Information Security News mailing list archives

Security UPDATE, July 31, 2002


From: InfoSec News <isn () c4i org>
Date: Thu, 1 Aug 2002 05:36:51 -0500 (CDT)

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET Server, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Real-World Strategies for Infrastructure Success
   http://www.ibm.com/e-business/playtowin/n152

St. Bernard Software
   http://list.winnetmag.com/cgi-bin3/flo?y=eMrg0CJgSH0CBw0rf10Ab
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: REAL-WORLD STRATEGIES FOR INFRASTRUCTURE SUCCESS ~~~~
   Learn how your company can tackle the challenge of continually
integrating to remain competitive as e-business technologies evolve.
The IBM white paper, "Managing e-business integration challenges," can
help you understand how to identify key integration components. So
even as today's systems become tomorrow's legacy systems, you'll be
able to support ever-changing business goals. Also included is a
discussion of how to assess your integration requirements for whatever
state of e-business adoption your infrastructure has reached. Visit us
online to get your complimentary copy today at
   http://www.ibm.com/e-business/playtowin/n152

~~~~~~~~~~~~~~~~~~~~

July 31, 2002--In this issue:

1. IN FOCUS
     - Wireless Honeypots; Microsoft's New Vulnerability Reporting
       Preference

2. SECURITY RISKS
     - Authentication Vulnerability in Microsoft Metadirectory
       Services 2.2
     - Buffer Overrun in SQL Server 2000 Utilities
     - Multiple Vulnerabilities in SQL Server 2000
     - Buffer Overrun in Exchange Server 5.5
     - Correction: Symantec, Not Semantic

3. ANNOUNCEMENTS
     - Get Kudos & a Free Trip to SQL Server Magazine LIVE! in
       Orlando!
     - If You Have an Urgent or Annoying Windows NT/2000 Problem

4. SECURITY ROUNDUP
     - News: Rumors About Windows XP SP1 WPA Changes Not True
     - Feature: Firewall Buyer's Guide

5. HOT RELEASES
     - IBM e-business Integration White Paper
     - VeriSign - The Value of Trust

6. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Prevent WMP from Processing HTML Scripts
       Contained Within Media Files?

7. NEW AND IMPROVED
     - New Email Security Tests
     - Intrusion Protection Software
     - Submit Top Product Ideas

8. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Recovery Console Password Recovery

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
mark () ntsecurity net)

* WIRELESS HONEYPOTS; MICROSOFT'S NEW VULNERABILITY REPORTING
PREFERENCE

I've discussed honeypots several times in the Security UPDATE
newsletter. Now, several organizations are developing another type of
honeypot to trap intruders. The Science Applications International
Corporation (SAIC) has established the Wireless Information Security
Experiment (WISE), which runs under the 802.11b wireless communication
specification. According to SAIC, the new wireless honeypot network
"sits behind a device where all inbound and outbound data is
controlled and captured. [The] information is then analyzed to learn
the tools, tactics, and motives of wireless system exploitation in
order to develop information security tools and defenses."
   http://www.incident-response.org/WISE.htm
   http://www.saic.com

In the March 27, 2002, edition of Security UPDATE, I discussed "war
driving" (see the URL below), a phrase that describes the act of
driving around with a wireless connectivity device with an antenna
attempting to connect to unprotected wireless LANs (WLANs). SAIC's
wireless honeypot is a response to intruders who perform war driving.
WISE will be located in a major metropolitan area in which war drivers
often search for vulnerable networks. The WISE honeypot network,
designed to "develop effective information security, intrusion
detection, and incident response, and forensic methodologies for
wireless networks," will consist of several bridged wireless nodes
designed to cover a large city area. SAIC will eventually connect the
wireless honeypot to a satellite broadband system that will in turn
connect the initial honeypot network to a similar network in another
major city.
   http://www.secadministrator.com/articles/index.cfm?articleid=24616

SAIC's wireless honeypot is part of the Honeynet Research Alliance, a
group of organizations "actively researching, developing and deploying
Honeynets and sharing the lessons learned." The alliance currently
consists of 10 organizations around the world, each of which is
involved in various aspects of honeypot development and research.
Alliance members include the South Florida HoneyNet Project, Nodal
Intrusion Forensics Technology Initiative, Incidents.org Virtual
Honeynet Project, Paladion Networks Honeynet Project, Internet
Systematics Lab Honeynet Project, SAIC Wireless Honeynet, AT&T Mexico
Honeynet, NetForensics Honeynet, Azusa Pacific University Honeynet,
and the Brazilian Honeynet Project. You'll find more information about
honeypots and the alliance at the first URL below. Check out the Web
site, especially if you're considering establishing a honeypot or
honeynet of your own. For Windows & .NET Magazine articles about
honeypots, visit our Web site at the second URL below.
   http://project.honeynet.org/alliance
   http://search.winnetmag.com/query.html?qt=honeypot

Did you know that Microsoft has changed how users submit vulnerability
reports? Formerly, users emailed vulnerability information to
secure () microsoft com. However, the company recently removed that
contact address from its Web site and now requests that users contact
the company about security vulnerabilities through a Secure Sockets
Layer (SSL)-enabled Web form. The new Web form will help the company
collect more complete information for vulnerability reports through
the many fields that users must complete before they submit a report.
For example, when you visit the Web page, you'll find that the form
requests information such as OS, additional hardware installed on the
system, and installed security patches and service packs. The form
also provides space in which to describe how someone could mount an
attack by using a given flaw and what results would occur. Be sure to
look at the new form at the URL below. During the transition to the
new Web form, the company will still monitor the secure () microsoft com
email address.
   https://www.microsoft.com/technet/security/bulletin/alertus.asp

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: WORST CASE SCENARIO: Hacker Attacks Your Network ~~~~
   Security exploits are often a direct result of missing patches.
UpdateEXPERT is a patch remediation tool that scans your network for
missing hotfixes, and FIXES discovered weaknesses for increased
network protection. UpdateEXPERT features an exclusive database of
patches that are researched and tested for interdependencies by our
in-house patch experts. Supporting Windows NT4/2000/XP, SQL Server,
Exchange Server, IE, Outlook and other mission-critical applications,
UpdateEXPERT installs updates to all servers and workstations remotely
without a required client agent.
   FREE Live Trial:
   http://list.winnetmag.com/cgi-bin3/flo?y=eMrg0CJgSH0CBw0rf10Ab

~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* AUTHENTICATION VULNERABILITY IN MICROSOFT METADIRECTORY SERVICES 2.2
   Dan Pascal Huijbers and Thomas de Klerk of Info Support discovered
a flaw that could let an unprivileged user access and manipulate data
within Microsoft Metadirectory Services (MMS) that, by design, only
MMS administrators should be able to access. Microsoft has released
Security Bulletin MS02-036 (Authentication Flaw in Microsoft
Metadirectory Services Could Allow Privilege Elevation) to address
this vulnerability and recommends that affected users download and
apply the service pack mentioned in the security bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=26073

* BUFFER OVERRUN IN SQL SERVER 2000 UTILITIES
   Cesar Cerrudo discovered two vulnerabilities in Microsoft SQL
Server 2000 and Microsoft SQL Server Desktop Engine (MSDE). The
vulnerabilities are related to a buffer overrun and SQL injection.
Microsoft has released Security Bulletin MS02-038 (Unchecked Buffer in
SQL Server 2000 Utilities Could Allow Code Execution) to address these
vulnerabilities and recommends that affected users download and apply
the appropriate patch mentioned in the security bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=26074

* MULTIPLE VULNERABILITIES IN SQL SERVER 2000
   Cesar Cerrudo discovered three new vulnerabilities in Microsoft SQL
Server 2000 and Microsoft SQL Server Desktop Engine (MSDE). The
vulnerabilities are two buffer overruns and a potential for Denial of
Service (DoS) attacks. Microsoft has released Security Bulletin
MS02-039 (Buffer Overruns in SQL Server 2000 Resolution Service Could
Enable Code Execution) to address these vulnerabilities and recommends
that affected users download and apply the appropriate patch mentioned
in the security bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=26075

* BUFFER OVERRUN IN EXCHANGE SERVER 5.5
   Dan Ingevaldson of Internet Security Systems (ISS) discovered a
buffer-overrun vulnerability in Microsoft Exchange Server 5.5 that can
let an attacker remotely compromise the server. This vulnerability is
the result of an unchecked buffer in the Internet Mail Connector (IMC)
code that generates the response to the Extended Hello protocol
command. Microsoft has released Security Bulletin MS02-037 (Server
Response To SMTP Client EHLO Command Results In Buffer Overrun) to
address this vulnerability and recommends that affected users download
and apply the appropriate patch mentioned in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=26048

* CORRECTION: SYMANTEC, NOT SEMANTIC
   We apologize for inadvertently misspelling Symantec's name in the
July 24, 2002, edition of Security UPDATE as we described a
vulnerability in Symantec's Norton Personal Firewall that an attacker
can exploit to execute code on the vulnerable system. We appreciate
those readers who pointed out the error.

3. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* GET KUDOS & A FREE TRIP TO SQL SERVER MAGAZINE LIVE! IN ORLANDO!
   Get the recognition you deserve for your cutting-edge SQL Server
solution and take home the SQL Server Innovator's Cup. If you work
with SQL Server and have created a technical solution to a problem or
enhanced a program or system feature to improve performance or return
on investment, you qualify to enter this awards program sponsored by
Microsoft. Enter today at: http://list.winnetmag.com/cgi-bin3/flo?y=eMrg0CJgSH0CBw02hN0A3

* IF YOU HAVE AN URGENT OR ANNOYING WINDOWS NT/2000 PROBLEM
   Then you need to visit our JSI FAQ site. Updated daily, this vast
list of FAQs includes more than 4000 tips, tricks, and registry hacks
to help you solve your toughest problems. Check it out!
   http://list.winnetmag.com/cgi-bin3/flo?y=eMrg0CJgSH0CBw0rQT0Ap

4. ==== SECURITY ROUNDUP ====

* NEWS: RUMORS ABOUT WINDOWS XP SP1 WPA CHANGES NOT TRUE
   A bizarre rumor about Microsoft making sweeping changes to its
Windows Product Activation (WPA) technology in Windows XP Service Pack
1 (SP1) is completely untrue, the company has stated. The rumor, which
a small technology-enthusiast Web site started, had Microsoft changing
the product keys for all its customers who use volume licensing.
   http://www.secadministrator.com/articles/index.cfm?articleid=26051

* FEATURE: FIREWALL BUYER'S GUIDE
   Today's centrally managed, software-based firewalls go well beyond
packet filtering. Although interrogating a network datagram for IP
addresses and port numbers is still a prerequisite, vendors, such as
those in this firewall software Buyer's Guide, are including more
functionality. To distinguish between excellent and run-of-the-mill
firewalls, you need to look at a product's level of automation,
additional features, and ease of management.
   http://www.secadministrator.com/articles/index.cfm?articleid=25651

5. ==== HOT RELEASES ====

* IBM E-BUSINESS INTEGRATION WHITE PAPER
   Learn to remain competitive as e-business technologies evolve. The
IBM white paper, "Managing e-business integration challenges," will
help you understand how to identify key integration components. Get
your complimentary copy at
   http://www.ibm.com/e-business/playtowin/n122

* VERISIGN - THE VALUE OF TRUST
   Get the strongest server security -- 128-bit SSL encryption!
   Download VeriSign's FREE guide, "Securing Your Web Site for
Business" and learn everything you need to know about using SSL to
encrypt your e-commerce transactions for serious online security.
Click here!
   http://list.winnetmag.com/cgi-bin3/flo?y=eMrg0CJgSH0CBw014e0AY

6. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I PREVENT WMP FROM PROCESSING HTML SCRIPTS CONTAINED
WITHIN MEDIA FILES?
   ( contributed by John Savill, http://www.windows2000faq.com )

A. Microsoft Security Bulletin MS02-032 (Cumulative Patch for Windows
Media Player) identifies several version-specific patches to secure
Windows Media Player (WMP) against script attacks. To manually disable
WMP's HTML-processing feature, perform the following steps:

   1. Start a registry editor (e.g., regedit.exe).
   2. Navigate to the
      HKEY_CURRENT_USER\Software\Microsoft\MediaPlayer\Preferences
      registry subkey.
   3. From the Edit menu, select New, DWORD Value.
   4. Enter a name of PlayerScriptCommandsEnabled, then press Enter.
   5. Double-click the new value, set it to 0 to prevent WMP from
processing HTML scripts in media files, then click OK.
   6. Close the registry editor.
   7. Restart WMP.
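
The same change can be scripted. The PowerShell below is an added example, not part of the original FAQ; it uses the registry subkey and value name from steps 2 and 4, and the function names are hypothetical. It records the previous setting, writes the DWORD, and verifies the result.

```powershell
# Added example: applies the FAQ's registry change for the current user.
# The key path and value name come from the FAQ steps; the function names
# are hypothetical helpers introduced for this example.
$keyPath   = 'HKCU:\Software\Microsoft\MediaPlayer\Preferences'
$valueName = 'PlayerScriptCommandsEnabled'

function Get-WmpScriptSetting {
    # Returns the current DWORD, or $null if the key or the value is absent.
    if (-not (Test-Path -Path $keyPath)) { return $null }
    $props = Get-ItemProperty -Path $keyPath -Name $valueName `
                              -ErrorAction SilentlyContinue
    if ($null -eq $props) { return $null }
    return $props.$valueName
}

function Disable-WmpScriptCommands {
    # Create the Preferences subkey if it does not exist yet for this user.
    if (-not (Test-Path -Path $keyPath)) {
        New-Item -Path $keyPath -Force | Out-Null
    }
    # -Force overwrites an existing value, so repeated runs are harmless.
    New-ItemProperty -Path $keyPath -Name $valueName `
                     -PropertyType DWord -Value 0 -Force | Out-Null
}

$before = Get-WmpScriptSetting
Disable-WmpScriptCommands
$after  = Get-WmpScriptSetting

# Fail loudly if the write did not take effect (for example, a policy
# or permission problem on the key).
if ($after -ne 0) {
    throw "Could not set $valueName to 0 under $keyPath"
}

$beforeText = if ($null -eq $before) { '(not set)' } else { $before }
Write-Output ("{0}: {1} -> {2}" -f $valueName, $beforeText, $after)
Write-Output 'Restart WMP for the change to take effect.'
```

Because the value lives under HKEY_CURRENT_USER, the script changes only the account that runs it; run it in each user's session (for example, from a logon script) to cover every user of a machine.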

7. ==== NEW AND IMPROVED ====
   (contributed by Judy Drennen, products () winnetmag com)

* NEW EMAIL SECURITY TESTS
   GFI's Email Security Testing Zone launched three new free email
tests. Administrators can test whether their networks are protected
against attacks using the Iframe Remote and Object Codebase exploits
and whether their antivirus software is working. Email users can sign
up for these tests by submitting their names and email addresses to
GFI's Email Security Testing Zone.
   http://www.gfi.com/emailsecuritytest

* INTRUSION PROTECTION SOFTWARE
   Abtrusion Security announced Abtrusion Protector, an intrusion and
virus protection software for Windows NT OSs. The software verifies
that a file is permitted to execute. If the software doesn't recognize
the file, Abtrusion Protector prevents Windows from loading it.
Abtrusion Protector works with firewalls and antivirus scanners and
provides a last line of defense against malicious software. The
software is undergoing beta testing for release later this year. For
noncommercial private use, Abtrusion Protector is available for free.
Abtrusion Security licenses the product for corporate use at $20 per
workstation. Server licenses are $400. Volume discounts are available.
For more information, email Abtrusion Security at info () abtrusion com
or go to the Web site.
   http://www.abtrusion.com

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

8. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: Recovery Console Password Recovery
   (One message in this thread)

Kris believes that when he promotes a Windows 2000 server to a domain
controller (DC), the local Administrator account is no longer
accessible but might still be used for functions such as booting to
the Recovery Console (RC) and restoring Active Directory (AD). Kris
wants to know whether this is true and, if so, how he can get to the
LAN Manager (LM)/NT LAN Manager (NTLM) hashes for the local
Administrator account to run a password cracker against it. Read the
responses or lend a hand:
   http://www.secadministrator.com/forums/thread.cfm?thread_id=110175

9. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- vpatterson () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

********************

   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise.
Subscribe today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
   http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.


MANAGE YOUR ACCOUNT
   You can manage your entire Windows & .NET Magazine Network email
newsletter account on our Web site. Simply log on and you can change
your email address, update your profile information, and subscribe or
unsubscribe to any of our email newsletters all in one place.
   http://www.winnetmag.com/email

Thank you!



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

