Information Security News mailing list archives

Security UPDATE, January 2, 2002


From: InfoSec News <isn () c4i org>
Date: Thu, 3 Jan 2002 00:13:32 -0600 (CST)

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows .NET, 2000, and NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

VeriSign--The Value of Trust
   http://list.winnetmag.com/cgi-bin3/flo?y=eJ1H0CJgSH0CBw0Lo50AX 

Connected Home Magazine
   http://list.winnetmag.com/cgi-bin3/flo?y=eJ1H0CJgSH0CBw0oUX0AH 
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: VERISIGN--THE VALUE OF TRUST ~~~~
   Secure your servers with 128-bit SSL encryption! Grab your copy of 
VeriSign's FREE Guide, "Securing Your Web site for Business," and 
you'll learn everything you need to know about using 128-bit SSL to 
encrypt your e-commerce transactions, secure your corporate intranets 
and authenticate your Web sites. 128-bit SSL is serious security for 
your online business. Get it now!
   http://list.winnetmag.com/cgi-bin3/flo?y=eJ1H0CJgSH0CBw0Lo50AX 

********************

January 2, 2002--In this issue:

1. IN FOCUS
     - Microsoft's Security Initiative Misses the Most Obvious Target

2. SECURITY RISKS
     - Multiple Vulnerabilities in Microsoft UPnP 
     - DoS in Microsoft Group Policy 
     - Multiple Vulnerabilities in Microsoft IE 6.0 and 5.5

3. ANNOUNCEMENTS
     - Windows & .NET Magazine Spring 2002 Conference Schedule
     - If You Like Reading This UPDATE, You'll Love . . .      

4. SECURITY ROUNDUP
     - News: FBI Issues Windows XP Warning; Pundits Jump on Microsoft
     - News: Datakey Partners with CA for Single Sign-On Authentication
     - News: Kaspersky Antivirus Suite Now Available in French, 
       Spanish, German, and Italian
     - News: Microsoft's New Partner Program for Security Solutions
     - News: Microsoft Releases Cumulative IE Patch

5. INSTANT POLL
     - Results of Previous Poll: ISP Response
     - Instant Poll: Hunting Bugs

6. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Disable the New Features of the Windows XP and 
       Windows 2000 Shell?

7. NEW AND IMPROVED
     - Enforce Security Configurations for Remote PCs
     - Stop Viruses Before They Hit the Network

8. HOT THREADS
     - Windows 2000 Magazine Online Forums
         - Featured Thread: Lost Windows 2000 Password
     - HowTo Mailing List:
         - Featured Thread: NetBIOS Trouble

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====

* MICROSOFT'S SECURITY INITIATIVE MISSES THE MOST OBVIOUS TARGET 

Hello everyone,

Certainly you've heard about the recent security concerns with 
Microsoft's Universal Plug and Play (UPnP) implementation. The problems 
let intruders completely take over an affected system. You can read 
more about the problems in our vulnerability report in the SECURITY 
RISKS section of this newsletter and in Paul Thurrott's news story in 
the SECURITY ROUNDUP section. 

Microsoft originally released Security Bulletin MS01-054 about UPnP on 
November 1, 2001, and amended the bulletin on November 13. Yet we're 
still finding other serious problems in the UPnP service. What's wrong 
with this picture? 

On October 10, I wrote about Microsoft's new Strategic Technology 
Protection Program (STPP), which is designed to help companies "get 
secure and stay secure." (Go to the URL below to read the editorial.) I 
questioned whether such a program is enough to bolster the security of 
Windows-based networks, and Microsoft commented that it developed the 
new tools to help its developers write better code. Obviously, the 
efforts are just not enough, as evidenced by the company's three 
attempts to eliminate serious problems with UPnP.
   http://www.secadministrator.com/articles/index.cfm?articleid=22860

Even though Microsoft was aware of serious problems with its UPnP 
implementation, the company didn't make an adequate effort to discover 
and remedy all the possible bugs. This isn't the first time Microsoft 
has failed to thoroughly examine faulty components to ensure that all 
bugs are removed--it's happened numerous times over the years. So we're 
still left to wonder what other services and applications still contain 
gaping holes that leave users exposed to intruders. I suspect that when 
Microsoft first published Security Bulletin MS01-054, intruders 
immediately tried to discover how far Microsoft went toward correcting 
errors in its UPnP code. eEye Digital Security (who discovered this 
latest UPnP problem) once again reveals that Microsoft has fallen short 
of thorough research about services known to contain faults.

Why hasn't Microsoft applied its much-ballyhooed STPP program to 
itself? How can Microsoft lead companies to believe it can help secure 
their systems and networks through STPP when the company can't even 
squash all the known bugs in its application and service code? Why 
hasn't Microsoft contracted with excellent bug hunters (e.g., eEye 
Digital Security and others) to help investigate compiled code for 
dangerous risks? 

The problem is glaring at this point, and Microsoft's lack is putting 
all Windows users at further risk. Microsoft will probably claim once 
again that writing bug-free code is incredibly difficult--which is 
true--and that it's hard to hunt down bugs in code after the fact. But 
as intruders continually prove, finding bugs is not as hard as some 
might wish us to believe. It simply takes time, money, and lots of 
cooperation--investments Microsoft should consider making.
   http://www.secadministrator.com/articles/index.cfm?articleid=23161

Microsoft recently announced a new "Gold Certified Partner Program for 
Security Solutions" (URL below), which through its membership 
guidelines prevents member companies from informing anyone about newly 
discovered security problems--presumably even their own customers--
until Microsoft has developed and released a patch. Even after the 
patch becomes available, Microsoft forbids partners from publicly 
disclosing any details of vulnerabilities that might let nonpartners 
develop code to further investigate these vulnerabilities. How would 
those guidelines have affected the situation concerning this latest 
UPnP risk, given the fact that the bugs let someone hijack users' 
systems? Security consulting firms have rested on their laurels for 
years without any "gold certification" from Microsoft, so it's rather 
puzzling to contemplate how any partnership would benefit security 
researchers, consultants, and Windows users.
   http://www.secadministrator.com/Articles/Index.cfm?ArticleID=23587

We're conducting a new survey this week. We'd like to know if you think 
Microsoft should continue to hunt for security bugs on its own, 
contract with bug hunters, or release source code for public bug 
hunting efforts? Please stop by our home page and take the Instant 
Poll. 

Before I sign off this week, I want to let you know that a reader 
pointed out that although Microsoft's Windows Update Web site is a 
decent and adequate service that truly helps users discover what 
patches they need to apply, the service lacks protection for customers 
who download and install patches. The Web-based service doesn't allow 
Secure Sockets Layer (SSL) connections and thus leaves the Windows 
update process more vulnerable to man-in-the-middle attacks. Surprised? 
   http://windowsupdate.microsoft.com

Until next time, have a great week. 

Sincerely,

Mark Joseph Edwards, News Editor
mark () ntsecurity net
********************

~~~~ SPONSOR: CONNECTED HOME MAGAZINE ~~~~
   Connected Home Magazine--Try It Free!
   Connected Home Magazine is the new magazine to help you manage all 
the PCs, devices, and components in your home and in your life. We can 
show you how to install a home network, tackle home automation, build a 
home theater system, or integrate your PDA with your PC. Get a free 
sample of the February/March issue today!
   http://list.winnetmag.com/cgi-bin3/flo?y=eJ1H0CJgSH0CBw0oUX0AH 

2. ==== SECURITY RISKS ====

* MULTIPLE VULNERABILITIES IN MICROSOFT UPNP
   Multiple vulnerabilities exist in Microsoft's implementation of 
Universal Plug and Play (UPnP). The first vulnerability is a remotely 
exploitable buffer overflow that can result in system-level access to 
the host. This vulnerability results from an unchecked buffer in one of 
the service's components that handles notify directives. The second 
vulnerability involves a variant of this first vulnerability; the UPnP 
service doesn't take sufficient steps to limit how far the service goes 
to obtain information about a discovered service. Microsoft has 
released a patch for the problems, and the National Infrastructure 
Protection Center (NIPC) recommends that users disable the service. 
   http://www.secadministrator.com/articles/index.cfm?articleid=23594

* DOS IN MICROSOFT GROUP POLICY 
   A Denial of Service (DoS) condition exists in Windows 2000 Group 
Policy. Win2K's file-locking mechanism might let an application put an 
exclusive lock on a file, making that file unavailable to another 
application, even if that application doesn't attempt to lock the file. 
The OS doesn't check file permissions before locking occurs, so even 
unprivileged users can lock files. Microsoft hasn't released a fix or 
workaround for this problem.
   http://www.secadministrator.com/articles/index.cfm?articleid=23582

* MULTIPLE VULNERABILITIES IN MICROSOFT IE 6.0 AND 5.5
   Three new vulnerabilities exist in Microsoft Internet Explorer (IE) 
6.0 and 5.5. The first vulnerability results from a problem in the way 
that IE handles the Content-Type and Content-Disposition header fields 
in an HTML stream. By modifying these fields in a specific way, an 
attacker can fool IE into thinking that the file is a different file 
type, and the attacker can insert harmful files. To work around this 
problem, users must disable file downloads under the appropriate IE 
security zones. The second vulnerability involves a variant of the 
Frame Domain Verification vulnerability that lets a malicious intruder 
use a Web site to read any file on the local computer. The third 
vulnerability involves a problem with the filenames that IE displays in 
the File Download dialog box. In an attempt to trick the user, an 
attacker can use this vulnerability to misrepresent the name of the 
file presented for download. Microsoft has released Security Bulletin 
MS01-058 to address these vulnerabilities and recommends that affected 
users apply the patch provided at this URL. This patch is a cumulative 
rollup of all patches the company has previously issued for these 
versions of IE. Microsoft no longer supports previous IE versions. 
   http://www.secadministrator.com/articles/index.cfm?articleid=23552

3. ==== ANNOUNCEMENTS ====

* WINDOWS & .NET MAGAZINE SPRING 2002 CONFERENCE SCHEDULE
   Save these dates! Windows & .NET Magazine LIVE! and SQL Server 
Magazine LIVE! are scheduled for May 5 through 8, 2002, in Palm 
Springs, California. Microsoft ASP.NET Connections and Visual Studio 
Connections run from April 30 through May 3, 2002, in New Orleans. For 
more information, go to the following URL. 
   http://list.winnetmag.com/cgi-bin3/flo?y=eJ1H0CJgSH0CBw0pXI0A5 

* IF YOU LIKE READING THIS UPDATE, YOU'LL LOVE . . .
   Windows & .NET Magazine UPDATE. Every Tuesday, we deliver news, 
commentary, and tips so that, in about 5 minutes, you can catch up on 
the latest Windows industry happenings, learn a new skill, and face 
your day a little more informed. It's free, so subscribe today! 
   http://www.winnetmag.com/email/index.cfm?id=1

4. ==== SECURITY ROUNDUP ====

* NEWS: FBI ISSUES WINDOWS XP WARNING; PUNDITS JUMP ON MICROSOFT 
   After speaking with Microsoft officials, the National Infrastructure 
Protection Center (NIPC), an arm of the Federal Bureau of Investigation 
(FBI), issued an advisory late last week regarding the Universal Plug 
and Play (UPnP) vulnerability in Windows XP. To learn more, go to the 
URL below.
   http://www.secadministrator.com/articles/index.cfm?articleid=23598

* NEWS: DATAKEY PARTNERS WITH CA FOR SINGLE SIGN-ON AUTHENTICATION 
   Datakey announced that it has partnered with Computer Associates 
(CA) and received CA's "ca smart" certification for its smart card 
single sign-on (SSO) and authentication technology. 
   http://www.secadministrator.com/articles/index.cfm?articleid=23593

* NEWS: KASPERSKY ANTIVIRUS SUITE IS NOW AVAILABLE IN FRENCH, SPANISH, 
GERMAN, AND ITALIAN 
   Kaspersky Labs, a data-security software-development company, 
announced that its Kaspersky Anti-Virus suite is now available in 
French, Spanish, German, and Italian.
   http://www.secadministrator.com/articles/index.cfm?articleid=23592

* NEWS: MICROSOFT'S NEW PARTNER PROGRAM FOR SECURITY SOLUTIONS 
   Microsoft announced its new Gold Certified Partner Program for 
Security Solutions, along with a list of requirements that partners 
must meet on an ongoing basis to maintain partner status. 
   http://www.secadministrator.com/articles/index.cfm?articleid=23587

* NEWS: MICROSOFT RELEASES CUMULATIVE IE PATCH 
   Microsoft released a new patch that fixes all known security 
vulnerabilities in Internet Explorer (IE) 6.0 and IE 5.5 Service Pack 2 
(SP2).
   http://www.secadministrator.com/articles/index.cfm?articleid=23548

5. ==== INSTANT POLL ====

* RESULTS OF PREVIOUS POLL: ISP RESPONSE
   The voting has closed in Windows & .NET Magazine's Security 
Administrator Channel nonscientific Instant Poll for the question, "If 
you caught someone intruding into your network and you reported it to 
your ISP, did the ISP respond immediately?" Here are the results (+/-2 
percent) from the 287 votes:
  17% a) Yes
  83% b) No
  
* INSTANT POLL: HUNTING BUGS
   The current Instant Poll question is, "Should Microsoft continue to 
hunt bugs alone, contract with bug hunters, or release source code for 
public bug-hunting efforts?" The choices are 1) Continue to do it 
alone, 2) Contract with bug hunters to assist, 3) Release source code 
for public efforts, or 4) Answers 2 and 3 above. Go to the Security 
Administrator Channel home page and submit your vote.
   http://www.secadministrator.com 

6. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed 
to bring you the Center for Virus Control. Visit the site often to 
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I DISABLE THE NEW FEATURES OF THE WINDOWS XP AND WINDOWS 
2000 SHELL?
   ( contributed by John Savill, http://www.windows2000faq.com )

A. You can use Group Policy to disable the new features (e.g., Active 
Desktop, quick launch, Web view) of the XP and Win2K shell and 
configure the classic shell. To configure the classic shell, perform 
the following steps: 

   1. Open Group Policy in Group Policy Editor (GPE). 
   2. Expand User Configuration, Administrative Templates, Windows
   Components, Windows Explorer. 
   3. Double-click Enable Classic Shell. 
   4. Select Enabled, and click OK. 
   5. Close GPE. 

You can also use the registry to configure this setting by performing 
the following steps: 

   1. Start a registry editor (e.g., regedit.exe). 
   2. Navigate to
   HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer.
   3. From the Edit menu, select New - DWORD Value. 
   4. Enter a name of ClassicShell, and press Enter. 
   5. Double-click the new value, set it to 1, and click OK. 
   6. Close the registry editor.
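
The registry steps above can also be scripted. The following PowerShell is an added example, not part of the original FAQ; the function name Set-ClassicShellPolicy is hypothetical, and the script assumes it runs in the session of the user whose HKEY_CURRENT_USER hive should change.

```powershell
# Added illustration: applies the ClassicShell value from the FAQ steps
# to the current user's hive and reports the value before and after.
# Set-ClassicShellPolicy is a hypothetical name, not a built-in cmdlet.
function Set-ClassicShellPolicy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        # 1 enables the classic shell (as in the FAQ); 0 turns the policy off.
        [ValidateSet(0, 1)]
        [int]$Value = 1
    )

    $path = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    $name = 'ClassicShell'

    # The Policies\Explorer key may be absent on a fresh profile; create it first.
    if (-not (Test-Path -Path $path)) {
        if ($PSCmdlet.ShouldProcess($path, 'Create registry key')) {
            New-Item -Path $path -Force | Out-Null
        }
    }

    # Record the current value (null if unset) so the change is auditable.
    $before = (Get-ItemProperty -Path $path -Name $name `
        -ErrorAction SilentlyContinue).$name

    if ($before -ne $Value) {
        if ($PSCmdlet.ShouldProcess("$path\$name", "Set DWORD to $Value")) {
            # -Force creates the DWORD value or overwrites an existing one.
            New-ItemProperty -Path $path -Name $name -PropertyType DWord `
                -Value $Value -Force | Out-Null
        }
    }

    # Read the value back rather than assuming the write succeeded.
    $after = (Get-ItemProperty -Path $path -Name $name `
        -ErrorAction SilentlyContinue).$name

    [pscustomobject]@{
        Path   = $path
        Name   = $name
        Before = $before
        After  = $after
    }
}

# Preview the change first, then apply it.
Set-ClassicShellPolicy -Value 1 -WhatIf
Set-ClassicShellPolicy -Value 1
```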

7. ==== NEW AND IMPROVED ====
   (contributed by Scott Firestone, IV, products () winnetmag com)

* ENFORCE SECURITY CONFIGURATIONS FOR REMOTE PCS
   InfoExpress released the CyberGatekeeper Suite, which gives users 
one platform to define and enforce security configurations for remote 
PCs to access corporate networks. The software proactively enforces 
corporate security by auditing remote systems to ensure that they're 
safe before they can access the network. If a system isn't safe, 
CyberGatekeeper automatically shuts down access to the network. The 
suite includes CyberGatekeeper Agent, which monitors the remote system 
and reports back to the CyberGatekeeper Server. Prices start at $59 per 
seat and $4995 for the server. Contact InfoExpress at 650-623-0260.
   http://www.infoexpress.com

* STOP VIRUSES BEFORE THEY HIT THE NETWORK
   Ositis Software released AVStripper, a hardware product that stops 
viruses before they penetrate the corporate network. The product is 
self-updating and implements current antivirus files and pattern 
updates without any intervention from the network administrator. 
AVStripper comes bundled with Trend Micro's antivirus-scanning engine. 
For pricing, contact Ositis Software at 925-225-8900 or 888-946-7769.
   http://www.ositis.com

8. ==== HOT THREADS ====

* WINDOWS 2000 MAGAZINE ONLINE FORUMS
   http://www.winnetmag.net/forums 

Featured Thread: Lost Windows 2000 Password 
   (Four messages in this thread)

Mark has a Win2K Professional user who has lost his logon password. The 
user's computer is not on a network. Mark wants to know whether he can 
recover the lost password without reinstalling the OS. Can you help? 
Read the responses or lend a hand at the following URL: 
   http://www.secadministrator.com/forums/thread.cfm?thread_id=89511
   
* HOWTO MAILING LIST
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: NetBIOS Trouble
   (Eleven messages in this thread)

Alexey has a problem with NetBIOS. He has three computers, two running 
Windows 98 and one running Windows NT. One computer running Win98 sees 
the other two computers on the network, but the two others (the NT 
system and the other Win98 system) can ping but can't see each other. 
Read the responses or lend a hand at the following URL:
   http://63.88.172.96/listserv/page_listserv.asp?a2=ind0112b&l=howto&p=189

9. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- mlibbey () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.net/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

********************

   Receive the latest information about the Windows and .NET topics of 
your choice. Subscribe to our other FREE email newsletters.
   http://www.winnetmag.net/email

|-+-+-+-+-+-+-+-+-+-| 

Thank you for reading Security UPDATE.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.

