[ISN] Security UPDATE, January 29, 2003

From: InfoSec News (isnat_private)
Date: Thu Jan 30 2003 - 00:48:59 PST

    ********************
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows Server 2003, Windows 2000, and
    Windows NT systems.
       http://www.secadministrator.com
    ********************
    
    January 29, 2003--In this issue:
    
    1. IN FOCUS
         - Slammer/Sapphire Worm and Shades of Code Red
    
    2. SECURITY RISKS
         - Information Disclosure Vulnerability in Microsoft Outlook 2002
         - Cross-Site Scripting Vulnerability in Microsoft Content
           Management Server 2001
         - Unchecked Buffer in Microsoft Locator Service
    
    3. ANNOUNCEMENT
         - InfoSec World Conference and Expo/2003
    
    4. SECURITY ROUNDUP
         - News: SQL Slammer Worm Hits Microsoft Too
         - News: ISS and PowerTech Team to Improve IBM iSeries Server
           Security
         - News: SonicWALL Announces equinux VPN Tracker Support
         - News: Russia First Country to View Windows Source Code
         - News: ABIT and VIA Announce Chip-based Security for
           Motherboards
    
    5. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Prevent Regedit from Remembering the Last
           Registry Key Location I Accessed Under Windows XP?
    
    6. NEW AND IMPROVED
         - Assess Enterprise Vulnerability
         - Keep Offensive Emails out of Your Mailbox
         - Submit Top Product Ideas
    
    7. HOT THREADS
         - Windows & .NET Magazine Online Forums
             - Featured Thread: User Can't Change Password at Logon
         - HowTo Mailing List
             - Featured Thread: Default Master Browser
    
    8. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor, markat_private)
    
    * SLAMMER/SAPPHIRE WORM AND SHADES OF CODE RED
    
    As you probably know by now, a tiny worm began traveling the Internet
    over the past weekend. Known as either Slammer or Sapphire, the worm
    affects unpatched Microsoft SQL Server machines. Patches to prevent
    the vulnerability the worm exploits have been available since July
    2002.
    
    The worm doesn't damage an infected machine, nor does it compromise
    any data on an infected machine. However, it does prove a simple
    concept: A tiny worm (376 bytes) with only the essential amount of
    code can spread rapidly and consume large amounts of bandwidth in the
    process.
    
    Some people compare this worm with the Code Red worm that affected
    Microsoft IIS systems last year. However, far more IIS systems than
    SQL Server machines are online, and the Slammer/Sapphire worm's impact
    is proving to be relatively short-lived. As Chris Rouland, director of
    Internet Security Systems' (ISS's) X-Force, said in an "InfoWorld"
    interview, the worm's impact has already lessened significantly. As of
    Sunday, its impact was more comparable to that of the Nimda virus,
    which affects Microsoft Outlook clients. According to ISS monitoring,
    Nimda and Slammer/Sapphire both propagated at about 10,000 attacks per
    hour on Sunday.
    
    By now, I'm sure Slammer/Sapphire's activity has lessened even further
    (although it's possible for it to flare up again), whereas the most
    serious effects of Code Red were probably felt for a longer period.
    Overall, Nimda is probably more expensive to clean up than
    Slammer/Sapphire. Even so, the thing Slammer/Sapphire did that Nimda
    didn't do was severely affect network communications. In some cases,
    networks went down entirely for brief periods of time.
    
    The reason that some networks went offline was probably twofold.
    First, the worm consumed a lot of bandwidth, sometimes saturating a
    given network's total capacity. Second, the worm affected Cisco
    Systems routers, which countless networks across the Internet use. The
    worm affected some Cisco routers because of the way those routers were
    configured to log packets. In some cases, routers were configured to
    block all traffic to port 1434 and to log all denied packets, such as
    those destined for blocked port 1434, which SQL Server typically uses.
    So the worm traffic in conjunction with the logging overwhelmed some
    routers. To read Cisco's recommendations regarding configuration
    adjustments, view the related Web page at the first URL below. To see
    a graph of how the worm affected traffic at a few of the larger
    networks, visit the second URL below.
       http://www.cisco.com/en/US/products/hw/iad/ps497/products_security_advisory09186a0080133399.shtml
       http://www.research.att.com/~griffin/bgp_monitor/sql_worm.html
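
The following Python example is an addition to the newsletter text, not code from the author or from Cisco. It shows the alternative to logging every denied packet: collapse the records into one summary per source and interval, then flag sources that hit port 1434 on many distinct hosts. The records, addresses, interval and threshold are constructed assumptions, and the UDP protocol is a detail of the worm that the article does not state.

```python
"""Added example: summarize denied-packet records instead of logging each one."""
from collections import defaultdict

SQL_PORT = 1434        # port named in the article
WINDOW_SECONDS = 10    # assumed summary interval
FANOUT_THRESHOLD = 5   # assumed: distinct targets per window that marks a scanner


def constructed_sample():
    """Constructed records, one per denied packet: 'epoch src dst proto dport'."""
    # 192.0.2.10 stands in for an infected host spraying many addresses.
    lines = [f"{1000 + i // 8} 192.0.2.10 198.51.100.{i + 1} udp 1434"
             for i in range(40)]
    # Ordinary denied traffic that must not be flagged.
    lines += ["1001 192.0.2.20 203.0.113.5 tcp 23",
              "1003 192.0.2.30 203.0.113.9 udp 1434",
              "1012 192.0.2.30 203.0.113.9 udp 1434"]
    return lines


def summarize(lines, window=WINDOW_SECONDS):
    """Collapse per-packet records into one per (window, src, proto, dport)."""
    buckets = defaultdict(lambda: {"packets": 0, "dests": set()})
    for line in lines:
        try:
            ts, src, dst, proto, dport = line.split()
            key = (int(ts) - int(ts) % window, src, proto.lower(), int(dport))
        except ValueError:
            continue  # malformed record: skip it rather than abort the run
        buckets[key]["packets"] += 1
        buckets[key]["dests"].add(dst)
    return [{"window": k[0], "src": k[1], "proto": k[2], "dport": k[3],
             "packets": buckets[k]["packets"],
             "distinct_dests": len(buckets[k]["dests"])}
            for k in sorted(buckets)]


def suspected_scanners(summaries, port=SQL_PORT, threshold=FANOUT_THRESHOLD):
    """Sources that reached `threshold` distinct hosts on UDP `port` in a window."""
    return sorted({s["src"] for s in summaries
                   if s["proto"] == "udp" and s["dport"] == port
                   and s["distinct_dests"] >= threshold})


if __name__ == "__main__":
    records = constructed_sample()
    summaries = summarize(records)
    print(f"{len(records)} denied packets -> {len(summaries)} summary records")
    for s in summaries:
        print(s)
    print("suspected scanners:", suspected_scanners(summaries))
```

The host that retries a single destination on port 1434 stays below the threshold, so only the source with wide fan-out is reported.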
     
    Another problem with this worm is that it also affects Microsoft SQL
    Server Desktop Engine (MSDE), which ships inside a lot of products,
    some from Microsoft and many others from third parties. These products
    include Visual Studio .NET (Architect, Developer, and Professional
    Editions), ASP.NET Web Matrix Tool, Microsoft Office XP Developer
    Edition, Microsoft Developer Network (MSDN) Universal and Enterprise
    subscriptions, and Microsoft Access. But those products represent just
    the tip of the iceberg. To see the huge list of products that use
    MSDE--many of which are probably installed on your systems--visit the
    SQL Security Web site at the URL below. The list is updated as those
    who maintain the list become aware of more products that use MSDE.
       http://www.sqlsecurity.com/desktopdefault.aspx?tabindex=10&tabid=13
    
    A Microsoft Web page offers information about the Slammer/Sapphire
    worm, including patch information (see the first URL below). As
    always, be sure to read the fine print associated with patches and
    related articles before you load any patches. Also, consider loading
    the recently released SQL Server Service Pack 3 (SP3). And if you want
    a tool that will scan your SQL Server systems to determine whether
    they're vulnerable, then you can download such a tool courtesy of eEye
    Digital Security (see the second URL below).
       http://www.microsoft.com/technet/security/virus/alerts/slammer.asp
       http://www.eeye.com/html/research/tools/sapphiresql.html
    
    To help prevent such attacks from being successful, administrators
    must patch systems as quickly as possible. They need to maintain
    firewalls in a deny-all-traffic-until-otherwise-authorized
    configuration. Also, they must conduct any remote administration that
    requires opening nonessential ports through a VPN and some kind of
    remote terminal software. When all the hype around this new worm has
    finally fizzled out, I hope that businesses will have learned how
    important it is to take defensive actions sooner rather than later.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * INFORMATION DISCLOSURE VULNERABILITY IN MICROSOFT OUTLOOK 2002
       A vulnerability in Microsoft Outlook 2002 can result in information
    disclosure. This vulnerability stems from a flaw in the way Outlook
    2002 uses a V1 Exchange Server Security certificate to encrypt email.
    As a result of this flaw, Outlook fails to correctly encrypt the mail
    and sends the message in plain text. Information in the message is
    therefore exposed. Microsoft has released Security Bulletin MS03-003
    (Flaw in how Outlook 2002 handles V1 Exchange Server Security
    Certificates could lead to Information Disclosure) to address this
    vulnerability.
       http://www.secadministrator.com/articles/index.cfm?articleid=37819
    
    * CROSS-SITE SCRIPTING VULNERABILITY IN MICROSOFT CONTENT MANAGEMENT
    SERVER 2001
       A vulnerability in Microsoft Content Management Server (MCMS) 2001
    lets an attacker insert script code into data that a user sends to an
    MCMS server. The vulnerability stems from a Cross-Site Scripting flaw
    and could result in the ability to access information that the user
    shared with the legitimate site. Microsoft has released Security
    Bulletin MS03-002 (Cumulative Patch for Microsoft Content Management
    Server) to address this vulnerability.
       http://www.secadministrator.com/articles/index.cfm?articleid=37818
    
    * UNCHECKED BUFFER IN MICROSOFT LOCATOR SERVICE
       The Microsoft Locator service contains a vulnerability that stems
    from an unchecked buffer. By sending a specially malformed request to
    the Locator service, an attacker can cause the Locator service to fail
    or to run code of the attacker's choice on the system. To address this
    vulnerability, Microsoft has released Security Bulletin MS03-001
    (Unchecked Buffer in Locator Service Could Lead to Code Execution),
    and recommends that affected users immediately apply the appropriate
    patch mentioned in the bulletin.
       http://www.secadministrator.com/articles/index.cfm?articleid=37780
     
    3. ==== ANNOUNCEMENT ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * INFOSEC WORLD CONFERENCE AND EXPO/2003
       MIS Training Institute's InfoSec World Conference and Expo/2003
    will be held in Orlando, FL, March 10-12, 2003, with optional
    workshops on March 8, 9, 12, 13, and 14. InfoSec World will cover
    today's need-to-know topics and deliver proven strategies for
    protecting your systems. For details and to register, visit:
       http://list.winnetmag.com/cgi-bin3/flo?y=ePO50CJgSH0CBw07Lo0Aq
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: SQL SLAMMER WORM HITS MICROSOFT TOO
       Just a week after Microsoft celebrated the 1-year anniversary of
    its Trustworthy Computing initiative, the milestone was marred by one
    of the most virulent computer worms of all time, the so-called Slammer
    worm, which targets Microsoft SQL Server 2000 machines.
       http://www.secadministrator.com/articles/index.cfm?articleid=37817
    
    * NEWS: ISS AND POWERTECH TEAM TO IMPROVE IBM iSERIES SERVER SECURITY
       Internet Security Systems (ISS) and PowerTech Group have announced
    an alliance to improve security for IBM's iSeries servers. ISS
    President and CEO Tom Noonan said that PowerTech's PowerLock iSeries
    line of security tools would pass security information over to the ISS
    RealSecure platform, which the RealSecure SiteProtector 2.0 security
    management platform could then correlate.
       http://www.secadministrator.com/articles/index.cfm?articleid=37755
    
    * NEWS: SONICWALL ANNOUNCES EQUINUX VPN TRACKER SUPPORT
       SonicWALL announced a new relationship with equinux USA in which
    equinux will provide interoperability for its VPN Tracker software for
    network access through SonicWALL's firewall and VPN appliance
    technology.
       http://www.secadministrator.com/articles/index.cfm?articleid=37756
    
    * NEWS: RUSSIA FIRST COUNTRY TO VIEW WINDOWS SOURCE CODE
       Microsoft has announced that Russia will be the first country to
    view the source code for Windows under the Government Security Program
    (GSP), a plan the company revealed earlier this month.
       http://www.secadministrator.com/articles/index.cfm?articleid=37732
    
    * NEWS: ABIT AND VIA ANNOUNCE CHIP-BASED SECURITY FOR MOTHERBOARDS
       ABIT Computer and VIA Technologies announced new chipset features
    that will include security technologies. ABIT will include
    functionality for IP Security (IPSec), and VIA will include a
    chip-based random-number generator.
       http://www.wininformant.com/articles/index.cfm?articleid=37734
     
    5. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: HOW CAN I PREVENT REGEDIT FROM REMEMBERING THE LAST REGISTRY
    KEY LOCATION I ACCESSED UNDER WINDOWS XP?
       ( contributed by John Savill, http://www.windows2000faq.com )
    
    A. In a previous FAQ, I explained how to write a script to
    automatically reset the last key location every time you log on to the
    OS. Another option for clearing the last registry key accessed is to
    use registry permissions to disable Write access to the key. To do so,
    perform the following steps:
       1. Start the registry editor.
       2. Navigate to the
    HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
    registry subkey.
       3. Select LastKey.
       4. If you're working in XP, open the Edit menu and select
    Permissions; if you're working in Windows 2000, open the Security menu
    and select Permissions.
       5. Remove Full Control access and grant Read-only access.
       6. Click OK.
    
    You'll need to repeat this process for all users who don't want
    regedit to remember the last key location they accessed.
    
    6. ==== NEW AND IMPROVED ====
       (contributed by Sue Cooper, productsat_private)
    
    * ASSESS ENTERPRISE VULNERABILITY
       eSecurityOnline, an Ernst & Young security software company,
    released eSO Advisor, a hardware and software appliance designed to
    automatically assess and manage your environment's security risks. eSO
    Advisor correlates automated discovery, inventory, and assessment
    processes with a continuously updated database of verified threats and
    proven fixes, gleaned from eSecurityOnline's customers and from more
    than 2400 Ernst & Young security specialists worldwide. eSO Advisor's
    reporting features illustrate trends and overall progress in your
    company's security risk management. eSO Advisor supports most
    enterprise platforms. Contact eSecurityOnline at 603-634-4527 or
    salesat_private
       http://www.esecurityonline.com
    
    * KEEP OFFENSIVE EMAILS OUT OF YOUR MAILBOX
       PJ Walczak released Mailbox Guard 1.6, a utility that eliminates
    spam, viruses, and obscenity before it reaches your mailbox. Mailbox
    Guard prescreens mail on your email server and ranks each message
    according to a four-level risk scale, with each level color-tagged.
    Mailbox Guard 1.6 notifies you that new email messages are waiting and
    also provides the messages' risk level. Features new to Mailbox Guard
    1.6 include user-definable lists, remote preview, and deletion of
    emails from multiple accounts. Supports all Windows desktop OSs at
    $29.50 per installation. Contact PJ Walczak at infoat_private
       http://www.pjwalczak.com/mbguard/
    
    * SUBMIT TOP PRODUCT IDEAS
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    7. ==== HOT THREADS ====
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS
       http://www.winnetmag.com/forums
    
    Featured Thread: User Can't Change Password at Logon
       (Two messages in this thread)
    
    A reader writes that on his network when users' passwords are about to
    expire, users receive a message during logon that says "Your password
    will expire in [X] days, would you like to change it now?" But even if
    users answer "Yes," they can't change the password. After clicking
    "Yes," they receive the message "You're not allowed to change your
    password at this time" (or a message with similar wording). However,
    if the users log on with their old (still valid) credentials, they can
    change the password in a usual way, such as by using Ctrl+Alt+Del and
    selecting Change Password. Do you have any ideas about why this
    situation exists? Lend a hand or read the responses:
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=53206
    
    * HOWTO MAILING LIST
       http://63.88.172.96/listserv/page_listserv.asp?a0=howto
    
    Featured Thread: Default Master Browser
       (One message in this thread)
    
    A user wants to know whether he can make a particular Windows XP or
    Windows 2000 system a Master Browser if another Master Browser is
    already present because that system booted first. Read the responses
    or lend a hand at the following URL:
       http://63.88.172.96/listserv/page_listserv.asp?A2=IND0301D&L=HOWTO&P=976
    
    8. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- lettersat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    Copyright 2003, Penton Media, Inc.
    
    
    