[ISN] Windows & .NET Magazine Security UPDATE--August 6, 2003

From: InfoSec News (isnat_private)
Date: Thu Aug 07 2003 - 00:33:27 PDT


    ====================
    
    ==== This Issue Sponsored By ====
    
    Ecora Software
       http://list.winnetmag.com/cgi-bin3/DM/y/ecHw0CJgSH0CBw0BBlS0AV
    
    HP & Microsoft Network Storage Solutions Road Show
       http://list.winnetmag.com/cgi-bin3/DM/y/ecHw0CJgSH0CBw07cD0Ao
    
    ====================
    
    1. In Focus: The RPC/DCOM Bugs: How Bad Are They?
    
    2. Security Risks
         - Information-Disclosure Vulnerability in Cisco AP1100
         - DoS Vulnerability in Cisco WAP
    
    3. Announcements
         - Need Help Managing Your Storage Investment?
         - Learn More About the Security Risks in Exchange 2003
    
    4. Security Roundup
         - News: Microsoft Patches Leave Systems Insecure and Break RAS
         - News: Is RIAA Targeting You?
         - News: Bono Introduces Spyware Bill
         - News: Are You Vulnerable to RPC Exploitation?
    
    5. Instant Poll
         - Results of Previous Poll: Cisco IOS Software Vulnerability
         - New Instant Poll: RPC/DCOM Probing
    
    6. Security Toolkit
         - Virus Center
         - FAQ: What Command-Prompt Tool Reports System Uptime?
    
    7. Event
         - New--Mobile & Wireless Road Show!
    
    8. New and Improved
         - Monitor Web Content from Both Directions
         - Submit Top Product Ideas
    
    9. Hot Threads
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Auditing Software for Win2K?
         - HowTo Mailing List
             - Featured Thread: Batch Files in AD GPO
    
    10. Contact Us
       See this section for a list of ways to contact us.
    
    ====================
    
    ==== Sponsor: Ecora Software ====
    
       Perform patch audits in minutes with Ecora Patch Manager
       How confident are you that all critical security patches are
    deployed and up-to-date on every single system in your infrastructure?
    Need some help figuring it all out before the next big worm attack? 
    Try a free copy of Ecora Patch Manager.  Designed for IT professionals
    short on time, Patch Manager completely automates and simplifies the
    entire patch management cycle in just minutes.  See for yourself how
    automation can save time, reduce costs, and keep your IT
    infrastructure stable and secure. Download a free, fully-functional
    trial of Ecora Patch Manager now!  Patch Manager supports
    mission-critical OS platforms and applications, including Windows
    NT/2000/XP, Microsoft Exchange, IIS, SQL, MSDE, Windows Media Player,
    Microsoft Office, and IE.
       http://list.winnetmag.com/cgi-bin3/DM/y/ecHw0CJgSH0CBw0BBlS0AV
    
    ====================
    
    ==== 1. In Focus: The RPC/DCOM Bugs: How Bad Are They? ====
       by Mark Joseph Edwards, News Editor, markat_private
    
    You've undoubtedly learned about the remote procedure call
    (RPC)-Distributed COM (DCOM) bug in Windows by now. If not, you were
    probably on vacation and returned to what might seem like a crisis.
    Microsoft released its patch for the problem, which you can read about
    in "Microsoft Patches Leave Systems Insecure and Break RAS" and "Are
    You Vulnerable to RPC Exploitation?" in this issue of Security UPDATE.
    However, users have discovered that the Microsoft patch doesn't
    exactly fix all the problems.
    
    Users who obtained the "demonstration code" (I use that term loosely)
    to test their patched systems quickly learned that systems are still
    vulnerable to a Denial of Service (DoS) attack that crashes the
    svchost.exe process. One reader informed me that Microsoft has
    acknowledged that problem and said that it will release a fix.
    
    Microsoft originally reported that disabling DCOM (by using
    dcomcnfg.exe) and blocking port 135 would mitigate attacks, which is
    true. However, the company later modified its bulletin to indicate
    that you must also block port 137 and port 445 because an attacker
    can reach the vulnerable RPC interface through those ports as well.
    Another reader pointed out that CERT's advisory about the matter adds
    port 139 to the list of vulnerable ports. The common thread is that
    all of these ports carry RPC traffic: 135 is the endpoint mapper, and
    139 and 445 carry SMB, over which RPC calls can travel on named pipes.
    You should block access to all of these ports (UDP and TCP) wherever
    and whenever possible, at the perimeter and on the hosts themselves.
    Ports can be open on many machines, and it's always best to block
    everything that you don't need to leave exposed.
       http://www.cert.org/advisories/CA-2003-19.html
    
    Defending against attacks by disabling DCOM might not be a practical
    workaround either, depending on your network environment. Members of
    various mailing lists (e.g., Full-Disclosure, Focus-MS) report that
    you might encounter critical problems with such attempted workarounds.
    
    For example, even if you perform the blocking actions described, you
    might still be at risk if your Microsoft IIS servers have COM Internet
    Services enabled, because that feature tunnels DCOM calls over HTTP
    through IIS. In that case, attacks might be possible against port 80
    and port 443. Also, disabling DCOM on a system eliminates the ability
    of COM objects on different systems to communicate with each other,
    which has wide-reaching effects.
    
    Microsoft Systems Management Server (SMS) servers won't be able to
    perform their tasks correctly. Also, after you disable DCOM on a
    machine, your remote management tools won't be able to access that
    machine. For example, if you need to reenable DCOM to regain
    functionality, someone will have to physically visit that machine to
    turn it back on (or reach it through a channel that doesn't itself
    depend on DCOM).
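
    The following script is an added example and is not code from the
    newsletter or from Microsoft. It audits a single host for the points
    the column raises: whether the MS03-026 hotfix is present, whether
    DCOM has been disabled, which of the RPC-carrying ports are actually
    listening, and what the firewall profiles do with unsolicited inbound
    traffic. It assumes Windows PowerShell 3.0 or later on Windows 8 or
    Server 2012 or later (for the NetTCPIP and NetSecurity modules), run
    elevated. KB823980 is the hotfix ID Microsoft shipped for MS03-026; the
    port set is the one the column and CERT CA-2003-19 say to filter; the
    function names are the example's own.

```powershell
# Added example, not code from the newsletter or from Microsoft: audit a host
# for the MS03-026 workarounds the column describes. Assumes Windows PowerShell
# 3.0+ on Windows 8 / Server 2012 or later (NetTCPIP and NetSecurity modules),
# run elevated. KB823980 is the hotfix ID Microsoft shipped for MS03-026; the
# port set is the one the column and CERT CA-2003-19 say to filter.

$RpcPorts = @{
    TCP = @(135, 139, 445, 593)   # endpoint mapper, NetBIOS session, SMB, RPC over HTTP
    UDP = @(135, 137, 138, 445)   # endpoint mapper, NetBIOS name/datagram, SMB
}

function Test-DcomDisabled {
    # dcomcnfg.exe records "DCOM disabled" as EnableDCOM=N under this key;
    # re-enabling it remotely needs a channel that does not itself use DCOM.
    $ole = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Ole' -ErrorAction SilentlyContinue
    return [bool]($ole -and $ole.EnableDCOM -eq 'N')
}

function Test-HotfixInstalled {
    param([Parameter(Mandatory = $true)][string]$Kb)
    return [bool](Get-HotFix -ErrorAction SilentlyContinue | Where-Object { $_.HotFixID -eq $Kb })
}

function Get-ListeningRpcPorts {
    # Which of the RPC-carrying ports are actually bound here. This turns the
    # "block 135/137/139/445" checklist into a statement about real exposure.
    $tcp = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $RpcPorts.TCP -contains $_.LocalPort } |
        ForEach-Object { "tcp/$($_.LocalPort)" }
    $udp = Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
        Where-Object { $RpcPorts.UDP -contains $_.LocalPort } |
        ForEach-Object { "udp/$($_.LocalPort)" }
    return @(@($tcp) + @($udp) | Sort-Object -Unique)
}

function Get-InboundDefaults {
    # A profile whose default inbound action is Block drops unsolicited RPC
    # traffic unless an enabled allow rule (e.g. File and Printer Sharing) admits it.
    Get-NetFirewallProfile | Select-Object Name, Enabled, DefaultInboundAction
}

function Block-RpcPorts {
    # Explicit inbound block rules. Scope -RemoteAddress before running this:
    # blocking 135/445 from your own subnets breaks SMS, remote management and
    # every DCOM client, which is the trade-off the column warns about.
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$RemoteAddress = 'Any')
    foreach ($proto in 'TCP', 'UDP') {
        $ports = $RpcPorts[$proto]
        if ($PSCmdlet.ShouldProcess("$proto $($ports -join ',') from $($RemoteAddress -join ',')", 'Add inbound block rule')) {
            New-NetFirewallRule -DisplayName "MS03-026 block inbound $proto RPC ports" `
                -Direction Inbound -Action Block -Protocol $proto `
                -LocalPort $ports -RemoteAddress $RemoteAddress | Out-Null
        }
    }
}

function Get-Ms03026Audit {
    [pscustomobject]@{
        Computer          = $env:COMPUTERNAME
        Ms03026Patched    = Test-HotfixInstalled -Kb 'KB823980'
        DcomDisabled      = Test-DcomDisabled
        RpcPortsListening = (Get-ListeningRpcPorts) -join ' '
        InboundDefaults   = (Get-InboundDefaults | ForEach-Object { "$($_.Name)=$($_.DefaultInboundAction)" }) -join ' '
    }
}

Get-Ms03026Audit | Format-List
# Dry run of the block rules; drop -WhatIf once the remote-address scope is right.
Block-RpcPorts -WhatIf
```

    Two caveats. On any currently supported Windows version the hotfix
    check will report False, because KB823980 predates the rollup model
    and never appears in the QFE list; the function is the shape of the
    check, and you substitute the KB for whatever bulletin you are chasing.
    And, as the column itself notes for this patch, the presence of a
    hotfix is not proof that the exposure is gone, so the listening-port
    and firewall results are the part of the output to trust.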
    
    Obviously, patches that correct these matters would provide the best
    solution. By the time you read this, Microsoft might have released
    another patch that corrects all the problems. I hope so, because many
    people are concerned that someone will unleash a worm or virus that
    could lead to massive DoS episodes--or release Trojan horses that open
    back doors. Unfortunately, both possibilities are likely and at least
    one worm, Autorooter, has already been discovered. (You can read about
    the worm at the Kaspersky Lab Web site--see the URL below.) Other
    exploits might already have occurred by the time you read this
    newsletter. If such exploits occur, who will be responsible: the
    intruders, the people who fail to patch their systems, or the people
    who release proof-of-concept code? Perhaps all of those groups will
    have played a part.
       http://www.viruslist.com/eng/viruslist.html?id=61506
    
    In the meantime, you can monitor attack trends at Internet Storm
    Center. The site provides useful information about security risk
    trends by gathering that information from numerous network sensors
    around the world. Be sure to check it out.
       http://www.incidents.org
    
    ====================
    
    ==== Sponsor: HP & Microsoft Network Storage Solutions Road Show ====
     
       Missed the Network Storage Solutions Road Show?
       If you couldn't make the HP & Microsoft Network Storage Solutions
    Road Show, you missed Mark Smith talking about Windows-Powered NAS,
    file server consolidation, and more.  The good news is that you can
    now view the Webcast event in its entirety at:
       http://list.winnetmag.com/cgi-bin3/DM/y/ecHw0CJgSH0CBw07cD0Ao
    
    ====================
    
    ==== 2. Security Risks ====
       contributed by Ken Pfeil, kenat_private
    
    Information-Disclosure Vulnerability in Cisco AP1100
       VIGILANTe discovered that a vulnerability in Cisco Systems' Aironet
    AP1100 Wireless Access Point (WAP) can lead to information disclosure.
    The device is subject to a brute-force attack. Cisco has issued a
    notice about this vulnerability and recommends that affected users
    work through their usual support channels to obtain a software
    upgrade.
       http://www.secadministrator.com/articles/index.cfm?articleid=39710
    
    DoS Vulnerability in Cisco WAP
       VIGILANTe discovered that a vulnerability in Cisco Systems' Aironet
    AP1200 and Aironet AP1100 Wireless Access Point (WAP) can lead to a
    Denial of Service (DoS) condition. By sending a malformed URL to the
    Cisco Aironet AP1200 or Aironet AP1100, an attacker can cause the
    device to reload. Repeating this action results in the DoS condition.
    Cisco has issued a notice about this vulnerability and recommends that
    affected users work through their usual support channels to obtain a
    software upgrade.
       http://www.secadministrator.com/articles/index.cfm?articleid=39711
    
    ==== Sponsor: Virus Update from Panda Software ====
    
       Check for the latest anti-virus information and tools, including
    weekly virus reports, virus forecasts, and virus prevention tips, at
    Panda Software's Center for Virus Control.
       http://list.winnetmag.com/cgi-bin3/DM/y/ecHw0CJgSH0CBw0BBlT0AW
    
       Viruses routinely infect "fully protected" networks. Is total
    protection possible? Find answers in the free guide HOW TO KEEP YOUR
    COMPANY 100% VIRUS FREE from Panda Software. Learn how viruses enter
    networks, what they do, and the most effective weapons to combat them.
    Protect your network effectively and permanently - download today!
       http://list.winnetmag.com/cgi-bin3/DM/y/ecHw0CJgSH0CBw0BBDp0AK
    
    ====================
    
    ==== 3. Announcements ====
       (from Windows & .NET Magazine and its partners)
    
    Need Help Managing Your Storage Investment?
       Planning and managing your storage deployment can be costly and
    complex. Check out Windows & .NET Magazine's Storage Administration
    Web site for the latest advice, news, and tips to help you make the
    most of your storage investment. You'll find problem-solving articles,
    eye-opening white papers, a technical forum, and much more!
       http://list.winnetmag.com/cgi-bin3/DM/y/ecHw0CJgSH0CBw0rvk0Al
    
    Learn More About the Security Risks in Exchange 2003
       Videotaped live at Microsoft TechEd 2003, this free archived Web
    seminar delivers an introduction to the new security features and
    enhancements of Exchange Server 2003, including the new security APIs
    that can minimize virus risk and spam traffic. Plus, you'll discover
    more about the future of the messaging industry and what's on the
    horizon in assessing risk. Register today!
       http://list.winnetmag.com/cgi-bin3/DM/y/ecHw0CJgSH0CBw0BAjH0AH
    
    ==== 4. Security Roundup ====
    
    News: Microsoft Patches Leave Systems Insecure and Break RAS
       Users are reporting problems with two of Microsoft's recent
    security hotfixes, which patch problems with remote procedure call
    (RPC) and Windows file-management functions. Demonstration code
    related to the RPC problem that Microsoft Security Bulletin MS03-026
    addresses (Buffer Overrun In RPC Interface Could Allow Code Execution)
    was released on the Internet. Users discovered that even with the RPC
    patch installed, systems were still vulnerable to Denial of Service
    (DoS) attacks. Other users reported that after installing the patch
    related to the file-management problem that Security Bulletin MS03-029
    addresses (Flaw in Windows Function Could Allow Denial of Service),
    their RAS servers stopped working properly. Microsoft says that it
    will release patches that correct those problems.
       http://www.secadministrator.com/articles/index.cfm?articleid=39709
    
    News: Is RIAA Targeting You?
       The Recording Industry Association of America (RIAA) is hot on the
    heels of file swappers, namely those who use popular programs such as
    Kazaa to trade music files. If you wonder whether they're targeting
    you or your networks, learn how to find out through this news story.
       http://www.secadministrator.com/articles/index.cfm?articleid=39724
    
    News: Bono Introduces Spyware Bill
       Representative Mary Bono (R-CA) introduced a new bill, cosponsored
    by Representative Edolphus Towns (D-NY), that would regulate computer
    spyware that companies use to gather various information from users.
       http://www.secadministrator.com/articles/index.cfm?articleid=39715
    
    News: Are You Vulnerable to RPC Exploitation?
       If you've read any of the news stories on the Internet about the
    recently reported remote procedure call (RPC) security problem, you
    might wonder whether the Internet will be brought to its knees at any
    time. While security experts continue to analyze the extent of the
    danger, you do need to protect your systems--and don't depend on the
    Windows Update service.
       http://www.secadministrator.com/articles/index.cfm?articleid=39740
    
    ==== 5. Instant Poll ====
    
    Results of Previous Poll: Cisco IOS Software Vulnerability
       The voting has closed in Windows & .NET Magazine's Security
    Administrator Channel nonscientific Instant Poll for the question,
    "Did your network experience problems as a result of the recently
    reported Cisco IOS software vulnerability?" Here are the results from
    the 83 votes.
       -  1% Yes--We experienced a Denial of Service (DoS) because of the attack
       - 25% We experienced downtime but only because of an IOS upgrade
       - 65% No
       -  8% Not sure
    (Deviations from 100 percent are due to rounding.)
    
    New Instant Poll: RPC/DCOM Probing
       The next Instant Poll question is, "Has your company experienced
    someone probing to determine whether your systems are vulnerable to a
    remote procedure call (RPC)/Distributed COM (DCOM) exploit?" Go to the
    Security Administrator Channel home page and submit your vote for a)
    Yes, b) No, or c) I'm not sure.
       http://www.secadministrator.com
    
    ==== 6. Security Toolkit ====
    
    Virus Center
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    FAQ: What Command-Prompt Tool Reports System Uptime?
       contributed by Jan De Clercq
    
    Sysinternals' PsInfo is an interesting freeware tool that you can use
    to report system uptime. You can download this command-prompt tool
    from http://www.sysinternals.com/ntw2k/freeware/psinfo.shtml. PsInfo
    also reports on other system characteristics, such as kernel version
    and processor type. If you add the -h switch, the PsInfo command also
    reports on installed hotfixes. If you add the -s switch, the command
    adds a report on installed software. You can also use the tool to
    query remote machines. The following command reports uptime and other
    system-related information for the machine named fileserver1:
    
    psinfo \\fileserver1
    
    If you want to query a remote machine, the account that runs the
    PsInfo tool must have remote registry access to the remote machine's
    HKEY_LOCAL_MACHINE\SYSTEM registry subkey. For more information about
    configuring remote registry access, see "NT Gatekeeper: Securing
    Remote Access to the System Registry," October 2001, InstantDoc ID
    22417.
       http://www.secadministrator.com/articles/index.cfm?articleid=22417
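
    As an added example (not part of the FAQ, and not Sysinternals code),
    the following function collects the same uptime, kernel-version and
    hotfix data PsInfo reports, but over WMI/CIM instead of the remote
    registry, so the permission you need is WMI access rather than rights
    on HKEY_LOCAL_MACHINE\SYSTEM. It assumes WinRM is enabled on the
    targets (Get-CimInstance's default transport) and that the account has
    WMI rights there; the host names are placeholders.

```powershell
# Added example, not from the FAQ or from Sysinternals: the uptime and hotfix
# data PsInfo reports, collected over WMI/CIM instead of the remote registry.
# Assumes the account holds WMI rights on the targets and WinRM is enabled
# there (Get-CimInstance's default transport); host names are placeholders.

function Get-Uptime {
    [CmdletBinding()]
    param(
        [Parameter(ValueFromPipeline = $true)][string[]]$ComputerName = $env:COMPUTERNAME,
        [switch]$IncludeHotfixes
    )
    process {
        foreach ($c in $ComputerName) {
            try {
                # CIM returns LastBootUpTime and LocalDateTime as DateTime already.
                # Subtracting on the target's own clock sidesteps skew between
                # your workstation and the server.
                $os = Get-CimInstance -ClassName Win32_OperatingSystem -ComputerName $c -ErrorAction Stop
                $rec = [pscustomobject]@{
                    Computer = $c
                    Kernel   = $os.Version
                    LastBoot = $os.LastBootUpTime
                    Uptime   = $os.LocalDateTime - $os.LastBootUpTime
                    Error    = $null
                }
                if ($IncludeHotfixes) {
                    # Get-HotFix reaches the target over DCOM/RPC (port 135 plus a
                    # dynamic port), so it fails wherever those ports are filtered.
                    $hf = (Get-HotFix -ComputerName $c -ErrorAction Stop).HotFixID -join ' '
                    $rec | Add-Member -NotePropertyName Hotfixes -NotePropertyValue $hf
                }
                $rec
            } catch {
                [pscustomobject]@{ Computer = $c; Kernel = $null; LastBoot = $null; Uptime = $null; Error = $_.Exception.Message }
            }
        }
    }
}

'fileserver1', 'fileserver2' | Get-Uptime -IncludeHotfixes | Format-Table -AutoSize
```

    For targets without WinRM, Get-WmiObject over DCOM reaches the same
    class, but then LastBootUpTime comes back as a DMTF date string that
    needs converting. Either way, the hotfix query rides on RPC, which is
    worth remembering when the RPC ports are the thing you have just
    filtered.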
    
    ==== 7. Event ====
    
    New--Mobile & Wireless Road Show!
       Learn more about the wireless and mobility solutions that are
    available today! Register now for this free event!
       http://list.winnetmag.com/cgi-bin3/DM/y/ecHw0CJgSH0CBw0BA8Y0Ai
    
    ==== 8. New and Improved ====
       by Sue Cooper, productsat_private
    
    Monitor Web Content from Both Directions
       Clearswift announced MIMEsweeper for Web 5.0, content filtering
    that manages and enforces your Web usage, security, privacy, and
    compliance policies. The software offers analysis of HTTP and
    browser-based FTP traffic, integration with leading antivirus
    applications, URL-based blocking of banned sites, comprehensive
    auditing and reporting, email alerts to administrators, and granular
    policy management. MIMEsweeper for Web disassembles Web transfers,
    breaking them down into individual objects for content analysis
    according to policy as it applies to the user who initiates the
    transmission. MIMEsweeper for Web 5.0 has improved scalability,
    performance, and manageability. The product will be available later in
    August. Contact Clearswift at 425-460-6000 or info.usat_private
       http://www.clearswift.com
    
    Submit Top Product Ideas
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    ==== 9. Hot Threads ====
    
    Windows & .NET Magazine Online Forums
       http://www.winnetmag.com/forums
    
    Featured Thread: Auditing Software for Win2K?
       (Two messages in this thread)
    
    A user writes that on his Windows 2000 Server, the Event Viewer
    Security log shows thousands of logon attempts a day for the
    Administrator account. He thinks that someone is trying to break into
    the account. The information Event Viewer provides (he has also tried
    capturing network frames using Network Monitor) isn't sufficient to
    find the source. He wants to know the best way to determine the origin
    of the logon attempts. Lend a hand or read the responses:
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=61753
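
    The following is an added example, not a reply from the thread, of how
    a practitioner would attribute those failed Administrator logons to
    their sources from the Security log. It assumes a server running Vista
    or Server 2008 or later, where the failed-logon event 4625 carries the
    source network address (Windows 2000's event 529 recorded only the
    client-supplied workstation name, which is why the poster was stuck),
    and an account with rights to read the Security log. The function name
    and parameters are the example's own.

```powershell
# Added example, not from the forum thread: attribute failed Administrator
# logons to their sources. Assumes Vista / Server 2008 or later (event 4625
# with a source address) and rights to read the Security log.

function Get-FailedLogonSources {
    [CmdletBinding()]
    param(
        [string]$TargetUser   = 'Administrator',
        [int]$Hours           = 24,
        [string]$ComputerName = $env:COMPUTERNAME
    )
    $filter = @{ LogName = 'Security'; Id = 4625; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue

    $records = foreach ($e in $events) {
        # Read EventData fields by name from the event XML; positional
        # Properties[] indexes shift between event versions.
        $data = @{}
        foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['TargetUserName'] -ne $TargetUser) { continue }
        [pscustomobject]@{
            Time        = $e.TimeCreated
            IpAddress   = $data['IpAddress']        # '-' when no address was recorded
            Workstation = $data['WorkstationName']  # client-supplied, so spoofable
            LogonType   = [int]$data['LogonType']   # 3 = network (SMB/RPC), 10 = Remote Desktop
            SubStatus   = $data['SubStatus']        # 0xC000006A bad password, 0xC0000234 locked out
        }
    }

    $records | Group-Object IpAddress, Workstation, LogonType | ForEach-Object {
        $sorted = @($_.Group | Sort-Object Time)
        [pscustomobject]@{
            IpAddress   = $sorted[0].IpAddress
            Workstation = $sorted[0].Workstation
            LogonType   = $sorted[0].LogonType
            Attempts    = $_.Count
            First       = $sorted[0].Time
            Last        = $sorted[-1].Time
            BadPassword = @($sorted | Where-Object SubStatus -eq '0xc000006a').Count
        }
    } | Sort-Object Attempts -Descending
}

Get-FailedLogonSources -Hours 24 | Format-Table -AutoSize
```

    The IpAddress column is taken from the connection by the logon
    process, so it is the field to trust; the workstation name is whatever
    the client chose to send. A source that shows thousands of bad-password
    attempts over logon type 3 in a tight window is a password-guessing
    client, and the address is what you feed to the firewall or to the
    owner of the subnet.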
    
    HowTo Mailing List
       http://63.88.172.96/listserv/page_listserv.asp?s=howto
    
    Featured Thread: Batch Files in AD GPO
       (Six messages in this thread)
    
    A user wants to know whether batch files can be assigned to a Group
    Policy Object (GPO) and whether scripts in a GPO must be in VBScript.
    Lend a hand or read the responses:
       http://63.88.172.96/listserv/page_listserv.asp?A2=IND0307D&L=HOWTO&P=80
    
    ==== Sponsored Links ====
    
    Ultrabac
       FREE live trial-Backup & Disaster Recovery software w/ encryption
       http://ad.doubleclick.net/clk;5945485;8214395;x
       http://www.ultrabac.com/default.asp?src=WINTxtLAug03tgt=./
    
    CrossTec
       Free Download - NEW NetOp 7.6 - faster, more secure, remote support
       http://ad.doubleclick.net/clk;5930423;8214395;j
       http://www.crossteccorp.com/w2kmag.htm
    
    ===================
    
    ==== 10. Contact Us ====
    
    About the newsletter -- lettersat_private
    About technical questions -- http://www.winnetmag.com/forums
    About product news -- productsat_private
    About your subscription -- securityupdateat_private
    About sponsoring Security UPDATE -- emedia_oppsat_private
    
    ====================
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing Windows and related technologies. Subscribe
    today.
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
    To unsubscribe from this email newsletter, send an email message to
    mailto:Security-UPDATE_Unsubat_private
    
    To make other changes to your email account such as change your email
    address, update your profile, and subscribe or unsubscribe to any of
    our email newsletters, simply log on to our Email Preference Center.
       http://www.winnetmag.com/email
    
    Thank you!
    __________________________________________________________
    Copyright 2003, Penton Media, Inc.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    



    This archive was generated by hypermail 2b30 : Thu Aug 07 2003 - 03:12:47 PDT