[ISN] Security UPDATE, March 26, 2003

From: InfoSec News (isnat_private)
Date: Thu Mar 27 2003 - 01:48:50 PST


    ********************
    Windows & .NET Magazine Security UPDATE--brought to you by Security
    Administrator, a print newsletter bringing you practical, how-to
    articles about securing your Windows Server 2003, Windows 2000, and
    Windows NT systems.
       http://www.secadministrator.com
    ********************
    
    ~~~~ THIS ISSUE SPONSORED BY ~~~~
    
    FREE White Paper on SQL Injection
       http://list.winnetmag.com/cgi-bin3/flo/y/eQDj0CJgSH0CBw08T70Am
    
    Appliance Filtering Offers Simplicity and Lower TCO
       http://list.winnetmag.com/cgi-bin3/flo/y/eQDj0CJgSH0CBw08T80An
       (below IN FOCUS)
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: FREE WHITE PAPER ON SQL INJECTION ~~~~
       ALERT: How a Hacker Launches a SQL Injection Attack - Step-by-Step!
    It's as simple as placing additional SQL commands into an input box on
    a web form giving hackers complete access to all your backend data!
    Firewalls and IDS will not stop SQL Injection attempts because they
    are NOT seen as intrusions. Download this *FREE* white paper from SPI
    Dynamics for a complete guide to protection!
       http://list.winnetmag.com/cgi-bin3/flo/y/eQDj0CJgSH0CBw08T70Am
    ~~~~~~~~~~~~~~~~~~~~
    
    March 26, 2003--In this issue:
    
    1. IN FOCUS
         - Security Research: A Double-Edged Sword
    
    2. SECURITY RISKS
         - Code Execution Vulnerability in Windows Script Engine
         - DoS in Microsoft ISA Server
    
    3. ANNOUNCEMENTS
         - Get a Sample Issue of Exchange & Outlook Administrator
         - Get the eBook That Will Help You Get Certified!
    
    4. SECURITY ROUNDUP
         - News: New Book Helps You Manage Corporate Security
         - News: Microsoft Warns About IIS WebDAV Component
    
    5. SECURITY TOOLKIT
         - Virus Center
         - FAQ: How Can I Use DiskPart to Create a RAID 5 Set?
    
    6. NEW AND IMPROVED
         - Track Configuration Changes
         - Secure Enterprise with Firewall/VPN Appliance
         - Submit Top Product Ideas
    
    7. HOT THREADS
         - Windows & .NET Magazine Online Forums
             - Featured Thread: IIS Server Security
    
    8. CONTACT US
       See this section for a list of ways to contact us.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    1. ==== IN FOCUS ====
       (contributed by Mark Joseph Edwards, News Editor,
    markat_private)
    
    * SECURITY RESEARCH: A DOUBLE-EDGED SWORD
    
    Many people work to discover security risks in software and also to
    ensure that users aren't unnecessarily exposed to those risks. In the
    past, researchers often released complete details about security
    problems and simultaneously notified the public at large about the
    problems--while everyone awaited the vendor's response, including the
    production of a patch.
    
    Over the past couple of years, most researchers have changed how they
    handle the security risks they discover. Currently, most researchers
    report their findings to the appropriate vendor and give the vendor
    enough information to create an adequate patch. Researchers typically
    try to work within vendors' time frames for patch production and
    customer notification. When vendors aren't responsive enough or
    completely fail to acknowledge and repair security problems in their
    products, researchers usually release details about the discovered
    problems, sometimes accompanied by scathing remarks about the vendors'
    lackadaisical attitude.
    
    Some time ago, several companies (including but not limited to
    Microsoft, @stake, Foundstone, Oracle, Internet Security Systems--ISS,
    Guardent, BindView) teamed together to form the Organization for
    Internet Safety (OIS). One of OIS's first projects was to draft a
    specification that includes guidelines to help security researchers
    and product vendors interact to achieve vulnerability remedies and
    reporting procedures for public notification.
    
    From what I understand, the specification is close to completion, and
    it should help researchers--whether independent or not--fine-tune how
    they handle their discoveries. Security forum operators might also use
    the guidelines to support a sense of diplomacy and responsibility
    among today's security researchers.
    
    One team of researchers, CERT, already has a process in place that
    defines the way the organization handles problems reported to it. CERT
    works to ensure that vendors know about discovered security problems
    and coordinates with vendors to release information to the public.
    CERT and various vendors pass information back and forth and prepare
    bulletins for public notification.
    
    However, at least one rogue researcher has been undermining CERT's
    efforts to protect the public at large. Over the past couple of weeks,
    someone has posted four messages to public discussion forums that
    leaked sensitive information before CERT had a chance to finish its
    coordinated process. During the CERT process, someone gained
    unpublished vulnerability information and anonymously exposed it to
    potential intruders before vendors had time to finish their
    coordinated efforts to protect users. You can read about the problem
    in the "eWeek" story "More CERT Documents Leaked."
       http://www.eweek.com/article2/0,3959,962679,00.asp
    
    I think you'll agree that this behavior is irresponsible,
    self-centered, and manipulative. The anonymous person who posted the
    stolen vulnerability information has pledged to continue leaking CERT
    bulletin data--that is, until CERT finds out who's leaking the
    information and changes its process to prevent the exploitation. The
    anonymous person thinks that vulnerability information should be
    available to potential intruders before administrators have time to
    patch or modify their systems for better protection.
    
    Such irresponsible activity might eventually place a heavy burden on
    mailing list operators to better research messages sent to their lists
    for publication. Right now, security mailing list moderators basically
    ensure messages are relevant to list topics, and they guide
    conversation to limit inordinate amounts of fruitless discussion.
    However, posting on-topic information that any user wants to submit
    can be a problem, as we see in this matter of publishing vulnerability
    information leeched from CERT. Such actions place list moderators in a
    difficult situation because moderators can't always know where or how
    users obtain their submitted information.
    
    ~~~~~~~~~~~~~~~~~~~~
    
    ~~~~ SPONSOR: APPLIANCE FILTERING OFFERS SIMPLICITY AND LOWER TCO ~~~~
       Using the appliance-based approach for web filtering provides
    administrators with significant advantages over software-only
    filtering, including: Lower Overall TCO, Platform Independence, and
    Minimal Ongoing Maintenance. With the iPrism Web Filtering solution, a
    single, self-contained appliance is all you need to manage your web
    filtering. iPrism uses a unique, 100% human-reviewed database that is
    updated daily, and provides built-in reports and real-time override
    capabilities. FREE Online Test Drive!
       http://list.winnetmag.com/cgi-bin3/flo/y/eQDj0CJgSH0CBw08T80An
    ~~~~~~~~~~~~~~~~~~~~
    
    2. ==== SECURITY RISKS ====
       (contributed by Ken Pfeil, kenat_private)
    
    * CODE EXECUTION VULNERABILITY IN WINDOWS SCRIPT ENGINE
       A new vulnerability in the Windows Script Engine can result in the
    execution of arbitrary code on the vulnerable system. This
    vulnerability stems from a flaw in the way the Windows Script Engine
    for JScript processes information. Microsoft has released Security
    Bulletin MS03-008 (Flaw in Windows Script Engine Could Allow Code
    Execution) to address this vulnerability and recommends that affected
    users immediately apply the appropriate patch mentioned in the
    bulletin.
       http://www.secadministrator.com/articles/index.cfm?articleid=38384
    
    * DoS IN MICROSOFT ISA SERVER
       A new vulnerability in Microsoft Internet Security and Acceleration
    (ISA) Server 2000 can result in a Denial of Service (DoS) condition.
    This vulnerability stems from a flaw in the way ISA Server's DNS
    intrusion-detection application filter handles a specific type of
    request when the filter scans incoming DNS requests. Microsoft has
    released Security Bulletin MS03-009 (Flaw In ISA Server DNS Intrusion
    Detection Filter Can Cause Denial Of Service) to address this
    vulnerability and recommends that affected users immediately apply the
    patch mentioned in the bulletin.
       http://www.secadministrator.com/articles/index.cfm?articleid=38385
    
    3. ==== ANNOUNCEMENTS ====
       (brought to you by Windows & .NET Magazine and its partners)
    
    * GET A SAMPLE ISSUE OF EXCHANGE & OUTLOOK ADMINISTRATOR
       Exchange & Outlook Administrator, the monthly print newsletter from
    Windows & .NET Magazine, gives you the in-depth articles you need to
    secure, maintain, and troubleshoot your messaging environment. Try an
    issue of Exchange & Outlook Administrator, and discover for yourself
    what our expert authors know that you don't. Click here!
       http://list.winnetmag.com/cgi-bin3/flo/y/eQDj0CJgSH0CBw078G0AZ
    
    * GET THE eBOOK THAT WILL HELP YOU GET CERTIFIED!
       The "Insider's Guide to IT Certification," from the Windows & .NET
    Magazine Network, has one goal: to help you save time and money on
    your quest for certification. Find out how to choose the best study
    guides, save hundreds of dollars, and be successful as an IT
    professional. The amount of time you spend reading this book will be
    more than made up by the time you save preparing for your
    certification exams. Order your copy today!
       http://list.winnetmag.com/cgi-bin3/flo/y/eQDj0CJgSH0CBw06cX0AY
    
    4. ==== SECURITY ROUNDUP ====
    
    * NEWS: NEW BOOK HELPS YOU MANAGE CORPORATE SECURITY
       Butterworth-Heinemann has released a new book, "The Manager's
    Handbook for Corporate Security: Establishing and Managing a
    Successful Assets Protection Program," that helps managers learn how
    to better handle corporate security needs. A company spokesperson said
    that the new book, by Gerald Kovacich and Edward Halibozek, covers a
    range of information, including physical security, information
    security, merger and acquisitions security, emergency/contingency
    planning, executive protection, personnel security, event security,
    and many other security processes.
       http://www.secadministrator.com/articles/index.cfm?articleid=38394
    
    * NEWS: UPDATE: MICROSOFT WARNS ABOUT IIS WEBDAV COMPONENT
       Microsoft issued Security Bulletin MS03-007 (Unchecked Buffer In
    Windows Component Could Cause Web Server Compromise) regarding a
    serious problem in WWW Distributed Authoring and Versioning (WebDAV).
    Users who installed Microsoft's URLScan tool for Microsoft IIS were
    thought to be protected against intrusion from this latest
    vulnerability--unless they modified the URLScan configuration in a way
    that would keep it from catching excessively long URLs. However, Russ
    Cooper posted a message to the NTBugTraq mailing list stating that
    Mark and David Litchfield of Next Generation Security Software
    (NGSSoftware) had discovered variant ways to exploit such an attack on
    IIS systems, and that based on knowledge Cooper has about the matter,
    disabling WebDAV wouldn't stop these attacks. The only way to prevent
    the attacks is to load the patch immediately. To read the original
    article and link to the Microsoft bulletin and patch, click on the URL
    below.
       http://www.secadministrator.com/articles/index.cfm?articleid=38374
    
    5. ==== SECURITY TOOLKIT ====
    
    * VIRUS CENTER
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    * FAQ: HOW CAN I USE DISKPART TO CREATE A RAID 5 SET?
       (contributed by John Savill, http://www.windows2000faq.com)
    
    A. A RAID 5 set consists of data spread across three physical disks,
    of which one can fail without causing any data loss. To use the
    DiskPart utility from the "Microsoft Windows 2000 Server Resource Kit"
    or the "Microsoft Windows 2000 Professional Resource Kit" to create a
    RAID 5 set, perform the following steps:
       1. Download and install the DiskPart utility from the Microsoft Web
    site.
       2. Go to Start, Run, then type "cmd" to start a command-line
    session.
       3. Type "diskpart" to start a DiskPart session.
       4. Type "create volume raid size=<size in MB> disk=<disk numbers>"
    where <size in MB> is the amount of space you want to use from each
    disk (in megabytes) and <disk numbers> are the numbers of the disks
    that you want to use in the RAID 5 configuration. For example, "create
    volume raid size=6000 disk=1,2,3" creates a RAID 5 set that's 12GB
    (i.e., 6000MB x 2) across three disks (one-third of the space is used
    for fault tolerance).
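The FAQ states the two properties that matter when you size a RAID 5 set (one disk may fail without data loss, and one disk's worth of space goes to fault tolerance) but does not show why. The following Python model is an added example written for this page; it is not DiskPart code and not part of the original FAQ. It stripes a constructed payload across three simulated disks with rotating XOR parity, as RAID 5 does, removes any one disk, rebuilds the lost stripe units from the two survivors, and reproduces the FAQ's 6000MB-per-disk arithmetic. The stripe unit size and the payload are constructed values chosen for readability.

```python
"""Educational RAID 5 model (added example, not the newsletter's own code).

Three simulated disks, two data units plus one XOR parity unit per stripe,
parity position rotating across disks. Any single disk can be dropped and
its contents rebuilt from the other two; two failures cannot be repaired.
"""

STRIPE_UNIT = 4  # bytes per stripe unit; constructed, tiny so the model is readable
NDISKS = 3       # the FAQ's three-disk set


def usable_mb(size_per_disk_mb: int, ndisks: int = NDISKS) -> int:
    """Usable capacity: one disk's worth of every stripe holds parity,
    so the FAQ's size=6000 across three disks yields 6000 x 2 = 12000 MB."""
    return size_per_disk_mb * (ndisks - 1)


def xor_bytes(*chunks: bytes) -> bytes:
    """Bytewise XOR of equal-length chunks; this is the whole parity scheme."""
    out = bytearray(len(chunks[0]))
    for chunk in chunks:
        for i, b in enumerate(chunk):
            out[i] ^= b
    return bytes(out)


def stripe(data: bytes, ndisks: int = NDISKS) -> list:
    """Lay data across ndisks as RAID 5 does: ndisks-1 data units per stripe
    plus one parity unit, with the parity disk rotating stripe by stripe."""
    data_per_stripe = STRIPE_UNIT * (ndisks - 1)
    data += b"\0" * ((-len(data)) % data_per_stripe)   # pad to whole stripes
    disks = [[] for _ in range(ndisks)]
    for s, start in enumerate(range(0, len(data), data_per_stripe)):
        units = [data[start + i * STRIPE_UNIT:start + (i + 1) * STRIPE_UNIT]
                 for i in range(ndisks - 1)]
        parity = xor_bytes(*units)
        parity_disk = s % ndisks                      # rotating parity position
        remaining = iter(units)
        for d in range(ndisks):
            disks[d].append(parity if d == parity_disk else next(remaining))
    return disks


def fail_disk(disks: list, failed: int) -> list:
    """Simulate losing one physical disk: its contents become unreadable."""
    return [None if d == failed else units for d, units in enumerate(disks)]


def read_back(disks: list, length: int, ndisks: int = NDISKS) -> bytes:
    """Reassemble the data, rebuilding a missing disk's units from the rest."""
    nstripes = len(next(units for units in disks if units is not None))
    out = bytearray()
    for s in range(nstripes):
        row = [None if units is None else units[s] for units in disks]
        missing = [d for d, unit in enumerate(row) if unit is None]
        if len(missing) > 1:
            raise RuntimeError("RAID 5 tolerates only one failed disk")
        if missing:
            # XOR of the surviving units (data and parity alike) is the lost unit
            row[missing[0]] = xor_bytes(*[u for u in row if u is not None])
        parity_disk = s % ndisks
        out.extend(b"".join(unit for d, unit in enumerate(row) if d != parity_disk))
    return bytes(out[:length])


def survives_any_single_failure(payload: bytes) -> dict:
    """For each disk, fail it and check the payload reads back intact."""
    disks = stripe(payload)
    return {failed: read_back(fail_disk(disks, failed), len(payload)) == payload
            for failed in range(NDISKS)}


if __name__ == "__main__":
    sample = b"RAID 5 keeps data readable when one disk dies"  # constructed payload
    print("usable MB for size=6000 on three disks:", usable_mb(6000))
    print("intact after failing each disk:", survives_any_single_failure(sample))
```

Running the module shows the FAQ's 12000 MB figure and `True` for each of the three single-disk failures; dropping a second disk makes `read_back` raise, which is the limit the FAQ's "one can fail" wording describes.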
    
    6. ==== NEW AND IMPROVED ====
       (contributed by Sue Cooper, productsat_private)
    
    * TRACK CONFIGURATION CHANGES
       Ecora Software released Ecora Enterprise Auditor 3.0, a product
    suite for automated, cross-platform configuration reporting and change
    management. The software installs on an administrative desktop (no
    agents required) and collects configuration data from Windows, UNIX,
    Linux, Novell NetWare, Cisco Systems, Microsoft SQL Server, Exchange
    Server, IIS, Active Directory (AD), Citrix, Oracle, and Lotus Domino
    platforms into a SQL Server database. The data can be used to audit,
    report, and identify and track changes. Hundreds of built-in reports
    are incorporated, and a drag-and-drop interface lets you create
    customized Fact Finding Reports. You can run reports interactively,
    schedule them for off-hours, or schedule them to run regularly. Ecora
    Enterprise Auditor 3.0 gives you a before and after view for all
    changes and lets you observe changes that took place in any given time
    period. Contact Ecora Software at 877-923-2672, 603-436-1616, and
    salesat_private
       http://www.ecora.com
    
    * SECURE ENTERPRISE WITH FIREWALL/VPN APPLIANCE
       WatchGuard Technologies announced the Firebox V60L, a wire-speed
    100Mbps firewall for midsized enterprises that provides 50Mbps Triple
    DES (3DES) VPN throughput and up to 150 VPN tunnels. The 1U (1.75")
    appliance supports network separation with multiple LAN interfaces and
    includes networking features such as Quality of Service (QoS), dynamic
    routing, server load balancing, and Virtual LAN (VLAN) support. The
    Firebox V60L is based on an intelligent custom security
    application-specific integrated circuit (ASIC) that accelerates
    firewall, VPN, Network Address Translation (NAT), and QoS actions.
    Secure central management is Java-based. Available through
    distributors or resellers, the price is $3990. Contact WatchGuard at
    800-734-9905 and 206-521-8340.
       http://www.watchguard.com
    
    * SUBMIT TOP PRODUCT IDEAS
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    7. ==== HOT THREADS ====
    
    * WINDOWS & .NET MAGAZINE ONLINE FORUMS
       http://www.winnetmag.com/forums
    
    Featured Thread: IIS Server Security
       (Three messages in this thread)
    
    A user writes that he has Windows 2000 Server running Microsoft IIS
    for his organization's Web site, which uses Secure Sockets Layer
    (SSL). He says he's diligent about making sure that all Win2K Server,
    IIS, and Microsoft Internet Explorer (IE) patches have been installed.
    He wants to know whether any software applications he can install on
    his Web server will further enhance its security. Lend a hand or read
    the responses:
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=56028
    
    8. ==== CONTACT US ====
       Here's how to reach us with your comments and questions:
    
    * ABOUT IN FOCUS -- markat_private
    
    * ABOUT THE NEWSLETTER IN GENERAL -- lettersat_private (please
    mention the newsletter name in the subject line)
    
    * TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
    
    * PRODUCT NEWS -- productsat_private
    
    * QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
    Support -- securityupdateat_private
    
    * WANT TO SPONSOR SECURITY UPDATE? emedia_oppsat_private
    
    ********************
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing a Windows 2000/Windows NT enterprise.
    Subscribe today!
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
       Receive the latest information about the Windows and .NET topics of
    your choice. Subscribe to our other FREE email newsletters.
       http://www.winnetmag.com/email
    
    |-+-|-+-|-+-|-+-|-+-|
    
    Thank you for reading Security UPDATE.
    
    MANAGE YOUR ACCOUNT
       You can manage your entire Windows & .NET Magazine Network email
    newsletter account on our Web site. Simply log on and you can change
    your email address, update your profile information, and subscribe or
    unsubscribe to any of our email newsletters all in one place.
       http://www.winnetmag.com/email
    
    Thank you!
    __________________________________________________________
    Copyright 2003, Penton Media, Inc.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    


