Windows & .NET Magazine Security UPDATE--July 2, 2003

===============

==== This Issue Sponsored By ====

Shavlik http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB076e0AA

Panda Security http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBDp0Aq

==========

1. In Focus: Win2K SP4: A Few Things to Know

2. Security Risks - Vulnerability in Microsoft WMP 9 Could Allow Media Library Access - Arbitrary Code-Execution Vulnerability in Microsoft Windows Media Server - Buffer-Overflow Vulnerability in Alt-N Technologies WebAdmin.exe - Multiple Buffer Overflows in Atrium Software MERCUR Mail Server

3. Announcements - Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas - Windows & .NET Magazine Connections: Fall Dates Announced

4. Security Roundup - News: Windows 2003 SP1 to Feature New Security Tool - News: Microsoft's Gates Opens War on Spam - Feature: Snort Reporting and Alerting

5. Security Toolkit - Virus Center - FAQ: Why Can't I Access the Encrypted Data on My Clustered Shared Disk?

6. Event - New--Mobile & Wireless Road Show! 7. New and Improved - Prevent Threats to Web Servers - Submit Top Product Ideas

8. Hot Thread - Windows & .NET Magazine Online Forums - Featured Thread: Gpedit vs. Security Templates

9. Contact Us See this section for a list of ways to contact us.

==========

==== Sponsor: Shavlik ==== Get FREE 25% Maintenance and Easily Deploy Win2K SP4! Get FREE 25% maintenance for the first year & manage Win2K SP4 when you order HFNetChkPro by 7/31/03! Easily scan for & install Win2K SP4 with Shavlik HFNetChkPro and make a powerful impact on your enterprise security. Now's the time to get patched and stay patched with the leading security patch management solution. Download our free version at http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB076e0AA

==========

==== 1. In Focus: Win2K SP4: A Few Things to Know ==== by Mark Joseph Edwards, News Editor, mark@ntsecurity.net

Microsoft has released Windows 2000 Service Pack 4 (SP4). So far, I haven't heard about any installation problems, except on Citrix MetaFrame XP systems, and I don't know exactly what those problems are. You can find installation information in our Windows & .NET Magazine Forums discussions at the following URL: http://63.88.172.222/forums/messageview.cfm?catid=10&threadid=39892

As usual, the new service pack contains all the previous fixes that Microsoft has made available for Win2K. SP4 might offer a good way for you to update systems with all fixes available. I'm aware of one caveat--though so far few users have openly complained about the following occurrence.

If you have Windows Update service disabled on your systems--and I'm willing to bet that most of you do--when you install SP4, the installation program reenables Windows Update without notifying you. That move isn't exactly user-friendly, so heads up.

Also, you should take time to read the SP4 Supplemental End User License Agreement (EULA). You'll notice that Item 3, "Automatic Internet-based Services," describes several features that automatically contact Microsoft or third-party computers--in some cases, without prompting you before doing so.

In five instances, Win2K might contact Microsoft without prompting you first. The first is, of course, the Windows Update service itself. Microsoft points out that when you connect a device to your system, the correct device driver might not already be on your system. So for "ease of use" regarding Plug and Play (PnP) functionality, your system might contact Microsoft's computers transparently to obtain the proper drivers.

The second instance is rather vague because Microsoft doesn't iterate all the circumstances under which such contact might occur. According to the company, "If you are connected to the Internet, several features of the software are enabled by default to retrieve content from Microsoft computer systems and display it to you. When you activate such a feature, it uses standard Internet protocols, which transmit the type of operating system, browser and language code of your Computer to the Microsoft computer system so that the content can be viewed properly from your Computer. These features only operate when you activate them, and you may choose to switch them off or not use them. An example of this feature is Appshelp." So you have one example, Appshelp, but Microsoft doesn't offer any other examples.

The third instance in which your system contacts Microsoft transparently involves X.509 digital certificate revocation lists (CRLs) and root authority updates. Your system might also contact third parties in the process of validating certificates.

The fourth instance involves Digital Rights Management (DRM). When you download licenses to use secured content, your system also receives a list of revoked content (DRM-secured content that has been compromised). Also, if content owners ask Microsoft to revoke licenses, the revocations will be included in any revocation list. You can switch off DRM features that access the Internet if you want to.

The final instance in which software might contact Microsoft transparently involves Windows Media Player (WMP). If you don't have the proper codec, when you try to play media, the software might check for new codecs. In addition, WMP periodically checks for updates to the player itself.

Another thing about SP4 is that if you install SP4 on a system that has SP2 installed, SP4 will upgrade that system to 128-bit encryption. Also, SP4 contains more than 650 patches. Some of those patches are reportedly new security patches, which, if true, is a good reason to install the service pack--although I'm not sure why Microsoft would place new security fixes in a service pack without releasing associated security bulletins.

Before you install SP4, take time to do some reading. Read the EULA, of course, and consider reading comments from those who've installed the service pack in our Forums or on your favorite mailing lists. You can find comments in our Forums by searching on "SP4". http://search.win2000mag.net/query.html?qt=SP4&st=1&rf=1

==========

==== Sponsor: Panda Security ====

Viruses like Bugbear.B are routinely infecting networks that are "fully protected". What to do? Is total protection possible? Find the answer in the free guide HOW TO KEEP YOUR COMPANY 100% VIRUS FREE from Panda Software. Learn how the latest viruses enter networks, what they can do, and the most effective weapons to combat them. Protect your network effectively and permanently - download this free guide today! http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBDp0Aq

==== 2. Security Risks ==== contributed by Ken Pfeil, ken@winnetmag.com

Vulnerability in Microsoft WMP 9 Could Allow Media Library Access Jelmer discovered that a new vulnerability in Microsoft Windows Media Player (WMP) 9 Series can result in the modification of Windows Media Library entries. This vulnerability stems from a flaw in the way an ActiveX control provides access to information on the user's computer. Microsoft has released Security Bulletin MS03-021 (Flaw In Windows Media Player May Allow Media Library Access) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=39398

Arbitrary Code-Execution Vulnerability in Microsoft Windows Media Server Brett Moore discovered that a new vulnerability in Windows 2000 can result in the execution of arbitrary code on the vulnerable computer. This vulnerability stems from a flaw in the way the Internet Server API (ISAPI) extension nsiislog.dll processes incoming client requests. Microsoft has released Security Bulletin MS03-022 (Flaw in ISAPI Extension for Windows Media Services Could Cause Code Execution) to address this vulnerability and recommends that affected users immediately apply the patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=39399

Buffer-Overflow Vulnerability in Alt-N Technologies WebAdmin.exe Mark Litchfield of Next Generation Security Software (NGSSoftware) discovered a buffer-overflow vulnerability in Alt-N Technologies' WebAdmin that can result in the execution of arbitrary code on the vulnerable computer. Alt-N Technologies has released a patch to fix this vulnerability. http://www.secadministrator.com/articles/index.cfm?articleid=39388

Multiple Buffer Overflows in Atrium Software MERCUR Mail Server NC Agent discovered multiple buffer-overflow vulnerabilities in Atrium Software International's MERCUR Mail Server 4.02.09 that can result in the execution of arbitrary code on the vulnerable computer. Atrium Software has released version 4.2.15.0, which doesn't contain these vulnerabilities. http://www.secadministrator.com/articles/index.cfm?articleid=39387

==== 3. Announcements ==== (from Windows & .NET Magazine and its partners)

Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas This is the world's premier technical IT security event, with lots of Windows sessions! 10 tracks, 15 training sessions, 1800 delegates from 30 nations including all of the top experts from CSOs to "underground" security specialists. See for yourself what the buzz is all about! Early-bird registration ends July 3. This event will sell out. http://www.blackhat.com

Windows & .NET Magazine Connections: Fall Dates Announced Jump-start your fall 2003 training plans by securing your seat for Windows & .NET Magazine Connections Fall, scheduled for November 2 through 6, 2003, in Orlando, Florida. Register now to receive the lowest possible registration fee. Call 800-505-1201 or 203-268-3204 for more information. http://www.devconnections.com

==== 4. Security Roundup ====

News: Windows 2003 SP1 to Feature New Security Tool The first service pack for Windows Server 2003--due in December--will include a roles-based Security Configuration Wizard that will provide administrators with a definitive list of the services required for each Windows 2003-based server. The wizard will be based on an XML database that includes information about Windows 2003, Exchange, SQL Server, and other Microsoft products. http://www.secadministrator.com/articles/index.cfm?articleid=39365

News: Microsoft's Gates Opens War on Spam In an open letter to customers posted to the Microsoft Web site, Chairman and Chief Software Architect Bill Gates pledged to step up his company's efforts to combat spam through technological innovation and partnerships with other companies and governments. Gates notes that spam is a "ridiculous ... nuisance and a distraction," and a plague that preys on less sophisticated email users, including children. http://www.secadministrator.com/articles/index.cfm?articleid=39389

Feature: Snort Reporting and Alerting Before you begin to use Snort, you'll want to know about some of the popular and effective reporting and alerting tools available, including the Analysis Console for Intrusion Databases (ACID) and Silicon Defense's SnortSnarf reporting tools--and receive tips about how to send real-time alerts when events trigger specific signatures. You can download the latest version of Snort, several reporting and alerting add-ons, and several good step-by-step white papers that describe how to configure and run Snort at Snort.org. If you haven't used Snort before, Jeff Fellinge recommends that you read these white papers before you do. To get a head start on using Snort, be sure to read the article on our Web site. http://www.secadministrator.com/articles/index.cfm?articleid=39235&pg=1&show=479

==== 5. Security Toolkit ====

Virus Center Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda

FAQ: Why Can't I Access the Encrypted Data on My Clustered Shared Disk? ( contributed by John Savill, http://www.windows2000faq.com )

A. If you're having trouble accessing encrypted data on a clustered shared disk, the reason might be that you're using a local profile rather than a roaming profile, and the server by which you accessed the shared disk has failed, leaving another machine in the cluster to host access. When you encrypt a file, the cluster node that provides access creates a certificate (i.e., an encryption key) and stores it in your profile. If the node fails, another node in the cluster will begin hosting the resource, and you'll no longer have the encryption key to access the data. To work around this problem, use a roaming profile or regularly export your encryption keys from the node where you encrypted the data to the other nodes where you might have local profiles.

==== 6. Event ====

New--Mobile & Wireless Road Show! Learn more about the wireless and mobility solutions that are available today! Register now for this free event! http://www.winnetmag.com/roadshows/wireless

==== 7. New and Improved ==== by Sue Cooper, products@winnetmag.com

Prevent Threats to Web Servers Privacyware released ThreatSentry, a threat-prevention and management solution for Windows Web servers. An advanced neural application that combines modeled metrics and machine learning, it offers protection from known and undocumented network threats and other misuse. ThreatSentry collects, analyzes, and organizes Microsoft IIS server events to create an evolving baseline of acceptable activity. ThreatSentry compares your server connections to this baseline to identify and prevent any activity that falls outside of acceptable parameters. You can configure the software to prevent suspicious connections, block untrusted IPs, generate error-code responses, or completely stop Web services. ThreatSentry supports Windows Server 2003/2000 and IIS 5.0. Contact Privacyware at 732-212-8110 or info@privacyware.com. http://www.privacyware.com

Submit Top Product Ideas Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to whatshot@winnetmag.com.

==== 8. Hot Thread ====

Windows & .NET Magazine Online Forums http://www.winnetmag.com/forums

Featured Thread: Gpedit vs. Security Templates (Three messages in this thread)

A user understands that on a single non-networked machine he can use predefined security templates (e.g., basicdc.inf) and compare them with the current setup. He wants to know whether these type of templates are applied to all users including administrators and whether they can be tailored for specific users or groups. Lend a hand or read the responses: http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=60584

==== Sponsored Links ====

FaxBack Integrate FAX into Exchange/Outlook (Whitepaper, ROI, Trial) http://www.faxback.com/w2ksponsorlink

AutoProf Jerry Honeycutt Desktop Deployment Whitepaper http://www.AutoProf.com/Update_TextLinks_2003_06_23.html

=========

==== 9. Contact Us ====

About the newsletter -- letters@winnetmag.com About technical questions -- http://www.winnetmag.com/forums About product news -- products@winnetmag.com About your subscription -- securityupdate@winnetmag.com About sponsoring Security UPDATE -- emedia_opps@winnetmag.com

=============== This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing Windows and related technologies. Subscribe today. http://www.secadministrator.com/sub.cfm?code=saei25xxup

Thank you! __________________________________________________________ Copyright 2003, Penton Media, Inc.