********************
Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET, 2000, and NT systems.
http://www.secadministrator.com
********************

February 27, 2002--In this issue:

1. IN FOCUS
   - Microsoft Baseline Security Analyzer

2. SECURITY RISKS
   - Information Disclosure Vulnerability in Microsoft XML Core Services
   - Information Disclosure Vulnerability in Microsoft IE
   - Unchecked Buffer in Microsoft Commerce Server 2000 ISAPI Filter
   - Unchecked Buffer in Microsoft SQL Server 2000 and 7.0
   - Buffer Overrun in NetWin WebNEWS for Win2K and NT 4.0
   - DoS in Nombas ScriptEase Mini WebServer
   - Authentication Circumvention Vulnerability in BlueFace Falcon Web Server
   - Multiple Vulnerabilities in CooolSoft PowerFTP 2.10

3. ANNOUNCEMENTS
   - Learn from (or Try to Stump) Top Windows Security Pros
   - Register for a Free NAS Webinar!

4. SECURITY ROUNDUP
   - News: Guarding Against Privilege Elevation on Win2K and NT
   - Feature: Trustworthy IIS
   - Review: Nessus: An Open-Source Option

5. INSTANT POLL
   - Results of Previous Poll: Honeypots
   - Instant Poll: Security Testing Tools

6. SECURITY TOOLKIT
   - Virus Center
      - Virus Alert: W32/Yarner
   - FAQ: How Can I Set the Default Domain on the Windows NT Logon Screen?

7. NEW AND IMPROVED
   - Protect Your Applications
   - Identify Unauthorized Code

8. HOT THREADS
   - Windows & .NET Magazine Online Forums
      - Featured Thread: How Do I Crack or Delete a Directory That I Don't Have Rights to Access?
   - HowTo Mailing List
      - Featured Thread: Unable to Add New Machines to Domain

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====

* MICROSOFT BASELINE SECURITY ANALYZER

Hello everyone,

Microsoft recently demonstrated a new tool at the RSA Security Conference. The tool, Microsoft Baseline Security Analyzer (MBSA), isn't available yet, but a spokesperson at the conference said the tool inspects a PC to determine whether any patches are missing and whether the system is configured correctly. I don't know when the tool will be available, and I didn't find any data about MBSA on Microsoft's TechNet Web site.

The tool sounds remarkably similar to Microsoft's HFNetChk tool, with MBSA's added ability to check configurations. As I mentioned in a previous Security UPDATE, Shavlik Technologies worked with Microsoft to develop HFNetChk, and Shavlik recently released HFNetChk Pro, which goes well beyond the capabilities of HFNetChk.
http://www.secadministrator.com/articles/index.cfm?articleid=23844

Computerworld reported that the release of MBSA might mean Microsoft is inching into the security test-tool market.
If nothing else, by MBSA's adding an ability to check specific configuration settings, the move to release MBSA draws a distinction between Shavlik's HFNetChk Pro tool and Microsoft's less-capable HFNetChk but at the same time introduces some confusion about the amount of overlap between MBSA and the current HFNetChk tool. I'll let you know when I find out more about MBSA and its impending release to the public.
http://www.microsoft.com/presspass/features/2002/feb02/02-20mundieqa.asp

We're conducting a new poll this week: How would you feel about Microsoft entering the security test-tool market--would you rely on Microsoft's tools to test the security of your systems and network? Stop by the Security Administrator Web site and give us your answer.
http://www.secadministrator.com

Microsoft Senior Vice President and Chief Technical Officer of Advanced Strategies and Policy Craig Mundie recently conducted an interview with Microsoft's in-house PressPass staff. The interview is online at the company's Web site and helps explain how Microsoft is steering its "Trustworthy Computing" campaign. Part of the campaign's goal is to help Microsoft users realize that security is about more than systems and network configuration--it also entails privacy, availability, reliability, integrity, and other aspects related to computer use. One interesting comment in the interview relates to how the recent terrorist attacks on America caused Microsoft to take a closer look at the security of its products, especially because security vulnerabilities in Microsoft's code, by the company's own admission, could cost people's lives in certain instances--for example, if a hospital network crashed or suffered significant intrusion.

Microsoft said in the weeks leading up to the Visual .NET Studio launch, the company required its team of project developers to perform an in-depth code review. The team targeted the review specifically at security concerns.
As a result, the company made significant changes to the product before its release, without missing its projected release deadline. Now if the company had only had that attitude when it released Windows XP ...

Maybe Microsoft's refocus on security matters will result in more secure products right out of the box, especially given the memo from Microsoft Chairman and Chief Software Architect Bill Gates informing employees to place security at the top of their agenda and thought processes. If the new security focus helps, we'll either have to buy licenses to Microsoft's .NET technology to find out, or watch to see what attackers discover when the technology becomes more widely used. You can read the interview with Craig Mundie on Microsoft's Web site.
http://www.microsoft.com/presspass/features/2002/feb02/02-20mundieqa.asp

One final note: Microsoft released a new document that helps users understand how to better secure their "always-on" DSL and cable modem connections by configuring and using XP's built-in Internet Connection Firewall. The paper, which you can read on Microsoft's Web site, also points to several other sites that help users learn about third-party firewalls. Noticeably missing from Microsoft's list of Web resources is our own Windows & .NET Magazine. In any case, we've discussed and reviewed many firewall products--both enterprise and personal--and we even have a buyer's guide online. You can find the information and reports we published by searching our Security Administrator Web site using the keyword "firewall."
http://www.microsoft.com//technet/columns/security/aus1001.asp

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
markat_private

~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, kenat_private)

* INFORMATION DISCLOSURE VULNERABILITY IN MICROSOFT XML CORE SERVICES
A vulnerability exists in how the XMLHTTP control applies Microsoft Internet Explorer (IE) security-zone settings to a redirected data stream that XMLHTTP returns as a response to a request for data from a Web site. An attacker can exploit this problem and specify a data source on the user's local system.
http://www.secadministrator.com/articles/index.cfm?articleid=24258

* INFORMATION DISCLOSURE VULNERABILITY IN MICROSOFT IE
Peter Aron Zentai of Ivy Hungary discovered a vulnerability in IE that can lead to information disclosure. This problem stems from the way IE handles VBScript when validating cross-domain access, letting one domain's scripts access another domain's contents within a frame. An attacker can use scripts to exploit the vulnerability by extracting other domains' frame contents to send to the attacker's Web site. The attacker can view files located on the user's local machine or capture the contents of third-party Web sites the user visited after leaving the attacker's site. The vulnerability lets an intruder learn personal information about the user, such as usernames, passwords, and credit card information.
http://www.secadministrator.com/articles/index.cfm?articleid=24259

* UNCHECKED BUFFER IN MICROSOFT COMMERCE SERVER 2000 ISAPI FILTER
An unchecked buffer in the Internet Server API (ISAPI) AuthFilter can lead to a buffer overrun condition. An attacker can exploit this vulnerability to run arbitrary code in the LocalSystem security context, leading to remote compromise of the vulnerable server.
http://www.secadministrator.com/articles/index.cfm?articleid=24260

* UNCHECKED BUFFER IN MICROSOFT SQL SERVER 2000 AND 7.0
An unchecked buffer in the handling of OLE database provider names used in ad hoc connections exists in Microsoft SQL Server 2000 and 7.0. Depending on the server's configuration, the unchecked buffer can lead to a buffer overrun condition and remote compromise of the vulnerable server.
http://www.secadministrator.com/articles/index.cfm?articleid=24215

* BUFFER OVERRUN IN NETWIN WEBNEWS FOR WIN2K AND NT 4.0
Mark Litchfield discovered a buffer-overrun vulnerability in NetWin's WebNEWS for Windows 2000 and NT 4.0 that lets an attacker execute code under the same security context that Microsoft IIS is running (typically, IUSR_MACHINENAME). By sending a long string (1500 bytes or more) supplied in the group parameter of the query string when the server receives a valid "utoken," it's possible to trigger this condition. Visit the discoverer's advisory for more details.
http://www.secadministrator.com/articles/index.cfm?articleid=24200

* DOS IN NOMBAS SCRIPTEASE MINI WEBSERVER
Tamer Sahin of Security Office discovered that a Denial of Service (DoS) condition exists in Nombas ScriptEase Mini WebServer. By sending a long request, such as http://host/AAAAAA...(Ax2000)...AAAAAA, an attacker can remotely crash the vulnerable server. The vendor, Nombas, has been notified but hasn't issued a patch.
http://www.secadministrator.com/articles/index.cfm?articleid=24201

* AUTHENTICATION CIRCUMVENTION VULNERABILITY IN BLUEFACE FALCON WEB SERVER
SNS Research discovered an authentication circumvention vulnerability in BlueFace's Falcon Web Server for Windows. A problem in the parsing of requests made to protected directories can let an attacker circumvent the Web server's authentication scheme and access any file in a protected directory without supplying proper credentials.
By supplying an additional backslash at the beginning of the virtual path, an intruder can bypass authentication. For example, an attacker can bypass authentication of the http://localhost/test protected directory by accessing http://localhost//test.
http://www.secadministrator.com/articles/index.cfm?articleid=24188

* MULTIPLE VULNERABILITIES IN COOOLSOFT POWERFTP 2.10
SNS Research discovered several vulnerabilities in CooolSoft PowerFTP 2.10 for Windows. The first vulnerability lets an attacker traverse the user directory by either a direct-path request (such as DIR C:\) or a double-dot notation (such as DIR \..\*.*) and permits access to any file on the system. A second vulnerability results from the way the system stores all account information unencrypted in the ftpserver.ini file. Access to this file through the directory traversal vulnerability gives an intruder elevated privileges on the system. A third vulnerability involves a DoS attack condition created when the server receives a string of 2050 or more bytes. The vendor, CooolSoft, has been notified but hasn't issued a patch.
http://www.secadministrator.com/articles/index.cfm?articleid=24189

3. ==== ANNOUNCEMENTS ====

* LEARN FROM (OR TRY TO STUMP) TOP WINDOWS SECURITY PROS
Windows & .NET Magazine LIVE! brings together the gurus who have taken security seriously and have lived to talk about it. Topics include Microsoft IIS security, securing SQL Server, deploying public key infrastructure (PKI), designing Group Policies to enhance security, tips for securing Windows 2000 networks, security pitfalls (and solutions) for your mobile workforce, and more. Register now before this event sells out!
http://list.winnetmag.com/cgi-bin3/flo?y=eKtd0CJgSH0CBw0rFx0AD

* REGISTER FOR A FREE NAS WEBINAR!
Join our free Webinar, "NAS Emerges as a Prime Storage Solution" (sponsored by Dell and Microsoft), and discover how Network Attached Storage (NAS) can meet your enterprise's demands for high availability, manageability, scalability, and performance. Also, learn more about how Win2K is optimized for developing specialized NAS applications, and hear about real-world solutions for NAS and emerging NAS applications. Register today!
http://list.winnetmag.com/cgi-bin3/flo?y=eKtd0CJgSH0CBw0rHs0AA

4. ==== SECURITY ROUNDUP ====

* NEWS: GUARDING AGAINST PRIVILEGE ELEVATION ON WIN2K AND NT
According to Microsoft Security Bulletin MS02-002, which Microsoft released on January 30, administrators in one Windows 2000 or Windows NT 4.0 domain can elevate their privileges in a trusted domain without the permission of administrators in the trusted domain. Microsoft has developed a mechanism called Security Identifier (SID) Filtering to help prevent this type of unauthorized privilege elevation. Aelita's "Protecting Active Directory from 'Domain Trust' Vulnerability," which you can find on Aelita's Web site in HTML and PDF formats, explains the nature of the vulnerability. Read all about it in this news story on our Web site.
http://www.secadministrator.com/articles/index.cfm?articleid=24214

* FEATURE: TRUSTWORTHY IIS
In Windows .NET Server, you enable only the Microsoft IIS 6.0 services you want. Security vulnerabilities are one of the key hindrances to the acceptance of Microsoft products as enterprise-level tools. Rival companies (e.g., Sun Microsystems, Oracle) have a heyday with the security breaches in Microsoft products that intruders and viruses regularly expose. Read more about creating a trustworthy IIS system in Michael Otey's feature on our Web site.
http://www.secadministrator.com/articles/index.cfm?articleid=23838

* REVIEW: NESSUS: AN OPEN-SOURCE OPTION
Nessus is an open-source, UNIX-based vulnerability scanner available for free download from http://www.nessus.org.
The solution uses the classic client/server model: a server-based scan engine (similar to Network Associates' Distributed CyberCop Scanner 2.0) to probe network clients and a client that collects and monitors scan data. Learn more about Nessus in Tom Iwanski's review.
http://www.secadministrator.com/articles/index.cfm?articleid=23850

5. ==== INSTANT POLL ====

* RESULTS OF PREVIOUS POLL: HONEYPOTS
The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Do you use a honeypot on your network?" Here are the results (+/-2 percent) from the 216 votes:
   13%  1) Yes, a freeware package
    4%  2) Yes, a commercial package
   83%  3) No

* INSTANT POLL: SECURITY TESTING TOOLS
The current Instant Poll question is, "Microsoft has shown increased interest in the security testing-tools market. If Microsoft entered this market, would you rely on its tools to test the security of your systems and network?" The choices are 1) Yes, 2) Yes, but we'd also use another testing tool, or 3) No. Go to the Security Administrator Channel home page and submit your vote.
http://www.secadministrator.com

6. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

Virus Alert: W32/Yarner
W32/Yarner is a mass-mailing worm that, unlike similar worms, uses its own code to propagate instead of using Outlook functionality. The worm deletes every file in the C drive that's not currently in use. The worm arrives with a message subject of "Trojaner-Info Newsletter [current date]" where "[current date]" is the current calendar date. The message includes an extensive message body that appears to be a popular newsletter, but in reality the message is spoofed and isn't a genuine newsletter.
The worm message carries a file attachment called yawsetup.exe that, when a user executes the file, installs itself to appear as the built-in Notepad application. The worm renames notepad.exe to notedpad.exe and, in the process, copies itself into the system directory under the filename of notepad.exe.
http://220.127.116.11/panda/index.cfm?fuseaction=virus&virusid=1139

* FAQ: HOW CAN I SET THE DEFAULT DOMAIN ON THE WINDOWS NT LOGON SCREEN?
(contributed by John Savill, http://www.windows2000faq.com)

A. To set the default domain each time you log on, follow these steps:

   1. Start a registry editor (e.g., regedit.exe).
   2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon subkey.
   3. Double-click DefaultDomainName (or create this value of type String if it doesn't exist), and set the value to the preferred domain.
   4. Double-click AltDefaultDomainName (or create this value of type String if it doesn't exist), and set the value to the preferred domain.
   5. Close the registry editor.

7. ==== NEW AND IMPROVED ====
(contributed by Scott Firestone IV, productsat_private)

* PROTECT YOUR APPLICATIONS
OKENA released StormSystem, a system of integrated products acting in unison to protect applications from threats. OKENA's INCORE architecture powers StormSystem, which correlates an application's use of file, network, registry, and COM functions to define and enforce safe behavior. StormSystem includes StormWatch, which provides overall intrusion prevention for host systems, and StormFront, which ensures protection for any standard or custom application that OKENA doesn't provide out of the box. For pricing, contact OKENA at 781-209-3200.
http://www.okena.com

* IDENTIFY UNAUTHORIZED CODE
Tiny Software released Trojan Trap 3.0, software that provides an extra layer of protection against worms, Trojan horses, Java applets, and other malicious code by trapping all unauthorized content.
The software features detailed, realtime monitoring of all activities on users' PCs; sends out alerts that inform users of each violation and let them react before damage occurs; and contains a cache manager that users can configure to automatically remove session information in the browser cache. Trojan Trap runs on Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x systems and costs $39.95. Contact Tiny Software at 408-919-7360 or 888-994-8469.
http://www.tinysoftware.com

8. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
http://www.winnetmag.net/forums

Featured Thread: How Do I Crack or Delete a Directory That I Don't Have Rights to Access?
(Six messages in this thread)

Cody writes that he had an employee who created a directory on one of his file servers. The employee filled it up with 20GB of data, then removed all permissions to this directory except for a user account that he created. When the employee left the company, the account was deleted. Cody doesn't know the name of this user account, so he can't recreate it to access the files. How can Cody delete this directory? Can you help? Read more about the problem at the following URL:
http://www.secadministrator.com/forums/thread.cfm?thread_id=96859

* HOWTO MAILING LIST
http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: Unable to Add New Machines to Domain
(Eleven messages in this thread)

A user writes that he recently worked with a client who has not been able to add any Windows NT machines to the network by using the Networking Properties Join the Domain dialogue box. The customer has a simple NT network setup with a variety of NT Workstation and Windows 9x machines. The user has triple-checked all the TCP/IP settings, and they're correct. The NICs are working using loop-back pings, but he can't find the network domain. Can you help?
Read the responses or lend a hand at the following URL:
http://18.104.22.168/listserv/page_listserv.asp?a2=ind0202c&l=howto&p=84

9. ==== CONTACT US ====
Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- markat_private
* ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private (please mention the newsletter name in the subject line)
* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums
* PRODUCT NEWS -- productsat_private
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- securityupdateat_private
* WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private

********************

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe, send a blank email to mailto:Security-UPDATE_Subat_private

-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
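
The BlueFace Falcon and CooolSoft PowerFTP items under SECURITY RISKS above both describe an access decision made on a path that was not reduced to canonical form first. The Python sketch below is an added example, not code from either vendor or from this newsletter; the function names, the protected-prefix list and the D:\ftp\alice root are assumptions made for illustration.

```python
import posixpath
from urllib.parse import unquote

# Constructed for illustration: the protected directory named in the Falcon item.
PROTECTED_PREFIXES = ("/test",)


def naive_is_protected(raw_path):
    """Flawed check: matches the raw request path, so //test is not recognised."""
    return any(raw_path == p or raw_path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def canonical_url_path(raw_path):
    """Reduce a request path (query string already removed) to one canonical form."""
    path = unquote(raw_path).replace("\\", "/")
    if "\x00" in path:
        raise ValueError("NUL byte in request path")
    # normpath collapses repeated slashes and resolves "." and "..", but POSIX
    # rules keep exactly two leading slashes, so strip leading slashes first.
    return posixpath.normpath("/" + path.lstrip("/"))


def is_protected(raw_path):
    """Hardened check: canonicalize, then compare (Windows names ignore case)."""
    path = canonical_url_path(raw_path).lower()
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def confine_ftp_path(user_root, requested):
    """Map a client-supplied FTP path under user_root, or raise PermissionError."""
    parts = []
    for part in requested.replace("/", "\\").split("\\"):
        if part in ("", "."):
            continue
        if part == "..":
            if not parts:
                raise PermissionError("path escapes the user's root")
            parts.pop()
        elif ":" in part or part[-1] in " .":
            # ":" covers drive letters (C:) and NTFS stream names; Win32 drops
            # trailing dots and spaces from names, so refuse them outright.
            raise PermissionError("drive, stream or ambiguous name not allowed")
        else:
            parts.append(part)
    # Lexical confinement only: junctions or links under user_root need a
    # separate check against the resolved path on the real file system.
    return "\\".join([user_root.rstrip("\\"), *parts])


if __name__ == "__main__":
    for raw in ("/test/secret.htm", "//test/secret.htm", "/public/index.htm"):
        print(raw, "naive:", naive_is_protected(raw), "hardened:", is_protected(raw))
    for req in ("docs\\readme.txt", "C:\\", "\\..\\*.*"):
        try:
            print(req, "->", confine_ftp_path("D:\\ftp\\alice", req))
        except PermissionError as exc:
            print(req, "-> refused:", exc)
```

The same canonical form should be the one handed to the file system after the check, so the path that was authorized is the path that is opened.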
This archive was generated by hypermail 2b30 : Thu Feb 28 2002 - 03:22:12 PST