[ISN] Security UPDATE, June 12, 2002

From: InfoSec News (isnat_private)
Date: Thu Jun 13 2002 - 00:50:38 PDT


    ********************
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows .NET Server, Windows 2000, and
    Windows NT systems.
       http://www.secadministrator.com
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    FREE Security White Paper from NetIQ!
       http://list.winnetmag.com/cgi-bin3/flo?y=eMJj0CJgSH0CBw02Vp0Ah
    
    ST. BERNARD SOFTWARE
       http://list.winnetmag.com/cgi-bin3/flo?y=eMJj0CJgSH0CBw0qyw0AS
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: FREE SECURITY WHITE PAPER FROM NETIQ! ~~~~
       Need to secure your network against intrusion while minimizing IT
    costs and downtime? Get a real-time solution for immediate action and
    future protection. A security event correlation system pulls together
    information from all three stages of network security: prevention,
    detection and reaction. Learn the best practices you need to secure
    your network today. Read NetIQ's free white paper, "Security Event
    Correlation: "Where are We Now?"
       Download it now!
       http://list.winnetmag.com/cgi-bin3/flo?y=eMJj0CJgSH0CBw02Vp0Ah
    
    ~~~~~~~~~~~~~~~~~~~~
    
    June 12, 2002--In this issue:
    
    1. IN FOCUS
         - Federated Networks: The Next Wave of Security
    
    2. SECURITY RISKS
         - DoS in ISC's BIND 9.0
         - Unchecked Buffer in ASP.NET Component of Microsoft .NET
         - Multiple Vulnerabilities in Yahoo! Messenger
    
    3. ANNOUNCEMENTS
         - Get Valuable Info for Free with IT Consultant Newsletter
         - Attend Black Hat Briefings & Training, July 29-August 1, 2002,
           Las Vegas
    
    4. SECURITY ROUNDUP
         - Feature: Microsoft Plans SQL Server Security Guide
         - Feature: Roll Out Secure Servers
         - Feature: Hunting Malicious Code
         - News: Microsoft Counters Sun Liberty Alliance with TrustBridge
     
    5. INSTANT POLL
         - Results of Previous Poll: IM Policy
         - New Instant Poll: IM Add-Ons
    
    6. HOT RELEASE
         - Is Your Network at Risk? Test Sybari's Antigen!
    
    7. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How to Automatically Install URLScan
    
    8. NEW AND IMPROVED
         - Submit Top Product Ideas
         - Security Assessment Product
         - Book: Securing Windows NT/2000: From Policies to Firewalls
    
    9. HOT THREADS
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Stop Applications from Executing
    
    10. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor,
    markat_private)
    
    * FEDERATED NETWORKS: THE NEXT WAVE OF SECURITY
    
    Have you heard about the upcoming federated networks? Two groups, the
    Liberty Alliance and the Web Services Interoperability Organization
    (WS-I), are developing the technology to let users better manage their
    credentials for cross-site authentication and network access between
    dissimilar topologies and protocols. The goal is to make single
    sign-on (SSO) easier by developing methods that let users authenticate
    once with the provider of their choice and gain subsequent access to
    other networks within a federation transparently.
       http://www.projectliberty.org
       http://www.ws-i.org
    
    Sun Microsystems launched the Liberty Alliance Project last September.
    The Liberty Alliance intends to "create an open, federated solution
    for network identity--enabling ubiquitous single sign on,
    decentralized authentication and open authorization from any device
    connected to the Internet, from traditional desktop computers and
    cellular phones through to TVs, automobiles, credit cards and
    point-of-sale terminals." The Liberty Alliance maintains that the
    development and adoption of such specifications would prevent various
    service providers from creating "Internet toll-booths."
    
    "Without an open federated identity model for the Internet, there's
    risk that only a few companies and their preferred sets of partners
    will become firmly established as the service brokers of the
    Internet," said a Liberty Alliance spokesperson. "Companies will be
    charged to use services brokered through these Internet toll takers.
    Merchants and financial institutions will certainly pay for
    authentication and access to these profiles. In short, a company that
    is not a service broker will be charged for access to [its] own
    communities--communities built on the backs of [its] own shareholders
    and citizens."
    
    The Liberty Alliance is developing an open specification and invites
    participation in the process. Various alliance membership levels are
    available to any organization. To date, more than 40 major companies
    participate in the organization, including American Express, Visa,
    MasterCard, Citigroup, AOL, General Motors, Sony, Cisco Systems,
    Hewlett-Packard (HP), United Airlines, Novell, RSA Security, Entrust,
    the Apache Software Foundation, and VeriSign. Phase I of the
    specification is due for release any time now, and the organization
    expects to announce the next development phases, including the time
    frames in which protocols for the specification will be made
    available.
    
    In April, Microsoft, IBM, and VeriSign announced Web Services Security
    (WS-Security) with an accompanying specification. The specification
    defines a standard set of Simple Object Access Protocol (SOAP)
    extensions or message headers for exchanging secure, signed messages
    in a Web services environment. According to Microsoft, WS-Security is
    "designed to support XML Web services capable of seamlessly crossing
    organizational, network, application, database, and trust boundaries."
    The specification will support many types of credential information,
    including Kerberos, public key infrastructure (PKI), Extensible Rights
    Markup Language (XrML), Security Assertion Markup Language (SAML), and
    Secure Sockets Layer (SSL)/Transport Layer Security (TLS). The support
    "means that organizations can begin to build solutions on this
    foundation today, and do not need to throw away their current security
    infrastructure investments." Furthermore, WS-Security will let users
    directly federate Active Directories (ADs) over the Internet and let
    Windows .NET Server (Win.NET Server) accept Microsoft .NET Passport as
    a credential type when passports are mapped to an AD account.
     
     http://msdn.microsoft.com/library/en-us/dnglobspec/html/ws-security.asp
    
    Microsoft announced that it will release TrustBridge for Win.NET
    Server in 2003. TrustBridge will be built on WS-Security technology
    and will let Win.NET Server-based applications use credentials that
    non-Microsoft products that use WS-Security generate. For example, IBM
    will add WS-Security support to its middleware products. You can read
    the related news story in this newsletter for more information about
    TrustBridge.
       http://www.secadministrator.com/articles/index.cfm?articleid=25501
    
    Microsoft anticipates that "the proposed model and specifications that
    emerge (WS-Security) will be broadly available from multiple vendors
    and will be considered by appropriate standards organizations." In the
    meantime, the company also announced that .NET Passport would support
    WS-Security by 2003, and that it will add WS-Security to Visual Studio
    .NET and .NET Framework this year. The WS-I organization expects to
    see its members release a set of sample applications that demonstrate
    WS-Security interoperability this year.
    
    WS-I boasts more than 1000 members, including notable heavyweights
    such as Intel, AT&T, Procter and Gamble, and Sabre. And although some
    companies such as HP and VeriSign have chosen to participate in both
    efforts, another industry leader, Sun, hasn't joined the WS-I
    organization. According to an InfoWorld Media Group report, Sun wants
    to participate, but only if it can have a seat on the board of
    directors with its competitors Microsoft and IBM in an effort to gain
    parity in decision making. To date, WS-I has declined to modify its
    current board, which isn't surprising given that Sun's Java competes
    with Microsoft's .NET Web services technology.
       http://www.infoworld.com/articles/hn/xml/02/04/18/020418hnwsi.xml
    
    Federated networks promise to further change the way we manage privacy
    and authentication credentials. Be sure to keep an eye on the Liberty
    Alliance Project and WS-I's developments.
     
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: PC MAGAZINE EDITORS' CHOICE FOR WEB FILTERING ~~~~
       There are many approaches to Web filtering today, from desktop
    software to server and firewall add-ons to ISP/ASP services to
    filtering appliances. PC Magazine tested a dozen of the leading Web
    filtering solutions and selected the iPrism Filtering Appliance as
    best for business use. They concluded, "iPrism's the best return on a
    busy network administrator's time and money."
       To find out if iPrism might be best for you, please visit:
    http://list.winnetmag.com/cgi-bin3/flo?y=eMJj0CJgSH0CBw0qyw0AS
    
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * DoS IN ISC'S BIND 9.0
       The Internet Software Consortium (ISC) reported a Denial of Service
    (DoS) condition in its BIND DNS software. The vulnerability stems
    from a logic error in BIND that lets remote attackers cause a DNS
    server running BIND 9.0 through BIND 9.2.0 to fail and shut down,
    requiring a manual restart. ISC recommends that affected users either
    apply a patch that their OEM supplies or upgrade immediately to BIND
    9.2.1.
       http://www.secadministrator.com/articles/index.cfm?articleid=25494
    
    * UNCHECKED BUFFER IN ASP.NET COMPONENT OF MICROSOFT .NET
       A vulnerability in the ASP.NET component of the Microsoft .NET
    Framework can result in a Denial of Service (DoS) condition or
    execution of arbitrary code on the vulnerable system. This
    vulnerability stems from an unchecked buffer in a routine that handles
    cookie processing in the StateServer mode. Microsoft has released
    Microsoft Security Bulletin MS02-026 (Unchecked Buffer in ASP.NET
    Worker Process) to address this vulnerability and recommends that
    affected users apply the appropriate patch.
       http://www.secadministrator.com/articles/index.cfm?articleid=25512
    
    * MULTIPLE VULNERABILITIES IN YAHOO! MESSENGER
       Scott Woodward, Phuong Nguyen, and Adam Lang discovered multiple
    vulnerabilities in Yahoo! Messenger that can lead to remote compromise
    of the affected system. The first vulnerability is a buffer-overflow
    condition in the messenger Uniform Resource Identifier (URI) handler
    "ymsgr:". The second vulnerability, in the Yahoo! Messenger "addview"
    function, lets an attacker execute arbitrary script and HTML in the
    Internet security zone of the local machine. Yahoo! recommends that
    affected users upgrade to version 5, 0, 0, 1065 or a later version.
       http://www.secadministrator.com/articles/index.cfm?articleid=25498
    
    3. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * GET VALUABLE INFO FOR FREE WITH IT CONSULTANT NEWSLETTER
       Sign up today for IT ConsultantWire, a FREE email newsletter from
    Penton Media. This newsletter is specifically designed for IT
    consultants, bringing you news, product analysis, project management
    and business logic trends, industry events, and more. Find out more
    about this solution-packed resource and sign up for FREE at
       http://list.winnetmag.com/cgi-bin3/flo?y=eMJj0CJgSH0CBw0rfb0An
    
    * ATTEND BLACK HAT BRIEFINGS & TRAINING, JULY 29-AUGUST 1, 2002, LAS
    VEGAS
       Black Hat Briefings is the world's premier technical security
    event, featuring 8 tracks and 12 training sessions, with lots of
    Windows topics coverage, full support by Microsoft, and a keynote by
    Richard Clarke. See for yourself what the buzz is all about. Register
    today!
       http://list.winnetmag.com/cgi-bin3/flo?y=eMJj0CJgSH0CBw0pHV0A4
    
    4. ==== SECURITY ROUNDUP ====
    
    * FEATURE: MICROSOFT PLANS SQL SERVER SECURITY GUIDE
       Security has always been an important aspect of database
    management. However, according to James Hamilton, one of three
    architects on the Microsoft SQL Server development team, some of the
    ground rules for how a DBA needs to think about security have changed.
    Brian Moran gleaned some interesting perspectives about security
    during a conversation with Hamilton, who has responsibility and vision
    for "thinking about security" as it relates to SQL Server.
       http://www.secadministrator.com/articles/index.cfm?articleid=25343
    
    * FEATURE: ROLL OUT SECURE SERVERS
       Once upon a time, Mark Minasi thought nothing of building a new
    test server without hotfixes or service packs. After all, it was just
    a test server; it contained no important data, so he didn't care
    whether the server was secure. But those were the days before the
    Microsoft IIS worms. Nowadays, if he puts an unsecured server on the
    network, it could become infected and become one of the legions of
    machines that spend all day looking for other computers to infect.
       A fan of both scripting and Microsoft Remote Installation Services
    (RIS), Minasi shows you how to set up a RIS server that will let you
    start an automated Windows 2000 installation, walk away for a while,
    and return to find all the latest hotfixes installed. Although he
    builds his example on RIS, this approach also works on a simpler
    network-based installation that uses a shared i386.
       http://www.secadministrator.com/articles/index.cfm?articleid=24892
    
    * FEATURE: HUNTING MALICIOUS CODE
       The phone calls always start the same way: "My antivirus scanner
    isn't finding anything, but I know something is there." No one calls
    an antivirus consultant until the usual antivirus tools and checks
    have failed. And the caller's statement doesn't surprise me. So, how
    do you find malicious code (e.g., worms, viruses, Trojan horses,
    backdoor programs) when the expert tools can't find it? Seven steps
    will help you find viruses and other types of malicious programs on
    all Windows systems.
       http://www.secadministrator.com/articles/index.cfm?articleid=24899
    
    * NEWS: MICROSOFT COUNTERS SUN LIBERTY ALLIANCE WITH TRUSTBRIDGE
       Microsoft has announced TrustBridge, a new technology that will let
    businesses share user identity information between applications and
    organizations. A Microsoft spokesperson said, "TrustBridge technology
    will allow different organizations using the Windows operating system
    to exchange user identities and interoperate in heterogeneous
    environments."
       http://www.secadministrator.com/articles/index.cfm?articleid=25501
    
    5. ==== INSTANT POLL ====
    
    * RESULTS OF PREVIOUS POLL: IM POLICY
       The voting has closed in Windows & .NET Magazine's Security
    Administrator Channel nonscientific Instant Poll for the question,
    "Which of the following answers best describes your organization's
    approach to Instant Messaging (IM) use?" Here are the results (+/- 2
    percent) from the 259 votes:
       - 20% We standardize on one package
       - 16% We let users make their own IM choice
       - 62% We don't let users use IM
    
    * NEW INSTANT POLL: IM ADD-ONS
       The next Instant Poll question is, "If your organization permits
    Instant Messaging (IM) software use, do you use security add-ons?" Go
    to the Security Administrator Channel home page and submit your vote
    for the answer that most closely matches your organization's approach
    to IM: a) Yes--We use IM software plus an antivirus add-on, b) Yes--We
    use IM software plus an encrypted-transport add-on, c) Yes--We use IM
    software plus antivirus and encrypted-transport add-ons, or d) No--We
    use IM software without security add-ons.
       http://www.secadministrator.com
    
    6. ==== HOT RELEASE ====
    
    * IS YOUR NETWORK AT RISK? TEST SYBARI'S ANTIGEN!
       Take the Sybari Challenge and test Antigen. If Antigen catches
    viruses missed by your installed solution, you'll get a free t-Shirt
    and 5% off your Antigen purchase through June 30th. For details go to
       http://list.winnetmag.com/cgi-bin3/flo?y=eMJj0CJgSH0CBw02Vq0Ai
    
    7. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: HOW TO AUTOMATICALLY INSTALL URLSCAN
       (contributed by Randy Franklin Smith, rsmithat_private)
    
       To install URLScan automatically, use the IIS Lockdown Wizard,
    which is included in the IIS Lockdown tool. The wizard asks you which
    type of Web server you're running and which Microsoft IIS-related
    products (e.g., Microsoft FrontPage Server Extensions, Microsoft
    Commerce Server) are installed. The wizard then attempts to lock down
    your server without breaking any functionality that your installed
    tools and products require. The wizard installs URLScan, disables
    specified script mappings (for information about these script
    mappings, go to
    http://www.microsoft.com/technet/security/tools/tools/locktool.asp),
    disables specified services, removes specified folders that contain
    dangerous sample content (from the default installation of IIS), and
    strengthens file permissions to prevent anonymous users from writing
    to content directories and running system utilities.
       If using the IIS Lockdown Wizard breaks your Web site, simply run
    the wizard again. Answer Yes to the question "Do you want to restore
    your original settings?" that you see on the first page of the wizard
    when you rerun it, and the wizard will restore your original settings.
    
    8. ==== NEW AND IMPROVED ====
       (contributed by Judy Drennen, productsat_private)
    
    * SUBMIT TOP PRODUCT IDEAS
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    * SECURITY ASSESSMENT PRODUCT
       SPI Dynamics announced WebInspect 2.0, a next-generation Web
    application security assessment product that helps ensure the security
    of your entire network through automated and adaptable processes that
    scan Web applications to identify known and unknown vulnerabilities.
    WebInspect runs on Windows XP, Windows 2000, Windows NT 4.0 with
    Service Pack 6a (SP6a), and Windows 98 and costs $4995 per server for
    perpetual licensing with volume discounts available for enterprise
    purchases. Consultants and corporate auditors can purchase WebInspect
    on an annual per-seat basis at $20,000.
       http://www.spidynamics.com
    
    * BOOK: SECURING WINDOWS NT/2000: FROM POLICIES TO FIREWALLS
       CRC Press announced Michael A. Simonyi's "Securing Windows NT/2000:
    From Policies to Firewalls," a managerial and practical technical
    tutorial for Windows 2000 and Windows NT. The book discusses how to
    develop a strategy to implement security within an organization. It
    presents in-depth knowledge about how, why, and where these Windows
    OSs must be tuned to connect securely to the Internet. The book costs
    $49.95. For more information, contact CRC Press at 800-272-7737 ext.
    2524 or go to the Web site.
       http://www.crcpress.com
     
    9. ==== HOT THREADS ====
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS
       http://www.winnetmag.com/forums
    
    Featured Thread: Stop Applications from Executing
       (One message in this thread)
    
    Edward wants to know a way (besides using the RestrictRun and
    DisallowRun registry settings) to prevent applications from running.
    Some of his users have figured out that they can simply rename
    imported applications to common Windows application names such as
    notepad.exe or iexplore.exe and run them, because those file names are
    allowed to execute on the desktop.
       http://www.secadministrator.com/forums/thread.cfm?thread_id=105782
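The thread describes the basic weakness of RestrictRun and DisallowRun: both decide by file name, so any program renamed to notepad.exe inherits notepad's permission. The following Python script is an added example, not code from the thread or from the newsletter; it builds two constructed stand-in "executables" in a temporary directory (placeholder bytes, not real programs) and compares a name-keyed allow list with a content-digest-keyed one, which is the approach hash rules in later Windows application-control policies take. All file names, byte strings, and function names are assumptions made for the demonstration.

```python
"""Name-based vs. digest-based allow listing of executables (added example)."""
import hashlib
import tempfile
from pathlib import Path

# Constructed stand-ins for executable content. The bytes are placeholders,
# not real PE images; only their difference matters for the demonstration.
TRUSTED_NOTEPAD = b"MZ constructed stand-in for the genuine notepad.exe"
UNKNOWN_TOOL = b"MZ constructed stand-in for a program a user brought in"


def sha256_of(path: Path) -> str:
    """Return the hex SHA-256 of a file's contents, read in chunks."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def allowed_by_name(path: Path, allowed_names: set[str]) -> bool:
    """Mimics RestrictRun-style policy: the decision rests on the file name only."""
    return path.name.lower() in allowed_names


def allowed_by_digest(path: Path, allowed_digests: set[str]) -> bool:
    """Hash-rule policy: the decision rests on what the file actually contains."""
    return sha256_of(path) in allowed_digests


def demo() -> dict[str, bool]:
    """Build both files, evaluate both policies, and return the four verdicts."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)

        # The genuine program, at the location the administrator approved.
        genuine = root / "system32" / "notepad.exe"
        genuine.parent.mkdir()
        genuine.write_bytes(TRUSTED_NOTEPAD)

        # The user's imported program, renamed to borrow notepad's name.
        renamed = root / "profile" / "notepad.exe"
        renamed.parent.mkdir()
        renamed.write_bytes(UNKNOWN_TOOL)

        # Name-keyed allow list, as RestrictRun would hold it.
        names = {"notepad.exe", "iexplore.exe"}
        # Digest-keyed allow list, built from the approved binary's contents.
        digests = {sha256_of(genuine)}

        return {
            "genuine_by_name": allowed_by_name(genuine, names),
            "renamed_by_name": allowed_by_name(renamed, names),
            "genuine_by_digest": allowed_by_digest(genuine, digests),
            "renamed_by_digest": allowed_by_digest(renamed, digests),
        }


if __name__ == "__main__":
    for check, verdict in demo().items():
        print(f"{check:20s} -> {'allowed' if verdict else 'blocked'}")
```

The name-keyed policy admits both files, which is exactly what Edward's users discovered; the digest-keyed policy admits only the approved binary, and a renamed program is blocked because renaming does not change its contents. The cost of a hash rule is maintenance: every patched version of an approved program produces a new digest that must be added to the list.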
    
    10. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- vpattersonat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
    
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing a Windows 2000/Windows NT enterprise.
    Subscribe today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of
    your choice. Subscribe to our other FREE email newsletters.
       http://www.winnetmag.com/email
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE.
    
    MANAGE YOUR ACCOUNT
    You can manage your entire Windows & .NET Magazine Network email
    newsletter account on our Web site. Simply log on and you can change
    your email address, update your profile information, and subscribe or
    unsubscribe to any of our email newsletters all in one place.
       http://www.winnetmag.com/email
    
    SUBSCRIBE
       To quickly subscribe, send a blank email to
     mailto:Security-UPDATE_Subat_private
    
    UNSUBSCRIBE
       To quickly unsubscribe, send a blank email to
     mailto:Security-UPDATE_Unsubat_private
    
    Thank you!
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Jun 13 2002 - 03:36:47 PDT