[ISN] Security UPDATE--More Bugs and Preemptive Fixes--July 14, 2004

From: InfoSec News (isn@private)
Date: Fri Jul 16 2004 - 00:26:33 PDT


1. In Focus: More Bugs and Preemptive Fixes

2. Security News and Features
   - Recent Security Vulnerabilities
   - News: Extended Version of XCACLS Available
   - News: Two New Tools and One Updated Tool for ISA Server 2004

3. Instant Poll

4. Security Toolkit
   - FAQ
   - Featured Thread

5. New and Improved
   - Insulate Your Network
   - Reduce Network Security Threats



==== 1. In Focus: More Bugs and Preemptive Fixes ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

Another problem was recently discovered in Microsoft Internet Explorer
(IE): An intruder could use the Shell.Application object to launch a
command shell on an affected system. This capability could lead to all
sorts of dangerous activity. To protect systems, you can disable the
object by navigating to the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX
Compatibility\{13709620-C279-11CE-A49E-444553540000} registry subkey
and setting the Compatibility Flags entry (type REG_DWORD) to

Yesterday, Microsoft released Microsoft Security Bulletin MS04-024
(Vulnerability in Windows Shell Could Allow Remote Code Execution) and
a related patch for that problem, so you can now load the patch
instead of editing the registry. The company also released six other
bulletins and patches as part of its monthly security patch release.
The patches fix vulnerabilities in HTML-based Help files, the Task
Scheduler, Microsoft IIS 4.0, the POSIX subsystem, and Utility Manager
(all of which might allow the execution of remote code), and Microsoft
Outlook Express (for which the company issued a cumulative patch for
Denial of Service--DoS--conditions). You can learn more about these
fixes at Microsoft's TechNet Security Web site.
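
For hosts that still rely on the registry workaround rather than the MS04-024 patch, the following added example (not part of the original newsletter) audits whether the kill bit is set for the Shell.Application CLSID named above, and optionally sets it while preserving any other flags. It assumes the standard ActiveX kill-bit value 0x400 for Compatibility Flags and, on 64-bit Windows, also checks the Wow6432Node view; the function name and the -Enforce switch are hypothetical.

```powershell
# Added example: audit (and optionally enforce) the ActiveX kill bit.
# Run from an elevated PowerShell prompt when using -Enforce.
param([switch]$Enforce)

$Clsid   = '{13709620-C279-11CE-A49E-444553540000}'  # CLSID from the article
$KillBit = 0x400   # assumption: standard kill-bit value for Compatibility Flags
$ValName = 'Compatibility Flags'
$Roots   = @(
    'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility',
    # Assumption: 32-bit registry view on 64-bit Windows
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Internet Explorer\ActiveX Compatibility'
)

function Get-KillBitState {
    param([string]$KeyPath)
    $flags = $null
    if (Test-Path -LiteralPath $KeyPath) {
        $p = Get-ItemProperty -LiteralPath $KeyPath -Name $ValName -ErrorAction SilentlyContinue
        if ($p) { $flags = $p.$ValName }
    }
    $isSet = ($null -ne $flags) -and (($flags -band $KillBit) -ne 0)
    [pscustomobject]@{ Path = $KeyPath; Flags = $flags; KillBitSet = $isSet }
}

foreach ($root in $Roots) {
    # Skip registry views that do not exist on this host (e.g. 32-bit Windows)
    if (-not (Test-Path -LiteralPath $root)) { continue }
    $key   = Join-Path $root $Clsid
    $state = Get-KillBitState -KeyPath $key

    if ($Enforce -and -not $state.KillBitSet) {
        # Create the key only if absent; New-Item -Force would wipe existing values
        if (-not (Test-Path -LiteralPath $key)) { New-Item -Path $key | Out-Null }
        # OR the kill bit into whatever flags are already there
        $current = 0
        if ($null -ne $state.Flags) { $current = $state.Flags }
        New-ItemProperty -LiteralPath $key -Name $ValName -PropertyType DWord `
            -Value ($current -bor $KillBit) -Force | Out-Null
        $state = Get-KillBitState -KeyPath $key
    }
    $state
}
```

Without -Enforce the script only reads the registry and emits one object per registry view, which makes it suitable for fleet-wide reporting.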

After the Shell.Application bug was published on various security
mailing lists, researchers began checking the Mozilla Web browser for
a similar problem, and it turns out that Mozilla is affected to some
extent. According to Mozilla's security advisory, it's possible to use
the shell: URL scheme to launch executables on a remote user's system.
The developers issued a workaround for the problem, which is available
at the Mozilla Web site.

The discovery of these serious security risks points out the need to
regularly adjust your defenses to protect against attack. Sometimes
you need to apply a vendor patch, and other times you can perform a
configuration workaround. Another tactic you can use to mitigate
unforeseen security problems is to employ the security tools available
from various vendors.

For example, security scanners might find the shell problem as well as
the ADO databases (ADODB) problem I've discussed in recent issues of
this newsletter. Scanning tools that find these problems probably also
would let you make registry adjustments to protect against attacks.

Another tool, which I've mentioned recently, is PivX Solutions'
Qwik-Fix Pro. Qwik-Fix Pro doesn't scan your systems; instead, it lets
you change configuration settings to strengthen the overall security
of various applications, including IE.

Alex Tosheff, chief technology officer at PivX, told me that the
company plans an official release of the enterprise version of
Qwik-Fix Pro on August 2 (the product has been in public beta testing
for quite some time). The enterprise version integrates with Active
Directory (AD), uses Group Policy to define security configuration
settings, and includes a Microsoft Management Console (MMC) snap-in.

According to Thor Larholm, a lead researcher at PivX, the release
version will include features such as strengthened security for IE
security zones (e.g., My Computer, Trusted Sites, Internet), which
Microsoft Outlook also uses. Larholm also said that the product will
be expanded to include application protection for Microsoft Office,
Microsoft IIS, Apache HTTP Server, Mozilla, Opera Software's Opera,
Microsoft SQL Server, MySQL, Windows .NET Framework, Instant Messaging
(IM) applications, IBM's Lotus Notes, and other popular Windows
applications. The company is also working on features that will
perform "runtime process modification and virtual application
patching, ... generic C runtime and Win32 API replacements, ...
generic buffer overflow protection, and generic process privilege

I've pointed out before that I don't know of any products that offer
the same functionality as Qwik-Fix Pro. I'm sure some other products
offer some of the features, but as far as I know, the solution is
rather unique in its approach. And it clearly defends against hundreds
of known and untold numbers of unknown attack methods well in advance
of their release. If you haven't tested Qwik-Fix Pro already, then you
might want to take a close look at the release version when it becomes



==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these discoveries

News: Extended Version of XCACLS Available
   Microsoft released an updated version of Extended Change Access
Control List (xcacls.exe), a tool that can help view and modify
permissions for files and directories. The new version, xcacls.vbs, is
a Visual Basic script that runs via the cscript.exe version of the
Windows Script Host (WSH).

News: Two New Tools and One Updated Tool for ISA Server 2004
   Microsoft released new and updated tools that help administrators
manage Microsoft Internet Security and Acceleration Server 2004 (ISA
Server). The new tools help you configure client systems, quarantine
clients, and monitor and change ISA Server firewall configurations.



==== 3. Instant Poll ====

Results of Previous Poll
   The voting has closed in the Windows & .NET Magazine Network
Security Web page nonscientific Instant Poll for the question, "Which
Web browser does your company currently use for Internet (as opposed
to intranet) browsing?" Here are the results from the 191 votes.
   - 68% Microsoft Internet Explorer (IE)
   -  9% Mozilla
   - 19% Firefox
   -  3% Opera
   -  1% Other

New Instant Poll
   The next Instant Poll question is, "Do you now use or do you plan
to use 802.11i on your wireless LANs?" Go to the Security Web page and
submit your vote for
   - Yes, we use 802.11i now
   - Yes, we plan to use 802.11i in the next 3 months
   - Yes, we plan to use 802.11i in the next 6 months
   - Yes, we plan to use 802.11i in the next year
   - No, we don't plan to use 802.11i

==== 4. Security Toolkit ====

FAQ: How Can I Merge Multiple Primary Versions of the Same DNS Zone
for Different Servers into One Active Directory (AD)-Integrated Zone?
   by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. Only one primary version of the DNS zone should exist for zones
that aren't AD-integrated. If necessary, you can create additional
secondary versions of zones on other DNS servers to support fault
tolerance and load balancing.

If you have multiple primary versions of a zone that isn't
AD-integrated, those zones won't replicate or remain synchronized. The
possible actions that can occur when you move these multiple versions
into AD for storage are:

   * After the first DNS server stores its zone information in AD, all
subsequent DNS servers lose their DNS zone content and use the first
DNS server's zone information in AD.
   * As each DNS server is modified to store its information in AD,
the new DNS zone data overwrites the existing DNS zone data in AD.
   * As each DNS server is modified to store its information in AD,
the new DNS server's data merges with the existing data.

When you opt to integrate the second (or any subsequent) instance of
the zone on a different DNS server in AD--as explained in the FAQ "How
can I change how DNS information is stored on a DNS server?" 
( http://www.winnetmag.com/articles/index.cfm?articleid=43104 )--you can
choose between the first and second options. In the Active Directory
Service box, you must select either "Discard the new zone, and load
the existing zone from Active Directory" or "Overwrite the existing
zone in Active Directory with the new zone." After you make your
selection, click OK, then click OK again to confirm it.

Featured Thread: USB Hub Security
(Three messages in this thread)
   A reader wants to know if he can somehow set security on USB
devices based on the device type. He wants to allow USB-based printer
devices and disallow USB-based storage devices for users. Do you know
whether this is possible and how to do it? Lend a hand or read the
responses on our Security forum.



==== 5. New and Improved ====
   by Jason Bovberg, products@private

Insulate Your Network
   MetaInfo has developed the MetaInfo Appliance 250 Series and
MetaInfo Appliance 500 Series of hardware platforms upon which you can
easily deploy and maintain MetaInfo's Meta IP services. These
appliances help prevent malicious users from exploiting and thus
compromising your company's DNS and DHCP services. The 250 Series is
ideal for midsized networks, and the 500 Series is best for larger
networks. For pricing information, contact MetaInfo at 206-674-3700 or
on the Web.

Reduce Network Security Threats
   ElcomSoft released Proactive Windows Security Explorer 1.0, which
executes a comprehensive audit of account passwords and exposes all
unsecure passwords. You can identify patterns and trends that weaken
security and develop the appropriate policies to improve network
security. You can also use Proactive Windows Security Explorer to
recover lost passwords and access users' Windows accounts. Proactive
Windows Security Explorer 1.0 runs on Windows 2003/XP/Me/2000/NT
4.0/98. Prices begin at $299. For more information, contact ElcomSoft
on the Web.

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.


This archive was generated by hypermail 2.1.3 : Fri Jul 16 2004 - 01:00:09 PDT