Information Security News mailing list archives

Security UPDATE, June 27, 2001


From: InfoSec News <isn () c4i org>
Date: Thu, 28 Jun 2001 01:46:24 -0500 (CDT)

********************
Windows 2000 Magazine Security UPDATE--brought to you by the Windows
2000 Magazine Network
   **Watching the Watchers**
   http://www.win2000mag.net/Channels/Security
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Webtrends Firewall Suite -- Download Free Trial!
   http://go.win2000mag.net/UM/T.asp?A2153.23115.1167.1.532985

~~~~~~~~~~~~~~~~~~~~

~~~~ WEBTRENDS FIREWALL SUITE -- DOWNLOAD FREE TRIAL! ~~~~
   Experienced IT Managers know security requires insight! 
With WebTrends Firewall Suite, you'll get in-depth analysis of both
incoming and outgoing traffic through your network. Monitor bandwidth
usage, measure VPN activity, and receive alerts by email or pager
whenever critical security events occur. Firewall Suite 3.1 provides
support for 35 leading firewall and proxy servers, including Cisco and
Check Point. Currently a featured download on Tech Republic.  
Click here for your FREE trial, download now:
   http://go.win2000mag.net/UM/T.asp?A2153.23115.1167.1.532985

********************

June 27, 2001--In this issue:

1. IN FOCUS
     - To Disclose or Not to Disclose, That Is the Question

2. SECURITY RISKS
     - Malformed Word Document Lets Macro Run Automatically
     - Unchecked Buffer in FrontPage Server Extension Sub-component
       RAD

3. ANNOUNCEMENTS
     - Learn to Use Problem-Solving Scripts That Simplify Life
     - Check Out This Great Email Newsletter Search Engine

4. SECURITY ROUNDUP
     - News: TRUSTe Launches Icon-Based Privacy Initiative
     - News: AD Backup Bug: Microsoft Comes Clean
     - News: Massive Compaq Reorganization to Include Alpha Death
     - News: Microsoft Hotmail Service in New Privacy Flap
     - News: Buyer's Guide: 802.11 Wireless Devices

5. SECURITY TOOLKIT
     - Book Highlight: Cisco Secure Internet Security Solutions
     - Virus Center
         - Virus Alert: W32/MSInit.B
     - Tip: A Licensing Problem 
     - Win2K Security: IP Security Filtering

6. NEW AND IMPROVED
     - Protect Your Data After Someone Steals Your Mobile Device
     - Protect Your Information

7. HOT THREADS
     - Windows 2000 Magazine Online Forums
         - Featured Thread: Changing the Time Privilege in NT
     - Win2KsecAdvice Mailing List:
         - Featured Thread: Warning to McAfee.com VirusScan Online Users

8. CONTACT US
   See this section for a list of ways to contact us.

1. ==== COMMENTARY ====

Hello everyone,

The practice of full disclosure of security risk information is again
under attack. According to an article at MSNBC (linked below), Russ
Cooper, moderator of the NTBugTraq mailing list, has undertaken a
project to create what he calls the "Responsible Disclosure Forum."
Cooper thinks such a forum will better govern the release of security
risk information to the public because the forum will decide what
information to release and when to release it. Cooper didn't say how the
forum will entice membership from the worldwide hacker community, but
nonetheless, its objective seems clear: Curb the release of risk details
in a manner that prevents exploitation.
   http://www.msnbc.com/news/592066.asp

In the article, Cooper said, "It's better for everyone if we keep [this
data] to ourselves. Why not keep it among the people who are considered
responsible security practitioners? Most attackers aren't smart enough
to write exploits themselves, so they rely on other people to release
them." 

Actually, Cooper's statements make sense to me, but such a forum simply
won't work. The rogues of the hacker community have already proven that
when given only minor details about a bug, they can produce a working
exploit in a relatively short amount of time. Also, heated discussions
have taken place in past years about full disclosure of security risk
details. Those discussions eventually led to several written policies
that suggest a proper course of action that hackers should take with any
release of security risk information. Russ Cooper has such a policy
posted on his Web site (linked at the first URL below); however, a
policy known as RFPolicy, authored by a person using the alias "rain
forest puppy," is probably the most widely used standard in the hacker
community today.
   http://ntbugtraq.ntadvice.com/policy.asp
   http://www.wiretrip.net/rfp/policy.html

According to either policy, the basic course of action is for the hacker
to notify the vendor about the alleged bug, give the vendor a reasonable
response time, give the vendor time to produce a patch, and release the
bug information in relative unison (not beforehand) with the company
suffering from the bug. Both policies seem reasonable, and many hackers
adhere to the policies. But now it seems those practices are no longer
good enough. 

Case in point: eEye Digital Security. When eEye recently produced a
sample program that demonstrates a security problem with Microsoft IIS,
many users frowned on the company for doing so. Even though eEye worked
with Microsoft to correct the problem and timed the release of its
research with the release of Microsoft's own security bulletin and
patch, certain circles still chastised eEye because the company's
information included a working example. Certain people prefer that this
practice--the open sharing of security-related scientific research and
working models--be completely eliminated. Why? Because it's too easy for
someone to turn such a model into a weapon. That's a weak argument in my
opinion.

The problems with network intrusion aren't based on the number of script
kiddies using hand-me-down code snagged from a full-disclosure mailing
list or Web site. The problems actually seem to be based on only two
factors: the quality of the code and the quality of the network
administration. With solid code and solid network administration in
place, the actions of script kiddies, and even many of the best hackers,
become relatively moot. The reality is that if someone intrudes on a
computer system and the intrusion is because of a bug for which there is
no patch, the code's vendor is at fault because the vendor wrote the
code. Certainly, software vendors disclaim legal liability, but such
disclaimers don't change where the fault truly lies. A faulty product is
a faulty product, so trying to reduce a person's ability to obtain
usable exploit code is like placing a Band-Aid on the wounds from a
shotgun blast to the head. It only masks a small part of an incredibly
serious problem.

And that problem is firmly in vendors' hands. It's up to them to stop
bug-related intrusion by producing better code before releasing that
code into production. Typically, hackers do a lot of research to figure
out all the details about a security risk they've discovered. When they
hand that research over to a vendor in its entirety, they generally
don't receive any compensation other than a simple written thanks from
the vendor. These hackers are left to generate a living from their work
in some other manner while the vendor freely enjoys the results of the
hackers' labor. That's the way the security bug discovery game works
today.

If vendors want to see an end to full disclosure, they just might get a
lot more than they bargained for. What if vendors no longer received
full disclosure offerings from bug hunters? What if bug hunters change
their policies so that they typically go to a vendor and say, for
example, "We've been researching your product XYZ123 for 3 months and
have found two dangerous holes in the ABC321 component of that product
that grant complete system access to a remote user. We'll release full
details of our research to the public in exactly 30 days unless you
release a patch first, in which case, we'll release our details to
coincide with your own release. Happy hunting!"? How would vendors react
to that kind of cessation of full disclosure? If nothing else, it would
teach vendors to become better bug hunters, if only after the fact.

Instead of creating a "Responsible Disclosure Forum," I think Cooper
would better spend his time trying to help vendors develop better
debugging practices--especially more extensive beta testing programs.
Why don't companies such as Microsoft develop tailored beta programs
that seriously entice top-notch bug hunters to find holes in their
products before releasing the products? Why can't a beta program remain
operational even after a vendor releases a product into production?
After all, a large number of security problems are found after vendors
release products to the public. Why shouldn't a beta program also
compensate bug hunters handsomely for their efforts? Microsoft and other
software vendors certainly have the money to do so, and frankly, I think
that'd be a fantastic investment on their part--everyone benefits. But
will such a program come into existence? Don't hold your breath. Until
next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor, mark () ntsecurity net

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () win2000mag com)

* MALFORMED WORD DOCUMENT LETS MACRO RUN AUTOMATICALLY
   Steve McLeod discovered a vulnerability in Microsoft Word that lets
an attacker modify a Word document in a way that prevents the security
scanner from recognizing an embedded macro while still letting the macro
execute. This vulnerability lets an attacker run a macro automatically
when a user opens the document. Such a macro can take any action that
the user can take, including disabling the user's Word security settings
so that the user can no longer check subsequently opened Word documents
for macros. Microsoft has acknowledged this vulnerability and recommends
that users immediately apply the applicable patch contained in Security
Bulletin MS01-034, which is linked at the URL below.  
   http://www.windowsitsecurity.com/articles/index.cfm?articleID=21580

* UNCHECKED BUFFER IN FRONTPAGE SERVER EXTENSION SUB-COMPONENT RAD
   Nsfocus discovered that a buffer overflow condition exists in the
optional sub-component of the FrontPage server extension called Visual
Studio RAD (Remote Application Deployment) Support. This sub-component
contains an unchecked buffer in a section that processes input
information. An attacker can exploit this vulnerability to execute code
on the server by sending a specially malformed packet to this component
and can execute this code under the IUSR_machinename security context.
Under the right circumstances, the attacker can also run the code under
the system's security context, letting the attacker take any desired
action on the server, including assuming full control of the server.
This optional component of the FrontPage server extensions is not part
of the default installation. Microsoft has released security bulletin
MS01-035 for this vulnerability and recommends that users of this
optional component immediately apply the patch.
   http://www.windowsitsecurity.com/articles/index.cfm?articleID=21581

3. ==== ANNOUNCEMENTS ====

* LEARN TO USE PROBLEM-SOLVING SCRIPTS THAT SIMPLIFY LIFE
   OK, so you're not a programmer. But if you read Windows Scripting
Solutions, a monthly print newsletter, you don't need to be. Tackle
common problems and automate everyday, time-consuming tasks with our
simple tools, tricks, and scripts. Subscribe today!
   http://www.winscriptingsolutions.com/sub.cfm?code=nwei261e1a

* TIRED OF THE SAME OLD SALES PITCH?     
   Now there's a better way to find the perfect IT vendor or
solution--absolutely free! The IT Buyer's Network (ITBN) lets you search
through thousands of vendor solutions. You'll love the ITBN's one-stop
shopping approach for hardware, network and systems software, IT
services, and much more! Visit the ITBN today! 
   http://www.itbuynet.com

4. ==== SECURITY ROUNDUP ====

* NEWS: TRUSTE LAUNCHES ICON-BASED PRIVACY INITIATIVE
   To help consumers better understand how Web sites use their personal
information, TRUSTe launched a new initiative called the Privacy Symbols
and Labels Initiative. TRUSTe also hopes to expand its privacy
protection beyond the Internet to other electronic devices, such as cell
phones and Personal Digital Assistants (PDAs), that can gather personal
information.
   http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21542

* NEWS: THE AD BACKUP BUG: MICROSOFT COMES CLEAN 
   (contributed by Sean Daily, Senior Contributing Editor, Windows 2000
Magazine, sean () realtimepublishers com)
 
In my guest article in the June 6 issue of WinInfo Daily UPDATE, I
discussed a major bug in the Active Directory (AD) backup and restore
API that affects a vast number of Windows 2000-based organizations. The
bug, which Aelita Software first discovered, corrupts a high percent--in
some cases, as high as 50 percent--of all AD backups. When you restore
these corrupt backups to a Win2K domain controller (DC), the directory
services won't start, and the system records several errors in the
system event log. The problem affects all applications that use these
APIs to perform AD backups (including system state backups performed
with Win2K's built-in Ntbackup.exe utility and most third-party backup
applications).

When I wrote that column, Microsoft hadn't documented the issue, either
in the Microsoft Product Support Services (PSS) Knowledge Base or
elsewhere. Given the problem's severity, I thought the omission was
rather peculiar. Even more peculiar was that empirical data seemed to
support the fact that Win2K Service Pack 2 (SP2) silently resolved the
problem as quickly as it appeared--although Microsoft doesn't mention
the problem or that SP2 provides a resolution in the SP2 documentation.
On June 13, Microsoft officially acknowledged the problem with a PSS
article (Q295932) titled "Windows 2000 Domain Controllers Restored with
System State Backups Made Prior to SP2 May Not Boot." The article
describes the symptoms I mentioned in my June 6 article and acknowledges
that SP2 does provide a fix. The article also sheds light on the
underlying reasons for when and why the problem occurs. 

In the article, Microsoft states that the problem occurs in this
situation: When you perform an AD backup on one Win2K DC, enough changes
occur to the AD replica (because of local changes or replication) that
the backup generates additional transaction logs, which in turn advance
the Joint Engine Technology (JET) database checkpoint. Simultaneously,
the system performs a second backup on another, relatively inactive DC,
during which time the log-file generation and JET-checkpoint advancement
don't occur. The second backup completes before the first backup can
generate log files and advance the checkpoint. In this situation, the
second DC backup is corrupt; if it's restored, the restored DC can't
initialize the directory service. As a result, the problem will more
likely occur when the first backup is relatively large because a
commensurately larger window of time is available for the second backup
to complete (and for the JET checkpoint to advance on the first DC).
According to Microsoft, the situation is less likely to happen in busy
AD network environments because in those situations, the usual, steady
advancement of the JET checkpoint creates a lower exposure of risk for
the second backup (if there are no additional logs and no advancement of
the checkpoint). The end result--and the core of the problem--is that
the system writes an outdated record of required transaction log files
and checkpoint data to the backup media, then later restores it in the
second backup. When the system restores the data, the header in the
restored database references logs that aren't required for AD recovery,
and some of these log files aren't included in the backup. This explains
the appearance of "Log files are missing from system state" log entries.
However, this information is misleading because the log files aren't
missing; the number of log files referenced in the restored database
header is incorrect.

You'll find the article that discusses this problem on Microsoft's Web
site (see URL below). If you've already updated your Win2K DCs to SP2,
you don't need to worry. However, if you aren't planning to upgrade to
SP2 immediately, you should seriously consider installing the hotfix
Microsoft mentions in the article. (You'll need to contact Microsoft
directly to obtain the hotfix, which works with both base-release and
SP1 systems).  
   http://support.microsoft.com/support/kb/articles/q295/9/32.asp
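The article above explains the symptom ("Log files are missing from system state") as a header that references more log generations than the backup actually carries, rather than files that were lost. The following is an added model, not Microsoft's code and not the real JET/ESE on-disk format: a pre-restore check over a simplified picture of a system-state backup in which the database header names the range of transaction-log generations a restore must replay and the set carries the log files actually copied to media. The DC names and generation numbers are constructed, and the distinction between a stale header and a genuine gap is the model's own.

```python
# Added model, not Microsoft's code or the real ESE/JET on-disk format:
# a pre-restore consistency check over a simplified picture of a system-state
# backup. The database header records the range of transaction-log
# generations a restore must replay; the backup set carries the log files
# actually copied to media. The log generation numbers below are constructed.
from dataclasses import dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class BackupSet:
    dc: str                        # hypothetical DC name
    first_required_log: int        # header: lowest log generation to replay
    last_required_log: int         # header: highest log generation to replay
    included_logs: FrozenSet[int]  # log generations present in the backup


def diagnose(b: BackupSet) -> Dict[str, object]:
    """Compare the header's required log range with the logs on media.

    Distinguishes two causes of a failed restore:
    - stale_header_refs: the header names generations beyond the highest log
      the backup contains, i.e. the recorded log count is wrong and the files
      were never part of this DC's backup (the case the article describes);
    - true_gaps: generations below the highest included log that are absent,
      i.e. files really are missing from the set.
    """
    required = range(b.first_required_log, b.last_required_log + 1)
    missing = sorted(g for g in required if g not in b.included_logs)
    highest_included = max(b.included_logs, default=b.first_required_log - 1)
    stale_header_refs = [g for g in missing if g > highest_included]
    true_gaps = [g for g in missing if g <= highest_included]
    return {
        "dc": b.dc,
        "restorable": not missing,
        "stale_header_refs": stale_header_refs,
        "true_gaps": true_gaps,
    }


def check_all(sets: List[BackupSet]) -> List[Dict[str, object]]:
    """Run the check over every backup set before any restore is attempted."""
    return [diagnose(b) for b in sets]


# Constructed sample sets (generation numbers are arbitrary):
# DC1: busy DC, header and media agree.
CONSISTENT = BackupSet("DC1", 100, 104, frozenset(range(100, 105)))
# DC2: quiet DC whose backup carries a header advanced further than the
# logs it actually generated; the symptom reads "log files are missing"
# but no file was lost.
STALE_HEADER = BackupSet("DC2", 100, 104, frozenset({100, 101}))
# DC3: a set with a genuine hole in the middle of the log sequence.
DAMAGED = BackupSet("DC3", 100, 104, frozenset({100, 101, 103, 104}))

if __name__ == "__main__":
    for report in check_all([CONSISTENT, STALE_HEADER, DAMAGED]):
        print(report)
```

Run against the three constructed sets, the check passes DC1, flags DC2 with stale header references 102 through 104 and no true gaps, and flags DC3 with a true gap at 102; telling the two apart is what keeps an operator from hunting for log files that never existed.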

* NEWS: MASSIVE COMPAQ REORGANIZATION TO INCLUDE ALPHA DEATH
   Compaq Computer will announce a massive reorganization today,
retargeting itself at the service market and specific PC markets. The
most controversial part of this plan, however, includes a de-emphasis of
Compaq's current focus on hardware. Specifically, the company will
announce that it's dropping its Alpha microprocessor in lieu of Intel's
64-bit Itanium, which was announced earlier this month. The move is a
disappointment for Alpha fans, who suffered through an acrimonious split
with Windows 2000/NT support a few years back, only to be left in a
high-end UNIX niche.
   http://www.wininformant.com/Articles/Index.cfm?ArticleID=21582

* NEWS: MICROSOFT HOTMAIL SERVICE IN NEW PRIVACY FLAP
   This spring, privacy activists revealed that Microsoft's free email
service, Hotmail, sends its subscribers' email address, city, and state
information to InfoSpace, an Internet white pages service. InfoSpace
then combines this information with the subscribers' telephone numbers
and home addresses. The result is a user database that spam advertisers
(advertisers that send bulk mailings) can--and do--access.
   http://www.wininformant.com/Articles/Index.cfm?ArticleID=21135

* NEWS: BUYER'S GUIDE: 802.11 WIRELESS DEVICES
   Buyer's Guide: 802.11 Wireless Devices consists of products in two
general categories: wireless NICs and wireless network infrastructure
devices, which are generally known as access points (APs). The APs in
this guide cover environments from the home office to the enterprise,
but before you choose an 802.11b solution, be sure to assess your
performance requirements and expectations. Wall and ceiling composition
and other potential obstructions can contribute to interference, which
can degrade performance of wireless networks. You should look also at
relationships between speed and range and at the environmental factors
that can affect these relationships. As with any product purchase, be
sure to do your homework ahead of time, and choose the vendor that can
satisfy your performance, reliability, and service requirements.
   http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21146

5. ==== SECURITY TOOLKIT ====

* BOOK HIGHLIGHT: CISCO SECURE INTERNET SECURITY SOLUTIONS
   By Andrew G. Mason, Mark J. Newcomb
   Fatbrain Online Price: $55.00
   Hardcover; 528 pages
   Published by Cisco Press, June 2001
   ISBN 1587050161

For more information or to purchase this book, go to
http://www1.fatbrain.com/asp/bookinfo/bookinfo.asp?theisbn=1587050161
and enter WIN2000MAG as the discount code when you order the book.

* VIRUS CENTER
   Panda Software and the Windows 2000 Magazine Network have teamed to
bring you the Center for Virus Control. Visit the site often to remain
informed about the latest threats to your system security.
   http://www.windowsitsecurity.com/panda

Virus Alert: W32/MSInit.B
   W32/MSInit.B is a worm that uses a TCP/IP connection to access other
systems. To do this, it searches for IP addresses at random. When it
finds an IP address that allows access to a disk where Windows is
installed, the worm creates a copy of itself in the Windows\System
directory in the form of a file called Wininit.exe. Visit the following
URL for complete details about this worm.
   http://63.88.172.96/Panda/Index.cfm?FuseAction=Virus&VirusID=799

* TIP: A LICENSING PROBLEM
   (contributed by David Carroll, dcarroll () carida com)

Q. Why do we have license-related issues after upgrading from Windows NT
to Windows 2000? Our company upgraded its client machines to Windows
2000 Professional, and we decided to upgrade from NT Server 4.0,
Terminal Server Edition (TSE) to Win2K Server Terminal Services at the
same time. Now, however, when some users try to access the terminal
server from Win2K Pro machines, they can't connect. According to the
Event Viewer, the temporary licenses have expired. I didn't think that
Win2K Pro clients needed terminal services client access licenses
(TSCALs). What am I missing, and how do I fix this problem?
 
A. Win2K Pro clients have built-in TSCALs. Nevertheless, if you don't
have a Terminal Services licensing server set up and registered on your
network, your Win2K Pro clients might still experience the problems you
described. The first time the clients connect, they grab 90-day
temporary licenses. The next time they connect, they try to upgrade
those temporary licenses to full TSCALs. Consult the Terminal Services
licensing tool to see which licenses your terminal server has issued.
Get more information about this issue on our Web site.
   http://www.win2000mag.com/Articles/Index.cfm?ArticleID=21535

* WIN2K SECURITY: IP SECURITY FILTERING
   One of the lesser-known features of Windows 2000's IP Security
(IPSec) is packet filtering based on IP addresses and port filtering.
With IPSec filtering, you wrap your servers or workstations with another
layer of security that protects them against attackers who try to
connect from elsewhere on your internal network or from the Internet.
You can use this technology in many ways, but in this article, Randy
Franklin Smith shows you how to protect onsite workstations exposed to
the Internet, laptops that employees use to dial into an ISP when
traveling off site, and computers that employees use to telecommute.
   http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=21546
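To make the address-and-port filtering described above concrete, here is an added model, not Microsoft's IPSec implementation or its policy format: an evaluator for a small filter list protecting an Internet-exposed workstation. It assumes two things about how such filters behave, namely that the most specific matching filter decides the action and that traffic matching no filter is left alone; the addresses, ports and filter names are constructed.

```python
# Added model, not Microsoft's IPSec implementation or its policy format:
# an evaluator for address/port filters in the style the article describes.
# Assumptions: the most specific matching filter decides the action, and a
# packet that matches no filter is left alone (passes). Addresses, ports and
# filter names below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Iterable, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                  # "tcp", "udp", "icmp", ...
    dst_port: Optional[int] = None


@dataclass(frozen=True)
class Filter:
    name: str
    src: str                        # "any" or a CIDR
    dst: str                        # "any" or a CIDR
    proto: str = "any"              # "any" or a protocol name
    dst_port: Optional[int] = None  # None means any port
    action: str = "block"           # "permit" or "block"

    def matches(self, pkt: Packet) -> bool:
        if self.src != "any" and ip_address(pkt.src) not in ip_network(self.src):
            return False
        if self.dst != "any" and ip_address(pkt.dst) not in ip_network(self.dst):
            return False
        if self.proto != "any" and self.proto != pkt.proto:
            return False
        if self.dst_port is not None and self.dst_port != pkt.dst_port:
            return False
        return True

    def specificity(self) -> int:
        # Longer prefixes and an explicit protocol/port make a filter more specific.
        score = 0
        for cidr in (self.src, self.dst):
            if cidr != "any":
                score += ip_network(cidr).prefixlen
        if self.proto != "any":
            score += 1
        if self.dst_port is not None:
            score += 1
        return score


def decide(filters: Iterable[Filter], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Return (action, filter name); unmatched traffic passes with no filter."""
    hits = [f for f in filters if f.matches(pkt)]
    if not hits:
        return ("permit", None)
    best = max(hits, key=Filter.specificity)
    return (best.action, best.name)


# Constructed policy for an Internet-exposed workstation at 192.0.2.10:
# block everything addressed to it, then carve out the file-sharing port
# for the internal LAN only.
WORKSTATION = "192.0.2.10/32"
POLICY = [
    Filter("block-all-inbound", "any", WORKSTATION),
    Filter("permit-lan-smb", "10.0.0.0/8", WORKSTATION, "tcp", 445, "permit"),
]

if __name__ == "__main__":
    for pkt in [
        Packet("198.51.100.7", "192.0.2.10", "tcp", 445),  # Internet host
        Packet("10.1.2.3", "192.0.2.10", "tcp", 445),      # LAN host, SMB
        Packet("10.1.2.3", "192.0.2.10", "tcp", 135),      # LAN host, RPC
        Packet("192.0.2.10", "203.0.113.5", "tcp", 80),    # outbound web
    ]:
        print(pkt, "->", decide(POLICY, pkt))
```

The broad block filter and the narrow permit filter both match the LAN host's SMB connection, and the permit wins only because it is more specific; the same LAN host reaching for another port, or any Internet host, falls back to the block. Outbound traffic from the workstation matches nothing and passes, which is the shape of policy the article has in mind for a machine that must reach out but should not be reached.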

6. ==== NEW AND IMPROVED ====
   (contributed by Scott Firestone, IV, products () win2000mag com)

* PROTECT YOUR DATA AFTER SOMEONE STEALS YOUR MOBILE DEVICE
   Solagent released Solagent Secure, software that lets you protect and
manage data on your mobile computing devices after someone steals your
device. The software lets you remotely encrypt data and determine
whether anyone compromised the data on your laptop or Personal Digital
Assistant (PDA) without alerting the unauthorized user. The software is
available on a subscription basis and costs $29.95 per year for an
individual subscription. Contact Solagent at 800-229-8661.
   http://www.solagent.com

* PROTECT YOUR INFORMATION
   Auscomp released Auscomp Fort Knox 3.0, software that uses one master
password to securely encrypt and protect any private files or
information--PINs, passwords, accounts, documents, passports, images,
programs, and spreadsheets. The software features network and Internet
synchronization capability, password repository, file locker, and an
auto-logon feature. Auscomp Fort Knox 3.0 runs on Windows 2000, Windows
NT, Windows Me, and Windows 9x systems. The software is available in
free, personal, and network licenses. Contact Auscomp at
team () auscomp com.
   http://www.auscomp.com

7. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
   http://www.win2000mag.net/forums 

Featured Thread: Changing the Time Privilege in NT
   (Ten messages in this thread)

This user has problems with other users in a domain not being able to
change the system time because they don't have the proper privilege
level. The user has set up the users' profiles in User Manager
(Policies\user rights\change the system time), but the other users are
still unable to change the time. Read the responses of others or lend a
helping hand at the following URL:
   http://www.win2000mag.net/forums/rd.cfm?app=64&id=66697

* WIN2KSECADVICE MAILING LIST
   http://www.windowsitsecurity.com/go/win2ks-l.asp?A0=WIN2KSECADVICE

Featured Thread: Warning to McAfee.com VirusScan Online Users
   (One message in this thread)

This user is experiencing permission problems that prevent McAfee
VirusScan Online from starting up. As a result, the user might think
that virus protection is active on his or her system when in fact it
might not be active. The problems began to happen after a recent
upgrade, when the user went to download the most recent virus signature
files. Have you experienced a similar condition on your system? Read the
responses or lend a hand at the following URL:
   http://63.88.172.96/go/win2ks-l.asp?A2=IND0106D&L=WIN2KSECADVICE&P=89

8. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT THE COMMENTARY -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- tfaubion () win2000mag com; please
mention the newsletter name in the subject line.

* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums

* PRODUCT NEWS -- products () win2000mag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
Support at securityupdate () win2000mag com.

* WANT TO SPONSOR Security UPDATE? emedia_opps () win2000mag com

********************
   This weekly email newsletter is brought to you by Windows 2000
Magazine, the leading publication for Windows 2000/NT professionals who
want to learn more and perform better. Subscribe today.
   http://www.win2000mag.com/sub.cfm?code=wswi201x1z

   Receive the latest information about the Windows 2000 and Windows NT
topics of your choice. Subscribe to our other FREE email newsletters.
   http://www.win2000mag.net/email

|-+-+-+-+-+-+-+-+-+-|

Thank you for reading Security UPDATE.


SUBSCRIBE
To subscribe send a blank email to
subscribe-Security_UPDATE () list win2000mag net.

If you have questions or problems with your UPDATE subscription, please
contact securityupdate () win2000mag com. 

ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.