********************
Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~
Learn How to Secure Your Windows Environment!
http://list.winnetmag.com/cgi-bin3/flo?y=eLVY0CJgSH0CBw0sIZ0A6

VeriSign--The Value of Trust
http://list.winnetmag.com/cgi-bin3/flo?y=eLVY0CJgSH0CBw0rYZ0AM
(below IN FOCUS)
~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: LEARN HOW TO SECURE YOUR WINDOWS ENVIRONMENT! ~~~~
Security is the key issue in today's interconnected world, and BindView is right on top of it with a highly informative eBook, "The Definitive Guide to Windows 2000 Security." This eBook offers a comprehensive security methodology for your Microsoft Windows environment. It's heavy into the detail of what goes into a great IT security system, and is specifically geared for Windows platforms. Written by Paul Cooke, an Information Security professional with more than 10 years' experience developing and deploying security solutions, the information packed into these 10 chapters is priceless! Get it FREE at
http://list.winnetmag.com/cgi-bin3/flo?y=eLVY0CJgSH0CBw0sIZ0A6
~~~~~~~~~~~~~~~~~~~~

April 10, 2002--In this issue:

1. IN FOCUS
   - Responsible Disclosure: Contingency Plan Needed

2. SECURITY RISKS
   - Buffer Overrun in Microsoft Universal Naming Convention Provider Service
   - Multiple Vulnerabilities in Cisco Secure Access Control Server for Windows

3. ANNOUNCEMENTS
   - Windows News in a Hurry
   - Get Valuable Info for Free with IT Consultant Newsletter

4. SECURITY ROUNDUP
   - News: Dangerous Hole in Win2K and NT Grants Users Full Control
   - News: Microsoft Will Produce Line of Security Products

5. INSTANT POLL
   - Results of Previous Poll: Written and Enforced Password Policy
   - New Instant Poll: Hotfix Availability Notification

6. SECURITY TOOLKIT
   - Virus Center
   - FAQ: How Can I Collect All Security Event Logs into One Database?

7. NEW AND IMPROVED
   - Protect Against Attacks
   - Securely Access WLANs

8. HOT THREADS
   - Windows & .NET Magazine Online Forums - Featured Thread: Protecting Executables
   - HowTo Mailing List - Featured Thread: Reliable Fix for Windows XP, Win2K, and NT Session Manager Vulnerability

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
(contributed by Mark Joseph Edwards, News Editor, markat_private)

* RESPONSIBLE DISCLOSURE: CONTINGENCY PLAN NEEDED

More than 3 weeks ago, Radim Picha discovered a serious security vulnerability in Windows 2000 and Windows NT systems. The vulnerability lets users gain system-level access, even with the Guest account. To date, Microsoft hasn't alerted its customers about the exposure--as you'll read in the related news story "Dangerous Hole in Windows 2000 and Windows NT Grants Users Full Control" in this issue of Security UPDATE.
http://www.secadministrator.com/articles/index.cfm?articleid=24694

When I contacted Microsoft to ask why the company hasn't alerted its customers, a spokesperson informed me that the company is working on the problem but doesn't yet have a fix. Microsoft also said that although Picha alerted the company to the problem, he waited only 2 days before posting his discovery--complete with source code that demonstrates the problem--to a public mailing list. I agree that 2 days isn't a lot of time for a company as large as Microsoft to produce a hotfix, especially given the nature of the vulnerability. But this security exposure and Microsoft's response to it do, in fact, raise some important questions.

As you know, in December 2001, we reported Microsoft's launch of a new Gold Certified Partner Program for Security Solutions, which, among other things, requires that program participants report security problems to Microsoft and not alert the public until Microsoft has a fix available. In November 2001, we reported that Microsoft and five other companies (Guardent, Foundstone, BindView, @stake, and Internet Security Systems--ISS) had teamed to draft a proposal that the companies hope will become an industry standard for handling security vulnerabilities--but only after the Internet Engineering Task Force (IETF) has reviewed the draft (see the first URL below). That draft is now available on the IETF Web site (see the second URL below). However, noticeably missing from both Microsoft's new program and the draft proposal to the IETF (see the third URL below) are contingency plans for those instances in which someone reports a security vulnerability to the public before a fix is available.
http://www.secadministrator.com/articles/index.cfm?articleid=23307
http://www.secadministrator.com/articles/index.cfm?articleid=24321
http://www.ietf.org/internet-drafts/draft-christey-wysopal-vuln-disclosure-00.txt

Should a company remain silent about security vulnerabilities when someone has already informed the public about an exposure? Should a company remain silent when someone offers source code that demonstrates the exposure? Shouldn't a company at least issue a bulletin telling customers what the basic exposure is, how the company plans to address it, and, most importantly, when the company estimates that it can make a fix available? Let's face it: IETF standards can't be legally enforced, and Microsoft's Gold Certified Partner Program requirements can't be enforced beyond the program's membership. The bottom line is that although Picha's posting full details about the security vulnerability might have been hasty, Microsoft's silence is also questionable.
Microsoft should reconsider its practice of remaining silent until a fix is available. The company needs to make public a contingency plan for how it will react under circumstances such as these--in which vulnerabilities are exposed before a fix is available. Unfortunately, Microsoft's silence does say a lot. I think Microsoft customers would like to be assured that the company's security technicians aren't sitting around having coffee and donuts while intruders look for ways to reshape any available demonstration code into nasty exploits against Microsoft customers. I also think that those who shape the impending IETF Request for Comments (RFC) should include contingency plans in the RFC that specifically state how all vendors should react when those who discover exploits ignore the guidelines. Go to the IETF Web site, click the overview, and read "The Tao of the IETF" to learn how you can take part in shaping the RFC.
http://www.ietf.org

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: VERISIGN--THE VALUE OF TRUST ~~~~
Do you need to encrypt all your online transactions? Secure corporate intranets? Authenticate your Web site? Whatever security your site needs, you'll find the perfect solution in this FREE Guide from VeriSign, "Securing Your Web site for Business." Get your copy today to learn the facts! Click here!
http://list.winnetmag.com/cgi-bin3/flo?y=eLVY0CJgSH0CBw0rYZ0AM
~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====

* BUFFER OVERRUN IN MICROSOFT UNIVERSAL NAMING CONVENTION PROVIDER SERVICE

A buffer-overrun vulnerability in the Microsoft Multiple Universal Naming Convention Provider (MUP) service lets an attacker use the Local System security context to execute code on a vulnerable system. This vulnerability stems from the fact that the MUP service doesn't check inputs correctly before sending the second copy of the buffer contents to the redirector.
The company has released Microsoft Security Bulletin MS02-017 (Unchecked Buffer in the Multiple UNC Provider Could Enable Code Execution), which addresses this vulnerability.
http://www.secadministrator.com/articles/index.cfm?articleid=24710

* MULTIPLE VULNERABILITIES IN CISCO SECURE ACCESS CONTROL SERVER FOR WINDOWS

Two vulnerabilities exist in Cisco Systems' Secure Access Control Server for Windows. The first vulnerability can lead to arbitrary code execution on the server, and the second problem can lead to information disclosure. The first vulnerability lets an attacker connect to port 2002 and send a specially crafted URL to kill the CSADMIN module or execute arbitrary user-supplied code. The second vulnerability lets an attacker use "..\.." in the URL to access data in any directory outside the Web root directory (but only on the same hard disk or disk partition) by accessing the following file types: HTML, HTM, CLASS, JPG, JPEG, and GIF. An attacker must also know the exact location and filename to access the data--the attacker can't use this vulnerability to browse a directory.
http://www.secadministrator.com/articles/index.cfm?articleid=24712

3. ==== ANNOUNCEMENTS ====

* WINDOWS NEWS IN A HURRY

The simplest way to take a quick pulse of the Windows industry is to make a regular stop at our WinInformant Web site! Whether you're a key decision maker or a down-in-the-trenches administrator, WinInfo is the quick daily dose of news and analysis that you need to face your day informed and armed to the teeth. Check it out!
http://list.winnetmag.com/cgi-bin3/flo?y=eLVY0CJgSH0CBw0rQA0An

* GET VALUABLE INFO FOR FREE WITH IT CONSULTANT NEWSLETTER

Sign up today for ITConsultantWire, a FREE email newsletter from Penton Media. This newsletter is specifically designed for IT consultants, bringing you news, product analysis, project management and business logic trends, industry events, and more. Find out more about this solution-packed resource at
http://list.winnetmag.com/cgi-bin3/flo?y=eLVY0CJgSH0CBw0rfb0Ah
and sign up for FREE!

4. ==== SECURITY ROUNDUP ====

* NEWS: DANGEROUS HOLE IN WIN2K AND NT GRANTS USERS FULL CONTROL

Three weeks after a user discovered and disclosed information about a dangerous security hole in Windows 2000 and Windows NT, Microsoft still hasn't uttered a peep to its customers about the problem. The exploit, known as DebPloit, lets an intruder gain system-level access--even with the Guest account.
http://www.secadministrator.com/articles/index.cfm?articleid=24694

* NEWS: MICROSOFT WILL PRODUCE LINE OF SECURITY PRODUCTS

Microsoft has established a new Security Business Unit (SBU) under the direction of Vice President Mike Nash. The SBU will develop a line of security products and solutions for desktops, servers, and networks. Microsoft's new SBU will first determine what types of products and services customers need, then be responsible for delivering those solutions.
http://www.secadministrator.com/articles/index.cfm?articleid=24695

5. ==== INSTANT POLL ====

* RESULTS OF PREVIOUS POLL: WRITTEN AND ENFORCED PASSWORD POLICY

The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Does your organization have a written and enforced password policy?" Here are the results (+/- 2 percent) from the 291 votes:
- 53% We have a written password policy, and we enforce it
- 11% We have a written password policy, but we don't enforce it
- 36% We don't have a written password policy

* NEW INSTANT POLL: HOTFIX AVAILABILITY NOTIFICATION

The next Instant Poll question is, "If someone makes information about a security vulnerability public before the company whose product is involved has developed a fix, should that company notify customers about an estimated time when a fix will be available?" Go to the Security Administrator Channel home page and submit your vote for a) Yes, b) No, or c) Not sure.
http://www.secadministrator.com

6. ==== SECURITY TOOLKIT ====

* VIRUS CENTER

Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda

* FAQ: HOW CAN I COLLECT ALL SECURITY EVENT LOGS INTO ONE DATABASE?
(contributed by John Savill, http://www.windows2000faq.com)

A. Windows 2000 and Windows NT don't provide a way to collect Security logs from individual machines into a central repository. However, several third-party products do. GFI's LANguard Security Event Log Monitor (S.E.L.M.) and TNT Software's ELM Log Manager 3.0 are two such products.
http://www.gfi.com/lanselm
http://www.tntsoftware.com/products/elm3/elm30

7. ==== NEW AND IMPROVED ====
(contributed by Carolyn Mascarenas, productsat_private)

* PROTECT AGAINST ATTACKS

Agnitum released Outpost Firewall, a personal firewall that can eliminate threats from cookies, banner ads, email viruses, spyware, and other Internet dangers. Outpost performs Web filtering to let parents control computer content. Outpost can prevent dangerous attachments from executing. You can get free updates to Outpost by using the program's built-in update utility. Outpost Firewall runs on Windows XP, Windows 2000, Windows NT, Windows Me, and Windows 9x systems. The software is free. Contact Agnitum at supportat_private
http://www.agnitum.com

* SECURELY ACCESS WLANs

Funk Software announced Odyssey, an 802.1x security solution that lets users securely access wireless LANs (WLANs). Odyssey secures the authentication and connection of WLAN users, secures connection credentials, and maintains data privacy. Odyssey Client runs on Windows XP, Windows 2000, Windows Me, and Windows 98 systems. Odyssey Client can communicate with Odyssey Server or any authentication server that supports an Odyssey authentication type. Odyssey Server is a Remote Authentication Dial-In User Service (RADIUS) server that handles connection requests. Odyssey Server with 25 Odyssey Client licenses costs $2500. Contact Funk Software at 617-497-6339 or 800-828-4146.
http://www.funk.com

8. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
http://www.winnetmag.net/forums

Featured Thread: Protecting Executables
(Five messages in this thread)

Les has an executable running in RAM on a laptop. The executable is sensitive and must never be written to the local machine's disk. He wants to know how to prevent that from occurring. Can he use a registry key to prevent the executable from being written to disk or to let Windows NT execute the image but still prevent any caching to disk?
http://www.secadministrator.com/forums/thread.cfm?thread_id=101438

* HOWTO MAILING LIST
http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: Reliable Fix for Windows XP, Win2K, and NT Session Manager Vulnerability
(One message in this thread)

A user wants to know whether anyone has come across a program that reliably fixes the DebPloit exploit (Session Manager vulnerability) for all the current versions/flavors of smss.exe. Can you help?
http://63.88.172.96/listserv/page_listserv.asp?a2=ind0204a&l=howto&p=188

9. ==== CONTACT US ====
Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- markat_private
* ABOUT THE NEWSLETTER IN GENERAL -- vpattersonat_private (please mention the newsletter name in the subject line)
* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums
* PRODUCT NEWS -- productsat_private
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- securityupdateat_private
* WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private

********************
This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
http://www.secadministrator.com/sub.cfm?code=saei25xxup

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
http://www.winnetmag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe, send a blank email to mailto:Security-UPDATE_Subat_private

- ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Thu Apr 11 2002 - 04:03:46 PDT