[ISN] Security UPDATE, September 18, 2002

From: InfoSec News (isnat_private)
Date: Thu Sep 19 2002 - 02:44:53 PDT

  • Next message: InfoSec News: "Re: [ISN] Warchalking is theft, says Nokia"

    ********************
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows .NET Server, Windows 2000, and
    Windows NT systems.
       http://www.secadministrator.com
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    Consolidated Security Auditing and Monitoring
       http://list.winnetmag.com/cgi-bin3/flo?y=eNZH0CJgSH0CBw04qT0AR
    
    Wireless WP
       http://www.ibm.com/e-business/playtowin/n240
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: CONSOLIDATED SECURITY AUDITING AND MONITORING ~~~~
       HIPAA? Gramm-Leach-Bliley? BS7799/ISO17799? Aelita InTrust(tm)
    bridges the gap between industry regulations & policies and your IT
    infrastructure. InTrust consolidates, archives, and analyzes
    heterogeneous IT audit data and offers numerous reports to assist in
    documenting compliance. And InTrust's data repositories enable
    efficient, permanent storage of all event data. Get started with the
    FREE security assessment tool: Aelita InTrust Audit Advisor!
       http://list.winnetmag.com/cgi-bin3/flo?y=eNZH0CJgSH0CBw04qT0AR
    
    ~~~~~~~~~~~~~~~~~~~~
    
    September 18, 2002--In this issue:
    
    1. IN FOCUS
         - Is Discovering Security Holes a Catch-22?
    
    2. SECURITY RISKS
         - Certificate Validation Vulnerability in Multiple Microsoft
           Products
    
    3. ANNOUNCEMENTS
         - Mark Minasi and Paul Thurrott Are Bringing Their Security
           Expertise to You!
         - Real-World Tips and Solutions Here for You
    
    4. SECURITY ROUNDUP
         - News: Surprise: Microsoft's Java Implementation Is Full of
    Security Holes
         - News: Privacy Groups Not Done Complaining About Passport
         - News: Windows XP SP1 Already Cracked
         - News: Intel 3GHz Pentium 4 with Hyperthreading in 2002;
           Security in 2003
         - News: Intel and VeriSign Announced Processor-Based
           Authentication
    
    5. INSTANT POLL
         - Results of Previous Poll: Warchalking
         - New Instant Poll: A Year of Security
    
    6. SECURITY TOOLKIT
         - Virus Center
         - FAQ: Why Did My FTP Password Stop Working on My Windows 2000
           System After I Installed the Win2K Security Rollup Package 1 
           (SRP1)?
    
    7. NEW AND IMPROVED
         - Protect Your PC from Trojan Horses
         - Security for Web Services and Web-Based Networks
         - Submit Top Product Ideas
     
    8. HOT THREADS
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Blocking by Port?
    
    9. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor,
    markat_private)
    
    * IS DISCOVERING SECURITY HOLES A CATCH-22?
    
    In an email message last week, I received a URL to a Web site on which
    I saw more than a dozen vulnerabilities in Microsoft products (19 as
    of September 16). Patches are either not available or offer
    insufficient protection. The most recent vulnerability was reported on
    September 9, 2002, and the oldest was reported on June 6, 2000.
       http://www.pivx.com/larholm/unpatched
    
    The vulnerabilities include serious problems, such as exposing local
    files, sniffing Secure Sockets Layer (SSL) connections, installation
    and execution of arbitrary programs, breaching firewalls, elevation of
    privileges, and buffer overflows. Why aren't patches available for
    these problems? The answer is probably manifold.
    
    Given that users reported some of the vulnerabilities last week, we
    can assume that Microsoft is working on patches to correct them. Other
    vulnerabilities do have available patches--but not for all versions of
    a product. For example, regarding two Microsoft Internet Explorer (IE)
    problems (cssText Local File Reading and DynSrc Local File detection,
    which relate to reading data from local files and determining whether
    certain files exist, respectively), patches are available for IE 6.0,
    but not for IE 5.x.
    
    Microsoft released IE 6.0 some time ago and recently released Service
    Pack 1 (SP1) for that version (see the first URL below). However, many
    users still have IE 5.x. Recent reports that show IE's presence on
    about 94 percent of all desktops also show that 48 percent of those
    users still have IE 5.x versions of the browser (see the second URL
    below). Why do we lack patches for serious vulnerabilities in IE 5.x?
    We could infer that Microsoft wants users to "toe the line" and
    upgrade to IE 6.0 SP1.
       http://www.microsoft.com/windows/ie/default.asp
       http://www.upsdell.com/browsernews/stat.htm
    
    According to "InfoWorld," Microsoft Windows Division Senior Vice
    President Brian Valentine recently made some rather startling
    statements. At the Windows .NET Server (Win.NET Server) 2003 developer
    conference, Valentine said, "I'm not proud. We really haven't done
    everything we could to protect our customers ... Our products just
    aren't engineered for security ... We realized that we couldn't
    continue with the way we were building software and expect to deliver
    secure products ... It's impossible to solve the problem completely,
    as we solve these problems there are hackers who are going to come up
    with new ones. There's no end to this."
       http://www.infoworld.com/articles/hn/xml/02/09/05/020905hnmssecure.xml
    
    Why would Microsoft admit somewhat apologetically that the company
    hasn't done all it could do for security? Given the constant barrage
    of security problems still being discovered, won't the company make
    significant security changes in its code base? Furthermore, won't
    Microsoft slow the rush of new products to market faster than we can
    adapt to the current products? Unfortunately, the answer is--probably
    not, especially given some of the company's latest technology
    announcements.
    
    Microsoft recently announced its intention to create a hardware-based
    platform for security, code-named Palladium. Palladium will offload
    certain aspects of system security—-aspects that have resided inside a
    user-controlled OS--onto Intel-developed hardware designed to work
    with Microsoft-sanctioned security technology.
    
    Clearly, Palladium will, in some instances, relieve Microsoft of the
    burden of writing more-secure software. At the same time, the new
    security approach will put users in the uncomfortable position of
    choosing whether they should upgrade every computer and OS to continue
    "following" Microsoft by adopting Palladium. To help foster Palladium
    adoption, Microsoft will probably release yet another
    resource-intensive OS that couldn't possibly run well on users'
    existing hardware. And if the company also continues to forego
    releasing security patches for previous software packages, that will
    prod users even harder.
       http://www.secadministrator.com/articles/index.cfm?articleid=26675
    
    I have deep concerns about hardware-based security as the direction of
    the future. Bruce Schneier expressed the sentiments of many users
    quite clearly in a recent "Crypto-Gram" newsletter (see the URL
    below): "There's a lot of good stuff in [Palladium], and a lot I like
    about it. There's also a lot I don't like, and am scared of. My fear
    is that [Palladium] will lead us down a road where our computers are
    no longer our computers, but are instead owned by a variety of
    factions and companies all looking for a piece of our wallet. To the
    extent that [Palladium] facilitates that reality, it's bad for
    society. I don't mind companies selling, renting, or licensing things
    to me, but the loss of the power, reach, and flexibility of the
    computer is too great a price to pay."
       http://www.counterpane.com/crypto-gram-0208.html#1
    
    Hacking Microsoft products is no longer about the white-hat angle of
    coaxing Microsoft to write better code and alerting users to
    vulnerabilities or the black-hat angle of attacking Microsoft. Right
    now, the more diligently hackers work to find security bugs, the more
    they support the eventual adoption of Microsoft Palladium, as well as
    other vendorcentric hardware-based security subsystems that will
    quickly make their way to market. (For more about Intel and VeriSign's
    recently announced processor-based authentication, for example, see
    the news story in this edition of the newsletter or use the URL
    below.)
       http://www.secadministrator.com/articles/index.cfm?articleid=26671
    
    If more severe security problems are discovered and reported—-and we
    can assume they will be--that's fuel for the vendorcentric hardware
    security platforms of the near future. Conversely, if those security
    problems go undiscovered or unreported, users remain unknowingly at
    high risk. With the advent of Palladium, Microsoft benefits either
    way. But do we? It's a veritable Catch-22.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: WIRELESS WP ~~~~
       Put wireless technologies to work for your organization to build a
    flexible and more competitive e-business. The IBM white paper, "A
    Wireless World Awaits: Nine Moves that Mobilize e-business," can help
    you learn how wireless technology solutions extend your company's
    reach and help you and your partners work securely while still
    remaining focused on your core business issues. Also covered are early
    implementation questions, planning issues, and reasons for getting
    started now. Visit us online today to download your complimentary copy
    at http://www.ibm.com/e-business/playtowin/n240
    
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * CERTIFICATE VALIDATION VULNERABILITY IN MULTIPLE MICROSOFT PRODUCTS
       Microsoft discovered a vulnerability in its CryptoAPI that can let
    an attacker use digital certificates to spoof his or her identity.
    This vulnerability stems from a problem in the APIs that construct and
    validate certificate chains--they don't check the basic constraints
    field. The same type of vulnerability (but unrelated to CryptoAPI)
    also occurs in several products for the Macintosh. Microsoft has
    released Security Bulletin MS02-050 (Certificate Validation Flaw Could
    Enable Identity Spoofing) to address this vulnerability and recommends
    that affected users apply the appropriate patch mentioned in the
    bulletin. For a detailed explanation of the risks and a link to the
    patch, be sure to visit our Web site.
       http://www.secadministrator.com/articles/index.cfm?articleid=26559
    
    3. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * MARK MINASI AND PAUL THURROTT ARE BRINGING THEIR SECURITY EXPERTISE
    TO YOU!
       Windows & .NET Magazine Network Road Show 2002 is coming this
    October to New York, Chicago, Denver, and San Francisco!  Industry
    experts Mark Minasi and Paul Thurrott will show you how to shore up
    your system's security and what desktop security features are planned
    for Microsoft .NET and beyond. Sponsored by NetIQ, Microsoft, and
    Trend Micro. Registration is free, but space is limited so sign up
    now!
       http://list.winnetmag.com/cgi-bin3/flo?y=eNZH0CJgSH0CBw03lK0AC
    
    * REAL-WORLD TIPS AND SOLUTIONS HERE FOR YOU
       Early-bird discount for Windows & .NET Magazine LIVE! expires
    September 21st! Register now, and you'll also receive access to
    sessions of concurrently run XML Web Services Connections. Choose from
    more than 70 sessions and save $1595. Discover why more than half of
    our attendees choose to attend only LIVE! events, which are chock-full
    of "been there, done that" knowledge from people who use Microsoft
    products in the real world. Register now at
       http://list.winnetmag.com/cgi-bin3/flo?y=eNZH0CJgSH0CBw03lH0A8
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: SURPRISE: MICROSOFT'S JAVA IMPLEMENTATION IS FULL OF SECURITY
    HOLES
       Jouko Pynnonen of Online Solutions in Finland discovered a series
    of severe security vulnerabilities in Microsoft's Java implementation.
    Some of the vulnerabilities let attackers run arbitrary code through
    Microsoft Internet Explorer (IE) and Microsoft Outlook Express.
    According to a message posted to the NTBugTraq mailing list on
    September 9, Pynnonen discovered and reported to Microsoft as many as
    10 such vulnerabilities during July and August.
       http://www.secadministrator.com/articles/index.cfm?articleid=26623
    
    * NEWS: PRIVACY GROUPS NOT DONE COMPLAINING ABOUT PASSPORT
       Two of the privacy groups that exhorted the Federal Trade
    Commission (FTC) to investigate Microsoft for privacy and security
    violations in Microsoft .NET Passport are now asking the FTC to
    reconsider its early August settlement with the software giant. Citing
    concerns that the agreement doesn't do enough to protect consumers,
    the Electronic Privacy Information Center (EPIC) and Computer &
    Communications Industry Association (CCIA) have separately lobbied the
    FTC to come down harder on Microsoft.
       http://www.secadministrator.com/articles/index.cfm?articleid=26617
    
    * NEWS: WINDOWS XP SP1 ALREADY CRACKED
       As Paul Thurrott noted in a Short Take item in the September 13,
    2002, edition of WinInfo Daily UPDATE, by the time Microsoft released
    Windows XP Service Pack 1 (SP1), intruders had already issued a patch
    that lets users with illegally obtained copies of the OS upgrade to
    SP1, an ability the service pack was supposed to prevent. Microsoft
    says, however, that it intended the feature to prevent casual copying
    only, and that the company knew all along that it couldn't prevent the
    hacker community from finding a way to upgrade. Users can circumvent
    the no-upgrade policy by using a Product Key changer program that lets
    users change XP's Windows Product Activation (WPA) key to a new key
    that isn't on Microsoft's no-upgrade list.
       http://www.wininformant.com/articles/index.cfm?articleid=26625
    
    * NEWS: INTEL: 3GHZ PENTIUM 4 WITH HYPERTHREADING IN 2002; SECURITY IN
    2003
       Intel announced a slew of new products at the annual Intel
    Developer Forum in San Jose, California, touching off a year of
    massive upgrades that the company says will further distance it from
    the competition. Intel plans upgrades and new products in virtually
    every product category it covers, including processors for every type
    of hardware from PDAs to the most massively scalable server products
    in the world.
       http://www.secadministrator.com/articles/index.cfm?articleid=26616
    
    * INTEL AND VERSIGN ANNOUNCED PROCESSOR-BASED AUTHENTICATION
       In what might become a significant blow to competitors, Intel and
    VeriSign announced that Intel's upcoming line of mobile processors
    (code-named Banias) will support VeriSign's digital certificate and
    Personal Trust Agent (PTA) technology. VeriSign said that by
    integrating the two technologies, a PC is thereby transformed into a
    "digital credential that can then be used to perform many e-business
    functions in the corporate IT environment, such as single sign-on,
    more secure remote access, and trusted peer-to-peer computing."
       http://www.secadministrator.com/articles/index.cfm?articleid=26671
    
    5. ==== INSTANT POLL ====
    
    * RESULTS OF PREVIOUS POLL: WARCHALKING
       The voting has closed in Windows & .NET Magazine's Security
    Administrator Channel nonscientific Instant Poll for the question,
    "Has your wireless network been warchalked?" Here are the results (+/-
    2 percent) from the 136 votes:
       -  10% Yes
       -  51% No
       -  38% I'm not sure
    
    * NEW INSTANT POLL: A YEAR OF SECURITY
       The next Instant Poll question is, "Do you think that your
    organization's network is more secure or less secure than it was a
    year ago?" Go to the Security Administrator Channel home page and
    submit your vote for a) More secure, b) Less secure, or c) Not sure.
       http://www.secadministrator.com
    
    6. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: WHY DID MY FTP PASSWORD STOP WORKING ON MY WINDOWS 2000 SYSTEM
    AFTER I INSTALLED THE WIN2K SECURITY ROLLUP PACKAGE 1 (SRP1)?
       ( contributed by John Savill, http://www.windows2000faq.com )
    
    A. After you install the Win2K SRP1, Win2K considers leading
    white-space characters (i.e., spaces) in the FTP password to be valid
    characters and no longer removes them. As a result, if a stored
    password contains spaces, you must include the spaces when you enter
    the password. Likewise, if the password doesn't contain spaces, you
    must ensure that the password you type has no leading spaces.
    
    7. ==== NEW AND IMPROVED ====
       (contributed by Judy Drennen, productsat_private)
    
    * PROTECT YOUR PC FROM TROJAN HORSES
       Anti-Trojan Network released Anti-Trojan 5.5, software to protect
    your PC from the threat of Trojan horses. Anti-Trojan 5.5 lets users
    protect their computers by scanning all ports on their PCs, checking
    for the presence of Trojan horses in the registry, and scanning the
    contents of the system's hard drives. The software runs on Windows XP,
    Windows 2000, Windows NT, Windows Me, and Windows 9x and costs $22 per
    single license. Contact Anti-Trojan Network at the Web site.
       http://www.anti-trojan.net
    
    * SECURITY FOR WEB SERVICES AND WEB-BASED NETWORKS
       Array Networks announced Array SP (Security Proxy), a platform to
    help enterprises defend and police Web services and applications with
    trusted encryption, authentication, authorization, and accounting.
    Array SP's rich set of features, intuitive GUI, and Plug and Play
    (PnP) installation ensures painless Web security. Contact Array
    Networks at 408-874-2420.
       http://www.arraynetworks.net
    
    * SUBMIT TOP PRODUCT IDEAS
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    8. ==== HOT THREADS ====
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS
       http://www.winnetmag.com/forums
    
    Featured Thread: Blocking by Port?
       (Three messages in this thread)
    
    A user writes that he has a Windows NT Server 4.0 Service Pack 6a
    (SP6a) environment with Microsoft Proxy Server 2.0. Users on the
    network access the Internet through the proxy server. He would like to
    block access that originates on the network to any sites that don't
    use port 80 for HTTP. How can he configure proxy server to do this?
    Can he block this sort of access using his Cisco Systems 1605 router?
    Read the responses or lend a hand:
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=46005
    
    9. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- vpattersonat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
    
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing a Windows 2000/Windows NT enterprise.
    Subscribe today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of
    your choice. Subscribe to our other FREE email newsletters.
       http://www.winnetmag.com/email
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Sep 19 2002 - 05:39:21 PDT