[ISN] Security UPDATE, January 2, 2002

From: InfoSec News (isnat_private)
Date: Wed Jan 02 2002 - 22:13:32 PST


    ********************
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows .NET, 2000, and NT systems.
       http://www.secadministrator.com
    ********************
    
    
    January 2, 2002--In this issue:
    
    1. IN FOCUS
         - Microsoft's Security Initiative Misses the Most Obvious Target
    
    2. SECURITY RISKS
         - Multiple Vulnerabilities in Microsoft UPnP 
         - DoS in Microsoft Group Policy 
         - Multiple Vulnerabilities in Microsoft IE 6.0 and 5.5
    
    3. ANNOUNCEMENTS
         - Windows & .NET Magazine Spring 2002 Conference Schedule
         - If You Like Reading This UPDATE, You'll Love . . .      
    
    4. SECURITY ROUNDUP
         - News: FBI Issues Windows XP Warning; Pundits Jump on Microsoft
         - News: Datakey Partners with CA for Single Sign-On Authentication
         - News: Kaspersky Antivirus Suite Now Available in French, 
           Spanish, German, and Italian
         - News: Microsoft's New Partner Program for Security Solutions
         - News: Microsoft Releases Cumulative IE Patch
    
    5. INSTANT POLL
         - Results of Previous Poll: ISP Response
         - Instant Poll: Hunting Bugs
    
    6. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Disable the New Features of the Windows XP and 
           Windows 2000 Shell?
    
    7. NEW AND IMPROVED
         - Enforce Security Configurations for Remote PCs
         - Stop Viruses Before They Hit the Network
    
    8. HOT THREADS
         - Windows 2000 Magazine Online Forums
             - Featured Thread: Lost Windows 2000 Password
         - HowTo Mailing List:
             - Featured Thread: NetBIOS Trouble
    
    9. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
    
    * MICROSOFT'S SECURITY INITIATIVE MISSES THE MOST OBVIOUS TARGET 
    
    Hello everyone,
    
    Certainly you've heard about the recent security concerns with 
    Microsoft's Universal Plug and Play (UPnP) implementation. The problems 
    let intruders completely take over an affected system. You can read 
    more about the problems in our vulnerability report in the SECURITY 
    RISKS section of this newsletter and in Paul Thurrott's news story in 
    the SECURITY ROUNDUP section. 
    
    Microsoft originally released Security Bulletin MS01-054 about UPnP on 
    November 1, 2001, and amended the bulletin on November 13. Yet we're 
    still finding other serious problems in the UPnP service. What's wrong 
    with this picture? 
    
    On October 10, I wrote about Microsoft's new Strategic Technology 
    Protection Program (STPP), which is designed to help companies "get 
    secure and stay secure." (Go to the URL below to read the editorial.) I 
    questioned whether such a program is enough to bolster the security of 
    Windows-based networks, and Microsoft commented that it developed the 
    new tools to help its developers write better code. Obviously, the 
    efforts are just not enough, as evidenced by the company's three 
    attempts to eliminate serious problems with UPnP.
       http://www.secadministrator.com/articles/index.cfm?articleid=22860
    
    Even though Microsoft was aware of serious problems with its UPnP 
    implementation, the company didn't make an adequate effort to discover 
    and remedy all the possible bugs. This isn't the first time Microsoft 
    has failed to thoroughly examine faulty components to ensure that all 
    bugs are removed--it's happened numerous times over the years. So we're 
    still left to wonder what other services and applications still contain 
    gaping holes that leave users exposed to intruders. I suspect that when 
    Microsoft first published Security Bulletin MS01-054, intruders 
    immediately tried to discover how far Microsoft went toward correcting 
    errors in its UPnP code. eEye Digital Security (who discovered this 
    latest UPnP problem) once again reveals that Microsoft has fallen short 
    of thorough research about services known to contain faults.
    
    Why hasn't Microsoft applied its much-ballyhooed STPP program to 
    itself? How can Microsoft lead companies to believe it can help secure 
    their systems and networks through STPP when the company can't even 
    squash all the known bugs in its application and service code? Why 
    hasn't Microsoft contracted with excellent bug hunters (e.g., eEye 
    Digital Security and others) to help investigate compiled code for 
    dangerous risks? 
    
    The problem is glaring at this point, and Microsoft's lack is putting 
    all Windows users at further risk. Microsoft will probably claim once 
    again that writing bug-free code is incredibly difficult--which is 
    true--and that it's hard to hunt down bugs in code after the fact. But 
    as intruders continually prove, finding bugs is not as hard as some 
    might wish us to believe. It simply takes time, money, and lots of 
    cooperation--investments Microsoft should consider making.
       http://www.secadministrator.com/articles/index.cfm?articleid=23161
    
    Microsoft recently announced a new "Gold Certified Partner Program for 
    Security Solutions" (URL below), which through its membership 
    guidelines prevents member companies from informing anyone about newly 
    discovered security problems--presumably even their own customers--
    until Microsoft has developed and released a patch. Even after the 
    patch becomes available, Microsoft forbids partners from publicly 
    disclosing any details of vulnerabilities that might let nonpartners 
    develop code to further investigate these vulnerabilities. How would 
    those guidelines have affected the situation concerning this latest 
    UPnP risk, given the fact that the bugs let someone hijack users' 
    systems? Security consulting firms have rested on their laurels for 
    years without any "gold certification" from Microsoft, so it's rather 
    puzzling to contemplate how any partnership would benefit security 
    researchers, consultants, and Windows users.
       http://www.secadministrator.com/Articles/Index.cfm?ArticleID=23587
    
    We're conducting a new survey this week. We'd like to know if you think 
    Microsoft should continue to hunt for security bugs on its own, 
    contract with bug hunters, or release source code for public bug 
    hunting efforts? Please stop by our home page and take the Instant 
    Poll. 
    
    Before I sign off this week, I want to let you know that a reader 
    pointed out that although Microsoft's Windows Update Web site is a 
    decent and adequate service that truly helps users discover what 
    patches they need to apply, the service lacks protection for customers 
    who download and install patches. The Web-based service doesn't allow 
    Secure Sockets Layer (SSL) connections and thus leaves the Windows 
    update process more vulnerable to man-in-the-middle attacks. Surprised? 
       http://windowsupdate.microsoft.com
    
    Until next time, have a great week. 
    
    Sincerely,
    
    Mark Joseph Edwards, News Editor
    markat_private
    ********************
    
    2. ==== SECURITY RISKS ====
    
    * MULTIPLE VULNERABILITIES IN MICROSOFT UPNP
       Multiple vulnerabilities exist in Microsoft's implementation of 
    Universal Plug and Play (UPnP). The first vulnerability is a remotely 
    exploitable buffer overflow that can result in system-level access to 
    the host. This vulnerability results from an unchecked buffer in one of 
    the service's components that handles notify directives. The second 
    vulnerability involves a variant of this first vulnerability; the UPnP 
    service doesn't take sufficient steps to limit how far the service goes 
    to obtain information about a discovered service. Microsoft has 
    released a patch for the problems, and the National Infrastructure 
    Protection Center (NIPC) recommends that users disable the service. 
       http://www.secadministrator.com/articles/index.cfm?articleid=23594
    
    * DOS IN MICROSOFT GROUP POLICY 
       A Denial of Service (DoS) condition exists in Windows 2000 Group 
    Policy. Win2K's file-locking mechanism might let an application put an 
    exclusive lock on a file, making that file unavailable to another 
    application, even if that application doesn't attempt to lock the file. 
    The OS doesn't check file permissions before locking occurs, so even 
    unprivileged users can lock files. Microsoft hasn't released a fix or 
    workaround for this problem.
       http://www.secadministrator.com/articles/index.cfm?articleid=23582
    
    * MULTIPLE VULNERABILITIES IN MICROSOFT IE 6.0 AND 5.5
       Three new vulnerabilities exist in Microsoft Internet Explorer (IE) 
    6.0 and 5.5. The first vulnerability results from a problem in the way 
    that IE handles the Content-Type and Content-Disposition header fields 
    in an HTML stream. By modifying these fields in a specific way, an 
    attacker can fool IE into thinking that the file is a different file 
    type, and the attacker can insert harmful files. To work around this 
    problem, users must disable file downloads under the appropriate IE 
    security zones. The second vulnerability involves a variant of the 
    Frame Domain Verification vulnerability that lets a malicious intruder 
    use a Web site to read any file on the local computer. The third 
    vulnerability involves a problem with the filenames that IE displays in 
    the File Download dialog box. In an attempt to trick the user, an 
    attacker can use this vulnerability to misrepresent the name of the 
    file presented for download. Microsoft has released Security Bulletin 
    MS01-058 to address these vulnerabilities and recommends that affected 
    users apply the patch provided at this URL. This patch is a cumulative 
    rollup of all patches the company has previously issued for these 
    versions of IE. Microsoft no longer supports previous IE versions. 
       http://www.secadministrator.com/articles/index.cfm?articleid=23552
    
    3. ==== ANNOUNCEMENTS ====
    
    * WINDOWS & .NET MAGAZINE SPRING 2002 CONFERENCE SCHEDULE
       Save these dates! Windows & .NET Magazine LIVE! and SQL Server 
    Magazine LIVE! are scheduled for May 5 through 8, 2002, in Palm 
    Springs, California. Microsoft ASP.NET Connections and Visual Studio 
    Connections run from April 30 through May 3, 2002, in New Orleans. For 
    more information, go to the following URL. 
       http://list.winnetmag.com/cgi-bin3/flo?y=eJ1H0CJgSH0CBw0pXI0A5 
    
    * IF YOU LIKE READING THIS UPDATE, YOU'LL LOVE . . .
       Windows & .NET Magazine UPDATE. Every Tuesday, we deliver news, 
    commentary, and tips so that, in about 5 minutes, you can catch up on 
    the latest Windows industry happenings, learn a new skill, and face 
    your day a little more informed. It's free, so subscribe today! 
       http://www.winnetmag.com/email/index.cfm?id=1
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: FBI ISSUES WINDOWS XP WARNING; PUNDITS JUMP ON MICROSOFT 
       After speaking with Microsoft officials, the National Infrastructure 
    Protection Center (NIPC), an arm of the Federal Bureau of Investigation 
    (FBI), issued an advisory late last week regarding the Universal Plug 
    and Play (UPnP) vulnerability in Windows XP. To learn more, go to the 
    URL below.
       http://www.secadministrator.com/articles/index.cfm?articleid=23598
    
    * NEWS: DATAKEY PARTNERS WITH CA FOR SINGLE SIGN-ON AUTHENTICATION 
       Datakey announced that it has partnered with Computer Associates 
    (CA) and received CA's "ca smart" certification for its smart card 
    single sign-on (SSO) and authentication technology. 
       http://www.secadministrator.com/articles/index.cfm?articleid=23593
    
    * NEWS: KASPERSKY ANTIVIRUS SUITE IS NOW AVAILABLE IN FRENCH, SPANISH, 
    GERMAN, AND ITALIAN 
       Kaspersky Labs, a data-security software-development company, 
    announced that its Kaspersky Anti-Virus suite is now available in 
    French, Spanish, German, and Italian.
       http://www.secadministrator.com/articles/index.cfm?articleid=23592
    
    * NEWS: MICROSOFT'S NEW PARTNER PROGRAM FOR SECURITY SOLUTIONS 
       Microsoft announced its new Gold Certified Partner Program for 
    Security Solutions, along with a list of requirements that partners 
    must meet on an ongoing basis to maintain partner status. 
       http://www.secadministrator.com/articles/index.cfm?articleid=23587
    
    * NEWS: MICROSOFT RELEASES CUMULATIVE IE PATCH 
       Microsoft released a new patch that fixes all known security 
    vulnerabilities in Internet Explorer (IE) 6.0 and IE 5.5 Service Pack 2 
    (SP2).
       http://www.secadministrator.com/articles/index.cfm?articleid=23548
    
    5. ==== INSTANT POLL ====
    
    * RESULTS OF PREVIOUS POLL: ISP RESPONSE
       The voting has closed in Windows & .NET Magazine's Security 
    Administrator Channel nonscientific Instant Poll for the question, "If 
    you caught someone intruding into your network and you reported it to 
    your ISP, did the ISP respond immediately?" Here are the results (+/-2 
    percent) from the 287 votes:
      17% a) Yes
      83% b) No
      
    * INSTANT POLL: HUNTING BUGS
       The current Instant Poll question is, "Should Microsoft continue to 
    hunt bugs alone, contract with bug hunters, or release source code for 
    public bug-hunting efforts?" The choices are 1) Continue to do it 
    alone, 2) Contract with bug hunters to assist, 3) Release source code 
    for public efforts, or 4) Answers 2 and 3 above. Go to the Security 
    Administrator Channel home page and submit your vote.
       http://www.secadministrator.com 
    
    6. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed 
    to bring you the Center for Virus Control. Visit the site often to 
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: HOW CAN I DISABLE THE NEW FEATURES OF THE WINDOWS XP AND WINDOWS 
    2000 SHELL?
       ( contributed by John Savill, http://www.windows2000faq.com )
    
    A. You can use Group Policy to disable the new features (e.g., Active 
    Desktop, quick launch, Web view) of the XP and Win2K shell and 
    configure the classic shell. To configure the classic shell, perform 
    the following steps: 
    
       1. Open Group Policy in Group Policy Editor (GPE). 
       2. Expand User Configuration, Administrative Templates, Windows
       Components, Windows Explorer. 
       3. Double-click Enable Classic Shell. 
       4. Select Enabled, and click OK. 
       5. Close GPE. 
    
    You can also use the registry to configure this setting by performing 
    the following steps: 
    
       1. Start a registry editor (e.g., regedit.exe). 
       2. Navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer. 
       3. From the Edit menu, select New - DWORD Value. 
       4. Enter a name of ClassicShell, and press Enter. 
       5. Double-click the new value, set it to 1, and click OK. 
       6. Close the registry editor.
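
    The registry steps above as a script, for applying the setting without 
    the registry editor. This is an added example, not part of the original 
    FAQ; the function name Set-ClassicShellPolicy is hypothetical.

```powershell
# Added example: writes the ClassicShell value described in the FAQ steps.
# Set-ClassicShellPolicy is a hypothetical helper name, not a built-in cmdlet.
function Set-ClassicShellPolicy {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param()

    $key  = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $name = 'ClassicShell'

    # The Policies\Explorer key may not exist yet in a fresh user profile.
    if (-not (Test-Path -Path $key)) {
        if ($PSCmdlet.ShouldProcess($key, 'Create registry key')) {
            New-Item -Path $key -Force | Out-Null
        }
    }

    if ($PSCmdlet.ShouldProcess("$key\$name", 'Set DWORD value to 1')) {
        # -Force replaces an existing value, including one of the wrong type.
        New-ItemProperty -Path $key -Name $name -PropertyType DWord `
            -Value 1 -Force | Out-Null
    }

    # Read the value back so the caller can confirm what the registry holds.
    $current = Get-ItemProperty -Path $key -Name $name `
        -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Key   = $key
        Name  = $name
        Value = $(if ($current) { $current.$name } else { $null })
    }
}

# Preview the change with -WhatIf, then apply it for the current user.
Set-ClassicShellPolicy -WhatIf
Set-ClassicShellPolicy
```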
    
    7. ==== NEW AND IMPROVED ====
       (contributed by Scott Firestone, IV, productsat_private)
    
    * ENFORCE SECURITY CONFIGURATIONS FOR REMOTE PCS
       InfoExpress released the CyberGatekeeper Suite, which gives users 
    one platform to define and enforce security configurations for remote 
    PCs to access corporate networks. The software proactively enforces 
    corporate security by auditing remote systems to ensure that they're 
    safe before they can access the network. If a system isn't safe, 
    CyberGatekeeper automatically shuts down access to the network. The 
    suite includes CyberGatekeeper Agent, which monitors the remote system 
    and reports back to the CyberGatekeeper Server. Prices start at $59 per 
    seat and $4995 for the server. Contact InfoExpress at 650-623-0260.
       http://www.infoexpress.com
    
    * STOP VIRUSES BEFORE THEY HIT THE NETWORK
       Ositis Software released AVStripper, a hardware product that stops 
    viruses before they penetrate the corporate network. The product is 
    self-updating and implements current antivirus files and pattern 
    updates without any intervention from the network administrator. 
    AVStripper comes bundled with Trend Micro's antivirus-scanning engine. 
    For pricing, contact Ositis Software at 925-225-8900 or 888-946-7769.
       http://www.ositis.com
    
    8. ==== HOT THREADS ====
    
    * WINDOWS 2000 MAGAZINE ONLINE FORUMS
       http://www.winnetmag.net/forums 
    
    Featured Thread: Lost Windows 2000 Password 
       (Four messages in this thread)
    
    Mark has a Win2K Professional user who has lost his logon password. The 
    user's computer is not on a network. Mark wants to know whether he can 
    recover the lost password without reinstalling the OS. Can you help? 
    Read the responses or lend a hand at the following URL: 
       http://www.secadministrator.com/forums/thread.cfm?thread_id=89511
       
    * HOWTO MAILING LIST
       http://www.secadministrator.com/listserv/page_listserv.asp?s=howto
    
    Featured Thread: NetBIOS Trouble
       (Eleven messages in this thread)
    
    Alexey has a problem with NetBIOS. He has three computers, two running 
    Windows 98 and one running Windows NT. One computer running Win98 sees 
    the other two computers on the network, but the two others (the NT 
    system and the other Win98 system) can ping but can't see each other. 
    Read the responses or lend a hand at the following URL:
       http://63.88.172.96/listserv/page_listserv.asp?a2=ind0112b&l=howto&p=189
    
    9. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
    
       Receive the latest information about the Windows and .NET topics of 
    your choice. Subscribe to our other FREE email newsletters.
       http://www.winnetmag.net/email
    
    |-+-+-+-+-+-+-+-+-+-| 
    
    Thank you for reading Security UPDATE.
    
    
    