[ISN] Security UPDATE, January 30, 2002

From: InfoSec News (isnat_private)
Date: Thu Jan 31 2002 - 02:07:44 PST


********************
Windows & .NET Magazine Security UPDATE--brought to you by Security 
Administrator, a print newsletter bringing you practical, how-to 
articles about securing your Windows .NET, 2000, and NT systems. 
   http://www.secadministrator.com 
******************** 

~~~~ THIS ISSUE SPONSORED BY ~~~~ 

VeriSign--The Value of Trust
   http://list.winnetmag.com/cgi-bin3/flo?y=eKWS0CJgSH0CBw0p5N0AQ 

~~~~~~~~~~~~~~~~~~~~ 

~~~~ SPONSOR: VERISIGN--THE VALUE OF TRUST ~~~~
   Is your e-business secure enough? Learn why it's vital to encrypt your 
business transactions, secure your intranets, and authenticate your Web site 
with the strongest encryption available--128-bit SSL. To learn more, get 
VeriSign's FREE Guide, "Securing Your Web Site for Business" now: 
   http://list.winnetmag.com/cgi-bin3/flo?y=eKWS0CJgSH0CBw0p5N0AQ 

~~~~~~~~~~~~~~~~~~~~ 

January 30, 2002--In this issue: 

1. IN FOCUS
     - Active Directory Security: Forests and Domains

2. SECURITY RISKS
     - FTP Bounce Vulnerability in SpoonFTP 
     - Arbitrary Execution Vulnerability in PHP 4.0

3. ANNOUNCEMENTS
     - Microsoft TechEd 2002: The Definitive Microsoft Conference for Building 
Integrated Solutions
     - New! ADO.NET Webinar Series!

4. SECURITY ROUNDUP
     - News: KaVaDo Offers Web Application Security Scanner and Protection 
     - News: Central Command Offers Discount Antivirus Software to Schools 
     - News: Second Annual BNA Security Summit, February 27-28, in Washington, 
D.C. 
     - News: RapidStream Announces High-Performance Security Appliances 
     - News: Halifax Provides Security to Veteran's Affairs and IRS 
     - News: Top Stories of 2001, #8: .NET and Open Alternatives Fight for the 
       Future
     - Feature: Exchange Server Antivirus Software Buyer's Guide
     - News Correction: Reflex Magnetics ScreenMail for Outlook

5. INSTANT POLL
     - Results of Previous Poll: Performing Full Security Audits
     - Instant Poll: Single or Multiple Forests?

6. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Execute Microsoft Snap-in Console Files Without Typing the 
       .msc Extension?

7. NEW AND IMPROVED
     - Test Email Vulnerabilities
     - Understand Internet Security Concepts

8. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: WFV Folders in the System Root Folder
     - HowTo Mailing List
         - Featured Thread: VPN Clients Not Connecting

9. CONTACT US 
   See this section for a list of ways to contact us. 
~~~~~~~~~~~~~~~~~~~~ 

1. ==== IN FOCUS ==== 

* ACTIVE DIRECTORY SECURITY: FORESTS AND DOMAINS

Hello everyone, 

Have you seen Microsoft's white paper, "Design Considerations for Delegation of 
Administration in Active Directory"? Microsoft published the paper in November 
2001, and you can download it at the company's Web site (see URL below). The 
paper discusses design concerns regarding the trust of service owners. Gartner 
Group's John Enck--former Lab Manager for Windows NT Magazine--brought the paper 
to my attention recently because of its recommendations.

http://www.microsoft.com/windows2000/techinfo/planning/activedirectory/addeladmin.asp

In the paper's conclusion, Microsoft says companies "can deploy a single forest 
design with a single IT organization owning all forest and domain service 
management, and delegate data autonomy or isolation to other organizations by 
using [organizational units] OUs." The paper goes on to say, "Some organizations 
have specific autonomy or isolation requirements that make trusting a central 
service owner impractical or unwise. These organizations can deploy multiple 
forest designs, and enable inter-forest collaboration through additional 
management systems such as Microsoft Metadirectory Services (MMS)."

So you need to build your Active Directory (AD) infrastructure carefully 
because, as the paper also points out, "Domain owners cannot prevent forest 
owners from controlling their services and accessing their data," and anyone 
joining a forest must trust service owners. In addition, the paper outlines 
several potentially exploitable circumstances that exist when you trust service 
owners in a single-forest model. Therefore, for maximum security with AD, you 
need to use multiple forests. Be sure to read the white paper for more details 
about the risks of a single-forest model.

We're conducting a new poll this week to learn about your AD structure. "Do you 
use a single-forest or multiple-forest design with Active Directory, and if you 
use a single-forest design, will you change to multiple?" Visit our home page 
and give us your answer. 

Until next time, have a great week. 

Sincerely, 
Mark Joseph Edwards, News Editor 
markat_private 

2. ==== SECURITY RISKS ==== 
   (contributed by Ken Pfeil, kenat_private) 

* FTP BOUNCE VULNERABILITY IN SPOONFTP
   Arne Vidstrom discovered a vulnerability in Pi-Soft's SpoonFTP that can 
result in an attacker being able to bounce a connection through the vulnerable 
server and attack a third-party host. An intruder can also launch this FTP 
bounce attack from ports lower than 1024, which an unprivileged user normally 
can't bind to. The vendor, Pi-Soft Consulting, has released version 1.2, which 
fixes this vulnerability. 
   http://www.secadministrator.com/articles/index.cfm?articleid=23886
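The server-side check that closes this class of bug is to refuse any PORT command whose data-connection target is not the client that issued it, or that names a privileged port. The following is an added example of that check run over a command log, not Pi-Soft's code; the log format ("<client-ip> <command line>") and the log lines themselves are constructed for the example:

```python
"""Flag FTP PORT commands that would make the server open a data connection
to a host other than the client, or to a privileged port (< 1024).

Added example for this newsletter item; it is not Pi-Soft code. The log
format below ('<client-ip> <command line>') is a constructed one.
"""
import re

# PORT h1,h2,h3,h4,p1,p2 as defined in RFC 959.
PORT_RE = re.compile(r"^PORT\s+(\d{1,3}(?:,\d{1,3}){5})\s*$", re.IGNORECASE)

# Constructed sample of a server-side FTP command log.
SAMPLE_LOG = """\
192.0.2.10 USER anonymous
192.0.2.10 PORT 192,0,2,10,19,137
192.0.2.10 LIST
192.0.2.10 PORT 198,51,100,7,0,25
192.0.2.10 PORT 192,0,2,10,0,80
198.51.100.9 PORT 198,51,100,9,4,1
"""


def parse_port_argument(arg):
    """Turn 'h1,h2,h3,h4,p1,p2' into (ip, port); the port is p1*256 + p2."""
    parts = [int(x) for x in arg.split(",")]
    if len(parts) != 6 or any(not 0 <= x <= 255 for x in parts):
        raise ValueError("malformed PORT argument: %r" % arg)
    ip = ".".join(str(x) for x in parts[:4])
    port = parts[4] * 256 + parts[5]
    return ip, port


def check_port_command(client_ip, arg):
    """Return the reasons a PORT command should be refused (empty list = allow)."""
    ip, port = parse_port_argument(arg)
    reasons = []
    if ip != client_ip:
        # Data connection would go to a third party: the bounce condition.
        reasons.append("data target %s differs from control client %s (bounce)" % (ip, client_ip))
    if port < 1024:
        # A server-initiated connection to a privileged port on any host.
        reasons.append("privileged data port %d" % port)
    return reasons


def scan_log(text):
    """Return (line_no, client_ip, (target_ip, target_port), reasons) per suspicious PORT line."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        client_ip, _, command = line.partition(" ")
        m = PORT_RE.match(command)
        if not m:
            continue
        reasons = check_port_command(client_ip, m.group(1))
        if reasons:
            findings.append((n, client_ip, parse_port_argument(m.group(1)), reasons))
    return findings


if __name__ == "__main__":
    for n, client, target, reasons in scan_log(SAMPLE_LOG):
        print("line %d: client %s -> %s:%d: %s" % (n, client, target[0], target[1], "; ".join(reasons)))
```

On the sample, line 4 is refused for both reasons and line 5 only for the privileged port; the two PORT commands that name the issuing client and an unprivileged port pass.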

* ARBITRARY EXECUTION VULNERABILITY IN PHP 4.0
   Paul Brereton discovered a vulnerability in PHP 4.0 for Windows using Apache 
Web Server 2.0. By exploiting PHP's ability to view files residing outside the 
normal HTML root directory, an attacker can execute arbitrary code by inserting 
a malicious PHP-based command into the Apache log file. PHP has been notified, 
but no fix is currently available. 
   http://www.secadministrator.com/articles/index.cfm?articleid=23887
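Until a fix ships, one thing an administrator can do is watch the log itself for the precondition of this attack: PHP open tags arriving in request fields that Apache writes verbatim, and request paths that reach outside the document root. The following scanner over Apache combined-format log lines is an added example, not from the newsletter or the PHP project; the log lines, addresses and the "../../logs/access.log" path are constructed:

```python
"""Scan an Apache combined-format access log for PHP code a client has written
into it, and for requests that walk outside the document root.

Added example, not from the newsletter or from PHP. The log lines below are
constructed; the fields checked (request line, Referer, User-Agent) are the
ones Apache records verbatim from the client.
"""
import re
from urllib.parse import unquote

# ip - - [time] "request" status bytes "referer" "agent"
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" '
    r'(?P<status>\d{3}) (?P<bytes>\S+) "(?P<referer>[^"]*)" "(?P<agent>[^"]*)"$'
)
# PHP open tags (<?php, <?=, <? followed by whitespace, <script language=php).
PHP_TAG_RE = re.compile(r"<\?(php\b|=|\s)|<script[^>]*language\s*=\s*['\"]?php", re.IGNORECASE)
# Parent-directory traversal in the request path.
TRAVERSAL_RE = re.compile(r"\.\.[/\\]")

SAMPLE_LOG = """\
198.51.100.4 - - [30/Jan/2002:10:01:02 -0500] "GET /index.php?page=about HTTP/1.1" 200 1532 "-" "Mozilla/4.0"
198.51.100.4 - - [30/Jan/2002:10:01:09 -0500] "GET /<?php phpinfo(); ?> HTTP/1.1" 404 211 "-" "Mozilla/4.0"
203.0.113.9 - - [30/Jan/2002:10:02:44 -0500] "GET /index.php?page=../../logs/access.log HTTP/1.1" 200 5020 "-" "<?php echo 'x'; ?>"
203.0.113.9 - - [30/Jan/2002:10:03:01 -0500] "GET /%3C%3Fphp%20echo%201%3B%20%3F%3E HTTP/1.1" 404 211 "-" "curl/7.9"
"""


def parse_line(line):
    """Return the log fields as a dict, or None for a line that isn't combined format."""
    m = COMBINED_RE.match(line)
    return m.groupdict() if m else None


def indicators(entry):
    """Return sorted 'field:indicator' strings for the client-controlled fields."""
    found = []
    for field in ("request", "referer", "agent"):
        value = unquote(entry[field])  # %3C%3F... would hide a tag from a naive grep
        if PHP_TAG_RE.search(value):
            found.append(field + ":php-tag")
        if field == "request" and TRAVERSAL_RE.search(value):
            found.append(field + ":traversal")
    return sorted(found)


def scan_log(text):
    """Return (line_no, client_ip, indicators) for every line with at least one indicator."""
    findings = []
    for n, line in enumerate(text.splitlines(), 1):
        entry = parse_line(line)
        if entry is None:
            continue
        hits = indicators(entry)
        if hits:
            findings.append((n, entry["ip"], hits))
    return findings


if __name__ == "__main__":
    for n, ip, hits in scan_log(SAMPLE_LOG):
        print("line %d from %s: %s" % (n, ip, ", ".join(hits)))
```

The third sample line is the one to act on: a PHP tag planted in the User-Agent on the same request that asks the script to read the log file, which is the combination the article describes.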

3. ==== ANNOUNCEMENTS ==== 

* MICROSOFT TECHED 2002: THE DEFINITIVE MICROSOFT CONFERENCE FOR BUILDING 
INTEGRATED SOLUTIONS
   Come to New Orleans April 9 through 13 for the 10th anniversary of TechEd. 
Immerse yourself in .NET Enterprise Server, Windows .NET Server, and Visual 
Studio .NET. Register by February 8, 2002, and you'll also save $400. For 
details, go to the following URL:
   http://msdn.microsoft.com/events/teched/go/2002learn

* NEW! ADO.NET WEBINAR SERIES!
   Don't miss "ADO.NET for the Developer," a new series of three separate 
Webinars brought to you by SQL Server Magazine. Each information-packed session 
is taught by noted SQL Server expert William Vaughn. Don't delay--the first 
session, "Introduction to ADO.NET for ADO Classic Developers" is February 5! For 
more information or to register, go to the following URL:
   http://list.winnetmag.com/cgi-bin3/flo?y=eKWS0CJgSH0CBw0qX50Ab 

4. ==== SECURITY ROUNDUP ==== 

* NEWS: KAVADO OFFERS WEB APPLICATION SECURITY SCANNER AND PROTECTION
   KaVaDo announced a new Web application security scanner, ScanDo, that mimics 
the actions of an attacker to help identify security weaknesses. ScanDo analyzes 
Web site content for potential vulnerabilities in forms, Web code, and scripts.
   http://www.secadministrator.com/articles/index.cfm?articleid=23869

* NEWS: CENTRAL COMMAND OFFERS DISCOUNT ANTIVIRUS SOFTWARE TO SCHOOLS
   Central Command is offering its Vexira Antivirus software to accredited 
colleges, high schools, junior high schools, and grade schools for $1.79 per 
1-year license. 
   http://www.secadministrator.com/articles/index.cfm?articleid=23874

* NEWS: SECOND ANNUAL BNA SECURITY SUMMIT, FEBRUARY 27-28, IN WASHINGTON, D.C.
   Pike & Fischer and parent company BNA announced the second annual BNA Summit 
to be held February 27 and 28 at the Omni Shoreham in Washington, D.C. 
   http://www.secadministrator.com/articles/index.cfm?articleid=23876

* NEWS: RAPIDSTREAM ANNOUNCES HIGH-PERFORMANCE SECURITY APPLIANCES
   RapidStream announced a new line of high-performance security appliances that 
it has built around Check Point Software Technologies' Check Point VPN-1 and 
Check Point Firewall software. 
   http://www.secadministrator.com/articles/index.cfm?articleid=23866

* NEWS: HALIFAX PROVIDES SECURITY TO VETERAN'S AFFAIRS AND IRS
   Halifax announced that the US Department of Veteran's Affairs and the 
Internal Revenue Service (IRS) have selected the company to provide their 
network security. 
   http://www.secadministrator.com/articles/index.cfm?articleid=23871

* NEWS: TOP STORIES OF 2001, #8: .NET AND OPEN ALTERNATIVES FIGHT FOR THE FUTURE
   After Microsoft made it clear throughout 2000 that it was moving toward a 
future of Web services originally called Next Generation Windows Services 
(NGWS), Microsoft revamped its strategy, renamed it .NET, and entered 2001 ready 
to deliver on some of its promises.
   http://www.secadministrator.com/articles/index.cfm?articleid=23824

* FEATURE: EXCHANGE SERVER ANTIVIRUS SOFTWARE BUYER'S GUIDE
   Gauging how serious a threat email viruses pose is difficult because of the 
many hoaxes and relatively benign viruses that exist. But a viral infection is 
never a good thing, and email viruses are especially nefarious because they 
usually spread infection as soon as you open the attachment. Although your end 
users should maintain an antivirus solution on their desktops, ensuring that 
users' virus scanners are regularly updated--or are even running--is difficult. 
The most seamless and transparent way to maintain a virus-free Microsoft 
Exchange Server environment is to use a server-side virus scanner. This buyer's 
guide helps you learn about several great server-side scanners. 
   http://www.secadministrator.com/articles/index.cfm?articleid=23564

* NEWS CORRECTION: REFLEX MAGNETICS SCREENMAIL FOR OUTLOOK 
   Last week SECURITY ROUNDUP announced that UK-based Reflex Magnetics is 
offering its new ScreenMail plugin for Outlook free of charge. It should have 
been "free of charge to charitable organizations." We regret any inconvenience 
this might have caused you.

5. ==== INSTANT POLL ==== 

* RESULTS OF PREVIOUS POLL: PERFORMING FULL SECURITY AUDITS
   The voting has closed in Windows & .NET Magazine's Security Administrator 
Channel nonscientific Instant Poll for the question, "How often does your 
organization perform full security audits?" Here are the results (+/-2 percent) 
from the 177 votes:
  10% 1) Every 3 months or more often
  10% 2) Every 3 to 6 months
  18% 3) Every 6 months to a year
  63% 4) Rarely or after a significant breach
  
* INSTANT POLL: SINGLE OR MULTIPLE FORESTS?
   The current Instant Poll question is, "Do you use a single-forest or 
multiple-forest design with Active Directory, and if you use a single-forest 
design, will you change to multiple?" The choices are 1) Single forest and won't 
change, 2) Single forest but changing to multiple, or 3) Multiple forests. Go to 
the Security Administrator Channel home page and submit your vote.
   http://www.secadministrator.com   

6. ==== SECURITY TOOLKIT ==== 

* VIRUS CENTER 
   Panda Software and the Windows & .NET Magazine Network have teamed to 
bring you the Center for Virus Control. Visit the site often to remain 
informed about the latest threats to your system security. 
   http://www.secadministrator.com/panda 

VIRUS ALERT: MYPARTY
   The MyParty worm (also known as W32/Myparty@MM) is written in Visual C++ and 
compressed with Ultimate Packer for Executables (UPX). The worm spreads in email 
by sending copies of itself to everyone listed in a user's address book. The 
worm propagates as a file attachment called www.myparty.yahoo.com.
   The worm arrives with a message subject of "New photos from my party!" with a 
message body that reads, "Hello, My party... It was absolutely amazing! I have 
attached my Web page with new photos! If you can please make color prints of my 
photos. Thanks!"
   When the recipient opens the attachment, the worm executes and copies itself 
to the C:\Recycled folder with a filename of regctrl.exe. The worm also copies a 
file called msstask.exe to the Startup directory and uses this file to spread 
itself.

http://www.secadministrator.com/panda/index.cfm?fuseaction=virus&virusid=1137

* FAQ: HOW CAN I EXECUTE MICROSOFT SNAP-IN CONSOLE FILES WITHOUT TYPING THE .MSC 
EXTENSION?
 (contributed by John Savill, http://www.windows2000faq.com) 

A. By default, you don't have to type the extension to run certain file types 
(e.g., .exe, .bat). To add the Microsoft Snap-in Console to this list, you need 
to add .msc to your PATHEXT variable. To change this setting for one command 
session, type 

 set pathext=%pathext%;.msc

To change this setting for all of Windows, you need to modify the system 
environment variable by performing the following steps (click OK when prompted 
to close each dialog box): 

1. Start the Control Panel System applet (go to Start, Settings, Control Panel, 
System). 
2. Select the Advanced tab. 
3. Click Environment Variables. 
4. Under "System variables," double-click PATHEXT. 
5. Click Edit and add ;.msc to the end of the string, then click OK. 

You can now start the Microsoft Snap-in Console without typing the .msc file 
extension after the snap-in filename (e.g., devmgmt).

7. ==== NEW AND IMPROVED ==== 
   (contributed by Scott Firestone, IV, productsat_private) 

* TEST EMAIL VULNERABILITIES
   GFI's Email Security Testing Zone launched two email tests that let Outlook 
XP users check whether their system is vulnerable to email threats. Both tests 
consist of an email message carrying an executable attachment in disguise. One 
test contains a Class ID (CLSID) file extension; the other test has a malformed 
HTML Application (HTA) file extension as its basis. You can sign up for the 
tests by submitting your name and email address at GFI's Email Security Testing 
Zone. You will then receive harmless tests by email that let you check for 
vulnerabilities. Contact GFI at 919-388-3373 or 888-243-4329.
   http://www.gfi.com
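Both the MyParty worm described in the Virus Center item above and the GFI tests here rely on an executable attachment whose name does not look like one: a ".com" name that reads as a Web address, or an extension Windows Explorer hides. The following gateway-side attachment check is an added example, not GFI's tests or any vendor's code; the messages are constructed, the CLSID in the sample name is a made-up placeholder, and the assumption that Explorer hides a trailing ".{CLSID}" extension from the displayed name is stated in the code:

```python
"""Screen incoming mail for executable attachments in disguise.

Added example, not GFI's tests or any vendor's code. Covers the two tricks
named in this issue: an executable extension that reads as part of a host
name (www.myparty.yahoo.com ends in .com), and a CLSID extension
(".{GUID}"), which Windows Explorer is assumed here to hide so that
photo.jpg.{GUID} displays as photo.jpg. All messages are constructed.
"""
import re
from email.message import EmailMessage

EXEC_EXTS = {".com", ".exe", ".scr", ".pif", ".bat", ".cmd", ".hta", ".vbs", ".js"}
DOC_EXTS = {".jpg", ".gif", ".txt", ".doc", ".htm", ".html", ".pdf"}
CLSID_RE = re.compile(
    r"\.\{[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}\}$", re.IGNORECASE
)


def classify_name(name):
    """Return the reasons an attachment name is suspicious (empty list = none)."""
    reasons = []
    shown = name
    if CLSID_RE.search(shown):
        reasons.append("clsid-extension")
        shown = CLSID_RE.sub("", shown)  # what the user is assumed to see in Explorer
    parts = shown.lower().rsplit(".", 2)
    ext = "." + parts[-1] if len(parts) > 1 else ""
    if ext in EXEC_EXTS:
        reasons.append("executable-extension:" + ext)
    if len(parts) == 3 and "." + parts[-2] in DOC_EXTS:
        reasons.append("double-extension")  # photos.jpg.exe
    return reasons


def screen(msg):
    """Return [(attachment_name, reasons)] for the flagged attachments of one message."""
    flagged = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        reasons = classify_name(name)
        if reasons:
            flagged.append((name, reasons))
    return flagged


def build_message(subject, body, attachment_name, payload=b"MZ-constructed-payload"):
    """Constructed test message with one binary attachment."""
    msg = EmailMessage()
    msg["From"] = "sender@example.test"
    msg["To"] = "you@example.test"
    msg["Subject"] = subject
    msg.set_content(body)
    msg.add_attachment(payload, maintype="application", subtype="octet-stream",
                       filename=attachment_name)
    return msg


def sample_messages():
    """Constructed messages: MyParty-style, CLSID trick, HTA, and a benign one."""
    return [
        build_message("New photos from my party!", "I have attached my Web page with new photos!",
                      "www.myparty.yahoo.com"),
        build_message("Test 1", "CLSID extension test",
                      "photo.jpg.{12345678-1234-1234-1234-123456789ABC}"),
        build_message("Test 2", "HTA test", "invite.hta"),
        build_message("Minutes", "Attached are the minutes.", "notes.txt"),
    ]


if __name__ == "__main__":
    for msg in sample_messages():
        print("%-28s %s" % (msg["Subject"], screen(msg) or "clean"))
```

The check runs on the attachment name as the MIME part declares it, before any client-side rendering has had a chance to shorten it, which is the point: a filter that trusts the displayed name would pass the CLSID case.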

* UNDERSTAND INTERNET SECURITY CONCEPTS
   Apress released "Developing Trust: Online Privacy and Security," a book by 
Matt Curtin that provides an analysis of Internet security concepts. The book 
also teaches you how to catch, identify, and repair flawed security design 
techniques before you incorporate the design into the final product. The three 
sections of the book are Understanding Security and Privacy, Prevention, and The 
Cure. The 282-page book costs $39.95. Contact Apress at 510-549-5930.
   http://www.apress.com

8. ==== HOT THREADS ==== 

* WINDOWS & .NET MAGAZINE ONLINE FORUMS 
   http://www.winnetmag.net/forums 

Featured Thread: WFV Folders in the System Root Folder
   (Ten messages in this thread)

A user writes that his system has numerous folders with the prefix WFV in the 
system root folder, and the folders seem to be modified daily. He isn't sure 
what the folders are and wonders whether anyone can help him determine what 
creates and modifies them. Can you help?
   http://www.secadministrator.com/forums/thread.cfm?thread_id=83610

* HOWTO MAILING LIST 
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto 

Featured Thread: VPN Clients Not Connecting
   (Eight messages in this thread)

Jorgen has a Windows NT and RAS-based VPN established for remote workers. His 
VPN in Sweden works fine, but his VPNs established in remote offices in other 
countries don't work. He receives error messages that indicate the remote 
computer isn't responding, or that the remote port isn't negotiating. Read the 
responses or lend a hand at the following URL:
   http://63.88.172.96/listserv/page_listserv.asp?a2=ind0201d&l=howto&p=2233

9. ==== CONTACT US ==== 
   Here's how to reach us with your comments and questions: 

* ABOUT IN FOCUS -- markat_private 

* ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private (please 
mention the newsletter name in the subject line) 

* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums 

* PRODUCT NEWS -- productsat_private 

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer 
Support -- securityupdateat_private 

* WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private 

******************** 

   Receive the latest information about the Windows and .NET topics of 
your choice. Subscribe to our other FREE email newsletters. 
   http://www.winnetmag.net/email 

|-+-+-+-+-+-+-+-+-+-| 

Thank you for reading Security UPDATE.


SUBSCRIBE
To subscribe, send a blank email to mailto:Security-UPDATE_Subat_private


-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
of the mail.



This archive was generated by hypermail 2b30 : Thu Jan 31 2002 - 06:46:29 PST