
Security UPDATE, June 27, 2001
2001-06-28 06:46

********************
Windows 2000 Magazine Security UPDATE--brought to you by the Windows 2000 Magazine Network
**Watching the Watchers**
http://www.win2000mag.net/Channels/Security
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Webtrends Firewall Suite -- Download Free Trial!
http://go.win2000mag.net/UM/T.asp?A2153.23115.1167.1.532985

~~~~~~~~~~~~~~~~~~~~

~~~~ WEBTRENDS FIREWALL SUITE -- DOWNLOAD FREE TRIAL! ~~~~

Experienced IT Managers know security requires insight! With WebTrends Firewall Suite, you'll get in-depth analysis of both incoming and outgoing traffic through your network. Monitor bandwidth usage, measure VPN activity, and receive alerts by email or pager whenever critical security events occur. Firewall Suite 3.1 provides support for 35 leading firewall and proxy servers, including Cisco and Check Point. Currently a featured download on Tech Republic. Click here for your FREE trial, download now:
http://go.win2000mag.net/UM/T.asp?A2153.23115.1167.1.532985

********************

June 27, 2001--In this issue:

1. IN FOCUS
   - To Disclose or Not to Disclose, That Is the Question

2. SECURITY RISKS
   - Malformed Word Document Lets Macro Run Automatically
   - Unchecked Buffer in FrontPage Server Extension Sub-component RAD

3. ANNOUNCEMENTS
   - Learn to Use Problem-Solving Scripts That Simplify Life
   - Check Out This Great Email Newsletter Search Engine

4. SECURITY ROUNDUP
   - News: TRUSTe Launches Icon-Based Privacy Initiative
   - News: AD Backup Bug: Microsoft Comes Clean
   - News: Massive Compaq Reorganization to Include Alpha Death
   - News: Microsoft Hotmail Service in New Privacy Flap
   - News: Buyer's Guide: 802.11 Wireless Devices

5. SECURITY TOOLKIT
   - Book Highlight: Cisco Secure Internet Security Solutions
   - Virus Center
     - Virus Alert: W32/MSInit.B
   - Tip: A Licensing Problem
   - Win2K Security: IP Security Filtering

6. NEW AND IMPROVED
   - Protect Your Data After Someone Steals Your Mobile Device
   - Protect Your Information

7. HOT THREADS
   - Windows 2000 Magazine Online Forums
     - Featured Thread: Changing the Time Privilege in NT
   - Win2KsecAdvice Mailing List:
     - Featured Thread: Warning to McAfee.com VirusScan Online Users

8. CONTACT US
   See this section for a list of ways to contact us.

1. ==== COMMENTARY ====

Hello everyone,

The practice of full disclosure of security risk information is again under attack. According to an article at MSNBC (linked below), Russ Cooper, moderator of the NTBugTraq mailing list, has undertaken a project to create what he calls the "Responsible Disclosure Forum." Cooper thinks such a forum will better govern the release of security risk information to the public because the forum will decide what information to release and when to release it. Cooper didn't say how the forum will entice membership from the worldwide hacker community, but nonetheless, its objective seems clear: Curb the release of risk details in a manner that prevents exploitation.
http://www.msnbc.com/news/592066.asp

In the article, Cooper said, "It's better for everyone if we keep [this data] to ourselves. Why not keep it among the people who are considered responsible security practitioners? Most attackers aren't smart enough to write exploits themselves, so they rely on other people to release them."

Actually, Cooper's statements make sense to me, but such a forum simply won't work. The rogues of the hacker community have already proven that when given only minor details about a bug, they can produce a working exploit in a relatively short amount of time.

Also, heated discussions have taken place in past years about full disclosure of security risk details. Those discussions eventually led to several written policies that suggest a proper course of action that hackers should take with any release of security risk information.
Russ Cooper has such a policy posted on his Web site (linked at the first URL below); however, a policy known as RFPolicy, authored by a person using the alias "rain forest puppy," is probably the most widely used standard in the hacker community today.
http://ntbugtraq.ntadvice.com/policy.asp
http://www.wiretrip.net/rfp/policy.html

According to either policy, the basic course of action is for the hacker to notify the vendor about the alleged bug, give the vendor a reasonable response time, give the vendor time to produce a patch, and release the bug information in relative unison (not beforehand) with the company suffering from the bug. Both policies seem reasonable, and many hackers adhere to the policies. But now it seems those practices are no longer good enough.

Case in point: eEye Digital Security. When eEye recently produced a sample program that demonstrates a security problem with Microsoft IIS, many users frowned on the company for doing so. Even though eEye worked with Microsoft to correct the problem and timed the release of its research with the release of Microsoft's own security bulletin and patch, certain circles still chastised eEye because the company's information included a working example.

Certain people prefer that this practice--the open sharing of security-related scientific research and working models--be completely eliminated. Why? Because it's too easy for someone to turn such a model into a weapon. That's a weak argument in my opinion. The problems with network intrusion aren't based on the number of script kiddies using hand-me-down code snagged from a full-disclosure mailing list or Web site. The problems actually seem to be based on only two factors: the quality of the code and the quality of the network administration. With solid code and solid network administration in place, the actions of script kiddies, and even many of the best hackers, become relatively moot.

The reality is that if someone intrudes on a computer system and the intrusion is because of a bug for which there is no patch, the code's vendor is at fault because the vendor wrote the code. Certainly, software vendors disclaim legal liability, but such disclaimers don't change where the fault truly lies. A faulty product is a faulty product, so trying to reduce a person's ability to obtain usable exploit code is like placing a Band-Aid on the wounds from a shotgun blast to the head. It only masks a small part of an incredibly serious problem. And that problem is firmly in vendors' hands. It's up to them to stop bug-related intrusion by producing better code before releasing that code into production.

Typically, hackers do a lot of research to figure out all the details about a security risk they've discovered. When they hand that research over to a vendor in its entirety, they generally don't receive any compensation other than a simple written thanks from the vendor. These hackers are left to generate a living from their work in some other manner while the vendor freely enjoys the results of the hackers' labor. That's the way the security bug discovery game works today.

If vendors want to see an end to full disclosure, they just might get a lot more than they bargained for. What if vendors no longer received full disclosure offerings from bug hunters? What if bug hunters change their policies so that they typically go to a vendor and say, for example, "We've been researching your product XYZ123 for 3 months and have found two dangerous holes in the ABC321 component of that product that grant complete system access to a remote user. We'll release full details of our research to the public in exactly 30 days unless you release a patch first, in which case, we'll release our details to coincide with your own release. Happy hunting!"? How would vendors react to that kind of cessation of full disclosure?
If nothing else, it would teach vendors to become better bug hunters, if only after the fact.

Instead of creating a "Responsible Disclosure Forum," I think Cooper would better spend his time trying to help vendors develop better debugging practices--especially more extensive beta testing programs. Why don't companies such as Microsoft develop tailored beta programs that seriously entice top-notch bug hunters to find holes in their products before releasing the products? Why can't a beta program remain operational even after a vendor releases a product into production? After all, a large number of security problems are found after vendors release products to the public. Why shouldn't a beta program also compensate bug hunters handsomely for their efforts? Microsoft and other software vendors certainly have the money to do so, and frankly, I think that'd be a fantastic investment on their part--everyone benefits. But will such a program come into existence? Don't hold your breath.

Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor, mark () ntsecurity net

2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, ken () win2000mag com)

* MALFORMED WORD DOCUMENT LETS MACRO RUN AUTOMATICALLY
Steve McLeod discovered a vulnerability in Microsoft Word that lets an attacker modify a Word document in a way that prevents the security scanner from recognizing an embedded macro while still letting the macro execute. This vulnerability lets an attacker run a macro automatically when a user opens the document. Such a macro can take any action that the user can take, including disabling the user's Word security settings so that the user can no longer check subsequently opened Word documents for macros. Microsoft has acknowledged this vulnerability and recommends that users immediately apply the applicable patch contained in Security Bulletin MS01-034, which is linked at the URL below.
http://www.windowsitsecurity.com/articles/index.cfm?articleID=21580

* UNCHECKED BUFFER IN FRONTPAGE SERVER EXTENSION SUB-COMPONENT RAD
Nsfocus discovered that a buffer overflow condition exists in the optional sub-component of the FrontPage server extension called Visual Studio RAD (Remote Application Deployment) Support. This sub-component contains an unchecked buffer in a section that processes input information. An attacker can exploit this vulnerability to execute code on the server by sending a specially malformed packet to this component and can execute this code under the IUSR_machinename security context. Under the right circumstances, the attacker can also run the code under the system's security context, letting the attacker take any desired action on the server, including assuming full control of the server. This optional component of the FrontPage server extensions is not part of the default installation. Microsoft has released security bulletin MS01-035 for this vulnerability and recommends that users of this optional component immediately apply the patch.
http://www.windowsitsecurity.com/articles/index.cfm?articleID=21581

3. ==== ANNOUNCEMENTS ====

* LEARN TO USE PROBLEM-SOLVING SCRIPTS THAT SIMPLIFY LIFE
OK, so you're not a programmer. But if you read Windows Scripting Solutions, a monthly print newsletter, you don't need to be. Tackle common problems and automate everyday, time-consuming tasks with our simple tools, tricks, and scripts. Subscribe today!
http://www.winscriptingsolutions.com/sub.cfm?code=nwei261e1a

* TIRED OF THE SAME OLD SALES PITCH?
Now there's a better way to find the perfect IT vendor or solution--absolutely free! The IT Buyer's Network (ITBN) lets you search through thousands of vendor solutions. You'll love the ITBN's one-stop shopping approach for hardware, network and systems software, IT services, and much more! Visit the ITBN today!
http://www.itbuynet.com

4. ==== SECURITY ROUNDUP ====

* NEWS: TRUSTE LAUNCHES ICON-BASED PRIVACY INITIATIVE
To help consumers better understand how Web sites use their personal information, TRUSTe launched a new initiative called the Privacy Symbols and Labels Initiative. TRUSTe also hopes to expand its privacy protection beyond the Internet to other electronic devices, such as cell phones and Personal Digital Assistants (PDAs), that can gather personal information.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21542

* NEWS: THE AD BACKUP BUG: MICROSOFT COMES CLEAN
(contributed by Sean Daily, Senior Contributing Editor, Windows 2000 Magazine, sean () realtimepublishers com)

In my guest article in the June 6 issue of WinInfo Daily UPDATE, I discussed a major bug in the Active Directory (AD) backup and restore API that affects a vast number of Windows 2000-based organizations. The bug, which Aelita Software first discovered, corrupts a high percent--in some cases, as high as 50 percent--of all AD backups. When you restore these corrupt backups to a Win2K domain controller (DC), the directory services won't start, and the system records several errors in the system event log. The problem affects all applications that use these APIs to perform AD backups (including system state backups performed with Win2K's built-in Ntbackup.exe utility and most third-party backup applications).

When I wrote that column, Microsoft hadn't documented the issue, either in the Microsoft Product Support Services (PSS) Knowledge Base or elsewhere. Given the problem's severity, I thought the omission was rather peculiar. Even more peculiar was that empirical data seemed to support the fact that Win2K Service Pack 2 (SP2) silently resolved the problem as quickly as it appeared--although Microsoft doesn't mention the problem or that SP2 provides a resolution in the SP2 documentation.

On June 13, Microsoft officially acknowledged the problem with a PSS article (Q295932) titled "Windows 2000 Domain Controllers Restored with System State Backups Made Prior to SP2 May Not Boot." The article describes the symptoms I mentioned in my June 6 article and acknowledges that SP2 does provide a fix. The article also sheds light on the underlying reasons for when and why the problem occurs.

In the article, Microsoft states that the problem occurs in this situation: When you perform an AD backup on one Win2K DC, enough changes occur to the AD replica (because of local changes or replication) that the backup generates additional transaction logs, which in turn advance the Joint Engine Technology (JET) database checkpoint. Simultaneously, the system performs a second backup on another, relatively inactive DC, during which time the log-file generation and JET-checkpoint advancement don't occur. The second backup completes before the first backup can generate log files and advance the checkpoint. In this situation, the second DC backup is corrupt; if it's restored, the restored DC can't initialize the directory service.

As a result, the problem will more likely occur when the first backup is relatively large because a commensurately larger window of time is available for the second backup to complete (and for the JET checkpoint to advance on the first DC). According to Microsoft, the situation is less likely to happen in busy AD network environments because in those situations, the usual, steady advancement of the JET checkpoint creates a lower exposure of risk for the second backup (if there are no additional logs and no advancement of the checkpoint).

The end result--and the core of the problem--is that the system writes an outdated record of required transaction log files and checkpoint data to the backup media, then later restores it in the second backup.
When the system restores the data, the header in the restored database references logs that aren't required for AD recovery, and some of these log files aren't included in the backup. This explains the appearance of "Log files are missing from system state" log entries. However, this information is misleading because the log files aren't missing; the number of log files referenced in the restored database header is incorrect.

You'll find the article that discusses this problem on Microsoft's Web site (see URL below). If you've already updated your Win2K DCs to SP2, you don't need to worry. However, if you aren't planning to upgrade to SP2 immediately, you should seriously consider installing the hotfix Microsoft mentions in the article. (You'll need to contact Microsoft directly to obtain the hotfix, which works with both base-release and SP1 systems).
http://support.microsoft.com/support/kb/articles/q295/9/32.asp

* NEWS: MASSIVE COMPAQ REORGANIZATION TO INCLUDE ALPHA DEATH
Compaq Computer will announce a massive reorganization today, retargeting itself at the service market and specific PC markets. The most controversial part of this plan, however, includes a de-emphasis of Compaq's current focus on hardware. Specifically, the company will announce that it's dropping its Alpha microprocessor in lieu of Intel's 64-bit Itanium, which was announced earlier this month. The move is a disappointment for Alpha fans, who suffered through an acrimonious split with Windows 2000/NT support a few years back, only to be left in a high-end UNIX niche.
http://www.wininformant.com/Articles/Index.cfm?ArticleID=21582

* NEWS: MICROSOFT HOTMAIL SERVICE IN NEW PRIVACY FLAP
This spring, privacy activists revealed that Microsoft's free email service, Hotmail, sends its subscribers' email address, city, and state information to InfoSpace, an Internet white pages service. InfoSpace then combines this information with the subscribers' telephone numbers and home addresses.
The result is a user database that spam advertisers (advertisers that send bulk mailings) can--and do--access.
http://www.wininformant.com/Articles/Index.cfm?ArticleID=21135

* NEWS: BUYER'S GUIDE: 802.11 WIRELESS DEVICES
Buyer's Guide: 802.11 Wireless Devices consists of products in two general categories: wireless NICs and wireless network infrastructure devices, which are generally known as access points (APs). The APs in this guide cover environments from the home office to the enterprise, but before you choose an 802.11b solution, be sure to assess your performance requirements and expectations. Wall and ceiling composition and other potential obstructions can contribute to interference, which can degrade performance of wireless networks. You should look also at relationships between speed and range and at the environmental factors that can affect these relationships. As with any product purchase, be sure to do your homework ahead of time, and choose the vendor that can satisfy your performance, reliability, and service requirements.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21146

5. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: CISCO SECURE INTERNET SECURITY SOLUTIONS
By Andrew G. Mason, Mark J. Newcomb
Fatbrain Online Price: $55.00
Hardcover; 528 pages
Published by Cisco Press, June 2001
ISBN 1587050161

For more information or to purchase this book, go to http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=1587050161 and enter WIN2000MAG as the discount code when you order the book.

* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.windowsitsecurity.com/panda

Virus Alert: W32/Msinit.B
W32/MSInit.B is a worm that uses a TCP/IP connection to access other systems. To do this, it searches for IP addresses at random.
When it finds an IP address that allows access to a disk where Windows is installed, the worm creates a copy of itself in the Windows\System directory in the form of a file called Wininit.exe. Visit the following URL for complete details about this worm.
http://63.88.172.96/Panda/Index.cfm?FuseAction=Virus&VirusID=799

* TIP: A LICENSING PROBLEM
( contributed by David Carroll, dcarroll () carida com )

Q. Why do we have license-related issues after upgrading from Windows NT to Windows 2000? Our company upgraded its client machines to Windows 2000 Professional, and we decided to upgrade from NT Server 4.0, Terminal Server Edition (TSE) to Win2K Server Terminal Services at the same time. Now, however, when some users try to access the terminal server from Win2K Pro machines, they can't connect. According to the Event Viewer, the temporary licenses have expired. I didn't think that Win2K Pro clients needed terminal services client access licenses (TSCALs). What am I missing, and how do I fix this problem?

A. Win2K Pro clients have built-in TSCALs. Nevertheless, if you don't have a Terminal Services licensing server set up and registered on your network, your Win2K Pro clients might still experience the problems you described. The first time the clients connect, they grab 90-day temporary licenses. The next time they connect, they try to upgrade those temporary licenses to full TSCALs. Consult the Terminal Services licensing tool to see which licenses your terminal server has issued. Get more information about this issue on our Web site.
http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21535

* WIN2K SECURITY: IP SECURITY FILTERING
One of the lesser-known features of Windows 2000's IP Security (IPSec) is packet filtering based on IP addresses and port filtering.
With IPSec filtering, you wrap your servers or workstations with another layer of security that protects them against attackers who try to connect from elsewhere on your internal network or from the Internet. You can use this technology in many ways, but in this article, Randy Franklin Smith shows you how to protect onsite workstations exposed to the Internet, laptops that employees use to dial into an ISP when traveling off site, and computers that employees use to telecommute.
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21546

6. ========== NEW AND IMPROVED ==========
(contributed by Scott Firestone, IV, products () win2000mag com)

* PROTECT YOUR DATA AFTER SOMEONE STEALS YOUR MOBILE DEVICE
Solagent released Solagent Secure, software that lets you protect and manage data on your mobile computing devices after someone steals your device. The software lets you remotely encrypt data and determine whether anyone compromised the data on your laptop or Personal Digital Assistant (PDA) without alerting the unauthorized user. The software is available on a subscription basis and costs $29.95 per year for an individual subscription. Contact Solagent at 800-229-8661.
http://www.solagent.com

* PROTECT YOUR INFORMATION
Auscomp released Auscomp Fort Knox 3.0, software that uses one master password to securely encrypt and protect any private files or information--PINs, passwords, accounts, documents, passports, images, programs, and spreadsheets. The software features network and Internet synchronization capability, password repository, file locker, and an auto-logon feature. Auscomp Fort Knox 3.0 runs on Windows 2000, Windows NT, Windows Me, and Windows 9x systems. The software is available in free, personal, and network licenses. Contact Auscomp at team () auscomp com
http://www.auscomp.com

7. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
http://www.win2000mag.net/forums

Featured Thread: Changing the Time Privilege in NT
(Ten messages in this thread)

This user has problems with other users in a domain not being able to change the system time because they don't have the proper privilege level. The user has set up the users' profiles in User Manager (Policies\user rights\change the system time), but the other users are still unable to change the time. Read the responses of others or lend a helping hand at the following URL:
http://www.win2000mag.net/forums/rd.cfm?app=64&id=66697

* WIN2KSECADVICE MAILING LIST
http://www.windowsitsecurity.com/go/win2ks-l.asp?A0=WIN2KSECADVICE

Featured Thread: Warning to McAfee.com VirusScan Online Users
(One message in this thread)

This user is experiencing permission problems that prevent McAfee VirusScan Online from starting up. As a result, the user might think that virus protection is active on his or her system when in fact it might not be active. The problems began to happen after a recent upgrade, when the user went to download the most recent virus signature files. Have you experienced a similar condition on your system? Read the responses or lend a hand at the following URL:
http://63.88.172.96/go/win2ks-l.asp?A2=IND0106D&L=WIN2KSECADVICE&P=89

8. ==== CONTACT US ====
Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- tfaubion () win2000mag com; please mention the newsletter name in the subject line.

* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums

* PRODUCT NEWS -- products () win2000mag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer Support at securityupdate () win2000mag com

* WANT TO SPONSOR Security UPDATE? emedia_opps () win2000mag com

********************

This weekly email newsletter is brought to you by Windows 2000 Magazine, the leading publication for Windows 2000/NT professionals who want to learn more and perform better. Subscribe today.
http://www.win2000mag.com/sub.cfm?code=wswi201x1z

Receive the latest information about the Windows 2000 and Windows NT topics of your choice. Subscribe to our other FREE email newsletters.
http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.

SUBSCRIBE
To subscribe send a blank email to subscribe-Security_UPDATE () list win2000mag net

If you have questions or problems with your UPDATE subscription, please contact securityupdate () win2000mag com

ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com


News URL

http://www.win2000mag.net/Channels/Security