******************** Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET, 2000, and NT systems. http://www.secadministrator.com ******************** ~~~~ THIS ISSUE SPONSORED BY ~~~~ Security/Security Book http://list.winnetmag.com/cgi-bin3/flo?y=eKtd0CJgSH0CBw0rLL0AZ VeriSign--The Value of Trust http://list.winnetmag.com/cgi-bin3/flo?y=eKtd0CJgSH0CBw0p5N0AC (below IN FOCUS) ~~~~~~~~~~~~~~~~~~~~ ~~~~ SPONSOR: SECURITY/SECURITY BOOK ~~~~ Learn how to keep hackers at bay. Now you can get a copy of the e-business security book, "Inside Internet Security: What Hackers Don't Want You to Know," by Jeff Crume, compliments of IBM. Inside, you'll find information on how hackers work to target weaknesses in your systems--and what you can do to stop them. You'll learn real-world strategies for protecting your infrastructure systems, securing your important business information, and building a trusting relationship with the partners, customers, and vendors so vital to your success. Start learning with your copy today at http://list.winnetmag.com/cgi-bin3/flo?y=eKtd0CJgSH0CBw0rLL0AZ <track> ~~~~~~~~~~~~~~~~~~~~ February 27, 2002--In this issue: 1. IN FOCUS - Microsoft Baseline Security Analyzer 2. SECURITY RISKS - Information Disclosure Vulnerability in Microsoft XML Core Services - Information Disclosure Vulnerability in Microsoft IE - Unchecked Buffer in Microsoft Commerce Server 2000 ISAPI Filter - Unchecked Buffer in Microsoft SQL Server 2000 and 7.0 - Buffer Overrun in NetWin WebNEWS for Win2K and NT 4.0 - DoS in Nombas ScriptEase Mini WebServer - Authentication Circumvention Vulnerability in BlueFace Falcon Web Server - Multiple Vulnerabilities in CooolSoft PowerFTP 2.10 3. ANNOUNCEMENTS - Learn from (or Try to Stump) Top Windows Security Pros - Register for a Free NAS Webinar! 4. SECURITY ROUNDUP - News: Guarding Against Privilege Elevation on Win2K and NT - Feature: Trustworthy IIS - Review: Nessus: An Open-Source Option 5. INSTANT POLL - Results of Previous Poll: Honeypots - Instant Poll: Security Testing Tools 6. SECURITY TOOLKIT - Virus Center - Virus Alert: W32/Yarner - FAQ: How Can I Set the Default Domain on the Windows NT Logon Screen? 7. NEW AND IMPROVED - Protect Your Applications - Identify Unauthorized Code 8. HOT THREADS - Windows & .NET Magazine Online Forums - Featured Thread: How Do I Crack or Delete a Directory That I Don't Have Rights to Access? - HowTo Mailing List - Featured Thread: Unable to Add New Machines to Domain 9. CONTACT US See this section for a list of ways to contact us. ~~~~~~~~~~~~~~~~~~~~ 1. ==== IN FOCUS ==== * MICROSOFT BASELINE SECURITY ANALYZER Hello everyone, Microsoft recently demonstrated a new tool at the RSA Security Conference. The tool, Microsoft Baseline Security Analyzer (MBSA), isn't available yet, but a spokesperson at the conference said the tool inspects a PC to determine whether any patches are missing and whether the system is configured correctly. I don't know when the tool will be available, and I didn't find any data about MBSA on Microsoft's TechNet Web site. The tool sounds remarkably similar to Microsoft's HFNetChk tool, with MBSA's added ability to check configurations. As I mentioned in a previous Security UPDATE, Shavlik Technologies worked with Microsoft to develop HFNetChk, and Shavlik recently released HFNetChk Pro, which goes well beyond the capabilities of HFNetChk. http://www.secadministrator.com/articles/index.cfm?articleid=23844 Computerworld reported that the release of MBSA might mean Microsoft is inching into the security test-tool market. If nothing else, by MBSA's adding an ability to check specific configuration settings, the move to release MBSA draws a distinction between Shavlik's HFNetChk Pro tool and Microsoft's less- capable HFNetChk but at the same time introduces some confusion about the amount of overlap between MBSA and the current HFNetChk tool. I'll let you know when I find out more about MBSA and its impending release to the public. http://www.microsoft.com/presspass/features/2002/feb02/02-20mundieqa.asp We're conducting a new poll this week: How would you feel about Microsoft entering the security test-tool market--would you rely on Microsoft's tools to test the security of your systems and network? Stop by the Security Administrator Web site and give us your answer. http://www.secadministrator.com Microsoft Senior Vice President and Chief Technical Officer of Advanced Strategies and Policy Craig Mundie recently conducted an interview with Microsoft's inhouse PressPass staff. The interview is online at the company's Web site and helps explain how Microsoft is steering its "Trustworthy Computing" campaign. Part of the campaign's goal is to help Microsoft users realize that security is about more than systems and network configuration--it also entails privacy, availability, reliability, integrity, and other aspects related to computer use. One interesting comment in the interview relates to how the recent terrorist attacks on America caused Microsoft to take a closer look at the security of its products, especially because security vulnerabilities in Microsoft's code, by the company's own admission, could cost people's lives in certain instances-- for example, if a hospital network crashed or suffered significant intrustion. Microsoft said in the weeks leading up to the Visual .NET Studio launch, the company required its team of project developers to perform an in-depth code review. The team targeted the review specifically at security concerns. As a result, the company made significant changes to the product before its release, without missing its projected release deadline. Now if the company had only had that attitude when it released Windows XP ... Maybe Microsoft's refocus on security matters will result in more secure products right out of the box, especially given the memo from Microsoft Chairman and Chief Software Architect Bill Gates informing employees to place security at the top of their agenda and thought processes. If the new security focus helps, we'll either have to buy licenses to Microsoft's .NET technology to find out, or watch to see what attackers discover when the technology becomes more widely used. You can read the interview with Craig Mundie on Microsoft's Web site. http://www.microsoft.com/presspass/features/2002/feb02/02-20mundieqa.asp One final note: Microsoft released a new document that helps users understand how to better secure their "always-on" DSL and cable modem connections by configuring and using XP's built-in Internet Connection Firewall. The paper, which you can read on Microsoft's Web site, also points to several other sites that help users learn about third-party firewalls. Noticeably missing from Microsoft's list of Web resources is our own Windows & .NET Magazine. In any case, we've discussed and reviewed many firewall products--both enterprise and personal--and we even have a buyer's guide online. You can find the information and reports we published by searching our Security Administrator Web site using the keyword "firewall." http://www.microsoft.com//technet/columns/security/aus1001.asp Until next time, have a great week. Sincerely, Mark Joseph Edwards, News Editor markat_private ~~~~~~~~~~~~~~~~~~~~ ~~~~ SPONSOR: VERISIGN--THE VALUE OF TRUST ~~~~ Is your e-business secure enough? Learn why it's vital to encrypt your business transactions, secure your intranets, and authenticate your Web site with the strongest encryption available--128-bit SSL. To learn more, get VeriSign's FREE Guide, "Securing Your Web Site for Business," now: http://list.winnetmag.com/cgi-bin3/flo?y=eKtd0CJgSH0CBw0p5N0AC ~~~~~~~~~~~~~~~~~~~~ 2. ==== SECURITY RISKS ==== (contributed by Ken Pfeil, kenat_private) * INFORMATION DISCLOSURE VULNERABILITY IN MICROSOFT XML CORE SERVICES A vulnerability exists in how the XMLHTTP control applies Microsoft Internet Explorer (IE) security-zone settings to a redirected data stream that XMLHTTP returns as a response to a request for data from a Web site. An attacker can exploit this problem and specify a data source on the user's local system. http://www.secadministrator.com/articles/index.cfm?articleid=24258 * INFORMATION DISCLOSURE VULNERABILITY IN MICROSOFT IE Peter Aron Zentai of Ivy Hungary discovered a vulnerability in IE that can lead to information disclosure. This problem stems from the way IE handles VBScript when validating cross-domain access, letting one domain's scripts access another domain's contents within a frame. An attacker can use scripts to exploit the vulnerability by extracting other domains' frame contents to send to the attacker's Web site. The attacker can view files located on the user's local machine or capture the contents of third-party Web sites the user visited after leaving the attacker's site. The vulnerability lets an intruder learn personal information about the user, such as usernames, passwords, and credit card information. http://www.secadministrator.com/articles/index.cfm?articleid=24259 * UNCHECKED BUFFER IN MICROSOFT COMMERCE SERVER 2000 ISAPI FILTER An unchecked buffer in the Internet Server API (ISAPI) AuthFilter can lead to a buffer overrun condition. An attacker can exploit this vulnerability to run arbitrary code in the LocalSystem security context, leading to remote compromise of the vulnerable server. http://www.secadministrator.com/articles/index.cfm?articleid=24260 * UNCHECKED BUFFER IN MICROSOFT SQL SERVER 2000 AND 7.0 An unchecked buffer in the handling of OLE database provider names used in ad hoc connections exists in Microsoft SQL Server 2000 and 7.0. Depending on the server's configuration, the unchecked buffer can lead to a buffer overrun condition and remote compromise of the vulnerable server. http://www.secadministrator.com/articles/index.cfm?articleid=24215 * BUFFER OVERRUN IN NETWIN WEBNEWS FOR WIN2K AND NT 4.0 Mark Litchfield discovered a buffer-overrun vulnerability in NetWin's WebNEWS for Windows 2000 and NT 4.0 that lets an attacker execute code under the same security context that Microsoft IIS is running (typically, IUSR_MACHINENAME). By sending a long string (1500 bytes or more) supplied in the group parameter of the query string when the server receives a valid "utoken," it's possible to trigger this condition. Visit the discoverer's advisory for more details. http://www.secadministrator.com/articles/index.cfm?articleid=24200 * DOS IN NOMBAS SCRIPTEASE MINI WEBSERVER Tamer Sahin of Security Office discovered that a Denial of Dervice (DoS) condition exists in Nombas ScriptEase Mini WebServer. By sending a long request, such as http://host/AAAAAA...(Ax2000)...AAAAAA, an attacker can remotely crash the vulnerable server. The vendor, Nombas, has been notified but hasn't issued a patch. http://www.secadministrator.com/articles/index.cfm?articleid=24201 * AUTHENTICATION CIRCUMVENTION VULNERABILITY IN BLUEFACE FALCON WEB SERVER SNS Research discovered an authentication circumvention vulnerability in BlueFace's Falcon Web Server for Windows. A problem in the parsing of requests made to protected directories can let an attacker circumvent the Web server's authentication scheme and access any file in a protected directory without supplying proper credentials. By supplying an additional backslash at the beginning of the virtual path, an intruder can bypass authentication. For example, an attacker can bypass authentication of the http://localhost/test protected directory by accessing http://localhost//test. http://www.secadministrator.com/articles/index.cfm?articleid=24188 * MULTIPLE VULNERABILITIES IN COOOLSOFT POWERFTP 2.10 SNS Research discovered several vulnerabilities in CooolSoft PowerFTP 2.10 for Windows. The first vulnerability lets an attacker traverse the user directory by either a direct-path request (such as DIR C:\) or a double-dot notation (such as DIR \..\*.*) and permits access to any file on the system. A second vulnerability results from the way the system stores all account information unencrypted in the ftpserver.ini file. Access to this file through the directory traversal vulnerability gives an intruder elevated privileges on the system. A third vulnerability involves a DoS attack condition created when the server receives a string of 2050 or more bytes. The vendor, CooolSoft, has been notified but hasn't issued a patch. http://www.secadministrator.com/articles/index.cfm?articleid=24189 3. ==== ANNOUNCEMENTS ==== * LEARN FROM (OR TRY TO STUMP) TOP WINDOWS SECURITY PROS Windows & .NET Magazine LIVE! brings together the gurus who have taken security seriously and have lived to talk about it. Topics include Microsoft IIS security, securing SQL Server, deploying public key infrastructure (PKI), designing Group Policies to enhance security, tips for securing Windows 2000 networks, security pitfalls (and solutions) for your mobile workforce, and more. Register now before this event sells out! http://list.winnetmag.com/cgi-bin3/flo?y=eKtd0CJgSH0CBw0rFx0AD * REGISTER FOR A FREE NAS WEBINAR! Join our free Webinar, "NAS Emerges as a Prime Storage Solution" (sponsored by Dell and Microsoft), and discover how Network Attached Storage (NAS) can meet your enterprise's demands for high availability, manageability, scalability, and performance. Also, learn more about how Win2K is optimized for developing specialized NAS applications, and hear about real-world solutions for NAS and emerging NAS applications. Register today! http://list.winnetmag.com/cgi-bin3/flo?y=eKtd0CJgSH0CBw0rHs0AA 4. ==== SECURITY ROUNDUP ==== * NEWS: GUARDING AGAINST PRIVILEGE ELEVATION ON WIN2K AND NT According to Microsoft Security Bulletin MS02-002, which Microsoft released on January 30, administrators in one Windows 2000 or Windows NT 4.0 domain can elevate their privileges in a trusted domain without the permission of administrators in the trusted domain. Microsoft has developed a mechanism called Security Identifier (SID) Filtering to help prevent this type of unauthorized privilege elevation. Aelita's "Protecting Active Directory from 'Domain Trust' Vulnerability," which you can find on Aelita's Web site in HTML and PDF formats, explains the nature of the vulnerability. Read all about it in this news story on our Web site. http://www.secadministrator.com/articles/index.cfm?articleid=24214 * FEATURE: TRUSTWORTHY IIS In Windows .NET Server, you enable only the Microsoft IIS 6.0 services you want. Security vulnerabilities are one of the key hindrances to the acceptance of Microsoft products as enterprise-level tools. Rival companies (e.g., Sun Microsystems, Oracle) have a heyday with the security breaches in Microsoft products that intruders and viruses regularly expose. Read more about creating a trustworthy IIS system in Michael Otey's feature on our Web site. http://www.secadministrator.com/articles/index.cfm?articleid=23838 * REVIEW: NESSUS: AN OPEN-SOURCE OPTION Nessus is an open-source, UNIX-based vulnerability scanner available for free download from http://www.nessus.org. The solution uses the classic client/server model: a server-based scan engine (similar to Network Associates' Distributed CyberCop Scanner 2.0) to probe network clients and a client that collects and monitors scan data. Learn more about Nessus in Tom Iwanski's review. http://www.secadministrator.com/articles/index.cfm?articleid=23850 5. ==== INSTANT POLL ==== * RESULTS OF PREVIOUS POLL: HONEYPOTS The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Do you use a honeypot on your network?" Here are the results (+/-2 percent) from the 216 votes: 13% 1) Yes, a freeware package 4% 2) Yes, a commercial package 83% 3) No * INSTANT POLL: SECURITY TESTING TOOLS The current Instant Poll question is, "Microsoft has shown increased interest in the security testing-tools market. If Microsoft entered this market, would you rely on its tools to test the security of your systems and network?" The choices are 1) Yes, 2) Yes, but we'd also use another testing tool, or 3) No. Go to the Security Administrator Channel home page and submit your vote. http://www.secadministrator.com 6. ==== SECURITY TOOLKIT ==== * VIRUS CENTER Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda Virus Alert: W32/Yarner W32/Yarner is a mass-mailing worm that, unlike similar worms, uses its own code to propagate instead of using Outlook functionality. The worm deletes every file in the C drive that's not currently in use. The worm arrives with a message subject of "Trojaner-Info Newsletter [current date]" where "[current date]" is the current calendar date. The message includes an extensive message body that appears to be a popular newsletter, but in reality the message is spoofed and isn't a genuine newsletter. The worm message carries a file attachment called yawsetup.exe that, when a user executes the file, installs itself to appear as the built-in Notepad application. The worm renames notepad.exe to notedpad.exe and, in the process, copies itself into the system directory under the filename of notepad.exe. http://188.8.131.52/panda/index.cfm?fuseaction=virus&virusid=1139 * FAQ: HOW CAN I SET THE DEFAULT DOMAIN ON THE WINDOWS NT LOGON SCREEN? ( contributed by John Savill, http://www.windows2000faq.com ) A. To set the default domain each time you log on, follow these steps: 1. Start a registry editor (e.g., regedit.exe). 2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon subkey. 3. Double-click DefaultDomainName (or create this value of type String if it doesn't exist), and set the value to the preferred domain. 4. Double-click AltDefaultDomainName (or create this value of type String if it doesn't exist), and set the value to the preferred domain. 5. Close the registry editor. 7. ==== NEW AND IMPROVED ==== (contributed by Scott Firestone IV, productsat_private) * PROTECT YOUR APPLICATIONS OKENA released StormSystem, a system of integrated products acting in unison to protect applications from threats. OKENA's INCORE architecture powers StormSystem, which correlates an application's use of file, network, registry, and COM functions to define and enforce safe behavior. StormSystem includes StormWatch, which provides overall intrusion prevention for host systems, and StormFront, which ensures protection for any standard or custom application that OKENA doesn't provide out of the box. For pricing, contact OKENA at 781- 209-3200. http://www.okena.com * IDENTIFY UNAUTHORIZED CODE Tiny Software released Trojan Trap 3.0, software that provides an extra layer of protection against worms, Trojan horses, Java applets, and other malicious code by trapping all unauthorized content. The software features detailed, realtime monitoring of all activities on users' PCs; sends out alerts that inform users of each violation and let them react before damage occurs; and contains a cache manager that users can configure to automatically remove session information in the browser cache. Trojan Trap runs on Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x systems and costs $39.95. Contact Tiny Software at 408-919-7360 or 888-994-8469. http://www.tinysoftware.com 8. ==== HOT THREADS ==== * WINDOWS & .NET MAGAZINE ONLINE FORUMS http://www.winnetmag.net/forums Featured Thread: How Do I Crack or Delete a Directory That I Don't Have Rights to Access? (Six messages in this thread) Cody writes that he had an employee who created a directory on one of his file servers. The employee filled it up with 20GB of data, then removed all permissions to this directory except for a user account that he created. When the employee left the company, the account was deleted. Cody doesn't know the name of this user account, so he can't recreate it to access the files. How can Cody delete this directory? Can you help? Read more about the problem at the following URL: http://www.secadministrator.com/forums/thread.cfm?thread_id=96859 * HOWTO MAILING LIST http://www.secadministrator.com/listserv/page_listserv.asp?s=howto Featured Thread: Unable to Add New Machines to Domain (Eleven messages in this thread) A user writes that he recently worked with a client who has not been able to add any Windows NT machines to the network by using the Networking Properties Join the Domain dialogue box. The customer has a simple NT network setup with a variety of NT Workstation and Windows 9x machines. The user has triple-checked all the TCP/IP settings, and they're correct. The NICs are working using loop- back pings, but he can't find the network domain. Can you help? Read the responses or lend a hand at the following URL: http://184.108.40.206/listserv/page_listserv.asp?a2=ind0202c&l=howto&p=84 9. ==== CONTACT US ==== Here's how to reach us with your comments and questions: * ABOUT IN FOCUS -- markat_private * ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private (please mention the newsletter name in the subject line) * TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums * PRODUCT NEWS -- productsat_private * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- securityupdateat_private * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private ******************** Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters. http://www.winnetmag.net/email |-+-+-+-+-+-+-+-+-+-| Thank you for reading Security UPDATE. SUBSCRIBE To subscribe, send a blank email to mailto:Security-UPDATE_Subat_private - ISN is currently hosted by Attrition.org To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Feb 28 2002 - 03:22:12 PST