[ISN] Windows & .NET Magazine Security UPDATE--July 23, 2003

From: InfoSec News (isnat_private)
Date: Thu Jul 24 2003 - 00:55:25 PDT


    ====================
    
    ==== This Issue Sponsored By ====
    UltraBac Software
    http://list.winnetmag.com/cgi-bin3/DM/y/eRsv0CJgSH0CBw0BBUM0AR
    
    ====================
    
    1. In Focus: Critical Patches; and a Different Kind of Full Disclosure
    
    2. Security Risks
         - DoS in Cisco IOS
         - Buffer Overrun in RPC Interface Could Allow Code Execution
         - Unchecked Buffer in Windows Shell Could Enable System
           Compromise
         - Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting
    
    3. Announcements
         - Windows Scripting Solutions for the Systems Administrator
         - Take Our Brief Active Directory Survey!
    
    4. Security Roundup
         - News: Microsoft Releases Three New Patches: One Critical, Two
           Important
         - News: Microsoft Loses Key DRM Battle
         - News: OASIS to Help Describe Web Vulnerabilities
         - News: Honeynet Affiliates Help Dampen Credit Card Fraud
         - News: Sophos Warns Users About Invasive Software
         - News: Homeland Security Picks Microsoft, Dell
     
    5. Instant Poll
         - Results of Previous Poll: Handling Spam
         - New Instant Poll: Cisco IOS Software Vulnerability
    
    6. Security Toolkit
         - Virus Center
             - Virus Alert: Gruel.B
         - FAQ: How Can I Make Sure That No One Logs On by Using the
           Windows NT Service Accounts That My Company's Critical 
           Applications Use?
    
    7. Event
         - Assessing Security Risks in Exchange 2003
     
    8. New and Improved
         - Destroy Viruses
         - Enforce Password Policies
         - Submit Top Product Ideas
    
    9. Hot Thread
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Hacktool.Rootkit
    
    10. Contact Us
       See this section for a list of ways to contact us.
    
    ====================
    
    ==== Sponsor: UltraBac Software ====
    
       UltraBac Software Introduces Affordable DR
       UBDR Pro is designed to serve as an organization's first line of
    defense in disaster recovery using the latest in 32-bit backup and
    recovery technologies. It uses a "lights out" scheduler to backup
    snapshot images of selected partitions to tape, disk, or any UNC path.
    A built-in locked file backup agent ensures all files are backed up so
    they can be restored safely when required. To recover a failed
    machine, users simply insert and boot from a universal UBDR Pro CD,
    then initiate a restore of the image from either tape or network UNC
    path. After the restore, a reboot recovers the machine 100% to its
    last pre-backup state. Users may also invoke the built-in encryption
    feature for added security.
       http://list.winnetmag.com/cgi-bin3/DM/y/eRsv0CJgSH0CBw0BBUM0AR
    
    ====================
    
    ==== 1. In Focus: Critical Patches; and a Different Kind of Full
    Disclosure ====
       by Mark Joseph Edwards, News Editor, markat_private
    
    You probably know by now about two serious vulnerabilities in Windows
    and Cisco Systems IOS software that could lead to significant problems
    for a vast majority of networks. The Windows problem relates to remote
    procedure calls (RPCs); an unchecked buffer could lead to a system or
    network compromise. Microsoft issued a patch for the problem, which
    affects Windows Server 2003, Windows XP, Windows 2000, and Windows NT
    (including NT Server 4.0, Terminal Server Edition--WTS). Because the
    problem affects four OS platforms, the potential for mass disruption
    is fairly significant. You can learn more about it in the related
    article, "Buffer Overrun in RPC Interface Could Allow Code Execution,"
    in this edition of Security UPDATE.
    
    Even more threatening is the problem with Cisco IOS software, which
    runs on a large number of devices including many of the routers that
    serve as gateways across the Internet. Cisco reported that a Denial of
    Service (DoS) condition exists whereby all Ethernet interfaces could
    become unresponsive and stop processing inbound traffic. The problem
    could also lead to an inability to remotely access a device. If your
    Cisco devices use IOS software, you should read Cisco's bulletin
    regarding this matter and upgrade your IOS software accordingly. The
    bulletin is linked in our article, "DoS in Cisco IOS," in this edition
    of Security UPDATE.
    
    The Polish group that discovered the RPC problem, The Last Stage of
    Delirium Research Group, chose not to divulge technical details about
    the discovery at this time. Because so many systems could be
    compromised if exploit details were easy to come by, that's probably a
    wise choice. However, the group routinely publishes technical details
    and code that others can use to verify or demonstrate a given security
    problem, so the group is likely to release information about its
    latest discovery eventually. Windows users have a window of
    opportunity to patch their systems before the group releases details
    or some other entity figures out how to exploit the RPC problem and
    publishes details. Full disclosure is almost inevitable, so be sure to
    either patch your systems or find a way to work around the problem.
    
    The media recently brought to light a twist on the matter of full
    disclosure. This twist deals with the security of underlying network
    technologies, not the top-level systems themselves. The "Washington
    Post" reports that George Mason University graduate student Sean
    Gorman's dissertation has drawn attention from those involved with
    national security.
       http://www.washingtonpost.com/wp-dyn/articles/A23689-2003Jul7.html
    
    Gorman's dissertation involves a detailed map of networks across the
    country. One can use the map to drill down and gain an array of
    details about a given network. For example, according to the
    "Washington Post" report, Gorman can click on a bank in Manhattan and
    see who has communication lines connected to that bank, or he can
    click on a trucking warehouse in Baltimore and determine its choke
    points.
    
    The implications of his map are staggering. According to Richard
    Clarke, former US special advisor for cyberspace security, "He
    [Gorman] should turn it in to his professor, get his grade, and then
    they both should burn it." However, if Gorman can create such a map,
    others can as well. More importantly, others might have done so
    already.
    
    Many consider full disclosure a problem, and sometimes it is. However,
    often (perhaps in most cases), it serves a worthwhile purpose. In
    Gorman's case, he's now involved in a dilemma: Will his PhD
    dissertation become "classified information"? If it does, can he still
    obtain his degree?
    
    Some argue that in Gorman's case, security through obscurity isn't
    much security at all. In the information security world, people make
    the same argument. After all, if people don't know about
    vulnerabilities, they might well be overly exposed without knowledge
    about that exposure. Knowing about problems lets people address them
    and defend themselves. On the other hand, full disclosure also gives
    intruders knowledge they might not have been able to obtain otherwise.
    Clearly, timing and coordination of information release is a concern.
    
    According to an article in the "Dallas Morning News," Bruce Schneier,
    founder and CTO of Counterpane Internet Security, said (about
    information security vulnerability disclosure), "What we've learned
    during the past eight or so years is that full disclosure helps much
    more than it hurts. Since full disclosure has become the norm, the
    computer industry has transformed itself from a group of companies
    that ignores security and belittles vulnerabilities into one that
    fixes vulnerabilities as quickly as possible."
       http://seattletimes.nwsource.com/cgi-bin/PrintStory.pl?document_id=135262788&zsection_id=268448455&slug=softwarebugs14&date=20030714
    
    I think you'll agree that Schneier is right. But consider the
    vulnerability information Gorman has collected. Protecting physical
    communication infrastructure isn't nearly as simple as correcting
    program code. Quite a dilemma indeed.
    
    ==== 2. Security Risks ====
       contributed by Ken Pfeil, kenat_private
    
    DoS in Cisco IOS
       Cisco Systems reported a Denial of Service (DoS) condition in its
    IOS software that occurs when the software is configured to use IP
    version 4 (IPv4). A sequence of specially crafted IPv4 packets can
    cause the input interface to stop processing traffic when the input
    queue is full, thereby causing the router to stop processing inbound
    traffic. Cisco has made new IOS software code available. For links to
    the software and bulletin as well as additional information, visit the
    URL below.
       http://www.secadministrator.com/articles/index.cfm?articleid=39610
    
    Buffer Overrun in RPC Interface Could Allow Code Execution
       The Last Stage of Delirium Research Group discovered that a
    buffer-overrun condition in the remote procedure call (RPC) interface
    can result in the execution of arbitrary code on the vulnerable
    computer. This condition stems from a flaw in the way malformed
    messages are handled. By exploiting this flaw, an attacker would be
    able to run code with Local System privileges on the vulnerable
    system. Microsoft has released security bulletin MS03-026 (Buffer
    Overrun In RPC Interface Could Allow Code Execution), which addresses
    this vulnerability, and recommends that affected users apply the
    appropriate patch listed in the bulletin.
       http://www.winnetmag.com/windowsserver2003/index.cfm?articleid=39617
    
    Unchecked Buffer in Windows Shell Could Enable System Compromise
       An unchecked buffer exists in one of the functions that the Windows
    shell uses to extract custom attribute information from certain
    folders. This problem could result in the execution of arbitrary code
    on the vulnerable computer. The vendor, Microsoft, has released
    security bulletin MS03-027 (Unchecked Buffer in Windows Shell Could
    Enable System Compromise), which addresses this vulnerability, and
    recommends that affected users apply the appropriate patch listed in
    the bulletin.
       http://www.secadministrator.com/articles/index.cfm?articleid=39616
    
    Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting
       A cross-site scripting vulnerability in some of Microsoft Internet
    Security and Acceleration (ISA) Server 2000's custom error pages could
    result in the execution of arbitrary code on the vulnerable computer.
    The vendor, Microsoft, has released security bulletin MS03-028 (Flaw
    in ISA Server Error Page Could Allow Cross-Site Scripting Attack),
    which addresses this vulnerability, and recommends that affected users
    apply the appropriate patch listed in the bulletin.
       http://www.secadministrator.com/articles/index.cfm?articleid=39615
    
    ==== 3. Announcements ====
       (from Windows & .NET Magazine and its partners)
    
    Windows Scripting Solutions for the Systems Administrator
       You might not be a programmer, but that doesn't mean you can't
    learn to create and deploy timesaving, problem-solving scripts.
    Discover Windows Scripting Solutions, the monthly print publication
    that helps you tackle common problems and automate everyday tasks with
    simple tools, tricks, and scripts. Try a sample issue today at
       http://list.winnetmag.com/cgi-bin3/DM/y/eRsv0CJgSH0CBw0BBTy0AA
    
    Take Our Brief Active Directory Survey!
       Windows & .NET Magazine would like to know how your organization
    uses Active Directory. Your feedback will be kept absolutely
    confidential, so take our brief survey today!
       http://list.winnetmag.com/cgi-bin3/DM/y/eRsv0CJgSH0CBw0BA7o0AU
    
    ==== 4. Security Roundup ====
    
    Microsoft Releases Three New Patches: One Critical, Two Important
       Microsoft released three security bulletins today regarding three
    problems in Windows platforms. Microsoft considers one patch
    "critical" and the other two "important."
       http://www.secadministrator.com/articles/index.cfm?articleid=39594
    
    Microsoft Loses Key DRM Battle
       In a strangely unpublicized case, Microsoft found itself last week
    on the losing end of a ruling in a critical Digital Rights Management
    (DRM) battle with InterTrust, a DRM company that's suing the software
    giant for almost 150 counts of patent infringement.
       http://www.secadministrator.com/articles/index.cfm?articleid=39596
    
    OASIS to Help Describe Web Vulnerabilities
       OASIS, a nonprofit standards body, is creating an open data format
    to help describe Web security vulnerabilities. OASIS designed the
    specification to be used for assessment and protection tools.
       http://www.secadministrator.com/articles/index.cfm?articleid=39586
    
    Honeynet Affiliates Help Dampen Credit Card Fraud
       The Honeynet Project recently released a new "Know Your Enemy"
    paper that describes how project affiliates gained new insight into
    credit card fraud.
       http://www.secadministrator.com/articles/index.cfm?articleid=39585
    
    Sophos Warns Users About Invasive Software
       Antivirus maker Sophos is warning users about an email message
    spreading around the Internet that invites users to view video files.
    To do so, they must first install an Internet Optimizer whose end user
    license agreement (EULA) gives the originating software company
    extensive rights.
       http://www.secadministrator.com/articles/index.cfm?articleid=39579
    
    Homeland Security Picks Microsoft, Dell
       The US Department of Homeland Security has agreed to a 6-year
    enterprise contract for Microsoft software that Dell will support.
    According to the PC maker, Dell will support 144,000 department
    employees using Microsoft server, OS, and application software.
       http://www.secadministrator.com/articles/index.cfm?articleid=39583
    
    ==== 5. Instant Poll ====
    
    Results of Previous Poll: Handling Spam
       The voting has closed in Windows & .NET Magazine's Security
    Administrator Channel nonscientific Instant Poll for the question,
    "Which is the best approach to handling spam?" Here are the results
    from the 205 votes.
       - 22% Networks should operate their own filtering technology
       - 64% Users should have to "opt-in" to receive spam from a given
       source
       -  7% Users should have to "opt-out" to not receive spam from a
       given source
       -  6% Other (email your idea to securityat_private)
    (Deviations from 100 percent are due to rounding.)
    
    New Instant Poll: Cisco IOS Software Vulnerability
       The next Instant Poll question is, "Did your network experience
    problems as a result of the recently reported Cisco IOS software
    vulnerability?" Go to the Security Administrator Channel home page and
    submit your vote for a) Yes--We experienced a Denial of Service (DoS)
    because of the attack, b) We experienced downtime but only because of
    an IOS upgrade, c) No, or d) Not sure.
       http://www.secadministrator.com
    
    ==== 6. Security Toolkit ====
    
    Virus Center
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    Virus Alert: Gruel.B
       W32/Gruel.B is a highly damaging worm with actions that include
    removing numerous key files from infected computers. Gruel.B reaches
    computers in an email message that's easily recognized because the
    subject includes the phrase: "Symantec: New Serious Virus Found," and
    the message text reads "Norton Security Response: has detected a new
    virus in the Internet. For this reason we made this tool attachement
    [sic] to protect your computer from this serious virus. Due to the
    number of submissions received from customers, Symantec Security
    Response has upgraded this threat to a Category 5 (Maximum)." To learn
    more about Gruel.B, read about it on Panda's Web site.
       http://www.pandasoftware.com/about/press/viewnews.aspx?noticia=3922
    
    FAQ: How Can I Make Sure That No One Logs On by Using the Windows
    NT Service Accounts That My Company's Critical Applications Use?
       contributed by John Savill, http://www.windows2000faq.com
    
    A. An easy way to restrict use of the service accounts is to assign the
    accounts a logon script that calls logoff.exe with the /F and /N
    parameters specified. (Logoff.exe comes bundled with the "Microsoft
    Windows NT Server 4.0 Resource Kit.") The /F parameter forces processes
    to close when logoff.exe is executed. The /N parameter forces processes
    to close without confirmation when logoff.exe is executed. When you
    protect an account with logoff.exe and the two parameters, anyone who
    attempts to log on interactively with the account will immediately be
    logged off. For this solution to work, you obviously must make sure
    that the tool is available on all machines in your domain.
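    A logon script of the kind the answer describes, written here as an
    added example (not Savill's own script): it records the attempted
    interactive logon to a file share before forcing the logoff, so the
    attempt leaves a trace an administrator can review. It assumes
    logoff.exe has been copied to %SystemRoot% on every machine, and the
    share \\LOGSRV\svclogons$ and its path are hypothetical placeholders.

```batch
@echo off
rem Logon script for a service account (added example, not from the FAQ).
rem Assumes logoff.exe from the NT 4.0 Resource Kit has been copied to
rem %SystemRoot% on every machine, and that \\LOGSRV\svclogons$ is a
rem hypothetical share the service accounts can append to.
setlocal

set LOGFILE=\\LOGSRV\svclogons$\interactive-logons.txt

rem Capture date and time; NT 4 cmd.exe has no %DATE% or %TIME% variables.
for /f "tokens=*" %%d in ('date /t') do set TODAY=%%d
for /f "tokens=*" %%t in ('time /t') do set NOW=%%t

rem Record the attempt first: the logon itself has already succeeded, so
rem the administrator needs to know which account was used and where.
echo %TODAY% %NOW% interactive logon as %USERDOMAIN%\%USERNAME% on %COMPUTERNAME% >> "%LOGFILE%"

rem If the Resource Kit tool is missing on this machine the protection
rem silently fails; note that in the log rather than leaving no trace.
if not exist "%SystemRoot%\logoff.exe" goto missing

rem /F closes running processes, /N does so without prompting the user.
"%SystemRoot%\logoff.exe" /F /N
goto end

:missing
echo %TODAY% %NOW% WARNING: logoff.exe not found on %COMPUTERNAME%; session for %USERNAME% left open >> "%LOGFILE%"

:end
endlocal
```

    The script only ends the session after authentication has succeeded, so
    the account's logon events still appear in the Security log when logon
    auditing is enabled, which gives a second place to check for misuse.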
    
    ==== 7. Event ====
    
    New--Mobile & Wireless Road Show!
       Learn more about the wireless and mobility solutions that are
    available today! Register now for this free event!
       http://list.winnetmag.com/cgi-bin3/DM/y/eRsv0CJgSH0CBw0BA8Y0A8
    
    ==== 8. New and Improved ====
       by Sue Cooper, productsat_private
    
    Destroy Viruses
       Global Hauri announced ViRobot Expert 4.5, desktop and server
    software to protect your systems against viruses, spam, and spyware.
    Its antivirus feature detects unknown computer viruses and moves them
    into a virtual directory in Windows to prevent infection. Known
    viruses are destroyed rather than quarantined. The antispam feature
    uses three filters to examine the subject line, mail content, and
    attachments. ViRobot Expert 4.5 runs in Windows Explorer and supports
    Logs, Backup Bin, Inbox, and Configuration functions. The application
    supports Windows XP/2000 Professional/NT Workstation/Me/98/95. Contact
    Global Hauri at 408-232-5463 or salesat_private
       http://www.globalhauri.com
    
    Enforce Password Policies
       Little cat Z released Password Defender 2.2c, password policy
    enforcement for Windows NT and Active Directory (AD) networks. The
    software's creators first wrote their own password cracker, then
    systematically worked out password policy rules to prevent it from
    working. The software combines password cracking (to find existing
    weak passwords) and password filtering (to prevent creation of
    additional weak passwords). Its policy-based system lets you apply
    different password-strength rules to different Windows 2000/NT groups.
    New features include support for high-speed custom dictionaries and
    support for Terminal Services. Contact London-based Little cat Z at
    infoat_private
       http://www.littlecatz.com
    
    Submit Top Product Ideas
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    ==== 9. Hot Thread ====
    
    Windows & .NET Magazine Online Forums
       http://www.winnetmag.com/forums
    
    Featured Thread: Hacktool.Rootkit
       (Three messages in this thread)
    
    A user writes that he has a Windows 2000 Server running a particular
    Web application. The server has Symantec antivirus software installed,
    and the server is behind a Cisco Systems PIX firewall. Someone has
    planted the Hacktool.Rootkit Trojan horse on the server. When an
    administrator logs on to the console, Symantec antivirus real-time
    protection quarantines the iexplore.dll file. Each time someone logs on
    to the local console, iexplore.dll is created again and placed in the
    WINNT\System32 directory. Can he remove the Trojan horse without
    having to rebuild the server? Lend a hand or read the responses:
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=61176
    
    ==== Sponsored Links ====
    
    AutoProf
       Jerry Honeycutt Desktop Deployment Whitepaper
       http://list.winnetmag.com/cgi-bin3/DM/y/eRsv0CJgSH0CBw0BBDo0Ai
    
    Sybari
       Learn about the new security features of Exchange 2003 -- FREE!
       http://list.winnetmag.com/cgi-bin3/DM/y/eRsv0CJgSH0CBw0BBOG0AF
    
    ===================
    
    ==== 10. Contact Us ====
    
    About the newsletter -- lettersat_private
    About technical questions -- http://www.winnetmag.com/forums
    About product news -- productsat_private
    About your subscription -- securityupdateat_private
    About sponsoring Security UPDATE -- emedia_oppsat_private
    
    ====================
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing Windows and related technologies. Subscribe
    today.
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
    Thank you!
    __________________________________________________________
    Copyright 2003, Penton Media, Inc.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    