[ISN] Windows & .NET Magazine Security UPDATE--June 4, 2003

From: InfoSec News (isnat_private)
Date: Thu Jun 05 2003 - 01:40:32 PDT

    ====================
    
    ==== This Issue Sponsored By ====
    
    TNT Software
    http://list.winnetmag.com/cgi-bin3/DM/y/eREo0CJgSH0CBw07mN0Ag
    
    Panda Software
    http://list.winnetmag.com/cgi-bin3/DM/y/eREo0CJgSH0CBw0BAft0AT 
    
    ====================
    
    1. In Focus: Cybercrime; Microsoft Hotfix; Eliminating Spam
    
    2. Security Risks
         - Multiple Vulnerabilities in Microsoft IIS
         - DoS in Microsoft WMS for Win2K and NT
         - Buffer Overrun in AnalogX Proxy Server for Windows
         - Remote Compromise Vulnerability in BadBlue Personal File
           Sharing Program
    
    3. Announcements
         - Cast Your Vote in Our Annual Readers' Choice Awards!
         - Windows & .NET Magazine Connections: Fall Dates Announced
    
    4. Security Roundup
         - News: Magazine Announces Best of Show Finalists
         - News: TrustZone Added to ARM Processor Architecture
         - News: HP Releases New Systems with Chip-Based Security
    
    5. Security Toolkit
         - Virus Center
         - FAQ: Why Can't Some of Our Users Change Their Passwords?
    
    6. Event
         - Security 2003 Road Show
    
    7. New and Improved
         - Set a Trap for Intruders
         - Protect AD from Rogue Administrators
         - Submit Top Product Ideas
    
    8. Hot Thread
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Security Rights for Laptop Users
    
    9. Contact Us
       See this section for a list of ways to contact us.
    
    ====================
    
    ==== Sponsor: TNT Software  ====
    
       Experience the Benefits of Real Time Monitoring
       Poring over event records after the fact? Are undetected DoS
    attacks a constant threat? Could unauthorized webmasters take artistic
    liberties to your homepage without you knowing about it? There is an
    affordable solution. ELM Enterprise Manager monitors your security
    perimeter and alerts you by page, email, or instant message in time to
    take prompt action. Download your FREE full featured 30 Day evaluation
    copy NOW and start experiencing the benefits for real time monitoring.
    http://list.winnetmag.com/cgi-bin3/DM/y/eREo0CJgSH0CBw07mN0Ag
    
    
    ====================
    
    ==== 1. In Focus: Cybercrime; Microsoft Hotfix; Eliminating Spam ====
       by Mark Joseph Edwards, News Editor, markat_private
    
    The Computer Security Institute (CSI) released the "2003 Computer
    Crime and Security Survey," its eighth annual report conducted in
    association with the FBI. The report shows that despite shifts in
    trends, cybercrime remains a serious problem, as you well know.
    
    Highlights from the report show that financial losses from security
    breaches have dropped by about 56 percent. Last year, respondents
    reported losses of about $455,848,000; this year, respondents reported
    losses of about $201,797,340. However, though financial losses
    dropped, roughly the same number of incidents occurred.
    
    The report indicates a huge drop in losses from financial fraud, the
    most costly security problem. Last year, losses totaled $116 million;
    this year, losses totaled about $9.1 million. The largest losses came
    through the theft of proprietary information, with respondents
    reporting an average loss of about $2.7 million. For the second most
    costly security problem, however, Denial of Service (DoS) attacks,
    losses increased about 250 percent--to more than $65.6 million.
    
    According to CSI Director Chris Keating, "The trends the CSI/FBI
    survey has highlighted over the years are disturbing. [Cybercrimes]
    and other information security breaches are widespread and diverse.
    Fully 92 percent of respondents reported attacks; furthermore, such
    incidents can result in serious damages ... Clearly, more must be done
    in terms of adherence to sound practices, deployment of sophisticated
    technologies, and most importantly adequate staffing and training of
    information security practitioners in both the private sector and
    government." If you want to see the complete survey results, you can
    obtain a copy by submitting a request form at the CSI Web site.
       http://www.gocsi.com/forms/fbi/pdf.html
    
    Microsoft Hotfix
       Speaking of cyber attacks, you're probably aware that Microsoft has
    released a new security bulletin, MS03-019 (Flaw in ISAPI Extension
    for Windows Media Services Could Cause Code Execution). According to
    Microsoft, the problem affects Windows 2000 and Windows NT systems.
    The company initially rated the problem's severity as "moderate,"
    noting that the DoS would lead to the server rebooting itself.
    
    However, Mark Maiffret of eEye Digital Security pointed out that
    according to his company's tests as well as the tests that
    vulnerability discoverer Brett Moore conducted, the problem is far
    more serious than Microsoft first indicated. The tests show that the
    problem isn't simply a Denial of Service (DoS) issue. According to
    Maiffret, "If you're running Windows Media Services on IIS, attackers
    can spawn a remote shell command prompt on your vulnerable system."
    Microsoft has modified the vulnerability rating to "important" and
    re-released its related security bulletin. Administrators should patch
    their systems as soon as possible to avoid having an intruder running
    rampant through a remote command shell.
    
    Eliminating Spam
       Because I've mentioned junk mail recently, I want to share a couple
    of my experiences in "taking out the trash." I run a mail server with
    a good built-in filtering subsystem. Typically, I receive anywhere
    from several hundred messages per day (weekdays) to 50 messages per
    day (weekend days). On average, my basic filters can eliminate at the
    gateway about 30 percent of the junk mail that I receive. But that's
    simply not effective enough.
    
    I've found that if I relay my email messages through a server running
    a Bayesian filtering system, I can eliminate more than 95 percent of
    the junk mail once destined for my Inbox. For details about Bayesian
    filtering, visit Paul Graham's Web site, on which you'll find several
    excellent articles.
       http://www.paulgraham.com/articles.
    
    Several Bayesian filtering systems are commercially available today.
    However, because many of you are under serious budget constraints, you
    might need a shareware solution. The shareware filtering solution I
    use now is SpamAssassin, which many of you already know and use.
    Although SpamAssassin was developed for Linux platforms (see the first
    URL below), you can install it on Win32-based systems. (You can also
    integrate it into Microsoft Outlook, Lotus Notes, and Novell
    GroupWise.) For details about how to use SpamAssassin on Win32
    platforms, see the second URL below. Because Windows users typically
    prefer a GUI interface to handle configuration, check into the
    Windows-based GUI configuration interface for SpamAssassin (see the
    third URL below). SpamAssassin can probably also be integrated to work
    with Microsoft Exchange Server, but I haven't come across exact
    details. If you can direct me to such information, please send me an
    email message.
       http://www.spamassassin.org
       http://www.openhandhome.com/howtosa.html
       http://www.openhandhome.com/saconf.html
    
    SpamAssassin has many slick features, such as automatic learning for
    whitelist creation. As with all junk-mail filtering software, you'll
    have to tweak the parameters to suit your mail influx. After a few
    days of use, you should be able to filter out 95 percent or more of
    the junk mail you receive. So if you need a cheap way to deal with
    junk mail and you have time to spend on such a project, be sure to
    check out SpamAssassin.
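    The two passages above describe relaying mail through a Bayesian filter
    and tuning it to your own mail influx. The following is an added
    example, written for this page and not code from the newsletter, from
    Paul Graham's articles or from the SpamAssassin project. It implements
    the per-token spam probabilities and the combining formula from Graham's
    "A Plan for Spam" in plain Python: ham token counts are doubled, each
    probability is clamped to [0.01, 0.99], unseen tokens get 0.4, the 15
    most decisive tokens are combined, and a score of 0.9 or higher is
    treated as junk. The training corpus is constructed for the example (a
    few spam and ham one-liners), so the filter is far smaller than a real
    one; Graham's rule of ignoring tokens seen fewer than five times is
    relaxed here (an assumption made so the toy corpus produces non-neutral
    scores).

    ```python
    import math
    import re
    from collections import Counter

    # Constructed training data for the example (not taken from any real
    # mailbox): a handful of junk and legitimate one-line messages.
    SPAM_TRAINING = [
        "free viagra offer click here now",
        "cheap mortgage rates apply now free quote",
        "win free prize click here claim now",
        "buy cheap pills online free shipping",
    ]
    HAM_TRAINING = [
        "meeting moved to thursday please confirm",
        "attached is the security bulletin summary for review",
        "can you review the patch notes before the meeting",
        "lunch on thursday after the review",
    ]

    TOKEN_RE = re.compile(r"[a-z0-9$']+")


    def tokenize(text):
        """Lower-case the message and split it into word-like tokens."""
        return TOKEN_RE.findall(text.lower())


    class BayesianFilter:
        """Graham-style Bayesian spam filter: per-token spam probabilities
        learned from labelled messages, combined for a whole message."""

        def __init__(self):
            self.spam_counts = Counter()   # token -> number of spam messages containing it
            self.ham_counts = Counter()    # token -> number of ham messages containing it
            self.nspam = 0
            self.nham = 0

        def train(self, text, is_spam):
            tokens = set(tokenize(text))   # count each token once per message
            if is_spam:
                self.spam_counts.update(tokens)
                self.nspam += 1
            else:
                self.ham_counts.update(tokens)
                self.nham += 1

        def token_probability(self, token):
            """P(spam | token) as in "A Plan for Spam": ham counts are doubled to
            bias against false positives, the result is clamped to [0.01, 0.99]
            and a never-seen token is given a mildly suspicious 0.4."""
            bad = self.spam_counts[token]
            good = self.ham_counts[token]
            if bad + good == 0:
                return 0.4
            b = min(1.0, bad / self.nspam) if bad else 0.0
            g = min(1.0, 2 * good / self.nham) if good else 0.0
            return max(0.01, min(0.99, b / (b + g)))

        def score(self, text, max_tokens=15):
            """Combine the max_tokens probabilities furthest from 0.5 into
            prod(p) / (prod(p) + prod(1 - p)), computed in log space so a
            long message cannot underflow to zero."""
            probs = sorted((self.token_probability(t) for t in set(tokenize(text))),
                           key=lambda p: abs(p - 0.5), reverse=True)[:max_tokens]
            if not probs:
                return 0.5                 # nothing to judge on: neutral
            log_spam = sum(math.log(p) for p in probs)
            log_ham = sum(math.log(1.0 - p) for p in probs)
            return 1.0 / (1.0 + math.exp(log_ham - log_spam))

        def is_spam(self, text, threshold=0.9):
            """Graham's cut-off: only a very confident score is junk, which
            keeps false positives (lost legitimate mail) rare."""
            return self.score(text) >= threshold


    def build_filter():
        """Train a filter on the constructed corpus above."""
        f = BayesianFilter()
        for message in SPAM_TRAINING:
            f.train(message, True)
        for message in HAM_TRAINING:
            f.train(message, False)
        return f


    if __name__ == "__main__":
        f = build_filter()
        for msg in ["free prize click now", "please confirm the thursday meeting",
                    "free lunch meeting", "hello world"]:
            print(f"{f.score(msg):.3f}  spam={f.is_spam(msg)}  {msg!r}")
    ```

    The threshold is the parameter you tweak per mailbox, as the text says:
    lowering it catches more junk at the price of more false positives. Note
    how a message with one spammy token and two hammy ones ("free lunch
    meeting") scores low, which is the intended bias of doubling the ham
    counts; a real deployment would train on hundreds of messages of each
    class before the per-token probabilities mean much.
    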
    
    ====================
    
    ==== Sponsor: Panda Software ====
    
       YOU DESERVE FREE PROTECTION AT HOME! Tired of spending up to $50 on
    AV and firewall licenses every year for each machine in your home?
    Qualify on our industry perks program and never pay again! (Cover all
    of your home machines too - for free). You'll get Panda Software's
    professional AV + firewall, the one that catches More Viruses,
    Faster(tm), even on machines you thought were protected! (Limited
    time, US-only program for qualified entrants only.)
       Click here now:
       http://list.winnetmag.com/cgi-bin3/DM/y/eREo0CJgSH0CBw0BAft0AT
    
    
    ====================
    
    ==== 2. Security Risks ====
       contributed by Ken Pfeil, kenat_private
    
    Multiple Vulnerabilities in Microsoft IIS
       SPI Dynamics and NSFOCUS discovered four new vulnerabilities in
    Microsoft IIS 5.1, IIS 5.0, and IIS 4.0, the most serious of which can
    result in the execution of arbitrary code on the vulnerable system. A
    cross-site scripting vulnerability affecting IIS 5.1, IIS 5.0, and IIS
    4.0 involves an error message about the redirection of a requested
    URL. IIS 5.0's incorrect validation of requests for certain types of
    Web pages, known as server-side includes, results in a buffer overrun.
    A flaw in the way IIS 5.0 and IIS 4.0 allocate memory requests when
    constructing headers to be returned to a Web client results in a
    Denial of Service (DoS) vulnerability. IIS 5.1 and IIS 5.0's incorrect
    handling of an error condition when they receive an overly long Web
    Distributed Authoring and Versioning (WebDAV) request also results in
    a DoS vulnerability. Microsoft has released Security Bulletin MS03-018
    (Cumulative Patch for Internet Information Service) to address these
    vulnerabilities and recommends that affected users immediately apply
    the appropriate patch mentioned in the bulletin.
       http://www.secadministrator.com/articles/index.cfm?articleid=39122
    
    DoS in Microsoft WMS for Win2K and NT
       Brett Moore discovered a new vulnerability in Microsoft Windows
    Media Services (WMS) for Windows 2000 and Windows NT that can result
    in a Denial of Service (DoS) condition. This vulnerability stems from
    a flaw in the way nsiislog.dll processes incoming requests. An
    attacker can exploit this vulnerability by sending specially formed
    communications to the server that cause Microsoft IIS to stop
    responding to Internet requests. Microsoft has released Security
    Bulletin MS03-019 (Flaw in ISAPI Extension for Windows Media Services
    Could Cause Code Execution) to address this vulnerability and
    recommends that affected users apply the appropriate patch mentioned
    in the bulletin.
       http://www.secadministrator.com/articles/index.cfm?articleid=39123
    
    Buffer Overrun in AnalogX Proxy Server for Windows
       K. K. Mookhey discovered a vulnerability in AnalogX Proxy 4.13 and
    earlier that can result in the execution of arbitrary code on the
    vulnerable system. This vulnerability stems from a buffer-overflow
    condition. AnalogX has released version 4.14, which isn't vulnerable
    to this condition.
       http://www.secadministrator.com/articles/index.cfm?articleid=39121
    
    Remote Compromise Vulnerability in BadBlue Personal File Sharing
    Program
       Matt Murphy discovered a vulnerability in BadBlue Web Based File
    Sharing Program Personal Edition 1.7 through 2.2 that can let an
    attacker gain full administrative control of the vulnerable system.
    This vulnerability is partially the result of the software performing
    two security checks (i.e., binary replacement of the first two
    characters in the requested file extension and the requirement that
    requests to access .hts files be submitted by 127.0.0.1 and contain a
    proper 'Referer' header) in the wrong order. BadBlue has released
    version 2.3, which isn't vulnerable to this condition.
       http://www.secadministrator.com/articles/index.cfm?articleid=39092
    
    ==== 3. Announcements ====
       (from Windows & .NET Magazine and its partners)
    
    Cast Your Vote in Our Annual Readers' Choice Awards!
       Which companies and products are the best on the market? Tell us by
    nominating your favorites in the annual Windows & .NET Magazine
    Readers' Choice Awards survey. Click here!
       http://list.winnetmag.com/cgi-bin3/DM/y/eREo0CJgSH0CBw0zMs0As
    
    Windows & .NET Magazine Connections: Fall Dates Announced
       Jump-start your fall 2003 training plans by securing your seat for
    Windows & .NET Magazine Connections Fall, scheduled for November 2
    through 6, 2003, in Orlando, Florida. Register now to receive the
    lowest possible registration fee. Call 800-505-1201 or 203-268-3204
    for more information.
       http://list.winnetmag.com/cgi-bin3/DM/y/eREo0CJgSH0CBw0qSH0A7
    
    ==== 4. Security Roundup ====
    
    News: Magazine Announces Best of Show Finalists
       Windows & .NET Magazine announced the finalists of the Best of Show
    Awards for TechEd 2003, which is being held June 1 through June 6 in
    Dallas. The field included more than 211 entries in seven categories.
    The Best of Show judges, who are technical editors for Windows & .NET
    Magazine, will choose the winners during TechEd 2003. Windows & .NET
    Magazine will announce the winners at a private function on Wednesday,
    June 4. The list of winners will be publicly available on Thursday,
    June 5.
       http://www.secadministrator.com/articles/index.cfm?articleid=39086
    
    News: TrustZone Added to ARM Processor Architecture
       British chipmaker ARM announced its new TrustZone technology, which
    the company will add to its ARM processor architecture to provide a
    secure foundation for OSs and applications such as Palm OS, Symbian
    OS, Linux, Windows CE, and Java.
       http://www.secadministrator.com/articles/index.cfm?articleid=39108
    
    News: HP Releases New Systems with Chip-Based Security
       Hewlett-Packard (HP) has released its new ProtectTools Embedded
    Security chip in its line of D530 series motherboards for business
    computers. The new chip, called Trusted Platform Module (TPM),
    operates independently of other system components such as the
    processor, memory, and OS. According to HP, TPM will enhance file and
    folder encryption in Microsoft OSs.
       http://www.secadministrator.com/articles/index.cfm?articleid=39095
    
    Hot Release
    Research in Motion
       * BlackBerry Security White Paper for Microsoft Exchange
       Download this free technical white paper now from Windows & .NET
    Magazine's White Paper Central. Brought to you courtesy of Research in
    Motion.
       http://ad.doubleclick.net/clk;5580710;7402808;g?http://www.blackberry.com/select/server_wp/index.shtml?CPID=AF22037
    
    ==== 5. Security Toolkit ====
    
    Virus Center
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://list.winnetmag.com/cgi-bin3/DM/y/eREo0CJgSH0CBw0BAeo0AN
    
    FAQ: Why Can't Some of Our Users Change Their Passwords?
       (contributed by Jan De Clercq, jan.declercqat_private)
    
    A. Sometimes users receive the error message "You do not have
    permission to change your password." Upon investigation, you might
    find that only the Administrator account could change the password.
    Windows NT 4.0 displays this error message if both of the following
    items are selected in the User Manager for Domains utility: "User Must
    Change Password at Next Logon" in the user account properties and
    "User must log on in order to change password" in the account
    policies. The administrator can resolve this problem by resetting the
    user account's password or by clearing the "User must log on in order
    to change password" option. By default, NT Server 4.0 doesn't have the
    "User must log on in order to change password" option selected. For
    more information about these particular configuration settings, read
    the explanation on our Web site.
       http://www.secadministrator.com/articles/index.cfm?articleid=25024
    
    ==== 6. Event ====
    
    Security 2003 Road Show
       Join Mark Minasi and Paul Thurrott as they deliver sound security
    advice at our popular Security 2003 Road Show event.
       http://list.winnetmag.com/cgi-bin3/DM/y/eREo0CJgSH0CBw07Kz0Aq
    
    ==== 7. New and Improved ====
       by Sue Cooper, productsat_private
    
    Set a Trap for Intruders
       NETSEC released SPECTER 7.0, honeypot software that now supports
    Windows XP and can simulate 14 different OSs. New features include
    automated online updates of the application's decoy content and
    vulnerability database, which constantly changes the honeypot, making
    it nearly impossible for an attacker to detect. SPECTER now creates
    executable programs that leave hidden marks on the attacker's
    computer. Law enforcement officials can use the marks as evidence for
    legal proceedings and security incident reconstructors can use them to
    reconstruct an incident. SPECTER 7.0 runs on Windows XP/2000. NETSEC
    offers SPECTER 7.0 as a free upgrade to SPECTER 6.x and SPECTER 5.x
    users. Prices start at $899 for initial purchases. Contact NETSEC on
    the Web.
       http://www.specter.com
    
    Protect AD from Rogue Administrators
       NetPro Computing announced DirectoryLockdown 2.0, a security
    solution to mitigate Active Directory (AD) attacks. The software
    monitors the Configuration and Schema Naming Contexts (NCs) of AD for
    unauthorized changes. If it detects modifications made to NC replicas,
    the software notifies you immediately and disables replication to and
    from the domain controller (DC), completely shutting it down.
    DirectoryLockdown 2.0 includes a recovery utility that lets you
    quickly restore the DC. DirectoryLockdown 2.0 is available with
    NetPro's Secure Active Directory Lifecycle Suite or as a standalone
    product. Contact NetPro at 602-346-3600 or on the Web.
       http://www.netpro.com
    
    Submit Top Product Ideas
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    ==== 8. Hot Thread ====
    
    Windows & .NET Magazine Online Forums
       http://www.winnetmag.com/forums
    
    Featured Thread: Security Rights for Laptop Users
       (Two messages in this thread)
    
    A user writes that for security reasons his company wants to restrict
    laptop users to the Power User and User groups. The problem he
    encounters with that setup is that sometimes he sends users programs
    that require Administrator rights to install. How can he accomplish
    the software installations without granting the users Administrator
    access or giving them the Administrator password? Lend a hand or read
    the responses:
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=58902
    
    ==== Sponsored Links ====
    
    FaxBack
    Integrate FAX into Exchange/Outlook (Whitepaper, ROI, Trial)
       http://list.winnetmag.com/cgi-bin3/DM/y/eREo0CJgSH0CBw0BAb30AK
    
    
    
    ====================
    
    ==== 9. Contact Us ====
    
    About the newsletter -- lettersat_private
    About technical questions -- http://www.winnetmag.com/forums
    About product news -- productsat_private
    About your subscription -- securityupdateat_private
    About sponsoring Security UPDATE -- emedia_oppsat_private
    
    ====================
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing Windows and related technologies. Subscribe
    today.
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
    Thank you!
    __________________________________________________________
    Copyright 2003, Penton Media, Inc.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    