[ISN] Windows & .NET Magazine Security UPDATE--August 13, 2003

From: InfoSec News (isnat_private)
Date: Thu Aug 14 2003 - 02:09:18 PDT


    ====================
    
    ==== This Issue Sponsored By ====
    
    Shavlik HFNetChkPro Patch Management
       http://list.winnetmag.com/cgi-bin3/DM/y/ecLq0CJgSH0CBw076e0Aa
    
    Ecora Software
       http://list.winnetmag.com/cgi-bin3/DM/y/ecLq0CJgSH0CBw0BBrM0AT
    
    ====================
    
    1. In Focus: The Risks of Sharing Vulnerability Information
    
    2. Security Risks
         - DoS in Crob FTP Server 2.60.1
    
    3. Announcements
         - Windows & .NET Magazine Connections: for Security-Minded IT
           Pros
         - Try Windows & .NET Magazine!
    
    4. Security Roundup
         - News: ISC Detects RPC/DCOM Worm
         - News: SuSE Linux Passes EAL2+ Security Test; EAL3 on the
           Horizon
         - Feature: New Features in SP3a
    
    5. Security Toolkit
         - Virus Center
             - Virus Alert: W32/Mimail
         - FAQ: How Can I Ensure That Our Web Servers Aren't Enabled for
           IP Routing Between the Demilitarized Zone (DMZ) and the 
           Internal Network?
    
    6. Event
         - New--Mobile & Wireless Road Show!
    
    7. New and Improved
         - Install Secure, Affordable Remote Access Appliance
         - Detect Critical Security Flaw and Repair Systems for Free
         - Submit Top Product Ideas
    
    8. Hot Threads
         - Windows & .NET Magazine Online Forums
             - Featured Thread: Firewall Service on ISA Server Fails to
               Start
         - HowTo Mailing List
             - Featured Thread: Disabling Unneeded Services
    
    9. Contact Us
       See this section for a list of ways to contact us.
    
    ====================
    
    ==== Sponsor: Shavlik HFNetChkPro Patch Management ====
    
       Patch MS03-026 and get FREE 25% Maintenance!
       Immediately deploy critical patch MS03-026 and get FREE 25%
    maintenance for the first year when you order HFNetChkPro by 8/31/03!
    Easily scan for & install SP4 and MS03-026 with Shavlik HFNetChkPro
    and make a powerful impact on your enterprise security. Now's the time
    to get patched and stay patched with the leading security patch
    management solution. Download our free version at
     http://list.winnetmag.com/cgi-bin3/DM/y/ecLq0CJgSH0CBw076e0Aa
    
    ====================
    
    ==== 1. In Focus: The Risks of Sharing Vulnerability Information ====
       by Mark Joseph Edwards, News Editor, markat_private
    
    As you know, the past few weeks have been full of reports about
    possible impending attacks on Windows networks across the globe
    because of the recently discovered remote procedure call
    (RPC)/Distributed COM (DCOM) security problem. The release of code
    that attackers could use to exploit unprotected systems intensified
    those debates.
    
    As I write this commentary, the speculation about a widespread attack
    is beginning to manifest itself in a new worm, known as Blaster,
    MBlast, or Lovesan. More than 10,000 systems probably infected with
    the worm are scanning to discover vulnerable systems. You can read
    about the worm in "ISC Detects RPC/DCOM Worm," in this edition of
    Security UPDATE.
    
    At the same time, security professionals continue to debate the issues
    involved in having available knowledge about security vulnerabilities
    and having available code that attackers could twist into ready
    exploits--but the debates haven't reached any consensus. However,
    maybe this worm will shift the opinions.
    
    A news story I read recently offers food for further thought. Although
    the story isn't related to computer security, it's related in a
    general sense to full disclosure and to a key element in determining
    someone's potential culpability--intent.
    
    A young man (Sherman Austin) has been arrested, charged, and sent to
    prison for his alleged intentions regarding information to which he
    linked from his Web site. The Web site he linked to offered
    bomb-making information. As we know, anyone can obtain such
    information in the public domain (e.g., in libraries). Apparently,
    Austin's prosecution (which ended in a plea bargain) wasn't based on
    his use of "bomb-making" materials but on his linking from his Web
    site to such material. You can read more about the case at the URL
    below:
       http://www.eff.org/br/20030807_eff_pr.php
    
    The matter of intent raises interesting questions about full
    disclosure in the computer security arena. At any given step in the
    disclosure proceedings, what's the intent of somebody who discloses
    security vulnerability information--and can that intent be known?
    
    Amid much talk about cyber-terrorism, you hear debates about what kind
    of security vulnerability information to release, when to release it,
    and to whom to release it. The blame game is also popular: Some users
    are blamed for not patching their systems; other users are blamed for
    providing too much vulnerability information (whether information or
    code); and vendors are blamed for faults in their products. Because of
    the widespread use of various OSs, one tiny ripple not handled
    correctly can cause a tidal wave of problems. The hype about perceived
    potential damage often compounds the problem.
    
    The RPC/DCOM problem offers a good example of how even the best
    intentions regarding vulnerability disclosure simply aren't enough. In
    this instance, those involved in discovering and reporting the problem
    followed the proposed guidelines of both the Organization for Internet
    Safety (OIS), which includes the vendor (Microsoft), in handling the
    vulnerability, subsequent disclosure, and patch provisioning. Even so,
    the proper process didn't stop people from learning more about the
    vulnerability and writing code to "demonstrate" the problem.
    
    At the same time that intruders morphed the code into attack tools,
    the code revealed that the patch didn't work to prevent other aspects
    of vulnerability. Clearly, having the code available can be a distinct
    benefit.
    
    Is such code the equivalent of "bomb-making" instructions? Might some
    people assume that Web site and mailing list operators who support
    full disclosure have malicious intent? Can a decision for or against
    full disclosure ever benefit everyone? I wonder whether Austin's
    recent conviction offers a precedent that might apply to
    cyber-security.
    
    In Austin's case, intent is an essential element. Some security
    researchers wear black hats and some white hats with pride. Still
    others swap hats in different situations. However, because intent is
    sometimes difficult if not impossible to know, prosecutors might make
    assumptions and everyone's rights might be at risk.
    
    If you have comments or predictions about disclosure issues,
    discerning intent, and the rights involved, I'd like to hear them.
    Send me an email with your comments.
    
    ====================
    
    ==== Sponsor: Ecora Software  ====
    
       Perform patch audits in minutes with Ecora Patch Manager
       How confident are you that all critical security patches are
    deployed and up-to-date on every single system in your infrastructure?
    Need some help figuring it all out before the next big worm attack? 
    Try a free copy of Ecora Patch Manager. Designed for IT professionals
    short on time, Patch Manager completely automates and simplifies the
    entire patch management cycle in just minutes. See for yourself how
    automation can save time, reduce costs, and keep your IT
    infrastructure stable and secure. Download a free, fully-functional
    trial of Ecora Patch Manager now!
       http://list.winnetmag.com/cgi-bin3/DM/y/ecLq0CJgSH0CBw0BBrM0AT
    
    ====================
    
    ==== 2. Security Risks ====
       contributed by Ken Pfeil, kenat_private
    
    DoS in Crob FTP Server 2.60.1
       "Zero X" has discovered a Denial of Service (DoS) vulnerability in
    Crob FTP Server 2.60.1. If an attacker sends the FTP server a file
    whose name contains words such as CON, AUX, COM1, LPT1, the server
    might stop responding to legitimate requests. Crob Software Studio has
    been notified.
       http://www.secadministrator.com/articles/index.cfm?articleid=39821
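The Crob report above is a classic instance of a Windows server opening a client-supplied file name that is really a reserved DOS device name. The following is an added example, not code from Crob Software Studio or from the newsletter, showing the check a server that accepts uploads on Windows should apply before touching the file system. It goes beyond the four names the report lists to the full reserved set (CON, PRN, AUX, NUL, COM1-COM9, LPT1-LPT9), and it also catches the less obvious forms Windows still maps to a device: different case, a trailing extension such as `con.txt`, and trailing spaces or dots. The `validate_upload_name` function and its messages are this example's own.

```python
from __future__ import annotations

# Windows reserved device names. Opening any of them as a file hands the
# request to the device rather than the disk, which is the behaviour the
# Crob FTP Server 2.60.1 report describes as making the server stop responding.
_RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{i}" for i in range(1, 10)}
    | {f"LPT{i}" for i in range(1, 10)}
)


def is_reserved_device_name(name: str) -> bool:
    """True if Windows would treat this file name as a device.

    Matching is case-insensitive, an extension does not help ('con.txt' and
    'LPT1.log' still resolve to the device), and Windows strips trailing
    spaces and dots before the lookup, so they are stripped here as well.
    """
    base = name.rsplit("/", 1)[-1].rsplit("\\", 1)[-1]  # last path component
    base = base.rstrip(" .")
    stem = base.split(".", 1)[0]  # everything before the first dot
    return stem.upper() in _RESERVED


def validate_upload_name(name: str) -> tuple[bool, str]:
    """Return (accepted, reason) for a client-supplied file name.

    Hypothetical policy for this example: a bare file name only, no path
    separators, no reserved device names, no characters Windows forbids.
    """
    if not name or name.rstrip(" .") == "":
        return False, "empty name"
    if "/" in name or "\\" in name or name in (".", ".."):
        return False, "path separators are not allowed in a file name"
    if is_reserved_device_name(name):
        return False, "reserved device name"
    if any(ord(c) < 32 for c in name) or any(c in '<>:"|?*' for c in name):
        return False, "character not allowed on Windows"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample names, including the ones named in the report.
    for candidate in ["report.pdf", "CON", "aux", "COM1", "LPT1", "con.txt",
                      "COM10", "console.log", "../boot.ini", "data.con"]:
        print(f"{candidate!r:16} -> {validate_upload_name(candidate)}")
```

Note that `COM10` and `console.log` are accepted: only COM1 through COM9 and the exact stems are reserved, so a naive substring match on "COM" would reject legitimate names while a naive exact match would miss `con.txt`.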
    
    ==== Sponsor: Virus Update from Panda Software ====
    
       Check for the latest anti-virus information and tools, including
    weekly virus reports, virus forecasts, and virus prevention tips, at
    Panda Software's Center for Virus Control.
       http://list.winnetmag.com/cgi-bin3/DM/y/ecLq0CJgSH0CBw0BBlT0AU
    
       Viruses routinely infect "fully protected" networks. Is total
    protection possible? Find answers in the free guide HOW TO KEEP YOUR
    COMPANY 100% VIRUS FREE from Panda Software. Learn how viruses enter
    networks, what they do, and the most effective weapons to combat them.
    Protect your network effectively and permanently - download today!
       http://list.winnetmag.com/cgi-bin3/DM/y/ecLq0CJgSH0CBw0BBDp0AI
    
    ====================
    
    ==== 3. Announcements ====
       (from Windows & .NET Magazine and its partners)
    
    Windows & .NET Magazine Connections: for Security-Minded IT Pros
       How secure is your network? Have you ever been hacked? If you had
    to lock down 100 machines in 5 minutes, could you do it? How has
    Windows Server 2003 improved its security features? Want to stop spam?
    Register for Windows & .NET Magazine Connections 2003 coming this fall
    to Orlando, and get all the answers to these questions and much more!
       http://list.winnetmag.com/cgi-bin3/DM/y/ecLq0CJgSH0CBw0KXQ0AA
    
    Try Windows & .NET Magazine!
      Every issue of Windows & .NET Magazine includes intelligent,
    impartial, and independent coverage of security, Active Directory,
    Microsoft Exchange Server, and more. Our expert authors deliver how-to
    content you simply can't find anywhere else. Try a sample issue today,
    and find out what more than 100,000 readers know that you don't!
       http://list.winnetmag.com/cgi-bin3/DM/y/ecLq0CJgSH0CBw07q40Ak
    
    ==== 4. Security Roundup ====
    
    News: ISC Detects RPC/DCOM Worm
       The Internet Storm Center (ISC) reports that it has captured a
    remote procedure call (RPC)/Distributed COM (DCOM) worm capable of
    spreading to Windows XP and Windows 2000 systems. According to ISC,
    the worm uses RPC/DCOM to propagate itself, sending a self-extracting
    6176-byte compressed file (about 11KB uncompressed). After the worm
    executes on an infected system, it spawns a backdoor on port 4444,
    then tries to download more worm files from a range of Trivial FTP
    (TFTP) servers.
       http://www.secadministrator.com/articles/index.cfm?articleid=39837
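The ISC description gives a three-step pattern that is visible in ordinary firewall or connection logs: an inbound connection to TCP/135 from one host, a follow-up connection from the same host to the TCP/4444 backdoor, then an outbound TFTP (UDP/69) request from the victim back to that host. The script below is an added example, not ISC's code or anything from the newsletter, that correlates those three stages per (attacker, victim) pair over constructed sample log lines in a hypothetical firewall format; the format, the stage names and the sample addresses are this example's own assumptions, so the regular expression would need adjusting for a real product's log.

```python
from __future__ import annotations

import re
from collections import defaultdict

# Stages of the spread described above, seen from the victim's side:
#   1. inbound TCP/135 from the attacker (RPC/DCOM exploit)
#   2. inbound TCP/4444 from the attacker (connection to the spawned backdoor)
#   3. outbound UDP/69 back to the attacker (TFTP download of the worm body)
STAGES = ("rpc_135", "backdoor_4444", "tftp_fetch")

# Constructed sample lines in a hypothetical firewall format (not a real product's log).
SAMPLE_LOG = """\
2003-08-12 09:14:02 TCP 192.0.2.77:1061 -> 198.51.100.20:135 accept
2003-08-12 09:14:03 TCP 192.0.2.77:1062 -> 198.51.100.20:4444 accept
2003-08-12 09:14:04 UDP 198.51.100.20:1037 -> 192.0.2.77:69 accept
2003-08-12 09:20:11 TCP 203.0.113.9:3301 -> 198.51.100.21:135 accept
2003-08-12 09:30:55 TCP 203.0.113.9:3302 -> 198.51.100.21:80 accept
2003-08-12 09:41:00 TCP 192.0.2.77:1099 -> 198.51.100.22:4444 drop
"""

_LINE = re.compile(
    r"^(?P<ts>\S+ \S+) (?P<proto>TCP|UDP) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+) (?P<action>\w+)$"
)


def parse_line(line: str) -> dict | None:
    """Split one log line into its fields; None for lines that do not match."""
    m = _LINE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sport"] = int(rec["sport"])
    rec["dport"] = int(rec["dport"])
    return rec


def find_rpc_worm_candidates(log_text: str, min_stages: int = 2) -> dict:
    """Return {(attacker, victim): [stages seen, in order]} for pairs with at least
    min_stages of the three stages. Only accepted connections count: a dropped
    probe is scanning noise rather than evidence of a compromise."""
    seen: dict = defaultdict(dict)  # (attacker, victim) -> {stage: first timestamp}
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "accept":
            continue
        if rec["proto"] == "TCP" and rec["dport"] == 135:
            pair, stage = (rec["src"], rec["dst"]), "rpc_135"
        elif rec["proto"] == "TCP" and rec["dport"] == 4444:
            pair, stage = (rec["src"], rec["dst"]), "backdoor_4444"
        elif rec["proto"] == "UDP" and rec["dport"] == 69:
            pair, stage = (rec["dst"], rec["src"]), "tftp_fetch"  # victim -> attacker
        else:
            continue
        seen[pair].setdefault(stage, rec["ts"])

    result = {}
    for pair, stages in seen.items():
        ordered = [s for s in STAGES if s in stages]
        if len(ordered) >= min_stages:
            result[pair] = ordered
    return result


if __name__ == "__main__":
    for (attacker, victim), stages in find_rpc_worm_candidates(SAMPLE_LOG).items():
        print(f"{victim} likely hit from {attacker}: {', '.join(stages)}")
```

With the default threshold only the 198.51.100.20 pair is reported, because it shows all three stages; the lone TCP/135 connection to 198.51.100.21 is not enough on its own, and the dropped TCP/4444 attempt against 198.51.100.22 is ignored. Lowering `min_stages` to 1 turns the script into a plain port-135 hit list, which is useful for triage but far noisier.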
    
    News: SuSE Linux Passes EAL2+ Security Test; EAL3 on the Horizon
       SuSE Linux and IBM recently received the Evaluation Assurance Level
    2+ (EAL2+) security certification, a security-based rating that the
    International Organization for Standardization (ISO) assigns under its
    ISO 15408 standard. ISO gave the rating to SuSE Linux Enterprise
    Server (SLES) 8 running on IBM's eServer xSeries hardware.
       http://www.secadministrator.com/articles/index.cfm?articleid=39803
    
    Feature: New Features in SP3a
       All Microsoft SQL Server 2000 customers should have upgraded their
    production systems to Service Pack 3 (SP3) by now for protection
    against the Slammer worm and other security vulnerabilities. But
    Microsoft recently released SP3a without much fanfare. What does SP3a
    address, and who needs to upgrade to it? Microsoft's original Web page
    describing SP3a didn't specify what new features the service pack
    included or whether you needed to apply SP3a if you were already using
    SP3. However, Microsoft's SP3a download site has now provided clearer
    answers to these questions, which Brian Moran discusses in this
    article.
       http://www.secadministrator.com/articles/index.cfm?articleid=39761
    
    ==== 5. Security Toolkit ====
    
    Virus Center
       Panda Software and the Windows & .NET Magazine Network have teamed
    to bring you the Center for Virus Control. Visit the site often to
    remain informed about the latest threats to your system security.
       http://www.secadministrator.com/panda
    
    Virus Alert: W32/Mimail
       The code that the W32/Mimail virus carries can spread rapidly
    through email. The virus exploits two Microsoft Internet Explorer (IE)
    vulnerabilities, both of which Microsoft resolved some time ago.
    W32/Mimail sends itself in email to the addresses it finds in various
    files with extensions other than .com, .wav, .cab, .pdf, .rar, .zip,
    .tif, .psd, .ocx, .vxd, .mp3, .mpg, .avi, .dll, .exe, .gif, .jpg, and
    .bmp. To learn more about the virus, visit Panda Software's site for a
    complete description.
       http://www.pandasoftware.com/about/press/viewnews.aspx?noticia=3961
    
    FAQ: How Can I Ensure That Our Web Servers Aren't Enabled for IP
    Routing Between the Demilitarized Zone (DMZ) and the Internal Network?
       contributed by Jan De Clercq
    
    A. On Windows NT systems, IP routing is disabled by default. To enable
    IP routing in NT, go to Network Settings, TCP/IP Properties. On the
    Routing tab, select the Enable IP Forwarding check box. You can also
    enable the feature from the registry. Navigate to the
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    registry subkey, and set the EnableIPRouter value (of type REG_DWORD)
    to 1. Reboot the system to effect the change.
    
    To guarantee that no one enables your Web servers for IP routing
    without your knowledge, make sure that you configure the appropriate
    NT access-control and auditing options on the EnableIPRouter registry
    subkey and that only authorized users have access to your Web servers.
    You might also invest in an integrity-checking tool that alerts you
    when your system's configuration changes. For an overview of NT system
    integrity-checking tools, see "NT Gatekeeper: Learning About NT
    Integrity-Checking Tools," February 2002, InstantDoc ID 23461.
       http://www.secadministrator.com/articles/index.cfm?articleid=23461
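Beyond access control and auditing on the key, the practical way to be sure no Web server has quietly been turned into a router is to collect the setting from every server and check it centrally. The script below is an added example, not from the newsletter or its author, that parses captured `reg query` output for the Tcpip\Parameters key and reports each host's IP routing state; the sample captures are constructed, and the host names are placeholders. The FAQ names the value EnableIPRouter; Windows 2000 and later document the same switch as IPEnableRouter, so the script accepts either spelling, and an absent value is reported as the default (disabled). `query_local` is included for running the same check on the local machine but only works on Windows.

```python
from __future__ import annotations

import re
import subprocess
import sys

KEY = r"HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
# The FAQ names the value EnableIPRouter; Windows 2000 and later document it
# as IPEnableRouter. Both spellings are checked so the audit works either way.
VALUE_NAMES = ("EnableIPRouter", "IPEnableRouter")

# name / type / data columns as printed by `reg query` (value lines are indented)
_VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_[A-Z_]+)\s+(.*?)\s*$")


def parse_reg_query(output: str) -> dict[str, tuple[str, str]]:
    """Map value name -> (type, raw data) from captured `reg query <key>` text."""
    values = {}
    for line in output.splitlines():
        m = _VALUE_LINE.match(line)
        if m:
            values[m.group(1)] = (m.group(2), m.group(3))
    return values


def ip_routing_state(values: dict[str, tuple[str, str]]) -> str:
    """Interpret the routing value: absent means the platform default (off)."""
    for name in VALUE_NAMES:
        if name in values:
            rtype, data = values[name]
            if rtype != "REG_DWORD":
                return f"unexpected type {rtype} for {name}"
            return "enabled" if int(data, 0) != 0 else "disabled"
    return "disabled (value absent, default)"


def audit_all(outputs: dict[str, str]) -> dict[str, tuple[str, bool]]:
    """outputs: host -> captured `reg query` text. Returns host -> (state, compliant)."""
    report = {}
    for host, text in outputs.items():
        state = ip_routing_state(parse_reg_query(text))
        report[host] = (state, state.startswith("disabled"))
    return report


def query_local() -> str:
    """Run reg query on this machine (Windows only) and return the raw text."""
    if sys.platform != "win32":
        raise RuntimeError("reg.exe is only available on Windows")
    return subprocess.run(["reg", "query", KEY], capture_output=True,
                          text=True, check=True).stdout


# Constructed sample captures (placeholder host names, not real servers).
SAMPLE_OUTPUTS = {
    "web01": r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    IPEnableRouter    REG_DWORD    0x0
    Domain    REG_SZ    example.test
""",
    "web02": r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    IPEnableRouter    REG_DWORD    0x1
""",
    "web03": r"""
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    Domain    REG_SZ    example.test
""",
}

if __name__ == "__main__":
    for host, (state, ok) in audit_all(SAMPLE_OUTPUTS).items():
        print(f"{host}: IP routing {state} -> {'OK' if ok else 'INVESTIGATE'}")
```

In the sample, web02 is the one to investigate: its value is set to 1, which is exactly the change the FAQ says to audit for. Running the check on a schedule and diffing the report against the previous run gives a lightweight version of the integrity-checking the FAQ recommends, without replacing a proper tool.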
    
    ==== 6. Event ====
    
    New--Mobile & Wireless Road Show!
       Learn more about the wireless and mobility solutions that are
    available today! Register now for this free event!
       http://list.winnetmag.com/cgi-bin3/DM/y/ecLq0CJgSH0CBw0BA8Y0Ag
    
    ==== 7. New and Improved ====
       by Sue Cooper, productsat_private
    
    Install Secure, Affordable Remote Access Appliance
       Celestix Networks launched the Celestix RAS3000, a Windows 2003
    Server-powered remote access appliance for VPNs. The rack-mounted
    appliance supports up to 1000 simultaneous VPN connections through
    wired or wireless connections. You can install multiple appliances for
    an unlimited total number of VPN clients. The RAS3000's management
    software offers load balancing, real-time alerting and monitoring, and
    historical reporting. The appliance supports all Windows OSs including
    Pocket PC 2002. The Celestix RAS3000 costs $5995 for up to 1000
    concurrent connections and is available from authorized VARs and
    resellers. Contact Celestix on the company's Web site.
        http://www.celestix.com
    
    Detect Critical Security Flaw and Repair Systems for Free
       Shavlik Technologies released a free Detection and Repair Kit to
    discover whether your network is at risk for attack because of the
    critical security flaw described in Microsoft Bulletin MS03-026
    (Buffer Overrun In RPC Interface Could Allow Code Execution). The kit
    provides unlimited network scanning and assessment for a single
    machine or thousands of machines, to inform your IT staff where fixes
    are required. The Detection and Repair Kit automatically deploys the
    MS03-026 patch on up to 50 servers. To download the Detection and
    Repair Kit, go to
       http://list.winnetmag.com/cgi-bin3/DM/y/ecLq0CJgSH0CBw0BBrN0AU
    Contact Shavlik Technologies at 800-690-6911, 651-426-6624, or
       infoat_private
       http://list.winnetmag.com/cgi-bin3/DM/y/ecLq0CJgSH0CBw076e0Aa
    
    Submit Top Product Ideas
       Have you used a product that changed your IT experience by saving
    you time or easing your daily burden? Do you know of a terrific
    product that others should know about? Tell us! We want to write about
    the product in a future What's Hot column. Send your product
    suggestions to whatshotat_private
    
    ==== 8. Hot Threads ====
    
    Windows & .NET Magazine Online Forums
       http://www.winnetmag.com/forums
    
    Featured Thread: Firewall Service on ISA Server Fails to Start
       (One message in this thread)
    
    A user writes that he just installed Internet Security and
    Acceleration (ISA) server on a Windows Server 2003, and it works well.
    However, he removed RRAS to configure a VPN, then added it back. Since
    then, the firewall service won't start. The log states only that the
    service failed to start (no reasons given).
       The only way he can start the service is to change its logon type,
    remove RRAS, and restart the machine. He then changes the credentials
    back, starts the firewall service, and adds back RRAS. Without RRAS,
    his clients can't get to the Internet. He believes there might be some
    conflict with RRAS. Lend a hand or read the responses:
       http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=61902
    
    HowTo Mailing List
       http://63.88.172.96/listserv/page_listserv.asp?s=howto
    
    Featured Thread: Disabling Unneeded Services
       (Five messages in this thread)
    
    A user wants to know where he can find out what services he can safely
    disable on his Windows 2000 Server. Lend a hand or read the responses:
       http://63.88.172.96/listserv/page_listserv.asp?A2=IND0308A&L=HOWTO&P=637
    
    ==== Sponsored Links ====
    
    Ultrabac
       FREE live trial-Backup & Disaster Recovery software w/ encryption
       http://list.winnetmag.com/cgi-bin3/DM/y/ecLq0CJgSH0CBw0BBi50Au
    
    CrossTec
       Free Download - NEW NetOp 7.6 - faster, more secure, remote support
       http://list.winnetmag.com/cgi-bin3/DM/y/ecLq0CJgSH0CBw0BBnb0Ak
    
    ===================
    
    ==== 9. Contact Us ====
    
    About the newsletter -- lettersat_private
    About technical questions -- http://www.winnetmag.com/forums
    About product news -- productsat_private
    About your subscription -- securityupdateat_private
    About sponsoring Security UPDATE -- emedia_oppsat_private
    
    ====================
       This email newsletter is brought to you by Security Administrator,
    the print newsletter with independent, impartial advice for IT
    administrators securing Windows and related technologies. Subscribe
    today.
       http://www.secadministrator.com/sub.cfm?code=saei25xxup
    
    To make other changes to your email account such as change your email
    address, update your profile, and subscribe or unsubscribe to any of
    our email newsletters, simply log on to our Email Preference Center.
       http://www.winnetmag.com/email
    
    Thank you!
    __________________________________________________________
    Copyright 2003, Penton Media, Inc.
    
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn'
    in the BODY of the mail.
    