[ISN] Security UPDATE, May 15, 2002

From: InfoSec News (isnat_private)
Date: Thu May 16 2002 - 00:11:43 PDT

    ******************** 
    Windows & .NET Magazine Security UPDATE--brought to you by Security 
    Administrator, a print newsletter bringing you practical, how-to 
    articles about securing your Windows .NET Server, Windows 2000, and 
    Windows NT systems. 
       http://www.secadministrator.com 
    ******************** 
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    FREE Security eBook from NetIQ--HOT off the Press!
       http://list.winnetmag.com/cgi-bin3/flo?y=eLxo0CJgSH0CBw01ux0AB
    
    Windows & .NET Magazine Webinar: Understanding PKI
       http://list.winnetmag.com/cgi-bin3/flo?y=eLxo0CJgSH0CBw0rcc0Ab 
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    ~~~~ SPONSOR: FREE SECURITY EBOOK FROM NETIQ--HOT OFF THE PRESS! ~~~~
       Need real-world, in-the-trenches advice on securing your Microsoft 
    Windows .NET servers? Register now for "The Tips and Tricks Guide to 
    Securing .NET Server." You'll gain best practices and technical advice 
    that will open your eyes to Microsoft Windows .NET security. Get the 
    inside scoop on legacy systems, .NET group policy, resource management, 
    secure remote access and emerging .NET enhancements. Don't take chances 
    with your .NET security. Register for the FREE eBook now!
       http://list.winnetmag.com/cgi-bin3/flo?y=eLxo0CJgSH0CBw01ux0AB
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    May 15, 2002--In this issue: 
    
    1. IN FOCUS
         - IM Security Considerations in the Enterprise
    2. SECURITY RISKS
         - Unchecked Buffer in MSN Messenger Chat ActiveX Control
         - Buffer Overflow in Macromedia's Flash Player ActiveX Control
    
    3. ANNOUNCEMENTS
         - Get Valuable Info for Free with IT Consultant Newsletter
         - Immediate Access to T-SQL Solutions!
    
    4. SECURITY ROUNDUP
         - News: Microsoft Remedy Hearings: Allchin Explains Genesis, Scope 
           of Trustworthy Computing
         - Feature: Guarding Your CAs
         - Feature: Using the MBSA
    
    5. INSTANT POLL
         - Results of Previous Poll: Security Information Notification
         - New Instant Poll: IM Use
    
    6. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Modify the Installation Credential Settings in 
           Win2K?
    
    7. NEW AND IMPROVED
         - Integrated Security Appliance
         - Universal Antivirus Rescue System
    
    8. HOT THREADS 
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Blocking IM
         - HowTo Mailing List
             - Featured Thread: Not Recovering from a Missing SAM Database
    
    9. CONTACT US 
       See this section for a list of ways to contact us. 
    
    ~~~~~~~~~~~~~~~~~~~~ 
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor, 
    markat_private) 
    
    * IM SECURITY CONSIDERATIONS IN THE ENTERPRISE
    
    Does your organization use Instant Messaging (IM) software? IM has 
    become an incredibly popular tool in the corporate world. Several 
    companies that offer IM networks, including AOL, ICQ ("I Seek You"), 
    Microsoft, and Yahoo!, have IM client packages with various features 
    and capabilities. However, some administrators virtually ignore IM 
    security considerations. For example, IM communications often traverse 
    a network in plain text format, which means someone could eavesdrop 
    easily on private business communications.
     
    If you don't have IM software on your network, don't install it without 
    planning. IM use carries considerable risk and requires not only the 
    implementation of company policies, but also diligent ongoing attention 
    to IM's vulnerabilities. For example, last week Microsoft reported that 
    its MSN Chat Control software contains a buffer-overflow condition that 
    could let intruders run the code of their choice on a user's machine. 
    The problem affects MSN Chat Control, MSN Messenger, and Microsoft 
    Exchange IM and is the third MSN chat security problem that Microsoft 
    has reported this year. (See the related Security UPDATE story at the 
    URL below.) But Microsoft isn't alone in having IM software security 
    problems. So far this year, reports have documented eight security 
    problems with AOL Instant Messenger (AIM), four with Yahoo! Messenger, 
    and five with ICQ (which AOL owns). 
       http://www.secadministrator.com/articles/index.cfm?articleid=25168
    
    You can address one IM security risk, for example, by using security 
    software that protects IM's plain text transport. Cerulean Studios has 
    an IM security solution that's definitely worth a look: Trillian (see 
    the URL below). Among many security-related IM software packages, this 
    solution stands out for two reasons: Trillian permits messaging between 
    several popular IM networks--including AOL, ICQ, Internet Relay Chat 
    (IRC), MSN, and Yahoo!--and it encrypts communications by using 
    continually regenerated encryption keys. Trillian's encryption feature, 
    SecureIM, uses the Blowfish encryption algorithm to generate a new 
    encryption key each time the user begins a new secure chat session. 
    After the software generates a key, it stores the key only in memory 
    and never to disk, making it harder for an attacker to compromise the 
    key.
       http://www.ceruleanstudios.com
     
    AOL recently announced its encrypted messaging client, Enterprise AIM. 
    According to a Washington Post Newsbytes story, AOL has partnered with 
    VeriSign to create the new IM client, which AOL intends to sell to 
    enterprise users. In addition to encrypted communications, Enterprise 
    AIM will use VeriSign's certificate technology to authenticate users, 
    which will help prevent user impersonation. 
       http://www.newsbytes.com/news/02/176517.html
    
    If you subscribe to the Security Administrator monthly print 
    newsletter, you might have read Roger A. Grimes' article in the May 
    issue, "IM Security Primer," InstantDoc ID 24665, which offers a detailed 
    overview of the major IM networks and information about the security 
    concerns they raise for the enterprise. (To learn more about the print 
    newsletter, visit the Security Administrator Channel home page at the URL 
    below.)
       http://www.secadministrator.com
    
    We're conducting a new Instant Poll this week: If your organization 
    uses IM, we want to know which IM software you've standardized on. Stop 
    by our home page and give us your answer.
       http://www.secadministrator.com
     
    ~~~~~~~~~~~~~~~~~~~~ 
    
    ~~~~ SPONSOR: WINDOWS & .NET MAGAZINE WEBINAR: UNDERSTANDING PKI ~~~~
       ATTEND OUR FREE WEBINAR: UNDERSTANDING PKI
       Implementing PKI successfully requires an understanding of the 
    technology with all its implications. Attend the latest Webinar from 
    Windows & .NET Magazine and develop the knowledge you need to address 
    this challenging technology and make informed purchasing decisions. 
    We'll also look closely at three possible content encryption solutions, 
    including PKI. Register for FREE today!
       http://list.winnetmag.com/cgi-bin3/flo?y=eLxo0CJgSH0CBw0rcc0Ab
      
    ~~~~~~~~~~~~~~~~~~~~ 
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * UNCHECKED BUFFER IN MSN MESSENGER CHAT ACTIVEX CONTROL
   eEye Digital Security discovered that a buffer-overflow condition 
exists in the MSN Messenger Chat control that can result in unauthorized 
    code execution. Even if users haven't installed MSN Messenger, an 
    attacker can call the control from the codebase tag, which would prompt 
    users to install the control with Microsoft's credentials because 
    Microsoft signs the OLE custom control (OCX). eEye's advisory gives a 
    detailed explanation of this vulnerability. Microsoft has released 
    Security Bulletin MS02-022 (Unchecked Buffer in MSN Chat Control Can 
    Lead to Code Execution) to address this vulnerability and recommends 
    that affected users apply the appropriate patch listed in the bulletin.
       http://www.secadministrator.com/articles/index.cfm?articleid=25168
    
    * BUFFER OVERFLOW IN MACROMEDIA'S FLASH PLAYER ACTIVEX CONTROL
       A buffer-overflow condition exists in Macromedia's Flash Player 6.0 
    ActiveX Control. An attacker can use this vulnerability to execute code 
    through email, a Web site, or any other way that Microsoft Internet 
    Explorer (IE) displays HTML. eEye Digital Security's advisory gives a 
    detailed explanation of this vulnerability. Macromedia has released an 
    updated version of Flash Player that addresses this vulnerability.
       http://www.secadministrator.com/articles/index.cfm?articleid=25152
    
    3. ==== ANNOUNCEMENTS ====
    
    * GET VALUABLE INFO FOR FREE WITH IT CONSULTANT NEWSLETTER
       Sign up today for IT ConsultantWire, a FREE email newsletter from 
    Penton Media. This newsletter is specifically designed for IT 
    consultants, bringing you news, product analysis, project management 
    and business logic trends, industry events, and more. Find out more 
    about this solution-packed resource and sign up for FREE at
       http://list.winnetmag.com/cgi-bin3/flo?y=eLxo0CJgSH0CBw0rfb0Ad
    
    * IMMEDIATE ACCESS TO T-SQL SOLUTIONS!
       Exclusive in-depth articles, tips, tricks, and code samples all at 
    your fingertips. Content you can't get anywhere else--brought to you by 
    the SQL Server experts you trust such as Kalen Delaney, Itzik Ben-Gan, 
    and others. Increase your productivity today! Go to the following URL.
       http://list.winnetmag.com/cgi-bin3/flo?y=eLxo0CJgSH0CBw0Kqz0AZ
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: MICROSOFT REMEDY HEARINGS: ALLCHIN EXPLAINS GENESIS, SCOPE OF 
    TRUSTWORTHY COMPUTING
       Microsoft Group Vice President Jim Allchin admitted something 
    yesterday that I've suspected ever since I first read the "Trustworthy 
    Computing" email, a missive that Chairman and Chief Software Architect 
    Bill Gates sent to Microsoft employees and that the company 
    purposefully leaked to the press. Under questioning during cross-
    examination at the Microsoft remedy hearings, Allchin said that it was 
    he, not Gates, who originally came up with the Trustworthy Computing 
    idea. Allchin also described the Windows products that the initiative 
    covers. 
       http://www.secadministrator.com/articles/index.cfm?articleid=25159
    
    * FEATURE: GUARDING YOUR CAs
       With the growing emphasis on information security, many companies 
    turn to digital certificates to help increase the level of security on 
    their networks. If your network relies on digital certificates, 
    however, you need to implement some disaster-prevention and -recovery 
    techniques to protect your digital certificates and the Certificate 
    Authorities (CAs) that issue them. A brief review of public key 
    infrastructure (PKI) and an introduction to digital certificates and 
    their CAs will get you started. Then, let's examine some methods 
    designed to help you better guard your certificates, your CAs, and the 
    certificate databases that contain your CAs.
       http://www.secadministrator.com/articles/index.cfm?articleid=25156
    
    * FEATURE: USING THE MBSA
       If you follow the news about Microsoft security tools, you probably 
    know that 6 weeks ago Microsoft released Microsoft Baseline Security 
    Analyzer (MBSA), which has received a fair amount of negative press 
    coverage. 
       The complaints echo what David Chernicoff wrote last year about the 
    Microsoft Personal Security Advisor (MPSA) tool: The information the 
    tool provides isn't as useful as it could be, and you need to 
    understand what each reported entry means before you'll find the tool 
    useful. The MBSA tool that replaced the MPSA has similar problems, 
    which isn't surprising because it uses the same design philosophy.
       http://www.secadministrator.com/articles/index.cfm?articleid=25161
    
    5. ==== INSTANT POLL ====
    
    * RESULTS OF PREVIOUS POLL: SECURITY INFORMATION NOTIFICATION
       The voting has closed in Windows & .NET Magazine's Security 
    Administrator Channel nonscientific Instant Poll for the question, "How 
    should Microsoft notify its customers about new service packs and new or 
    updated security-related rollup packages, tools, and TechNet articles?" 
    Here are the results (+/-2 percent) from the 378 votes:
       - 63% Microsoft should issue security bulletins for all security-
    related matters
       - 34% Microsoft should add a mailing list for non-bulletin security 
    matters 
       -  3% Microsoft needn't notify customers in any additional ways
    
    * NEW INSTANT POLL: IM USE
       The next Instant Poll question is, "If your organization uses 
    Instant Messaging (IM), which IM choice have you standardized on?" Go 
    to the Security Administrator Channel home page and submit your vote 
    for a) AOL Instant Messenger (AIM), b) ICQ, c) MSN Messenger, d) Yahoo! 
    Messenger, or e) Other.
       http://www.secadministrator.com
    
    6. ==== SECURITY TOOLKIT ==== 
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed to 
    bring you the Center for Virus Control. Visit the site often to remain 
    informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: HOW CAN I MODIFY THE INSTALLATION CREDENTIAL SETTINGS IN WIN2K?
       ( contributed by John Savill, http://www.windows2000faq.com )
    
    A. An administrator can lock down a system to prevent a user from 
    installing new software, or the administrator can configure the system 
    so that the user can provide credentials and continue the installation. 
    To modify the installation credential settings for one machine, perform 
    the following steps: 
    
       1. Start a registry editor (e.g., regedit.exe). 
   2. Navigate to the following subkey: 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. 
       3. Double-click the NoRunasInstallPrompt value; set it to 1 to 
    disable credentials or 0 to allow credentials. 
       4. Click OK. 
    
    To modify the installation credential settings for network 
    installations, perform the following steps: 
    
       1. Start a registry editor (e.g., regedit.exe). 
   2. Navigate to the following subkey: 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer. 
       3. Double-click the PromptRunasInstallNetPath value; set it to 1 to 
    disable credentials or 0 to allow credentials. 
       4. Click OK. 
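The two procedures above can be audited and applied from a script instead of regedit. The following PowerShell is an added example, not part of John Savill's FAQ; it uses the HKCU key and the two value names the FAQ gives (NoRunasInstallPrompt, PromptRunasInstallNetPath), and the function names are my own.

```powershell
# Added example (not from the FAQ): audit and set the Explorer policy values
# that control whether a user is prompted for installation credentials.
# Key and value names are taken from the FAQ above; helper names are mine.
$PolicyKey  = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$ValueNames = @('NoRunasInstallPrompt', 'PromptRunasInstallNetPath')

function Get-InstallCredentialPolicy {
    # Report each value using the FAQ's meaning: 1 = credential prompt
    # disabled, 0 = credential prompt allowed, missing = not configured.
    foreach ($name in $ValueNames) {
        $data = $null
        if (Test-Path $PolicyKey) {
            $data = (Get-ItemProperty -Path $PolicyKey -Name $name `
                        -ErrorAction SilentlyContinue).$name
        }
        if ($null -eq $data)  { $state = 'not configured' }
        elseif ($data -eq 1)  { $state = 'credential prompt disabled' }
        elseif ($data -eq 0)  { $state = 'credential prompt allowed' }
        else                  { $state = "unexpected data '$data'" }
        [pscustomobject]@{ Value = $name; Data = $data; State = $state }
    }
}

function Set-InstallCredentialPolicy {
    # Writes one of the two values as a REG_DWORD, creating the key if
    # needed. Supports -WhatIf so the change can be previewed first.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('NoRunasInstallPrompt', 'PromptRunasInstallNetPath')]
        [string]$Name,
        [Parameter(Mandatory)]
        [ValidateSet(0, 1)]
        [int]$Data
    )
    if (-not (Test-Path $PolicyKey)) {
        New-Item -Path $PolicyKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess("$PolicyKey\$Name", "set REG_DWORD to $Data")) {
        Set-ItemProperty -Path $PolicyKey -Name $Name -Value $Data -Type DWord
    }
}

# Audit the current user's settings, then preview disabling the prompt for
# local installs (step 3 of the first procedure); drop -WhatIf to apply.
Get-InstallCredentialPolicy | Format-Table -AutoSize
Set-InstallCredentialPolicy -Name NoRunasInstallPrompt -Data 1 -WhatIf
```

Because the key lives under HKEY_CURRENT_USER, run the script as the user whose installation behaviour you want to change, or deploy it through a logon script.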
    
    7. ==== NEW AND IMPROVED ==== 
       (contributed by Judy Drennen, productsat_private)
    
    * INTEGRATED SECURITY APPLIANCE
       Symantec announced Symantec Gateway Security, a security appliance 
    that integrates firewall, gateway-level antivirus, intrusion-detection, 
    content-filtering, and VPN capabilities in a single solution. Although 
    designed for small and midsized offices, administrators can also manage 
    local and remote appliances over the Internet including advanced 
    configurations, rule sets, and cluster parameters, which reduces total 
    cost of ownership (TCO). Symantec Gateway Security Model 5110 offers 
    throughput of up to 40Mbps with a 50-node license for $11,790; Model 
    5200 offers a throughput of up to 80Mbps with a 250-node license for 
    $23,590; Model 5300 provides a throughput of up to 80Mbps with an 
    unlimited node license for $51,990. Contact Symantec at 408-517-8000.
       http://www.symantec.com
    
    * UNIVERSAL ANTIVIRUS RESCUE SYSTEM
       Central Command released Vexira Antivirus Rescue Disk System, a free 
    virus scanner that can scan Windows, Linux, UNIX, DOS, and OS/2 from a 
    single CD-ROM or disk set. Vexira can remove more than 64,463 viruses, 
    Trojan horses, and other malicious applications, thereby providing 
users with a safety net when they can't start a computer because of 
    file corruption, alterations to the registry, or damaged partition 
    tables. Contact Central Command at 330-723-2062.
       http://www.centralcommand.com
      
    8. ==== HOT THREADS ==== 
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS 
       http://www.winnetmag.com/forums
    
    Featured Thread: Blocking IM
       (Five messages in this thread)
    
    John wants to know whether he can prevent his network users from 
    loading Yahoo! Messenger and similar Instant Messaging (IM) programs 
    onto their systems for use through the company Internet connection. 
       http://www.secadministrator.com/forums/thread.cfm?thread_id=81118
    
    * HOWTO MAILING LIST
       http://www.secadministrator.com/listserv/page_listserv.asp?s=howto
    
    Featured Thread: Not Recovering from a Missing SAM Database
       (Two messages in this thread)
    
    Kit writes that with Windows 2000, if the SAM database is corrupted, 
    the OS politely makes its own blank copy of the SAM and starts up--so 
you can immediately restore from backup. On some machines, he doesn't 
    want that to happen. Is there a registry setting he can change to 
    prevent this behavior? Can you help? Read the responses or lend a hand 
    at the following URL:
       http://63.88.172.96/listserv/page_listserv.asp?a2=ind0205a&l=howto&p=503
    
    9. ==== CONTACT US ==== 
   Here's how to reach us with your comments and questions: 
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- vpattersonat_private (please 
    mention the newsletter name in the subject line) 
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums 
    
    * PRODUCT NEWS -- productsat_private 
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer 
    Support -- securityupdateat_private 
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private 
    
    ******************** 
    
       This email newsletter is brought to you by Security Administrator, 
    the print newsletter with independent, impartial advice for IT 
    administrators securing a Windows 2000/Windows NT enterprise. Subscribe 
    today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of 
    your choice. Subscribe to our other FREE email newsletters. 
       http://www.winnetmag.com/email 
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE. 
    
    You are subscribed as isnat_private
    
    MANAGE YOUR ACCOUNT
    You can manage your entire Windows & .NET Magazine Network email 
    newsletter account on our Web site. Simply log on and you can change 
    your email address, update your profile information, and subscribe or 
    unsubscribe to any of our email newsletters all in one place.
       http://www.winnetmag.com/email
    
    SUBSCRIBE
    To quickly subscribe, send a blank email to mailto:Security-UPDATE_Subat_private
    
    UNSUBSCRIBE
    To quickly unsubscribe, send a blank email to 
    mailto:Security-UPDATE_Unsubat_private
    
    Thank you!
    __________________________________________________________
    Copyright 2002, Penton Media, Inc.
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    