[ISN] Security UPDATE, August 14, 2002

From: InfoSec News (isnat_private)
Date: Thu Aug 15 2002 - 04:06:06 PDT


    ********************
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows .NET Server, Windows 2000, and
    Windows NT systems.
       http://www.secadministrator.com
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    Top 10 Windows and AD Security Threats
       http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw032P0AO
    
    VeriSign - The Value of Trust
       http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw01bI0A2
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: TOP 10 WINDOWS AND AD SECURITY THREATS ~~~~
       Do you know the 10 most widely exploited vulnerabilities in the
    Windows environment and what you can do about them? The same
    vulnerabilities get exploited again and again. In most cases they
    aren't new - but left open, they can wreak havoc throughout your
    organization. To find out how to protect your organization, download
    the FREE white paper, "Top 10 Security Threats for Windows 2000 and
    Active Directory." If nothing else, closing these Top 10 holes will go
    a long way to securing your network! Download the white paper at
       http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw032P0AO
    
    ~~~~~~~~~~~~~~~~~~~~
    
    August 14, 2002--In this issue:
    
    1. IN FOCUS
         - Can Your Applications Jeopardize Your Security?
    
    2. SECURITY RISKS
         - Multiple Vulnerabilities in Microsoft Content Management Server
           2001
    
    3. ANNOUNCEMENTS
         - Enter the Windows & .NET Magazine/Transcender Sweepstakes!
         - Do You Like the Kind of Content You're Finding in This
           Newsletter?
    
    4. SECURITY ROUNDUP
         - News: SP3 for Win2K Now Available
         - Feature: Forcing Password Changes
         - Feature: Synchronizing Logins
    
    5. HOT RELEASES
         - Spectracom's NetClock, for Secure Network Time
         - IBM E-business Scalability White Paper
    
    6. SECURITY TOOLKIT
         - Virus Center
         - FAQ: What Administrative Permissions Do I Need to Upgrade a
           System from Windows 2000 to Windows .NET Server (Win.NET 
           Server)?
    
    7. NEW AND IMPROVED
         - Filter Objectionable Material from All Windows Applications
         - Enhance Enterprise VPN Performance
         - Submit Top Product Ideas
    
    8. HOT THREADS
         - Windows & .NET Magazine Online Forums
            - Featured Thread: I've Been Hacked
    
    9. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor,
    markat_private)
    
    * CAN YOUR APPLICATIONS JEOPARDIZE YOUR SECURITY?
    
    In last week's Security UPDATE Special Edition, I discussed
    Microsoft's plan to implement a hardware-level security system
    code-named Palladium. In the commentary, I quoted Chairman and Chief
    Software Architect Bill Gates' statement that it's "the growth of the
    Internet and the advent of massive computing systems built from loose
    affiliations of services, machines, communications networks and
    application software that have helped create the potential for
    increased vulnerabilities."
       http://www.microsoft.com/mscorp/execmail/
    
    Although Gates' statement seemed to pass the buck to some
    extent--without admitting in the same breath to his own company's
    shortcomings--another Microsoft executive let the cat out of the bag.
    In May, "eWeek" reported that a top Microsoft executive, Jim Allchin,
    admitted that parts of the company's software contained flaws so
    dangerous that making those sections of program code public could be a
    severe blow to Windows security. Both statements leave it to readers
    to discern that loose affiliations are the necessary nature of current
    computing--that is, unless we want to let a couple of companies
    dominate the industry.
       http://www.eweek.com/article2/0,3959,5264,00.asp
    
    To facilitate third-party application development, Windows allows
    considerable flexibility. When third parties develop applications,
    it's safe to say that they don't have nearly as much information about
    APIs as Microsoft does. The companies' limited knowledge leads to
    security-related problems. However, even when Microsoft offers sound
    advice to third parties, the parties might incompletely register or
    only partially understand the information offered.
    
    Operational security contexts for system services and desktop
    applications offer a good case in point. Last week, Chris Paget
    published a white paper that details how misused security contexts can
    lead directly to unauthorized elevation of user privileges. In many
    cases, users--even guest users--can elevate their privileges to those
    of the built-in System account, which, as you know, is all-powerful.
    
    Paget describes the steps a user can take that lead to the System
    account security context. The process works as follows: A user first
    uses a simple program to obtain the window handle of an application
    that's operating under the Local System account. The user uses the
    handle to modify the application's window parameters so that the
    window will accept a large amount of text from the Windows clipboard.
    The user then uses the clipboard to paste command-shell code into the
    window and sends a message to the window that executes the code. After
    the code executes, the user has access to a command shell running
    under the Local System account from which the user can perform any
    desired action. To use Paget's technique, the user must usually have
    either the ability to coax a user into running a malicious program or
    physical access to the user's computer. However, Paget said that he
    could use the technique to gain control over a remote Terminal Server
    system because the remote server drives those desktops.
       http://security.tombom.co.uk/shatter.html
    
    Before he published the white paper, Paget notified Microsoft about
    his findings and his intent to publish them. Microsoft's response (see
    the first URL below) noted that the company was aware of the
    circumstances that could cause the vulnerability and had offered
    advice that helps mitigate them. Microsoft had previously published an
    essay titled, "The Ten Immutable Laws of Security" (see the second URL
    below), in which laws 1 and 3 offer modest advice for third-party
    developers, but only indirectly. Law 1 states, "If a bad guy can
    persuade you to run his program on your computer, it's not your
    computer anymore," and Law 3 states, "If a bad guy has unrestricted
    physical access to your computer, it's not your computer anymore."
       http://security.tombom.co.uk/response.txt
       http://www.microsoft.com/technet/columns/security/essays/10imlaws.asp
    
    Although both laws state truths and apply to the techniques Paget
    outlines, they do little to inform developers about the extreme risks
    associated with running desktop applications and user services under
    the context of the System account. Unless developers fully realize the
    risks, they unnecessarily place systems in jeopardy. Paget tested the
    process of privilege elevation that he describes by exploiting Network
    Associates' (formerly McAfee's) VirusScan 4.5.1, which opens windows
    on the desktop under the Local System account.
    
    You can help mitigate the risk of such an exploit by "attacking" your
    own systems. From the Web page that contains Paget's white paper, you
    can link to a small application called Shatter, which obtains an
    application's window handles. You can use Shatter with Netcat, a
    hexadecimal editor, and a Windows debugging application (also linked
    in the white paper) to test various applications on your desktop to
    see whether you can gain elevated privileges.
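    A defender-side complement to the self-testing the author describes,
    added here as an audit script that is not part of the newsletter or of
    Paget's tools: it reports services configured to interact with the
    desktop while running as LocalSystem, and processes that own a visible
    window while running as SYSTEM, which is the exposure the technique
    relies on. It assumes Windows PowerShell 3.0 or later (CIM cmdlets)
    run from an elevated prompt; the names it prints come from the machine
    it runs on, not from the article.

```powershell
# Added audit script (not from the original newsletter or Paget's tools).
# Reports (1) services set to interact with the desktop while running as
# LocalSystem and (2) processes that own a visible window while running as
# NT AUTHORITY\SYSTEM: privileged code with a window on the interactive
# desktop. Assumes Windows PowerShell 3.0+ and an elevated prompt.

function Get-DesktopInteractiveSystemServices {
    # DesktopInteract is the "Allow service to interact with desktop" flag;
    # StartName is the account the service runs under.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.DesktopInteract -and $_.StartName -eq 'LocalSystem' } |
        Select-Object Name, DisplayName, State, StartName, PathName
}

function Get-SystemProcessesWithWindows {
    # MainWindowHandle is non-zero only for processes that own a visible window.
    $withWindows = Get-Process |
        Where-Object { $_.MainWindowHandle -ne [IntPtr]::Zero }
    foreach ($p in $withWindows) {
        $cim = Get-CimInstance -ClassName Win32_Process -Filter "ProcessId = $($p.Id)"
        if (-not $cim) { continue }   # process exited between the two queries
        $owner = Invoke-CimMethod -InputObject $cim -MethodName GetOwner
        if ($owner.User -eq 'SYSTEM') {
            [pscustomobject]@{
                ProcessId = $p.Id
                Name      = $p.ProcessName
                Owner     = "$($owner.Domain)\$($owner.User)"
                Title     = $p.MainWindowTitle
                Path      = $cim.ExecutablePath
            }
        }
    }
}

"== Services set to interact with the desktop as LocalSystem =="
Get-DesktopInteractiveSystemServices | Format-Table -AutoSize
"== SYSTEM processes that currently own a visible window =="
Get-SystemProcessesWithWindows | Format-Table -AutoSize
```

    On Windows Vista and later, session 0 isolation already keeps service
    windows off the interactive desktop, so the second list is normally
    empty; a service that appears in the first list is a candidate for
    moving to a dedicated account with only the rights it needs.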
    
    If you succeed in elevating privileges, you can respond in one of
    three ways. You can ignore the fact that a given application
    jeopardizes your security. You can notify the vendor about the
    situation and insist that the vendor change the application's
    behavior. Or you can stop using that particular software altogether.
    You must police applications on your own systems--unless you want
    Palladium to do it for you.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: VERISIGN - THE VALUE OF TRUST ~~~~
       FREE E-COMMERCE SECURITY GUIDE
       Is your e-business built on a strong, secure foundation? Find out
    with VeriSign's FREE White Paper, "Building an E-Commerce Trust
    Infrastructure." Learn how to authenticate your site to customers,
    secure your web servers with 128-Bit SSL encryption, and accept secure
    payments online. Click here:
       http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw01bI0A2
    
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * MULTIPLE VULNERABILITIES IN MICROSOFT CONTENT MANAGEMENT SERVER 2001
       Joao Gouveia discovered three new vulnerabilities in Microsoft
    Content Management Server 2001, the most serious of which could give a
    potential attacker full control over the vulnerable server. These
    three vulnerabilities consist of a buffer overrun in a low-level
    function that performs user authentication, a SQL injection
    vulnerability, and two flaws that affect a function that lets a user
    upload files to the server. Microsoft has released Microsoft Security
    Bulletin MS02-041 (Unchecked Buffer in Content Management Server Could
    Enable Server Compromise) to address these vulnerabilities and recommends
    that affected users download and apply the appropriate patch mentioned
    in the security bulletin.
       http://www.secadministrator.com/articles/index.cfm?articleid=26212
    
    3. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * ENTER THE WINDOWS & .NET MAGAZINE/TRANSCENDER SWEEPSTAKES!
       Nothing can help you prepare for certification like Transcender
    products, and no one can help you master your job like Windows & .NET
    Magazine. Enter our combined sweepstakes contest, and you could win a
    Transcender Deluxe MCSE Select Pak (a $729 value) or one of several
    other great prizes. Sign up today!
       http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw028j0At
    
    * DO YOU LIKE THE KIND OF CONTENT YOU'RE FINDING IN THIS NEWSLETTER?
       If so, we have more than a dozen email newsletters just as
    informative as this one on the topics you care about most. From
    Windows 2000/NT to security to storage, our technical authors cut to
    the chase about what's going on in the industry so that you can stay
    informed in less than 5 minutes a day! Subscribe at no charge.
       http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw0rvS0Ac
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: SP3 FOR WIN2K NOW AVAILABLE
       On July 30, Microsoft released Service Pack 3 (SP3) for Windows
    2000. Users should consider loading the new service pack for a variety
    of reasons, including the fact that the new service pack contains all
    the fixes presented in the Win2K Security Rollup Package 1 (SRP1). But
    that's not all. The new service pack also contains other
    security-related modifications for Win2K systems, so be sure to read
    the news story on our Web site to learn the details.
       http://www.wininformant.com/articles/index.cfm?articleid=26219
    
    * FEATURE: FORCING PASSWORD CHANGES
       Do you subscribe to our Windows Client UPDATE newsletter? If not,
    you missed some interesting commentary. Last week, David Chernicoff
    discussed network problems that a systems administrator encountered
    after a quarterly security audit. During the audit process, users'
    passwords were changed and unpredictable behavior set in regarding
    access to file shares and Encrypting File System (EFS)-encrypted
    files. Visit our Web site and read about the circumstances. You might
    find yourself in a similar situation.
       http://www.secadministrator.com/articles/index.cfm?articleid=26210
    
    * FEATURE: SYNCHRONIZING LOGINS
       In our most recent Reader Challenge, a reader posed a problem about
    the task of synchronizing logins across multiple Microsoft SQL Server
    machines as follows: Ray's company runs SQL Server 7.0 on its
    production servers and SQL Server 2000 on its staging servers. Ray
    needs to build a script that can synchronize logins between the
    production and staging servers (i.e., add missing logins from the
    production servers to the staging servers). Synchronized logins will
    let him create an identical environment for testing application
    upgrades, SQL Server, and the OS on a different server. When a staging
    server is configured identically to a production server and holds the
    same data, he can also test service pack upgrades on the staging
    server. Then, after the upgrade is finished, he can switch the server
    roles. The production servers are configured for mixed authentication,
    which means that users can connect to a SQL Server instance by using
    either Windows authentication or SQL Server authentication. Visit our
    Web site to see how the challenge winner helped Ray write a script
    that can synchronize the logins between the servers while preserving
    all login properties.
       http://www.secadministrator.com/articles/index.cfm?articleid=25710
    
    5. ==== HOT RELEASES ====
    
    * SPECTRACOM'S NETCLOCK, FOR SECURE NETWORK TIME
       Does your network depend on a Time Source that's outside your
    Firewall? Doesn't your network need an accurate clock source? Think
    "Time" is FREE over the Internet? Spectracom's NetClock/NTP and
    White-Paper can help you.
       http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw02fG0A5
       http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw02fF0A4
    
    * IBM E-BUSINESS SCALABILITY WHITE PAPER
       Learn real-world techniques for meeting the scalability demands of
    your e-business. The IBM white paper, "Design for Scalability,"
    includes information that can help you meet changing usage demands.
    Get your complimentary copy at
       http://www.ibm.com/e-business/playtowin/n177
    
    6. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: WHAT ADMINISTRATIVE PERMISSIONS DO I NEED TO UPGRADE A SYSTEM
    FROM WINDOWS 2000 TO WINDOWS .NET SERVER (WIN.NET SERVER)?
       (contributed by John Savill, http://www.windows2000faq.com)
    
    A. The permissions required to upgrade a server from Win2K to Win.NET
    Server vary depending on the server, its position in the forest, and
    which domain users use to log on to the network. For all upgrades, you
    need the ability to
       1. back up files and directories
       2. modify firmware environment values
       3. restore files and directories
       4. shut down the system
    
    The tables listed on our FAQ site at the URL below show which
    administrative roles have access to domain controllers (DCs) and
    member servers, depending on whether the administrator is logged on to
    a root domain or a nonroot domain.
       http://www.secadministrator.com/articles/index.cfm?articleid=26082
    
    7. ==== NEW AND IMPROVED ====
       (contributed by Judy Drennen, productsat_private)
    
    * FILTER OBJECTIONABLE MATERIAL FROM ALL WINDOWS APPLICATIONS
       Security Software Systems released Cyber Sentinel, software that
    filters objectionable material from all Windows
    applications--including Microsoft Word, Microsoft Excel, email,
    attachments, instant messages, and chats--not just from the Internet.
    Cyber Sentinel delivers reports so that you can see where your
    problems lie and who's causing the violations. The software costs $49
    for up to 25 users. Contact Security Software Systems at 630-466-1038
    or infoat_private
       http://www.securitysoft.com
    
    * ENHANCE ENTERPRISE VPN PERFORMANCE
       WatchGuard Technologies announced the RapidStream "Secured by Check
    Point" line of high-performance security appliances, targeted at the
    Global 1000 and large enterprise market. The RapidStream line, which
    includes RapidStream 11000, RapidStream 8100, RapidStream 6100, and
    RapidStream 2100 models, is designed to address VPN performance,
    scalability, and flexibility in a Check Point appliance solution.
    Pricing starts at $5000 for the RapidStream 2100, which supports up to
    400 IP Security (IPSec) tunnels and 8000 concurrent sessions. Contact
    WatchGuard at 206-521-8340.
       http://www.rapidstream.com
    
    * SUBMIT TOP PRODUCT IDEAS
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    8. ==== HOT THREADS ====
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS
       http://www.winnetmag.com/forums
    
    Featured Thread: I've Been Hacked
       (10 messages in this thread)
    
    Bruce writes that a few days ago he noticed a new icon in the system
    tray of one of his Windows 2000 servers. The icon was for slave.exe
    from Remote-Anything. He also found remnants of Serv-U installed.
    Neither had been installed locally. He has uninstalled slave.exe and
    is still trying to find a way to safely uninstall Serv-U. He wants to
    know whether any available software monitors who's connected to which
    ports. Also, should he report the offender to his ISP (his ISP is in
    Israel; Bruce is in Canada)? Read the responses or lend a hand at:
       http://www.secadministrator.com/forums/thread.cfm?thread_id=111167
    
    9. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- vpattersonat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
    
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing a Windows 2000/Windows NT enterprise.
    Subscribe today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of
    your choice. Subscribe to our other FREE email newsletters.
       http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw0rvS0Ac
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE.
    
    MANAGE YOUR ACCOUNT
       You can manage your entire Windows & .NET Magazine Network email
    newsletter account on our Web site. Simply log on and you can change
    your email address, update your profile information, and subscribe or
    unsubscribe to any of our email newsletters all in one place.
       http://list.winnetmag.com/cgi-bin3/flo?y=eM480CJgSH0CBw0rvS0Ac
    
    Thank you!
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    


