code than its predecessors. As you know, IIS 5.1 
    ships with XP, and Culp said Microsoft believes that the quality of the 
    code in IIS 5.1 is in fact better than what is in IIS 5.0. 
    
    "IIS 5.1 was built using the processes and tools that were developed as 
    part of the Secure Windows Initiative [SWI], and we're seeing dramatic 
    improvements in products built under SWI, across the board. Fewer 
    coding errors means fewer vulnerabilities, which should mean better 
    security. But as you know, security is about more than just code 
    quality," Culp said. "That's where IIS 6.0 (which will be part of 
    Windows .Net Server) comes in. The primary difference between IIS 5.1 
    and IIS 5.0 is the code quality--most other aspects of the product are 
    the same or only changed in minor ways. In contrast, IIS 6.0 contains 
    code quality improvements, but also includes significant architectural 
    changes as well. For instance, IIS 6.0 won't install by default. When 
    you do install it, the setup wizard will interview you to find out what 
    you're planning to do with the server, and only enable the services 
    you'll need. The net is that IIS 5.1 should be more secure than its 
    predecessors because of the code quality improvements. But IIS 6.0 will 
    encompass code changes, architectural improvements, and new features. 
    As a result, the security improvements there should be much more 
    dramatic."
    
    Nevertheless, if you're considering a move away from IIS, you'll be 
    interested to know that Sun Microsystems lowered the cost of iPlanet to 
    woo IIS customers. Formerly, iPlanet cost $1495 per CPU; however, Sun 
    now offers the platform for $940 per CPU to any customer who moves from 
    a competing platform. See the news story in the SECURITY ROUNDUP 
    section of this newsletter. 
    
    According to Netcraft's September Web survey results, 49.6 percent of 
    all Web systems polled run a Microsoft OS and probably IIS. Results 
    also show that many of those systems exhibit known security risks. As 
    of September 1, 8.5 percent of the systems Netcraft surveyed still have 
    the root.exe program, which is a backdoor associated with the Code Red 
    worm, installed; 37.14 percent still have the IIS-related WebDAV 
    functionality overly exposed; and 17.14 percent have their 
    administration Web pages open to the public and are vulnerable to known 
    URL-encoding exploits and known bugs in IIS-related sample pages and 
    scripts. Overall, one out of every five IIS servers is vulnerable to 
    attack. You can read Netcraft's survey results on its Web site. 
       http://www.netcraft.com/survey
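
    Netcraft gets those figures by probing servers from the outside. From 
    the inside, the same indicators show up in the IIS logs, and the first 
    thing an administrator wants to know is whether a 200 for root.exe or 
    cmd.exe means the server actually ran the command. The following added 
    example (my code, not from Netcraft or this newsletter) parses W3C 
    extended log lines using the #Fields directive and flags the three 
    request shapes discussed above. The log lines are constructed for the 
    demo; the signatures are the well-known Code Red (.ida with a long run 
    of N or X), Code Red II (root.exe under /scripts or /MSADC) and Nimda 
    (encoded ../ traversal to cmd.exe) request forms.

```python
"""Scan IIS W3C-extended log lines for Code Red / Nimda indicators.

Added example, not from the newsletter or Netcraft.  SAMPLE_LOG is
constructed for the demo; the request shapes are the well-known ones
from the Code Red (.ida overflow), Code Red II (root.exe backdoor) and
Nimda (encoded ../ traversal to cmd.exe) worms.
"""
import re
from collections import Counter

SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-09-18 03:00:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-09-18 03:12:44 10.0.0.7 GET /default.htm - 200
2001-09-18 03:12:51 192.0.2.44 GET /scripts/root.exe /c+dir 200
2001-09-18 03:12:52 192.0.2.44 GET /MSADC/root.exe /c+dir 200
2001-09-18 03:12:53 192.0.2.44 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
2001-09-18 03:13:01 198.51.100.9 GET /default.ida NNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858=a 200
2001-09-18 03:13:05 203.0.113.5 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
"""

IDA_OVERFLOW = ".ida buffer overflow (Code Red)"

# (name, predicate on (stem, query)); first match wins.
SIGNATURES = [
    ("root.exe backdoor call",
     lambda stem, query: stem.lower().endswith("/root.exe")),
    ("encoded traversal to cmd.exe",
     lambda stem, query: "cmd.exe" in stem.lower()
     and re.search(r"\.\.|%c[01]|%25", stem, re.I) is not None),
    (IDA_OVERFLOW,
     lambda stem, query: stem.lower().endswith(".ida")
     and re.match(r"[NX]{20,}", query) is not None),
]


def parse_w3c(text):
    """Yield one dict per record, naming columns from the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#"):
            continue
        values = line.split()
        if fields is None or len(values) != len(fields):
            continue                     # record we cannot map to columns
        yield dict(zip(fields, values))


def classify(stem, query):
    """Name of the first matching worm signature, or None."""
    for name, matches in SIGNATURES:
        if matches(stem, query):
            return name
    return None


def analyze_log(text):
    """Return attack events, confirmed-compromise indicators and per-source counts."""
    events, compromised, sources = [], [], Counter()
    for rec in parse_w3c(text):
        kind = classify(rec["cs-uri-stem"], rec.get("cs-uri-query", "-"))
        if kind is None:
            continue
        status = int(rec["sc-status"])
        events.append((rec["c-ip"], kind, status))
        sources[rec["c-ip"]] += 1
        # A 200 for root.exe or a cmd.exe traversal means IIS ran the command:
        # the host is compromised, not merely probed.  A 200 on the .ida
        # request only shows the .ida mapping is still present.
        if status == 200 and kind != IDA_OVERFLOW:
            compromised.append((rec["c-ip"], rec["cs-uri-stem"]))
    return {"events": events, "compromised": compromised, "sources": sources}


if __name__ == "__main__":
    result = analyze_log(SAMPLE_LOG)
    for ip, kind, status in result["events"]:
        print(f"{ip:15} {status} {kind}")
    print("compromise indicators:", result["compromised"])
    print("requests per source:", dict(result["sources"]))
```

    A 404 for cmd.exe is a probe that failed; a 200 for root.exe or for a 
    cmd.exe traversal means the command ran, and the host should be 
    treated as compromised and rebuilt, not just patched. A 200 on the 
    .ida request only tells you the .ida script mapping was still in 
    place; whether that overflow succeeded has to be checked on the host 
    itself. The per-source counts are what you hand to whoever owns the 
    scanning addresses, since in the Nimda case they are usually other 
    infected servers.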
    
    Speaking of surveys, be sure to stop by our Security Administrator home 
    page to take our new poll concerning Gartner's comments. Are you 
    planning to switch Web server platforms? We're interested to know how 
    Gartner's comments might affect your decisions. 
       http://www.secadministrator.com
    
    Last week, I mentioned the Eraser tool, which helps users prevent 
    unauthorized recovery of deleted files. Norman Samuelson wrote to 
    remind me that to keep data safe, users should be aware that some disk-
    defragmentation software can inadvertently expose some or all of your 
    sensitive data. This scenario might occur when you move sensitive files 
    during a defragmentation process and the software doesn't wipe the data 
    sufficiently clean from the disk's formerly occupied sectors. It's a 
    good idea either to mark your sensitive data files as unmovable within 
    your defragmentation software or to configure the defragmentation 
    software to wipe disk data after moving files, if your software offers 
    such functionality. Otherwise, use a disk-wiping tool that wipes all 
    unused disk sectors after you've completed the defragmentation process. 
    Eraser can do that on demand or based on your defined schedule (see URL 
    below). Until next time, have a great week. 
       http://www.tolvanen.com/eraser/download.shtml
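
    Here is what "wipe all unused disk sectors" amounts to in practice, as 
    an added example (my code, not Eraser's): allocate a file, fill it 
    with random data until the volume reports it is full, force the data 
    to disk, and only then delete the file. The max_bytes cap is an 
    assumption I added so the function can be exercised against a temp 
    directory without filling a real volume; pass None to wipe a whole 
    volume.

```python
"""Overwrite unallocated space on a volume by filling it with random data.

Added example, not Eraser's code.  After a defragmenter moves a file, the
sectors it used to occupy are unallocated but still hold the plaintext.
From user space the only way to reach them is to allocate the free space
and overwrite it, which is what this does.  The max_bytes cap is a demo
assumption so the function can run against a temp directory.
"""
import errno
import os
import tempfile

CHUNK = 1024 * 1024  # 1 MiB per write


def wipe_free_space(directory, max_bytes=None, chunk=CHUNK):
    """Fill the free space on the volume holding `directory`, then release it.

    Returns the number of bytes written.  Writing stops at ENOSPC (volume
    full) or once `max_bytes` have been written.  The fsync before unlink
    matters: dirty pages of a file that is deleted first may never be
    written, leaving the old sectors untouched.
    """
    fd, path = tempfile.mkstemp(prefix="wipe-", dir=directory)
    written = 0
    try:
        while max_bytes is None or written < max_bytes:
            n = chunk if max_bytes is None else min(chunk, max_bytes - written)
            try:
                written += os.write(fd, os.urandom(n))
            except OSError as e:
                if e.errno == errno.ENOSPC:
                    break                    # volume is full: job done
                raise
        os.fsync(fd)                         # force the random data onto the platters
    finally:
        os.close(fd)
        os.unlink(path)                      # hand the (now overwritten) space back
    return written


def demo(max_bytes=2 * CHUNK + 17):
    """Run the wipe in a fresh temp directory; returns (bytes_written, files_left)."""
    with tempfile.TemporaryDirectory() as d:
        written = wipe_free_space(d, max_bytes=max_bytes)
        return written, len(os.listdir(d))


if __name__ == "__main__":
    print("wrote %d bytes, %d files left behind" % demo())
```

    Two caveats a practitioner should know. First, space the file system 
    never hands to a user file cannot be reached this way: blocks an ext2 
    or ext3 volume reserves for root, and the small files NTFS keeps 
    resident inside their MFT records, among others. Second, the fsync 
    before the delete is not optional; delete first and the OS may drop 
    the buffered random data without ever writing it, which defeats the 
    point.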
    
    Sincerely,
    
    Mark Joseph Edwards, News Editor, markat_private
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * EXCEL AND POWERPOINT MACRO-CHECKING BYPASS
       Peter Ferrie of Symantec Security Response reported a vulnerability 
    in Microsoft Excel and PowerPoint (for Windows and Macintosh) that 
    might let a malicious user bypass macro-checking to automatically 
    execute a script when opening a document. Microsoft released Security 
    Bulletin MS01-050 to address this problem. The bulletin lists the 
    patches and patch-installation instructions.
       http://www.secadministrator.com/articles/index.cfm?articleid=22789
    
    * DOS IN AOL INSTANT MESSENGER
       Matthew Sachs reported a Denial of Service (DoS) condition in AOL 
    Instant Messenger. An attacker who can send instant messages to a user 
    signed on to the AOL Instant Messenger service can crash that user's 
    AOL Instant Messenger. The default settings let anyone send instant 
    messages to the user. When an attacker sends a text message with 
    certain symbols repeatedly (approximately 640 or more times), the 
    Instant Messenger client crashes. To minimize exposure to this 
    vulnerability, users should restrict the ability to receive instant 
    messages to only the people the users select. AOL has been notified of 
    this vulnerability.
       http://www.secadministrator.com/articles/index.cfm?articleid=22757
    
    * DOS IN CISCO SECURE PIX FIREWALL
       A vulnerability in Cisco Secure PIX Firewall authentication can 
    result in a Denial of Service (DoS) condition. When a user configures 
    AAA (Authentication, Authorization, Accounting) authentication services 
    on the Cisco Secure PIX Firewall, a single source address can consume 
    all authentication resources, preventing other legitimate users from 
    authenticating. This DoS affects only the authentication resources; 
    other established traffic continues unaffected, and the DoS prevents 
    only new authentication requests. Cisco issued a notice about this 
    vulnerability and recommends that customers obtain a firmware upgrade 
    through Cisco distribution channels.
       http://www.secadministrator.com/articles/Index.cfm?articleid=22758
    
    ********************
    
    ~~~~ SPONSOR: CONNECTED HOME MAGAZINE VIRTUAL TOUR ~~~~
       What Does The Home Of The Not-Too-Distant Future Look Like?
       You've never seen anything like the Connected Home Magazine Virtual 
    Tour. Experience (room by room) the latest home entertainment, home 
    networking, and home automation options that are going to change how 
    you work and play. While you're there, sign up for a free copy of 
    Windows XP!  
       http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0LTe0AP 
    
    ~~~~~~~~~~~~~~~~~~~~
    
    3. ==== ANNOUNCEMENT ====
    
    * TEST YOUR WINDOWS XP KNOWLEDGE--FREE!
       Our MCSE Exam 70-270 Question-of-the-Day email dives into the new 
    Windows XP topics such as installing and configuring handheld devices 
    and managing mobile users, while also measuring your skills in 
    networking basics, TCP/IP fundamentals, user accounts, protocol 
    features, and much more. Sign up (for FREE) today!
       http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0KrD0AL 
    
    4. ==== INSTANT POLL ==== 
    
    * RESULTS OF PREVIOUS POLL: NIMDA WORM 
       The voting has closed in Windows 2000 Magazine's Security 
    Administrator Channel nonscientific Instant Poll for the question, "Has 
    your system become infected by the Nimda worm?" Here are the results 
    (+/-2 percent) from the 715 votes:
       - 31% Significantly--we've lost days disinfecting systems 
       - 37% Not at all 
       - 18% Somewhat 
       - 14% Hardly at all
    
    * INSTANT POLL: DROP MICROSOFT IIS?
       The Gartner Group is recommending that companies affected by 
    security problems in Microsoft IIS drop IIS in favor of other Web 
    server platforms. The current Instant Poll question is, "Does your 
    company plan to do one of the following? a) Move to a yet-to-be-
    determined platform, b) Move to Apache? c) Move to iPlanet, d) Consider 
    the recommendation, or e) Not change--you need Microsoft technology?" 
    Go to the Security Administrator Channel home page and submit your 
    vote.
       http://www.secadministrator.com
    
    5. ==== SECURITY ROUNDUP ====
    
    * NEWS: MICROSOFT ANNOUNCES MAJOR CHANGES TO SECURITY PRACTICES
       Microsoft announced several major changes to its security practices 
    designed to help remediate the unpatched systems that the Code Red and 
    Nimda worms recently infected. Microsoft also hopes these practices will 
    help companies build security into any future networks from the outset. 
    Brian Valentine, senior vice president of the Windows division at 
    Microsoft, said that the company will make an unprecedented effort to 
    help customers secure their systems from Internet-based threats by 
    using the new Microsoft Strategic Technology Protection Program (STPP).
       http://www.secadministrator.com/articles/index.cfm?articleid=22751
    
    * NEWS: SUN LOWERS COSTS TO WOO IIS CUSTOMERS
       In a bid to take advantage of the recent Microsoft product security 
    scares, Sun Microsystems has lowered the price of its iPlanet Web 
    Server by 37 percent. The company hopes that Microsoft IIS customers, 
    worried about constant security breaches, will move to the Sun 
    platform. Sun will provide additional tools that ease the process. The 
    price reduction cuts the cost of iPlanet from $1495 per processor to 
    $940 per processor, for any customer moving from a competing platform.
       http://www.secadministrator.com/Articles/Index.cfm?ArticleID=22809
    
    * NEWS: SUN AND AOL ANNOUNCE PASSPORT COMPETITORS
       A growing feeling in the computer industry is that, where Microsoft 
    is concerned, you should strike when the company is down. In light of 
    the amount of negative press this year about Microsoft Windows XP, 
    HailStorm (now called .NET My Services), and Passport, we shouldn't be 
    surprised that the company's competitors--such as AOL, Oracle, Sun 
    Microsystems, and IBM--recently announced initiatives that will compete 
    with Microsoft's plans for the .NET future. Two of these competitors, 
    Sun and AOL, announced services that the companies hope will supplant 
    Passport.
       http://www.secadministrator.com/articles/index.cfm?articleid=22783
    
    * FEATURE: 20 TIPS FOR EXCHANGE 2000 MIGRATION
       The move from Microsoft Exchange Server 5.5 to Exchange 2000 Server 
    and the corresponding move from Windows NT to Windows 2000 are among 
    the most significant changes you'll make to your infrastructure in the 
    near future. Because an Exchange 2000 migration requires some 
    fundamental changes to your environment, setting out on the road to 
    Exchange 2000 without understanding every detail of the migration isn't 
    smart. Read Kieran McCorry's article for Windows 2000 Magazine (October 
    2001) to be sure you don't overlook anything crucial.
       http://secadministrator.com/articles/index.cfm?articleid=22252
    
    * REVIEW: ENTERPRISE BACKUP SOLUTIONS
       Enterprise-level backup programs can provide peace of mind that the 
    data on your servers is safe and secure. If your backup software 
    doesn't give that protected feeling, you might want to invest in a 
    solid insurance policy for your data. Ed Roth found seven products that 
    offer the comprehensive client support and advanced features necessary 
    to enable centralized backup in an enterprise.
       The products that Roth considered for this comparative review needed 
    to offer backup and restoration capabilities on Windows 2000, Windows 
    NT, Novell NetWare 5.1, and Sun Microsystems' Solaris 8 platforms. The 
    products also needed to be able to perform online backups and restores 
    of SQL Server 7.0 databases and Microsoft Exchange Server 5.5's 
    Directory Store, Information Store (IS), and individual mailboxes. Read 
    the review to learn what Roth found regarding base capabilities, 
    performance, media-control features, and manageability.
       http://secadministrator.com/articles/index.cfm?articleid=22239
    
    6. ==== HOT RELEASE (ADVERTISEMENT) ====
    
    * SPONSORED BY STOP PASSWORD HACKERS WITH PASSWORD BOUNCER!
       Are your employees and contractors unwittingly leaving your 
    enterprise exposed to password attacks? Password Bouncer screens new 
    passwords against "Hacker Wordlists" and prevents users from choosing 
    vulnerable passwords. Defend your network today with Password Bouncer!
       http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0gDZ0AP 
    
    7. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows 2000 Magazine Network have teamed to 
    bring you the Center for Virus Control. Visit the site often to remain 
    informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: WHY DO I RECEIVE MICROSOFT PASSPORT-RELATED ERRORS WHEN I VISIT 
    SOME WEB SITES?
       (contributed by John Savill, http://www.windows2000faq.com)
    
    A. I recently encountered this problem in the Microsoft Developer 
    Network (MSDN) subscriber download area. I can connect to several 
    Microsoft Passport-related Web sites, but I was unable to use my 
    Microsoft Passport to connect to the MSDN site. To remedy this 
    situation, I had to delete my MSDN Microsoft Passport cookie. Your Web 
    browser stores cookies on your computer in the Cookies subfolder of 
    your user profile using the following format:
    
       <username>@<site name>  
    
    If you're running Microsoft Internet Explorer (IE) 5.5 or IE 6.0, you 
    can choose to delete all cookies simultaneously. However, if you remove 
    all your cookies, you'll lose any information contained within your Web 
    site profiles. To remove all cookies in IE 5.5 or IE 6.0, perform the 
    following steps:
    
       1. Start IE. 
       2. From the Tools menu, select Internet Options. 
       3. In the Temporary Internet files section of the General tab, click 
    Delete Cookies. 
       4. Click OK. 
       5. Close IE.
    
    8. ==== NEW AND IMPROVED ====
       (contributed by Scott Firestone, IV, productsat_private)
    
    * MANAGE PASSWORDS
       Zemerick Software released myPasswords Professional, password-
    managing software. The Password Recovery tool lets you recover the 
    passwords that asterisks have hidden in a program's dialogs. The 
    Password Generator tool creates complex passwords of any length 
    containing any combination of letters, numbers, and symbols. The 
    software can handle unlimited databases and entries, and users can 
    protect each database with a unique password. The software runs on 
    Windows 2000, Windows NT, Windows Me, Windows 9x, and other systems and 
    costs $30. Contact Zemerick Software at 304-469-4031.
       http://www.zemericks.com
    
    * ESTABLISH A SECURE CHANNEL
       Pragma Systems released SecureShell 2.0, a dual, secure-shell server 
    that supports Secure Shell 1 (SSH1) and Secure Shell 2 (SSH2) protocols 
    with Advanced Encryption Standard (AES) Rijndael encryption. The 
    software establishes a secure channel over any TCP/IP-based connection 
    for both client and server applications by encrypting data and file 
    transfers over the Internet. SecureShell 2.0 uses RSA/DSA public-key 
    encryption and runs on Windows 2000, Windows NT, and Windows 9x 
    systems. The software costs $799 per server for unlimited client 
    connections. Contact Pragma Systems at 512-219-7270.
       http://www.pragmasys.com
    
    9. ==== HOT THREADS ====
    
    * WINDOWS 2000 MAGAZINE ONLINE FORUMS
       http://www.win2000mag.net/forums 
    
    Featured Thread: Recommended Antivirus Program
       (Six messages in this thread)
    
    Brett wants to know what antivirus program he should use to protect 
    Windows NT servers. He's using Norton Antivirus but isn't happy with it 
    and wants suggestions. Read more about the questions and responses, or 
    lend a hand at the following URL:
       http://www.win2000mag.net/forums/rd.cfm?app=64&id=79459
    
    * HOWTO MAILING LIST
    http://www.secadministrator.com/listserv/page_listserv.asp?s=howto
    
    Featured Thread: Outlook/Exchange Connection
       (Eight messages in this thread)
       
    This user is having a problem with his Microsoft Outlook client when 
    receiving mail from an Exchange Server. His Outlook client doesn't 
    notify him when new mail arrives, yet the notification functionality 
    works on other Outlook clients running on other workstations on his 
    network. Can you help? Read the responses or lend a hand at the 
    following URL:
    http://63.88.172.96/listserv/page_listserv.asp?a2=ind0110a&l=howto&p=181
    
    10. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT THE COMMENTARY -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private; please
    mention the newsletter name in the subject line.
    
    * TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
    Support at securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? -- emedia_oppsat_private
    
    ********************
    
       Receive the latest information about the Windows 2000 and Windows NT
    topics of your choice. Subscribe to our other FREE email newsletters.
       http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0KrD0AL
    
    |-+-+-+-+-+-+-+-+-+-| 
    
    Thank you for reading Security UPDATE.
    
    SUBSCRIBE
    To subscribe, send a blank email to mailto:Security_UPDATE_Subat_private
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Oct 11 2001 - 06:15:56 PDT