[ISN] Security UPDATE, April 10, 2002

From: InfoSec News (isnat_private)
Date: Thu Apr 11 2002 - 01:04:28 PDT


    ******************** 
    Windows & .NET Magazine Security UPDATE--brought to you by Security 
    Administrator, a print newsletter bringing you practical, how-to 
    articles about securing your Windows .NET Server, Windows 2000, and 
    Windows NT systems. 
       http://www.secadministrator.com 
    ******************** 
    
    April 10, 2002--In this issue: 
    
    1. IN FOCUS 
         - Responsible Disclosure: Contingency Plan Needed
    
    2. SECURITY RISKS
         - Buffer Overrun in Microsoft Universal Naming Convention Provider 
           Service 
         - Multiple Vulnerabilities in Cisco Secure Access Control Server 
           for Windows
    
    3. ANNOUNCEMENTS
         - Windows News in a Hurry 
         - Get Valuable Info for Free with IT Consultant Newsletter 
    
    4. SECURITY ROUNDUP
         - News: Dangerous Hole in Win2K and NT Grants Users Full Control
         - News: Microsoft Will Produce Line of Security Products
    
    5. INSTANT POLL
         - Results of Previous Poll: Written and Enforced Password Policy
         - New Instant Poll: Hotfix Availability Notification
    
    6. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Collect All Security Event Logs into One 
           Database?
    
    7. NEW AND IMPROVED
         - Protect Against Attacks
         - Securely Access WLANs
    
    8. HOT THREADS 
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Protecting Executables
         - HowTo Mailing List
             - Featured Thread: Reliable Fix for Windows XP, Win2K, and NT 
               Session Manager Vulnerability
    
    9. CONTACT US 
       See this section for a list of ways to contact us. 
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor, 
    markat_private) 
    
    * RESPONSIBLE DISCLOSURE: CONTINGENCY PLAN NEEDED
    
    More than 3 weeks ago, Radim Picha discovered a serious security 
    vulnerability in Windows 2000 and Windows NT systems. The vulnerability 
    lets users gain system-level access, even with the Guest account. To 
    date, Microsoft hasn't alerted its customers about the exposure--as 
    you'll read in the related news story "Dangerous Hole in Windows 2000 
    and Windows NT Grants Users Full Control" in this issue of Security 
    UPDATE. 
       http://www.secadministrator.com/articles/index.cfm?articleid=24694
    
    When I contacted Microsoft to ask why the company hasn't alerted its 
    customers, a spokesperson informed me that the company is working on 
    the problem but doesn't yet have a fix. Microsoft also said that 
    although Picha alerted the company to the problem, he waited only 2 
    days before posting his discovery--complete with source code that 
    demonstrates the problem--to a public mailing list. I agree that 2 days 
    isn't a lot of time for a company as large as Microsoft to produce a 
    hotfix, especially given the nature of the vulnerability. But this 
    security exposure and Microsoft's response to it do, in fact, raise 
    some important questions.
    
    As you know, in December 2001, we reported Microsoft's launch of a new 
    Gold Certified Partner Program for Security Solutions, which, among 
    other things, requires that program participants report security 
    problems to Microsoft and not alert the public until Microsoft has a 
    fix available. In November 2001, we reported that Microsoft and five 
    other companies (Guardent, Foundstone, BindView, @stake, and Internet 
    Security Systems--ISS) had teamed to draft a proposal that the 
    companies hope will become an industry standard for handling security 
    vulnerabilities--but only after the Internet Engineering Task Force 
    (IETF) has reviewed the draft (see the first URL below). That draft is 
    now available on the IETF Web site (see the second URL below). However, 
    noticeably missing from both Microsoft's new program and the draft 
    proposal to the IETF (see the third URL below) are contingency plans 
    for those instances in which someone reports a security vulnerability 
    to the public before a fix is available. 
       http://www.secadministrator.com/articles/index.cfm?articleid=23307
       http://www.secadministrator.com/articles/index.cfm?articleid=24321
       http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt
    
    Should a company remain silent about security vulnerabilities when 
    someone has already informed the public about an exposure? Should a 
    company remain silent when someone offers source code that demonstrates 
    the exposure? Shouldn't a company at least issue a bulletin telling 
    customers what the basic exposure is, how the company plans to address 
    it, and, most importantly, when the company estimates that it can make 
    a fix available?
    
    Let's face it: IETF standards can't be legally enforced, and 
    Microsoft's Gold Certified Partner Program requirements can't be 
    enforced beyond the program's membership. The bottom line is that 
    although Picha's posting full details about the security vulnerability 
    might have been hasty, Microsoft's silence is also questionable. 
    
    Microsoft should reconsider its practice of remaining silent until a 
    fix is available. The company needs to make public a contingency plan 
    for how it will react under circumstances such as these--in which 
    vulnerabilities are exposed before a fix is available. Unfortunately, 
    Microsoft's silence does say a lot. I think Microsoft customers would 
    like to be assured that the company's security technicians aren't 
    sitting around having coffee and donuts while intruders look for ways 
    to reshape any available demonstration code into nasty exploits against 
    Microsoft customers. I also think that those who shape the impending 
    IETF Request for Comments (RFC) should include contingency plans in the 
    RFC that specifically state how all vendors should react when those who 
    discover exploits ignore the guidelines. Go to the IETF Web site, click 
    the overview, and read "The Tao of the IETF" to learn how you can take 
    part in shaping the RFC.
       http://www.ietf.org
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    2. ==== SECURITY RISKS ====
     
    * BUFFER OVERRUN IN MICROSOFT UNIVERSAL NAMING CONVENTION PROVIDER 
    SERVICE
       A buffer-overrun vulnerability in the Microsoft Multiple Universal 
    Naming Convention Provider (MUP) service lets an attacker use the Local 
    System security context to execute code on a vulnerable system. This 
    vulnerability stems from the fact that the MUP service doesn't check 
    inputs correctly before sending the second copy of the buffer contents 
    to the redirector. The company has released Microsoft Security Bulletin 
    MS02-017 (Unchecked buffer in the Multiple UNC Provider Could Enable 
    Code Execution), which addresses this vulnerability.
       http://www.secadministrator.com/articles/index.cfm?articleid=24710
    
    * MULTIPLE VULNERABILITIES IN CISCO SECURE ACCESS CONTROL SERVER FOR 
    WINDOWS
       Two vulnerabilities exist in Cisco Systems' Secure Access Control 
    Server for Windows. The first vulnerability can lead to arbitrary code 
    execution on the server, and the second problem can lead to information 
    disclosure. The first vulnerability lets an attacker connect to port 
    2002 and send a specially crafted URL to kill the CSADMIN module or 
    execute arbitrary user-supplied code. The second vulnerability lets an 
    attacker use "..\.." in the URL to access data in any directory outside 
    the Web root directory (but only on the same hard disk or disk 
    partition) by accessing the following file types: HTML, HTM, CLASS, 
    JPG, JPEG, and GIF. An attacker must also know the exact location and 
    filename to access the data--the attacker can't use this vulnerability 
    to browse a directory. 
       http://www.secadministrator.com/articles/index.cfm?articleid=24712
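
Added example, not part of the newsletter and not Cisco's code: a defender-side sketch of the containment check that a "..\.." request of the kind described above slips past, shown beside a naive resolver that checks only the file extension. The web root path, the function names, and the sample requests are hypothetical and constructed for illustration; Windows path rules are modelled with Python's ntpath module so the block runs on any platform.

```python
import ntpath
from urllib.parse import unquote

# Hypothetical web root and the file types named in the advisory summary.
WEB_ROOT = r"C:\acs\webroot"
ALLOWED_EXT = {".html", ".htm", ".class", ".jpg", ".jpeg", ".gif"}


def naive_resolve(url_path):
    """Weak pattern: checks the extension but never checks containment."""
    rel = unquote(url_path).lstrip("/")
    full = ntpath.join(WEB_ROOT, rel)
    if ntpath.splitext(full)[1].lower() not in ALLOWED_EXT:
        return None
    # normpath collapses "..", so the result can land outside WEB_ROOT.
    return ntpath.normpath(full)


def safe_resolve(url_path):
    """Hardened pattern: decode, normalise, then require the web root prefix."""
    rel = unquote(url_path).replace("/", "\\").lstrip("\\")
    # A colon means a drive letter or an alternate data stream: refuse both.
    if ":" in rel:
        return None
    full = ntpath.normpath(ntpath.join(WEB_ROOT, rel))
    root = ntpath.normcase(ntpath.normpath(WEB_ROOT))
    # Compare case-insensitively and include the separator, so a sibling
    # directory such as C:\acs\webroot2 does not pass as "inside".
    if not ntpath.normcase(full).startswith(root + "\\"):
        return None
    if ntpath.splitext(full)[1].lower() not in ALLOWED_EXT:
        return None
    return full


if __name__ == "__main__":
    # Constructed sample requests, not taken from any real log.
    samples = [
        "/help/index.html",
        "/..\\..\\secret\\report.html",
        "/..%5c..%5csecret%5creport.html",
        "/..\\webroot2\\a.gif",
    ]
    for s in samples:
        print(f"{s!r:40} naive={naive_resolve(s)!r} safe={safe_resolve(s)!r}")
```

The extension allowlist alone does not help: the traversal request ends in an allowed extension, which matches the summary's point that only the listed file types were readable.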
    
    3. ==== ANNOUNCEMENTS ==== 
    
    * WINDOWS NEWS IN A HURRY
       The simplest way to take a quick pulse of the Windows industry is to 
    make a regular stop at our WinInformant Web site! Whether you're a key 
    decision maker or a down-in-the-trenches administrator, WinInfo is the 
    quick daily dose of news and analysis that you need to face your day 
    informed and armed to the teeth. Check it out!
       http://list.winnetmag.com/cgi-bin3/flo?y=eLVY0CJgSH0CBw0rQA0An
    
    * GET VALUABLE INFO FOR FREE WITH IT CONSULTANT NEWSLETTER
       Sign up today for ITConsultantWire, a FREE email newsletter from 
    Penton Media. This newsletter is specifically designed for IT 
    consultants, bringing you news, product analysis, project management 
    and business logic trends, industry events, and more. Find out more 
    about this solution-packed resource at http://list.winnetmag.com/cgi-bin3/flo?y=eLVY0CJgSH0CBw0rfb0Ah and 
    sign up for FREE!
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: DANGEROUS HOLE IN WIN2K AND NT GRANTS USERS FULL CONTROL
       Three weeks after a user discovered and disclosed information about 
    a dangerous security hole in Windows 2000 and Windows NT, Microsoft 
    still hasn't uttered a peep to its customers about the problem. The 
    exploit, known as DebPloit, lets an intruder gain system-level access--
    even with the Guest account.
       http://www.secadministrator.com/articles/index.cfm?articleid=24694
    
    * NEWS: MICROSOFT WILL PRODUCE LINE OF SECURITY PRODUCTS
       Microsoft has established a new Security Business Unit (SBU) under 
    the direction of Vice President Mike Nash. The SBU will develop a line 
    of security products and solutions for desktops, servers, and networks. 
    Microsoft's new SBU will first determine what types of products and 
    services customers need, then be responsible for delivering those 
    solutions.
       http://www.secadministrator.com/articles/index.cfm?articleid=24695
    
    5. ==== INSTANT POLL ====
    
    * RESULTS OF PREVIOUS POLL: WRITTEN AND ENFORCED PASSWORD POLICY
       The voting has closed in Windows & .NET Magazine's Security 
    Administrator Channel nonscientific Instant Poll for the question, "Does 
    your organization have a written and enforced password policy?" Here are 
    the results (+/- 2 percent) from the 291 votes:
       - 53% We have a written password policy, and we enforce it
       - 11% We have a written password policy, but we don't enforce it
       - 36% We don't have a written password policy
    
    * NEW INSTANT POLL: HOTFIX AVAILABILITY NOTIFICATION
       The next Instant Poll question is, "If someone makes information 
    about a security vulnerability public before the company whose product 
    is involved has developed a fix, should that company notify customers 
    about an estimated time when a fix will be available?" Go to the 
    Security Administrator Channel home page and submit your vote for a) 
    Yes, b) No, or c) Not sure.
       http://www.secadministrator.com
    
    6. ==== SECURITY TOOLKIT ==== 
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed to 
    bring you the Center for Virus Control. Visit the site often to remain 
    informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: HOW CAN I COLLECT ALL SECURITY EVENT LOGS INTO ONE DATABASE?
       ( contributed by John Savill, http://www.windows2000faq.com )
    
    A. Windows 2000 and Windows NT don't provide a way to collect Security 
    logs from individual machines into a central repository. However, 
    several third-party products do. GFI's LANguard Security Event Log 
    Monitor (S.E.L.M.) and TNT Software's ELM Log Manager 3.0 are two such 
    products.
       http://www.gfi.com/lanselm
       http://www.tntsoftware.com/products/elm3/elm30
    
    7. ==== NEW AND IMPROVED ==== 
       (contributed by Carolyn Mascarenas, productsat_private) 
    
    * PROTECT AGAINST ATTACKS
       Agnitum released Outpost Firewall, a personal firewall that can 
    eliminate threats from cookies, banner ads, email viruses, spyware, and 
    other Internet dangers. Outpost performs Web filtering to let parents 
    control computer content. Outpost can prevent dangerous attachments 
    from executing. You can get free updates to Outpost by using the 
    program's built-in update utility. Outpost Firewall runs on Windows XP, 
    Windows 2000, Windows NT, Windows Me, and Windows 9x systems. The 
    software is free. Contact Agnitum at supportat_private
       http://www.agnitum.com
    
    * SECURELY ACCESS WLANs
       Funk Software announced Odyssey, an 802.1x security solution that 
    lets users securely access wireless LANs (WLANs). Odyssey secures the 
    authentication and connection of WLAN users, secures connection 
    credentials, and maintains data privacy. Odyssey Client runs on Windows 
    XP, Windows 2000, Windows Me, and Windows 98 systems. Odyssey Client 
    can communicate with Odyssey Server or any authentication server that 
    supports an Odyssey authentication type. Odyssey Server is a Remote 
    Authentication Dial-In User Service (RADIUS) server that handles 
    connection requests. Odyssey Server with 25 Odyssey Client licenses 
    costs $2500. Contact Funk Software at 617-497-6339 or 800-828-4146.
       http://www.funk.com
    
    8. ==== HOT THREADS ==== 
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS 
       http://www.winnetmag.net/forums
    
    Featured Thread: Protecting Executables
       (Five messages in this thread)
    
    Les has an executable running in RAM on a laptop. The executable is 
    sensitive and must never be written to the local machine's disk. He 
    wants to know how to prevent that from occurring. Can he use a registry 
    key to prevent the executable from being written to disk or to let 
    Windows NT execute the image but still prevent any caching to disk? 
       http://www.secadministrator.com/forums/thread.cfm?thread_id=101438
    
    * HOWTO MAILING LIST 
       http://www.secadministrator.com/listserv/page_listserv.asp?s=howto 
    
    Featured Thread: Reliable Fix for Windows XP, Win2K, and NT Session 
    Manager Vulnerability
       (One message in this thread)
    
    A user wants to know whether anyone has come across a program that 
    reliably fixes the DebPloit exploit (Session Manager vulnerability) for 
    all the current versions/flavors of smss.exe. Can you help?
       http://63.88.172.96/listserv/page_listserv.asp?a2=ind0204a&l=howto&p=188
    
    9. ==== CONTACT US ==== 
       Here's how to reach us with your comments and questions: 
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- vpattersonat_private (please 
    mention the newsletter name in the subject line) 
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums 
    
    * PRODUCT NEWS -- productsat_private 
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer 
    Support -- securityupdateat_private 
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private 
    
    ******************** 
    
       This email newsletter is brought to you by Security Administrator, 
    the print newsletter with independent, impartial advice for IT 
    administrators securing a Windows 2000/Windows NT enterprise. Subscribe 
    today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of 
    your choice. Subscribe to our other FREE email newsletters. 
       http://www.winnetmag.net/email 
    
    |-+-+-+-+-+-+-+-+-+-| 
    
    Thank you for reading Security UPDATE.
    
    -
    ISN is currently hosted by Attrition.org
    