********************
Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET, 2000, and NT systems.
http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

VeriSign--The Value of Trust
http://list.winnetmag.com/cgi-bin3/flo?y=eJ1H0CJgSH0CBw0Lo50AX

Connected Home Magazine
http://list.winnetmag.com/cgi-bin3/flo?y=eJ1H0CJgSH0CBw0oUX0AH
(below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: VERISIGN--THE VALUE OF TRUST ~~~~

Secure your servers with 128-bit SSL encryption! Grab your copy of VeriSign's FREE Guide, "Securing Your Web site for Business," and you'll learn everything you need to know about using 128-bit SSL to encrypt your e-commerce transactions, secure your corporate intranets and authenticate your Web sites. 128-bit SSL is serious security for your online business. Get it now!
http://list.winnetmag.com/cgi-bin3/flo?y=eJ1H0CJgSH0CBw0Lo50AX

********************

January 2, 2002--In this issue:

1. IN FOCUS
   - Microsoft's Security Initiative Misses the Most Obvious Target

2. SECURITY RISKS
   - Multiple Vulnerabilities in Microsoft UPnP
   - DoS in Microsoft Group Policy
   - Multiple Vulnerabilities in Microsoft IE 6.0 and 5.5

3. ANNOUNCEMENTS
   - Windows & .NET Magazine Spring 2002 Conference Schedule
   - If You Like Reading This UPDATE, You'll Love . . .

4. SECURITY ROUNDUP
   - News: FBI Issues Windows XP Warning; Pundits Jump on Microsoft
   - News: Datakey Partners with CA for Single Sign-On Authentication
   - News: Kaspersky Antivirus Suite Now Available in French, Spanish, German, and Italian
   - News: Microsoft's New Partner Program for Security Solutions
   - News: Microsoft Releases Cumulative IE Patch

5. INSTANT POLL
   - Results of Previous Poll: ISP Response
   - Instant Poll: Hunting Bugs

6. SECURITY TOOLKIT
   - Virus Center
   - FAQ: How Can I Disable the New Features of the Windows XP and Windows 2000 Shell?

7. NEW AND IMPROVED
   - Enforce Security Configurations for Remote PCs
   - Stop Viruses Before They Hit the Network

8. HOT THREADS
   - Windows 2000 Magazine Online Forums
       - Featured Thread: Lost Windows 2000 Password
   - HowTo Mailing List:
       - Featured Thread: NetBIOS Trouble

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====

* MICROSOFT'S SECURITY INITIATIVE MISSES THE MOST OBVIOUS TARGET

Hello everyone,

Certainly you've heard about the recent security concerns with Microsoft's Universal Plug and Play (UPnP) implementation. The problems let intruders completely take over an affected system. You can read more about the problems in our vulnerability report in the SECURITY RISKS section of this newsletter and in Paul Thurrott's news story in the SECURITY ROUNDUP section. Microsoft originally released Security Bulletin MS01-054 about UPnP on November 1, 2001, and amended the bulletin on November 13. Yet we're still finding other serious problems in the UPnP service. What's wrong with this picture?

On October 10, I wrote about Microsoft's new Strategic Technology Protection Program (STPP), which is designed to help companies "get secure and stay secure." (Go to the URL below to read the editorial.) I questioned whether such a program is enough to bolster the security of Windows-based networks, and Microsoft commented that it developed the new tools to help its developers write better code. Obviously, the efforts are just not enough, as evidenced by the company's three attempts to eliminate serious problems with UPnP.
http://www.secadministrator.com/articles/index.cfm?articleid=22860

Even though Microsoft was aware of serious problems with its UPnP implementation, the company didn't make an adequate effort to discover and remedy all the possible bugs. This isn't the first time Microsoft has failed to thoroughly examine faulty components to ensure that all bugs are removed--it's happened numerous times over the years.
So we're still left to wonder what other services and applications still contain gaping holes that leave users exposed to intruders.

I suspect that when Microsoft first published Security Bulletin MS01-054, intruders immediately tried to discover how far Microsoft went toward correcting errors in its UPnP code. eEye Digital Security (who discovered this latest UPnP problem) once again reveals that Microsoft has fallen short of thorough research about services known to contain faults.

Why hasn't Microsoft applied its much-ballyhooed STPP program to itself? How can Microsoft lead companies to believe it can help secure their systems and networks through STPP when the company can't even squash all the known bugs in its application and service code? Why hasn't Microsoft contracted with excellent bug hunters (e.g., eEye Digital Security and others) to help investigate compiled code for dangerous risks? The problem is glaring at this point, and Microsoft's lack is putting all Windows users at further risk.

Microsoft will probably claim once again that writing bug-free code is incredibly difficult--which is true--and that it's hard to hunt down bugs in code after the fact. But as intruders continually prove, finding bugs is not as hard as some might wish us to believe. It simply takes time, money, and lots of cooperation--investments Microsoft should consider making.
http://www.secadministrator.com/articles/index.cfm?articleid=23161

Microsoft recently announced a new "Gold Certified Partner Program for Security Solutions" (URL below), which through its membership guidelines prevents member companies from informing anyone about newly discovered security problems--presumably even their own customers--until Microsoft has developed and released a patch. Even after the patch becomes available, Microsoft forbids partners from publicly disclosing any details of vulnerabilities that might let nonpartners develop code to further investigate these vulnerabilities.
How would those guidelines have affected the situation concerning this latest UPnP risk, given the fact that the bugs let someone hijack users' systems? Security consulting firms have rested on their laurels for years without any "gold certification" from Microsoft, so it's rather puzzling to contemplate how any partnership would benefit security researchers, consultants, and Windows users.
http://www.secadministrator.com/Articles/Index.cfm?ArticleID=23587

We're conducting a new survey this week. We'd like to know if you think Microsoft should continue to hunt for security bugs on its own, contract with bug hunters, or release source code for public bug hunting efforts? Please stop by our home page and take the Instant Poll.

Before I sign off this week, I want to let you know that a reader pointed out that although Microsoft's Windows Update Web site is a decent and adequate service that truly helps users discover what patches they need to apply, the service lacks protection for customers who download and install patches. The Web-based service doesn't allow Secure Sockets Layer (SSL) connections and thus leaves the Windows update process more vulnerable to man-in-the-middle attacks. Surprised?
http://windowsupdate.microsoft.com

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
markat_private

********************

~~~~ SPONSOR: CONNECTED HOME MAGAZINE ~~~~

Connected Home Magazine--Try It Free! Connected Home Magazine is the new magazine to help you manage all the PCs, devices, and components in your home and in your life. We can show you how to install a home network, tackle home automation, build a home theater system, or integrate your PDA with your PC. Get a free sample of the February/March issue today!
http://list.winnetmag.com/cgi-bin3/flo?y=eJ1H0CJgSH0CBw0oUX0AH

2. ==== SECURITY RISKS ====

* MULTIPLE VULNERABILITIES IN MICROSOFT UPNP

Multiple vulnerabilities exist in Microsoft's implementation of Universal Plug and Play (UPnP).
The first vulnerability is a remotely exploitable buffer overflow that can result in system-level access to the host. This vulnerability results from an unchecked buffer in one of the service's components that handles notify directives. The second vulnerability involves a variant of this first vulnerability; the UPnP service doesn't take sufficient steps to limit how far the service goes to obtain information about a discovered service. Microsoft has released a patch for the problems, and the National Infrastructure Protection Center (NIPC) recommends that users disable the service.
http://www.secadministrator.com/articles/index.cfm?articleid=23594

* DOS IN MICROSOFT GROUP POLICY

A Denial of Service (DoS) condition exists in Windows 2000 Group Policy. Win2K's file-locking mechanism might let an application put an exclusive lock on a file, making that file unavailable to another application, even if that application doesn't attempt to lock the file. The OS doesn't check file permissions before locking occurs, so even unprivileged users can lock files. Microsoft hasn't released a fix or workaround for this problem.
http://www.secadministrator.com/articles/index.cfm?articleid=23582

* MULTIPLE VULNERABILITIES IN MICROSOFT IE 6.0 AND 5.5

Three new vulnerabilities exist in Microsoft Internet Explorer (IE) 6.0 and 5.5. The first vulnerability results from a problem in the way that IE handles the Content-Type and Content-Disposition header fields in an HTML stream. By modifying these fields in a specific way, an attacker can fool IE into thinking that the file is a different file type, and the attacker can insert harmful files. To work around this problem, users must disable file downloads under the appropriate IE security zones. The second vulnerability involves a variant of the Frame Domain Verification vulnerability that lets a malicious intruder use a Web site to read any file on the local computer.
The third vulnerability involves a problem with the filenames that IE displays in the File Download dialog box. In an attempt to trick the user, an attacker can use this vulnerability to misrepresent the name of the file presented for download. Microsoft has released Security Bulletin MS01-058 to address these vulnerabilities and recommends that affected users apply the patch provided at this URL. This patch is a cumulative rollup of all patches the company has previously issued for these versions of IE. Microsoft no longer supports previous IE versions.
http://www.secadministrator.com/articles/index.cfm?articleid=23552

3. ==== ANNOUNCEMENTS ====

* WINDOWS & .NET MAGAZINE SPRING 2002 CONFERENCE SCHEDULE

Save these dates! Windows & .NET Magazine LIVE! and SQL Server Magazine LIVE! are scheduled for May 5 through 8, 2002, in Palm Springs, California. Microsoft ASP.NET Connections and Visual Studio Connections run from April 30 through May 3, 2002, in New Orleans. For more information, go to the following URL.
http://list.winnetmag.com/cgi-bin3/flo?y=eJ1H0CJgSH0CBw0pXI0A5

* IF YOU LIKE READING THIS UPDATE, YOU'LL LOVE . . .

Windows & .NET Magazine UPDATE. Every Tuesday, we deliver news, commentary, and tips so that, in about 5 minutes, you can catch up on the latest Windows industry happenings, learn a new skill, and face your day a little more informed. It's free, so subscribe today!
http://www.winnetmag.com/email/index.cfm?id=1

4. ==== SECURITY ROUNDUP ====

* NEWS: FBI ISSUES WINDOWS XP WARNING; PUNDITS JUMP ON MICROSOFT

After speaking with Microsoft officials, the National Infrastructure Protection Center (NIPC), an arm of the Federal Bureau of Investigation (FBI), issued an advisory late last week regarding the Universal Plug and Play (UPnP) vulnerability in Windows XP. To learn more, go to the URL below.
http://www.secadministrator.com/articles/index.cfm?articleid=23598

* NEWS: DATAKEY PARTNERS WITH CA FOR SINGLE SIGN-ON AUTHENTICATION

Datakey announced that it has partnered with Computer Associates (CA) and received CA's "ca smart" certification for its smart card single sign-on (SSO) and authentication technology.
http://www.secadministrator.com/articles/index.cfm?articleid=23593

* NEWS: KASPERSKY ANTIVIRUS SUITE IS NOW AVAILABLE IN FRENCH, SPANISH, GERMAN, AND ITALIAN

Kaspersky Labs, a data-security software-development company, announced that its Kaspersky Anti-Virus suite is now available in French, Spanish, German, and Italian.
http://www.secadministrator.com/articles/index.cfm?articleid=23592

* NEWS: MICROSOFT'S NEW PARTNER PROGRAM FOR SECURITY SOLUTIONS

Microsoft announced its new Gold Certified Partner Program for Security Solutions, along with a list of requirements that partners must meet on an ongoing basis to maintain partner status.
http://www.secadministrator.com/articles/index.cfm?articleid=23587

* NEWS: MICROSOFT RELEASES CUMULATIVE IE PATCH

Microsoft released a new patch that fixes all known security vulnerabilities in Internet Explorer (IE) 6.0 and IE 5.5 Service Pack 2 (SP2).
http://www.secadministrator.com/articles/index.cfm?articleid=23548

5. INSTANT POLL

* RESULTS OF PREVIOUS POLL: ISP RESPONSE

The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "If you caught someone intruding into your network and you reported it to your ISP, did the ISP respond immediately?"

Here are the results (+/-2 percent) from the 287 votes:
   17% a) Yes
   83% b) No

* INSTANT POLL: HUNTING BUGS

The current Instant Poll question is, "Should Microsoft continue to hunt bugs alone, contract with bug hunters, or release source code for public bug-hunting efforts?"
The choices are 1) Continue to do it alone, 2) Contract with bug hunters to assist, 3) Release source code for public efforts, or 4) Answers 2 and 3 above. Go to the Security Administrator Channel home page and submit your vote.
http://www.secadministrator.com

6. ==== SECURITY TOOLKIT ====

* VIRUS CENTER

Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

* FAQ: HOW CAN I DISABLE THE NEW FEATURES OF THE WINDOWS XP AND WINDOWS 2000 SHELL?
( contributed by John Savill, http://www.windows2000faq.com )

A. You can use Group Policy to disable the new features (e.g., Active Desktop, quick launch, Web view) of the XP and Win2K shell and configure the classic shell. To configure the classic shell, perform the following steps:

   1. Open Group Policy in Group Policy Editor (GPE).
   2. Expand User Configuration, Administrative Templates, Windows Components, Windows Explorer.
   3. Double-click Enable Classic Shell.
   4. Select Enabled, and click OK.
   5. Close GPE.

You can also use the registry to configure this setting by performing the following steps:

   1. Start a registry editor (e.g., regedit.exe).
   2. Navigate to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.
   3. From the Edit menu, select New - DWORD Value.
   4. Enter a name of ClassicShell, and press Enter.
   5. Double-click the new value, set it to 1, and click OK.
   6. Close the registry editor.

7. ==== NEW AND IMPROVED ====
(contributed by Scott Firestone, IV, productsat_private)

* ENFORCE SECURITY CONFIGURATIONS FOR REMOTE PCS

InfoExpress released the CyberGatekeeper Suite, which gives users one platform to define and enforce security configurations for remote PCs to access corporate networks.
The software proactively enforces corporate security by auditing remote systems to ensure that they're safe before they can access the network. If a system isn't safe, CyberGatekeeper automatically shuts down access to the network. The suite includes CyberGatekeeper Agent, which monitors the remote system and reports back to the CyberGatekeeper Server. Prices start at $59 per seat and $4995 for the server. Contact InfoExpress at 650-623-0260.
http://www.infoexpress.com

* STOP VIRUSES BEFORE THEY HIT THE NETWORK

Ositis Software released AVStripper, a hardware product that stops viruses before they penetrate the corporate network. The product is self-updating and implements current antivirus files and pattern updates without any intervention from the network administrator. AVStripper comes bundled with Trend Micro's antivirus-scanning engine. For pricing, contact Ositis Software at 925-225-8900 or 888-946-7769.
http://www.ositis.com

8. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
http://www.winnetmag.net/forums

Featured Thread: Lost Windows 2000 Password
(Four messages in this thread)

Mark has a Win2K Professional user who has lost his logon password. The user's computer is not on a network. Mark wants to know whether he can recover the lost password without reinstalling the OS. Can you help? Read the responses or lend a hand at the following URL:
http://www.secadministrator.com/forums/thread.cfm?thread_id=89511

* HOWTO MAILING LIST
http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: NetBIOS Trouble
(Eleven messages in this thread)

Alexey has a problem with NetBIOS. He has three computers, two running Windows 98 and one running Windows NT. One computer running Win98 sees the other two computers on the network, but the two others (the NT system and the other Win98 system) can ping but can't see each other.
Read the responses or lend a hand at the following URL:
http://63.88.172.96/listserv/page_listserv.asp?a2=ind0112b&l=howto&p=189

9. ==== CONTACT US ====

Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- markat_private

* ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private (please mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums

* PRODUCT NEWS -- productsat_private

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- securityupdateat_private

* WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private

********************

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.