Subject: Security UPDATE, March 26, 2003
Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows Server 2003, Windows 2000, and Windows NT systems. http://www.secadministrator.com
March 26, 2003--In this issue:
1. IN FOCUS
   - Security Research: A Double-Edged Sword
2. SECURITY RISKS
   - Code Execution Vulnerability in Windows Script Engine
   - DoS in Microsoft ISA Server
3. ANNOUNCEMENTS
   - Get a Sample Issue of Exchange & Outlook Administrator
   - Get the eBook That Will Help You Get Certified!
4. SECURITY ROUNDUP
   - News: New Book Helps You Manage Corporate Security
   - News: Microsoft Warns About IIS WebDAV Component
5. SECURITY TOOLKIT
   - Virus Center
   - FAQ: How Can I Use DiskPart to Create a RAID 5 Set?
6. NEW AND IMPROVED
   - Track Configuration Changes
   - Secure Enterprise with Firewall/VPN Appliance
   - Submit Top Product Ideas
7. HOT THREADS
   - Windows & .NET Magazine Online Forums
   - Featured Thread: IIS Server Security
8. CONTACT US
   See this section for a list of ways to contact us.
* SECURITY RESEARCH: A DOUBLE-EDGED SWORD
Many people work to discover security risks in software and also to ensure that users aren't unnecessarily exposed to those risks. In the past, researchers often released complete details about security problems and simultaneously notified the public at large about the problems--while everyone awaited the vendor's response, including the production of a patch.
Over the past couple of years, most researchers have changed how they handle the security risks they discover. Currently, most researchers report their findings to the appropriate vendor and give the vendor enough information to create an adequate patch. Researchers typically try to work within vendors' time frames for patch production and customer notification. When vendors aren't responsive enough or completely fail to acknowledge and repair security problems in their products, researchers usually release details about the discovered problems, sometimes accompanied by scathing remarks about the vendors' lackadaisical attitude.
Some time ago, several companies (including but not limited to Microsoft, @stake, Foundstone, Oracle, Internet Security Systems--ISS, Guardent, BindView) teamed together to form the Organization for Internet Safety (OIS). One of OIS's first projects was to draft a specification that includes guidelines to help security researchers and product vendors interact to achieve vulnerability remedies and reporting procedures for public notification.
From what I understand, the specification is close to completion, and it should help researchers--whether independent or not--fine-tune how they handle their discoveries. Security forum operators might also use the guidelines to support a sense of diplomacy and responsibility among today's security researchers.
One team of researchers, CERT, already has a process in place that defines the way the organization handles problems reported to it. CERT works to ensure that vendors know about discovered security problems and coordinates with vendors to release information to the public. CERT and various vendors pass information back and forth and prepare bulletins for public notification.
However, at least one rogue researcher has been undermining CERT's efforts to protect the public at large. Over the past couple of weeks, someone has posted four messages to public discussion forums that leaked sensitive information before CERT had a chance to finish its coordinated process. During the CERT process, someone gained unpublished vulnerability information and anonymously exposed it to potential intruders before vendors had time to finish their coordinated efforts to protect users. You can read about the problem in the "eWeek" story "More CERT Documents Leaked." http://www.eweek.com/article2/0,3959,962679,00.asp
I think you'll agree that this behavior is irresponsible, self-centered, and manipulative. The anonymous person who posted the stolen vulnerability information has pledged to continue leaking CERT bulletin data--that is, until CERT finds out who's leaking the information and changes its process to prevent the exploitation. The anonymous person thinks that vulnerability information should be available to potential intruders before administrators have time to patch or modify their systems for better protection.
Such irresponsible activity might eventually place a heavy burden on mailing list operators to better research messages sent to their lists for publication. Right now, security mailing list moderators basically ensure messages are relevant to list topics, and they guide conversation to limit inordinate amounts of fruitless discussion. However, posting on-topic information that any user wants to submit can be a problem, as we see in this matter of publishing vulnerability information leeched from CERT. Such actions place list moderators in a difficult situation because moderators can't always know where or how users obtain their submitted information.
* CODE EXECUTION VULNERABILITY IN WINDOWS SCRIPT ENGINE
A new vulnerability in the Windows Script Engine can result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from a flaw in the way the Windows Script Engine for JScript processes information. Microsoft has released Security Bulletin MS03-008 (Flaw in Windows Script Engine Could Allow Code Execution) to address this vulnerability and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=38384
* DoS IN MICROSOFT ISA SERVER
A new vulnerability in Microsoft Internet Security and Acceleration (ISA) Server 2000 can result in a Denial of Service (DoS) condition. This vulnerability stems from a flaw in the way ISA Server's DNS intrusion-detection application filter handles a specific type of request when the filter scans incoming DNS requests. Microsoft has released Security Bulletin MS03-009 (Flaw In ISA Server DNS Intrusion Detection Filter Can Cause Denial Of Service) to address this vulnerability and recommends that affected users immediately apply the patch mentioned in the bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=38385
* GET A SAMPLE ISSUE OF EXCHANGE & OUTLOOK ADMINISTRATOR
Exchange & Outlook Administrator, the monthly print newsletter from Windows & .NET Magazine, gives you the in-depth articles you need to secure, maintain, and troubleshoot your messaging environment. Try an issue of Exchange & Outlook Administrator, and discover for yourself what our expert authors know that you don't. Click here!
http://www.exchangeadmin.com/rd.cfm?code=fsei233xup
* GET THE eBOOK THAT WILL HELP YOU GET CERTIFIED!
The "Insider's Guide to IT Certification," from the Windows & .NET Magazine Network, has one goal: to help you save time and money on your quest for certification. Find out how to choose the best study guides, save hundreds of dollars, and be successful as an IT professional. The amount of time you spend reading this book will be more than made up by the time you save preparing for your certification exams. Order your copy today!
http://winnet.bookaisle.com/ebookcover.asp?ebookid=13475
* NEWS: NEW BOOK HELPS YOU MANAGE CORPORATE SECURITY
Butterworth-Heinemann has released a new book, "The Manager's Handbook for Corporate Security: Establishing and Managing a Successful Assets Protection Program," that helps managers learn how to better handle corporate security needs. A company spokesperson said that the new book, by Gerald Kovacich and Edward Halibozek, covers a range of information, including physical security, information security, merger and acquisitions security, emergency/contingency planning, executive protection, personnel security, event security, and many other security processes.
http://www.secadministrator.com/articles/index.cfm?articleid=38394
* NEWS: UPDATE: MICROSOFT WARNS ABOUT IIS WEBDAV COMPONENT
Microsoft issued Security Bulletin MS03-007 (Unchecked Buffer In Windows Component Could Cause Web Server Compromise) regarding a serious problem in WWW Distributed Authoring and Versioning (WebDAV). Users who installed Microsoft's URLScan tool for Microsoft IIS were thought to be protected against intrusion from this latest vulnerability--unless they modified the URLScan configuration in a way that would keep it from catching excessively long URLs. However, Russ Cooper posted a message to the NTBugTraq mailing list stating that Mark and David Litchfield of Next Generation Security Software (NGSSoftware) had discovered variant ways to exploit such an attack on IIS systems, and that based on knowledge Cooper has about the matter, disabling WebDAV wouldn't stop these attacks. The only way to prevent the attacks is to load the patch immediately. To read the original article and link to the Microsoft bulletin and patch, click on the URL below.
http://www.secadministrator.com/articles/index.cfm?articleid=38374
* VIRUS CENTER
Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
http://www.secadministrator.com/panda
* FAQ: HOW CAN I USE DISKPART TO CREATE A RAID 5 SET?
(contributed by John Savill, http://www.windows2000faq.com)
A. A RAID 5 set consists of data spread across three physical disks, of which one can fail without causing any data loss. To use the DiskPart utility from the "Microsoft Windows 2000 Server Resource Kit" or the "Microsoft Windows 2000 Professional Resource Kit" to create a RAID 5 set, perform the following steps:
1. Download and install the DiskPart utility from the Microsoft Web site.
2. Go to Start, Run, then type "cmd" to start a command-line session.
3. Type "diskpart" to start a DiskPart session.
4. Type "create volume raid size= 6.
* TRACK CONFIGURATION CHANGES
Ecora Software released Ecora Enterprise Auditor 3.0, a product suite for automated, cross-platform configuration reporting and change management. The software installs on an administrative desktop (no agents required) and collects configuration data from Windows, UNIX, Linux, Novell NetWare, Cisco Systems, Microsoft SQL Server, Exchange Server, IIS, Active Directory (AD), Citrix, Oracle, and Lotus Domino platforms into a SQL Server database. The data can be used to audit, report, and identify and track changes. Hundreds of built-in reports are incorporated, and a drag-and-drop interface lets you create customized Fact Finding Reports. You can run reports interactively, schedule them for off-hours, or schedule them to run regularly. Ecora Enterprise Auditor 3.0 gives you a before and after view for all changes and lets you observe changes that took place in any given time period. Contact Ecora Software at 877-923-2672, 603-436-1616, and email@example.com.
http://www.ecora.com
* SECURE ENTERPRISE WITH FIREWALL/VPN APPLIANCE
WatchGuard Technologies announced the Firebox V60L, a wire-speed 100Mbps firewall for midsized enterprises that provides 50Mbps Triple DES (3DES) VPN throughput and up to 150 VPN tunnels. The 1U (1.75") appliance supports network separation with multiple LAN interfaces and includes networking features such as Quality of Service (QoS), dynamic routing, server load balancing, and Virtual LAN (VLAN) support. The Firebox V60L is based on an intelligent custom security application-specific integrated circuit (ASIC) that accelerates firewall, VPN, Network Address Translation (NAT), and QoS actions. Secure central management is Java-based. Available through distributors or resellers, the price is $3990. Contact WatchGuard at 800-734-9905 and 206-521-8340.
http://www.watchguard.com
* SUBMIT TOP PRODUCT IDEAS
Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to firstname.lastname@example.org.
* WINDOWS & .NET MAGAZINE ONLINE FORUMS
http://www.winnetmag.com/forums
Featured Thread: IIS Server Security (Three messages in this thread)
A user writes that he has Windows 2000 Server running Microsoft IIS for his organization's Web site, which uses Secure Sockets Layer (SSL). He says he's diligent about making sure that all Win2K Server, IIS, and Microsoft Internet Explorer (IE) patches have been installed. He wants to know whether any software applications he can install on his Web server will further enhance its security. Lend a hand or read the responses:
http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=56028
* ABOUT IN FOCUS -- email@example.com
* ABOUT THE NEWSLETTER IN GENERAL -- firstname.lastname@example.org (please mention the newsletter name in the subject line)
* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums
* PRODUCT NEWS -- email@example.com
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer Support -- firstname.lastname@example.org
* WANT TO SPONSOR SECURITY UPDATE? email@example.com
Thank you for reading Security UPDATE.
Copyright 2003, Penton Media, Inc.