[ISN] Security UPDATE, February 27, 2002

From: InfoSec News (isnat_private)
Date: Wed Feb 27 2002 - 23:21:07 PST


********************
Security UPDATE--brought to you by Security Administrator, a print 
newsletter bringing you practical, how-to articles about securing your 
Windows .NET, 2000, and NT systems.
   http://www.secadministrator.com 
******************** 

February 27, 2002--In this issue: 

1. IN FOCUS
     - Microsoft Baseline Security Analyzer

2. SECURITY RISKS
     - Information Disclosure Vulnerability in Microsoft XML Core Services 
     - Information Disclosure Vulnerability in Microsoft IE 
     - Unchecked Buffer in Microsoft Commerce Server 2000 ISAPI Filter 
     - Unchecked Buffer in Microsoft SQL Server 2000 and 7.0 
     - Buffer Overrun in NetWin WebNEWS for Win2K and NT 4.0 
     - DoS in Nombas ScriptEase Mini WebServer 
     - Authentication Circumvention Vulnerability in BlueFace Falcon Web Server 
     - Multiple Vulnerabilities in CooolSoft PowerFTP 2.10

3. ANNOUNCEMENTS
     - Learn from (or Try to Stump) Top Windows Security Pros
     - Register for a Free NAS Webinar!

4. SECURITY ROUNDUP
     - News: Guarding Against Privilege Elevation on Win2K and NT
     - Feature: Trustworthy IIS
     - Review: Nessus: An Open-Source Option

5. INSTANT POLL
     - Results of Previous Poll: Honeypots
     - Instant Poll: Security Testing Tools

6. SECURITY TOOLKIT
     - Virus Center
          - Virus Alert: W32/Yarner
     - FAQ: How Can I Set the Default Domain on the Windows NT Logon 
       Screen?

7. NEW AND IMPROVED
     - Protect Your Applications
     - Identify Unauthorized Code

8. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: How Do I Crack or Delete a Directory That I 
           Don't Have Rights to Access?
     - HowTo Mailing List
         - Featured Thread: Unable to Add New Machines to Domain

9. CONTACT US 
   See this section for a list of ways to contact us.
 
~~~~~~~~~~~~~~~~~~~~ 

1. ==== IN FOCUS ==== 

* MICROSOFT BASELINE SECURITY ANALYZER

Hello everyone, 

Microsoft recently demonstrated a new tool at the RSA Security Conference. The 
tool, Microsoft Baseline Security Analyzer (MBSA), isn't available yet, but a 
spokesperson at the conference said the tool inspects a PC to determine whether 
any patches are missing and whether the system is configured correctly.

I don't know when the tool will be available, and I didn't find any data about 
MBSA on Microsoft's TechNet Web site. The tool sounds remarkably similar to 
Microsoft's HFNetChk tool, with MBSA's added ability to check configurations. 
As I mentioned in a previous Security UPDATE, Shavlik Technologies worked with 
Microsoft to develop HFNetChk, and Shavlik recently released HFNetChk Pro, 
which goes well beyond the capabilities of HFNetChk. 
   http://www.secadministrator.com/articles/index.cfm?articleid=23844

Computerworld reported that the release of MBSA might mean Microsoft is inching 
into the security test-tool market. If nothing else, by MBSA's adding an 
ability to check specific configuration settings, the move to release MBSA 
draws a distinction between Shavlik's HFNetChk Pro tool and Microsoft's less-
capable HFNetChk but at the same time introduces some confusion about the 
amount of overlap between MBSA and the current HFNetChk tool. I'll let you know 
when I find out more about MBSA and its impending release to the public.
   http://www.microsoft.com/presspass/features/2002/feb02/02-20mundieqa.asp

We're conducting a new poll this week: How would you feel about Microsoft 
entering the security test-tool market--would you rely on Microsoft's tools to 
test the security of your systems and network? Stop by the Security 
Administrator Web site and give us your answer.
   http://www.secadministrator.com 

Microsoft Senior Vice President and Chief Technical Officer of Advanced 
Strategies and Policy Craig Mundie recently conducted an interview with 
Microsoft's in-house PressPass staff. The interview is online at the company's 
Web site and helps explain how Microsoft is steering its "Trustworthy 
Computing" campaign. Part of the campaign's goal is to help Microsoft users 
realize that security is about more than systems and network configuration--it 
also entails privacy, availability, reliability, integrity, and other aspects 
related to computer use.

One interesting comment in the interview relates to how the recent terrorist 
attacks on America caused Microsoft to take a closer look at the security of 
its products, especially because security vulnerabilities in Microsoft's code, 
by the company's own admission, could cost people's lives in certain instances--
for example, if a hospital network crashed or suffered significant intrusion. 
Microsoft said in the weeks leading up to the Visual .NET Studio launch, the 
company required its team of project developers to perform an in-depth code 
review. The team targeted the review specifically at security concerns. As a 
result, the company made significant changes to the product before its release, 
without missing its projected release deadline. Now if the company had only had 
that attitude when it released Windows XP ... 

Maybe Microsoft's refocus on security matters will result in more secure 
products right out of the box, especially given the memo from Microsoft 
Chairman and Chief Software Architect Bill Gates informing employees to place 
security at the top of their agenda and thought processes. If the new security 
focus helps, we'll either have to buy licenses to Microsoft's .NET technology 
to find out, or watch to see what attackers discover when the technology 
becomes more widely used. You can read the interview with Craig Mundie on 
Microsoft's Web site.
   http://www.microsoft.com/presspass/features/2002/feb02/02-20mundieqa.asp

One final note: Microsoft released a new document that helps users understand 
how to better secure their "always-on" DSL and cable modem connections by 
configuring and using XP's built-in Internet Connection Firewall. The paper, 
which you can read on Microsoft's Web site, also points to several other sites 
that help users learn about third-party firewalls. Noticeably missing from 
Microsoft's list of Web resources is our own Windows & .NET Magazine. In any 
case, we've discussed and reviewed many firewall products--both enterprise and 
personal--and we even have a buyer's guide online. You can find the information 
and reports we published by searching our Security Administrator Web site using 
the keyword "firewall." 
   http://www.microsoft.com//technet/columns/security/aus1001.asp

Until next time, have a great week. 

Sincerely, 
Mark Joseph Edwards, News Editor 
markat_private 

~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ==== 
   (contributed by Ken Pfeil, kenat_private) 

* INFORMATION DISCLOSURE VULNERABILITY IN MICROSOFT XML CORE SERVICES 
   A vulnerability exists in how the XMLHTTP control applies Microsoft Internet 
Explorer (IE) security-zone settings to a redirected data stream that XMLHTTP 
returns as a response to a request for data from a Web site. An attacker can 
exploit this problem and specify a data source on the user's local system. 
   http://www.secadministrator.com/articles/index.cfm?articleid=24258

* INFORMATION DISCLOSURE VULNERABILITY IN MICROSOFT IE 
   Peter Aron Zentai of Ivy Hungary discovered a vulnerability in IE that can 
lead to information disclosure. This problem stems from the way IE handles 
VBScript when validating cross-domain access, letting one domain's scripts 
access another domain's contents within a frame. An attacker can use scripts to 
exploit the vulnerability by extracting other domains' frame contents to send 
to the attacker's Web site. The attacker can view files located on the user's 
local machine or capture the contents of third-party Web sites the user visited 
after leaving the attacker's site. The vulnerability lets an intruder learn 
personal information about the user, such as usernames, passwords, and credit 
card information.
   http://www.secadministrator.com/articles/index.cfm?articleid=24259

* UNCHECKED BUFFER IN MICROSOFT COMMERCE SERVER 2000 ISAPI FILTER 
   An unchecked buffer in the Internet Server API (ISAPI) AuthFilter can lead 
to a buffer overrun condition. An attacker can exploit this vulnerability to 
run arbitrary code in the LocalSystem security context, leading to remote 
compromise of the vulnerable server.
   http://www.secadministrator.com/articles/index.cfm?articleid=24260

* UNCHECKED BUFFER IN MICROSOFT SQL SERVER 2000 AND 7.0 
   An unchecked buffer in the handling of OLE database provider names used in 
ad hoc connections exists in Microsoft SQL Server 2000 and 7.0. Depending on 
the server's configuration, the unchecked buffer can lead to a buffer overrun 
condition and remote compromise of the vulnerable server.
   http://www.secadministrator.com/articles/index.cfm?articleid=24215

* BUFFER OVERRUN IN NETWIN WEBNEWS FOR WIN2K AND NT 4.0
   Mark Litchfield discovered a buffer-overrun vulnerability in NetWin's 
WebNEWS for Windows 2000 and NT 4.0 that lets an attacker execute code under 
the same security context that Microsoft IIS is running (typically, 
IUSR_MACHINENAME). By sending a long string (1500 bytes or more) supplied in 
the group parameter of the query string when the server receives a valid 
"utoken," it's possible to trigger this condition. Visit the discoverer's 
advisory for more details.
   http://www.secadministrator.com/articles/index.cfm?articleid=24200

* DOS IN NOMBAS SCRIPTEASE MINI WEBSERVER 
   Tamer Sahin of Security Office discovered that a Denial of Service (DoS) 
condition exists in Nombas ScriptEase Mini WebServer. By sending a long 
request, such as http://host/AAAAAA...(Ax2000)...AAAAAA, an attacker can 
remotely crash the vulnerable server. The vendor, Nombas, has been notified but 
hasn't issued a patch.
   http://www.secadministrator.com/articles/index.cfm?articleid=24201

* AUTHENTICATION CIRCUMVENTION VULNERABILITY IN BLUEFACE FALCON WEB SERVER 
   SNS Research discovered an authentication circumvention vulnerability in 
BlueFace's Falcon Web Server for Windows. A problem in the parsing of requests 
made to protected directories can let an attacker circumvent the Web server's 
authentication scheme and access any file in a protected directory without 
supplying proper credentials. By supplying an additional backslash at the 
beginning of the virtual path, an intruder can bypass authentication. For 
example, an attacker can bypass authentication of the http://localhost/test 
protected directory by accessing http://localhost//test.
   http://www.secadministrator.com/articles/index.cfm?articleid=24188

* MULTIPLE VULNERABILITIES IN COOOLSOFT POWERFTP 2.10
   SNS Research discovered several vulnerabilities in CooolSoft PowerFTP 2.10 
for Windows. The first vulnerability lets an attacker traverse the user 
directory by either a direct-path request (such as DIR C:\) or a double-dot 
notation (such as DIR \..\*.*) and permits access to any file on the system. A 
second vulnerability results from the way the system stores all account 
information unencrypted in the ftpserver.ini file. Access to this file through 
the directory traversal vulnerability gives an intruder elevated privileges on 
the system. A third vulnerability involves a DoS attack condition created when 
the server receives a string of 2050 or more bytes. The vendor, CooolSoft, has 
been notified but hasn't issued a patch.
   http://www.secadministrator.com/articles/index.cfm?articleid=24189
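
The Falcon Web Server and PowerFTP items above both describe an access decision made on a path that was not canonicalized first. As an added example (not code from either vendor, SNS Research, or this newsletter), the Python below puts the flawed prefix check beside a check on the normalized path, and confines an FTP path argument to a user's root; the function names, the /test prefix list, and the D:\ftp\alice root are assumptions made for the illustration.

```python
import ntpath
import posixpath
from urllib.parse import unquote

# Constructed for the example: the protected directory from the Falcon item
# and a hypothetical per-user FTP root.
PROTECTED_PREFIXES = ("/test",)
ROOT = "D:\\ftp\\alice"


def _matches(path):
    return any(path == p or path.startswith(p + "/") for p in PROTECTED_PREFIXES)


def naive_is_protected(url_path):
    """Flawed: tests the raw request path, so //test is not seen as /test."""
    return _matches(url_path)


def canonical_url_path(url_path):
    """Decode once, unify separators, collapse extra slashes and dot segments."""
    path = unquote(url_path).replace("\\", "/")
    # normpath preserves exactly two leading slashes, so reduce them to one first.
    path = posixpath.normpath("/" + path.lstrip("/"))
    # Windows file systems ignore case, so compare in lower case.
    return path.lower()


def is_protected(url_path):
    """Hardened: decide on the canonical path; the server must also serve the
    file from that same canonical path, never from the raw request string."""
    return _matches(canonical_url_path(url_path))


def resolve_in_root(user_root, requested):
    """Map an FTP path argument to a Windows path inside user_root, else None."""
    if "\x00" in requested:
        return None
    drive, rest = ntpath.splitdrive(requested.replace("/", "\\"))
    if drive:
        # Direct-path request (C:\, C:name, \\server\share): never honoured.
        return None
    root = ntpath.normpath(user_root)
    # Treat a leading backslash as "top of the user's root", then fold ".." away.
    candidate = ntpath.normpath(ntpath.join(root, rest.lstrip("\\")))
    # Compare with a trailing separator so D:\ftp\alice2 is not inside D:\ftp\alice.
    root_cmp = ntpath.normcase(root).rstrip("\\") + "\\"
    if (ntpath.normcase(candidate) + "\\").startswith(root_cmp):
        return candidate
    # String checks do not follow links or junctions; a real server should also
    # compare the path the file system finally resolves to.
    return None


if __name__ == "__main__":
    for p in ("/test", "//test", "/\\test", "/%2ftest/a.html", "/testing"):
        print(f"{p!r:20} naive={naive_is_protected(p)} hardened={is_protected(p)}")
    for arg in ("docs\\report.txt", "C:\\", "\\..\\*.*", "docs\\..\\..\\bob"):
        print(f"{arg!r:22} -> {resolve_in_root(ROOT, arg)}")
```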

3. ==== ANNOUNCEMENTS ==== 

* LEARN FROM (OR TRY TO STUMP) TOP WINDOWS SECURITY PROS
   Windows & .NET Magazine LIVE! brings together the gurus who have taken 
security seriously and have lived to talk about it. Topics include Microsoft 
IIS security, securing SQL Server, deploying public key infrastructure (PKI), 
designing Group Policies to enhance security, tips for securing Windows 2000 
networks, security pitfalls (and solutions) for your mobile workforce, and 
more. Register now before this event sells out!
   http://list.winnetmag.com/cgi-bin3/flo?y=eKtd0CJgSH0CBw0rFx0AD 

* REGISTER FOR A FREE NAS WEBINAR!
   Join our free Webinar, "NAS Emerges as a Prime Storage Solution" (sponsored 
by Dell and Microsoft), and discover how Network Attached Storage (NAS) can 
meet your enterprise's demands for high availability, manageability, 
scalability, and performance. Also, learn more about how Win2K is optimized for 
developing specialized NAS applications, and hear about real-world solutions 
for NAS and emerging NAS applications. Register today!
   http://list.winnetmag.com/cgi-bin3/flo?y=eKtd0CJgSH0CBw0rHs0AA 

4. ==== SECURITY ROUNDUP ==== 

* NEWS: GUARDING AGAINST PRIVILEGE ELEVATION ON WIN2K AND NT
   According to Microsoft Security Bulletin MS02-002, which Microsoft released 
on January 30, administrators in one Windows 2000 or Windows NT 4.0 domain can 
elevate their privileges in a trusted domain without the permission of 
administrators in the trusted domain. Microsoft has developed a mechanism 
called Security Identifier (SID) Filtering to help prevent this type of 
unauthorized privilege elevation. Aelita's "Protecting Active Directory from 
'Domain Trust' Vulnerability," which you can find on Aelita's Web site in HTML 
and PDF formats, explains the nature of the vulnerability. Read all about it in 
this news story on our Web site.
   http://www.secadministrator.com/articles/index.cfm?articleid=24214
 
* FEATURE: TRUSTWORTHY IIS
   In Windows .NET Server, you enable only the Microsoft IIS 6.0 services you 
want. Security vulnerabilities are one of the key hindrances to the acceptance 
of Microsoft products as enterprise-level tools. Rival companies (e.g., Sun 
Microsystems, Oracle) have a heyday with the security breaches in Microsoft 
products that intruders and viruses regularly expose. Read more about creating 
a trustworthy IIS system in Michael Otey's feature on our Web site.
   http://www.secadministrator.com/articles/index.cfm?articleid=23838

* REVIEW: NESSUS: AN OPEN-SOURCE OPTION
   Nessus is an open-source, UNIX-based vulnerability scanner available for 
free download from http://www.nessus.org. The solution uses the classic 
client/server model: a server-based scan engine (similar to Network Associates' 
Distributed CyberCop Scanner 2.0) to probe network clients and a client that 
collects and monitors scan data. Learn more about Nessus in Tom Iwanski's 
review. 
   http://www.secadministrator.com/articles/index.cfm?articleid=23850

5. ==== INSTANT POLL ==== 

* RESULTS OF PREVIOUS POLL: HONEYPOTS
   The voting has closed in Windows & .NET Magazine's Security Administrator 
Channel nonscientific Instant Poll for the question, "Do you use a honeypot on 
your network?" Here are the results (+/-2 percent) from the 216 votes:
  13% 1) Yes, a freeware package
   4% 2) Yes, a commercial package
  83% 3) No
  
* INSTANT POLL: SECURITY TESTING TOOLS
   The current Instant Poll question is, "Microsoft has shown increased interest 
in the security testing-tools market. If Microsoft entered this market, would 
you rely on its tools to test the security of your systems and network?" The 
choices are 1) Yes, 2) Yes, but we'd also use another testing tool, or 3) No. Go 
to the Security Administrator Channel home page and submit your vote.
   http://www.secadministrator.com

6. ==== SECURITY TOOLKIT ==== 

* VIRUS CENTER 
   Panda Software and the Windows & .NET Magazine Network have teamed to 
bring you the Center for Virus Control. Visit the site often to remain 
informed about the latest threats to your system security. 
   http://www.secadministrator.com/panda 

Virus Alert: W32/Yarner
   W32/Yarner is a mass-mailing worm that, unlike similar worms, uses its own 
code to propagate instead of using Outlook functionality. The worm deletes 
every file in the C drive that's not currently in use. The worm arrives with a 
message subject of "Trojaner-Info Newsletter [current date]" where "[current 
date]" is the current calendar date. The message includes an extensive message 
body that appears to be a popular newsletter, but in reality the message is 
spoofed and isn't a genuine newsletter. The worm message carries a file 
attachment called yawsetup.exe that, when a user executes the file, installs 
itself to appear as the built-in Notepad application. The worm renames 
notepad.exe to notedpad.exe and, in the process, copies itself into the system 
directory under the filename of notepad.exe.
   http://63.88.172.96/panda/index.cfm?fuseaction=virus&virusid=1139

* FAQ: HOW CAN I SET THE DEFAULT DOMAIN ON THE WINDOWS NT LOGON SCREEN?
   (contributed by John Savill, http://www.windows2000faq.com)

A. To set the default domain each time you log on, follow these steps: 

   1. Start a registry editor (e.g., regedit.exe). 
   2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows 
NT\CurrentVersion\Winlogon subkey. 
   3. Double-click DefaultDomainName (or create this value of type String if it 
doesn't exist), and set the value to the preferred domain. 
   4. Double-click AltDefaultDomainName (or create this value of type String if 
it doesn't exist), and set the value to the preferred domain. 
   5. Close the registry editor. 

7. ==== NEW AND IMPROVED ==== 
   (contributed by Scott Firestone IV, productsat_private) 

* PROTECT YOUR APPLICATIONS
   OKENA released StormSystem, a system of integrated products acting in unison 
to protect applications from threats. OKENA's INCORE architecture powers 
StormSystem, which correlates an application's use of file, network, registry, 
and COM functions to define and enforce safe behavior. StormSystem includes 
StormWatch, which provides overall intrusion prevention for host systems, and 
StormFront, which ensures protection for any standard or custom application 
that OKENA doesn't provide out of the box. For pricing, contact OKENA at 
781-209-3200.
   http://www.okena.com

* IDENTIFY UNAUTHORIZED CODE
   Tiny Software released Trojan Trap 3.0, software that provides an extra 
layer of protection against worms, Trojan horses, Java applets, and other 
malicious code by trapping all unauthorized content. The software features 
detailed, realtime monitoring of all activities on users' PCs; sends out alerts 
that inform users of each violation and let them react before damage occurs; 
and contains a cache manager that users can configure to automatically remove 
session information in the browser cache. Trojan Trap runs on Windows XP, 
Windows 2000, Windows NT, Windows Me, and Windows 9x systems and costs $39.95. 
Contact Tiny Software at 408-919-7360 or 888-994-8469.
   http://www.tinysoftware.com

8. ==== HOT THREADS ==== 

* WINDOWS & .NET MAGAZINE ONLINE FORUMS 
   http://www.winnetmag.net/forums

Featured Thread: How Do I Crack or Delete a Directory That I Don't Have Rights 
to Access?
   (Six messages in this thread)

Cody writes that he had an employee who created a directory on one of 
his file servers. The employee filled it up with 20GB of data, then 
removed all permissions to this directory except for a user account 
that he created. When the employee left the company, the account was 
deleted. Cody doesn't know the name of this user account, so he can't 
recreate it to access the files. How can Cody delete this directory? 
Can you help? Read more about the problem at the following URL: 
   http://www.secadministrator.com/forums/thread.cfm?thread_id=96859

* HOWTO MAILING LIST 
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto 

Featured Thread: Unable to Add New Machines to Domain
   (Eleven messages in this thread)

A user writes that he recently worked with a client who has not been able to add 
any Windows NT machines to the network by using the Networking Properties Join 
the Domain dialogue box. The customer has a simple NT network setup with a 
variety of NT Workstation and Windows 9x machines. The user has triple-checked 
all the TCP/IP settings, and they're correct. The NICs are working using 
loopback pings, but he can't find the network domain. Can you help? Read the 
responses or lend a hand at the following URL:
   http://63.88.172.96/listserv/page_listserv.asp?a2=ind0202c&l=howto&p=84

9. ==== CONTACT US ==== 
   Here's how to reach us with your comments and questions: 

* ABOUT IN FOCUS -- markat_private 

* ABOUT THE NEWSLETTER IN GENERAL -- mlibbeyat_private (please 
mention the newsletter name in the subject line) 

* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums 

* PRODUCT NEWS -- productsat_private 

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer 
Support -- securityupdateat_private

* WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private 

******************** 

   Receive the latest information about the Windows and .NET topics of 
your choice. Subscribe to our other FREE email newsletters. 
   http://www.winnetmag.net/email

|-+-+-+-+-+-+-+-+-+-| 

Thank you for reading Security UPDATE.


ISN is currently hosted by Attrition.org
