Security UPDATE, August 13, 2003

1. In Focus: The Risks of Sharing Vulnerability Information

2. Security Risks - DoS in Crob FTP Server 2.60.1

3. Announcements - Windows & .NET Magazine Connections: for Security-Minded IT Pros - Try Windows & .NET Magazine!

4. Security Roundup - News: ISC Detects RPC/DCOM Worm - News: SuSE Linux Passes EAL2+ Security Test; EAL3 on the Horizon - Feature: New Features in SP3a

5. Security Toolkit - Virus Center - Virus Alert: W32/Mimail - FAQ: How Can I Ensure That Our Web Servers Aren't Enabled for IP Routing Between the Demilitarized Zone (DMZ) and the Internal Network?

6. Event - New--Mobile & Wireless Road Show!

7. New and Improved - Install Secure, Affordable Remote Access Appliance - Detect Critical Security Flaw and Repair Systems for Free - Submit Top Product Ideas

8. Hot Threads - Windows & .NET Magazine Online Forums - Featured Thread: Firewall Service on ISA Server Fails to Start - HowTo Mailing List - Featured Thread: Disabling Unneeded Services

9. Contact Us See this section for a list of ways to contact us.

==== Sponsor: Shavlik HFNetChkPro Patch Management ====

Patch MS03-026 and get FREE 25% Maintenance! Immediately deploy critical patch MS03-026 and get FREE 25% maintenance for the first year when you order HFNetChkPro by 8/31/03! Easily scan for & install SP4 and MS03-026 with Shavlik HFNetChkPro and make a powerful impact on your enterprise security. Now's the time to get patched and stay patched with the leading security patch management solution. Download our free version at http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB076e0AA

==== 1. In Focus: The Risks of Sharing Vulnerability Information ==== by Mark Joseph Edwards, News Editor, [email protected]

As you know, the past few weeks have been full of reports about possible impending attacks on Windows networks across the globe because of the recently discovered remote procedure call (RPC)/Distributed COM (DCOM) security problem. The release of code that attackers could use to exploit unprotected systems intensified those debates.

As I write this commentary, the speculation about a widespread attack is beginning to manifest itself in a new worm, known as Blaster, MBlast, or Lovesan. More than 10,000 systems probably infected with the worm are scanning to discover vulnerable systems. You can read about the worm in "ISC Detects RPC/DCOM Worm," in this edition of Security UPDATE.

At the same time, security professionals continue to debate the issues involved in having available knowledge about security vulnerabilities and having available code that attackers could twist into ready exploits--but the debates haven't reached any consensus. However, maybe this worm will shift the opinions.

A news story I read recently offers food for further thought. Although the story isn't related to computer security, it's related in a general sense to full disclosure and to a key element in determining someone's potential culpability--intent.

A young man (Sherman Austin) has been arrested, charged, and sent to prison for his alleged intentions regarding information to which he linked from his Web site. The Web site he linked to offered bomb-making information. As we know, anyone can obtain such information in the public domain (e.g., in libraries). Apparently, Austin's prosecution (which ended in a plea bargain) wasn't based on his use of "bomb-making" materials but on his linking from his Web site to such material. You can read more about the case at the URL below: http://www.eff.org/br/20030807_eff_pr.php

The matter of intent raises interesting questions about full disclosure in the computer security arena. At any given step in the disclosure proceedings, what's the intent of somebody who discloses security vulnerability information--and can that intent be known?

Amid much talk about cyber-terrorism, you hear debates about what kind of security vulnerability information to release, when to release it, and to whom to release it. The blame game is also popular: Some users are blamed for not patching their systems; other users are blamed for providing too much vulnerability information (whether information or code); and vendors are blamed for faults in their products. Because of the widespread use of various OSs, one tiny ripple not handled correctly can cause a tidal wave of problems. The hype about perceived potential damage often compounds the problem.

The RPC/DCOM problem offers a good example of how even the best intentions regarding vulnerability disclosure simply aren't enough. In this instance, those involved in discovering and reporting the problem followed the proposed guidelines of both the Organization for Internet Safety (OIS), which includes the vendor (Microsoft), in handling the vulnerability, subsequent disclosure, and patch provisioning. Even so, the proper process didn't stop people from learning more about the vulnerability and writing code to "demonstrate" the problem.

At the same time that intruders morphed the code into attack tools, the code revealed that the patch didn't work to prevent other aspects of vulnerability. Clearly, having the code available can be a distinct benefit.

Is such code the equivalent of "bomb-making" instructions? Might some people assume that Web site and mailing list operators who support full disclosure have malicious intent? Can a decision for or against full-disclosure ever benefit everyone? I wonder whether Austin's recent conviction offers a precedent that might apply to cyber-security.

In Austin's case, intent is an essential element. Some security researchers wear black hats and some white hats with pride. Still others swap hats in different situations. However, because intent is sometimes difficult if not impossible to know, prosecutors might make assumptions and everyone's rights might be at risk.

If you have comments or predictions about disclosure issues, discerning intent, and the rights involved, I'd like to hear them. Send me an email with your comments.

==== Sponsor: Ecora Software ====

Perform patch audits in minutes with Ecora Patch Manager How confident are you that all critical security patches are deployed and up-to-date on every single system in your infrastructure? Need some help figuring it all out before the next big worm attack? Try a free copy of Ecora Patch Manager. Designed for IT professionals short on time, Patch Manager completely automates and simplifies the entire patch management cycle in just minutes. See for yourself how automation can save time, reduce costs, and keep your IT infrastructure stable and secure. Download a free, fully-functional trial of Ecora Patch Manager now! http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBrM0A2

==== 2. Security Risks ==== contributed by Ken Pfeil, [email protected]

DoS in Crob FTP Server 2.60.1 "Zero X" has discovered a Denial of Service (DoS) vulnerability in Crob FTP Server 2.60.1. If an attacker sends the FTP server a file whose name contains words such as CON, AUX, COM1, LPT1, the server might stop responding to legitimate requests. Crob Software Studio has been notified. http://www.secadministrator.com/articles/index.cfm?articleid=39821

==== Sponsor: Virus Update from Panda Software ====

Check for the latest anti-virus information and tools, including weekly virus reports, virus forecasts, and virus prevention tips, at Panda Software's Center for Virus Control. http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBlT0A3

Viruses routinely infect "fully protected" networks. Is total protection possible? Find answers in the free guide HOW TO KEEP YOUR COMPANY 100% VIRUS FREE from Panda Software. Learn how viruses enter networks, what they do, and the most effective weapons to combat them. Protect your network effectively and permanently - download today! http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB0BBDp0Aq

==== 3. Announcements ==== (from Windows & .NET Magazine and its partners)

Windows & .NET Magazine Connections: for Security-Minded IT Pros How secure is your network? Have you ever been hacked? If you had to lock down 100 machines in 5 minutes, could you do it? How has Windows Server 2003 improved its security features? Want to stop spam? Register for Windows & .NET Magazine Connections 2003 coming this fall to Orlando, and get all the answers to these questions and much more! http://www.winconnections.com

Try Windows & .NET Magazine! Every issue of Windows & .NET Magazine includes intelligent, impartial, and independent coverage of security, Active Directory, Microsoft Exchange Server, and more. Our expert authors deliver how-to content you simply can't find anywhere else. Try a sample issue today, and find out what more than 100,000 readers know that you don't! http://www.winnetmag.com/rd.cfm?code=fsei203xup

==== 4. Security Roundup ====

News: ISC Detects RPC/DCOM Worm The Internet Storm Center (ISC) reports that it has captured an remote procedure call (RPC)/Distributed COM (DCOM) worm capable of spreading to Windows XP and Windows 2000 systems. According to ISC, the worm uses RPC/DCOM to propagate itself, sending a self-extracting 6176-byte compressed file (about 11KB uncompressed). After the worm executes on an infected system, it spawns a backdoor on port 4444, then tries to download more worm files from a range of Trivial FTP (TFTP) servers. http://www.secadministrator.com/articles/index.cfm?articleid=39837

News: SuSE Linux Passes EAL2+ Security Test; EAL3 on the Horizon SuSE Linux and IBM recently received the Evaluation Assurance Level 2+ (EAL2+) security certification, a security-based rating that the International Organization for Standardization (ISO) assigns under its ISO 15408 standard. ISO gave the rating to SuSE Linux Enterprise Server (SLES) 8 running on IBM's eServer xSeries hardware. http://www.secadministrator.com/articles/index.cfm?articleid=39803

Feature: New Features in SP3a All Microsoft SQL Server 2000 customers should have upgraded their production systems to Service Pack 3 (SP3) by now for protection against the Slammer worm and other security vulnerabilities. But Microsoft recently released SP3a without much fanfare. What does SP3a address, and who needs to upgrade to it? Microsoft's original Web page describing SP3a didn't specify what new features the service pack included or whether you needed to apply SP3a if you were already using SP3. However, Microsoft's SP3a download site has now provided clearer answers to these questions, which Brian Moran discusses in this article. http://www.secadministrator.com/articles/index.cfm?articleid=39761

==== 5. Security Toolkit ====

Virus Center Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda

Virus Alert: W32/Mimail The code that the W32/Mimail virus carries can spread rapidly through email. The virus exploits two Microsoft Internet Explorer (IE) vulnerabilities, both of which Microsoft resolved some time ago. W32/Mimail sends itself in email to the addresses it finds in various files with extensions other than .com, .wav, .cab, .pdf, .rar, .zip, .tif, .psd, .ocx, .vxd, .mp3, .mpg, .avi, .dll, .exe, .gif, .jpg, and .bmp. To learn more about the virus, visit Panda Software's site for a complete description. http://www.pandasoftware.com/about/press/viewnews.aspx?noticia=3961

FAQ: How Can I Ensure That Our Web Servers Aren't Enabled for IP Routing Between the Demilitarized Zone (DMZ) and the Internal Network? contributed by Jan De Clercq

A. On Windows NT systems, IP routing is disabled by default. To enable IP routing in NT, go to Network Settings, TCP/IP Properties. On the Routing tab, select the Enable IP Forwarding check box. You can also enable the feature from the registry. Navigate to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters registry subkey, and set the EnableIPRouter value (of type REG_DWORD) to 1. Reboot the system to effect the change.

To guarantee that no one enables your Web servers for IP routing without your knowledge, make sure that you configure the appropriate NT access-control and auditing options on the EnableIPRouter registry subkey and that only authorized users have access to your Web servers. You might also invest in an integrity-checking tool that alerts you when your system's configuration changes. For an overview of NT system integrity-checking tools, see "NT Gatekeeper: Learning About NT Integrity-Checking Tools," February 2002, InstantDoc ID 23461. http://www.secadministrator.com/articles/index.cfm?articleid=23461

==== 6. Event ====

New--Mobile & Wireless Road Show! Learn more about the wireless and mobility solutions that are available today! Register now for this free event! http://www.winnetmag.com/roadshows/wireless

==== 7. New and Improved ==== by Sue Cooper, [email protected]

Install Secure, Affordable Remote Access Appliance Celestix Networks launched the Celestix RAS3000, a Windows 2003 Server-powered remote access appliance for VPNs. The rack-mounted appliance supports up to 1000 simultaneous VPN connections through wired or wireless connections. You can install multiple appliances for an unlimited total number of VPN clients. The RAS3000's management software offers load balancing, real-time alerting and monitoring, and historical reporting. The appliance supports all Windows OSs including Pocket PC 2002. The Celestix RAS3000 costs $5995 for up to 1000 concurrent connections and is available from authorized VARs and resellers. Contact Celestix on the company's Web site. http://www.celestix.com

Detect Critical Security Flaw and Repair Systems for Free Shavlik Technologies released a free Detection and Repair Kit to discover whether your network is at risk for attack because of the critical security flaw described in Microsoft Bulletin MS03-026 (Buffer Overrun In RPC Interface Could Allow Code Execution). The kit provides unlimited network scanning and assessment for a single machine or thousands of machines, to inform your IT staff where fixes are required. The Detection and Repair Kit automatically deploys the MS03-026 patch on up to 50 servers. To download the Detection and Repair Kit, go to https://www.shavlik.com/pdownloadform.aspx. Contact Shavlik Technologies at 800-690-6911, 651-426-6624, or [email protected]. http://www.shavlik.com

Submit Top Product Ideas Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].

==== 8. Hot Threads ====

Windows & .NET Magazine Online Forums http://www.winnetmag.com/forums

Featured Thread: Firewall Service on ISA Server Fails to Start (One message in this thread)

A user writes that he just installed Internet Security and Acceleration (ISA) server on a Windows Server 2003, and it works well. However, he removed RRASto configure a VPN, then added it back. Since then, the firewall service won't start. The log states only that the service failed to start (no reasons given). The only way he can start the service is to change its logon type, remove RRAS, and restart the machine. He then changes the credentials back, starts the firewall service, and adds back RRAS. Without RRAS, his clients can't get to the Internet. He believes there might be some conflict with RRAS. Lend a hand or read the responses: http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=61902

HowTo Mailing List http://63.88.172.96/listserv/page_listserv.asp?s=howto

Feature Thread: Disabling Unneeded Services (Five messages in this thread)

A user wants to know where he can find out what services he can safely disable on his Windows 2000 Server. Lend a hand or read the responses: http://63.88.172.96/listserv/page_listserv.asp?A2=IND0308A&L=HOWTO&P=637

==== Sponsored Links ====

Ultrabac FREE live trial-Backup & Disaster Recovery software w/ encryption http://ad.doubleclick.net/clk;5945485;8214395;x?http://www.ultrabac.com/default.asp?src=WINTxtLAug03tgt=./

CrossTec Free Download - NEW NetOp 7.6 - faster, more secure, remote support http://ad.doubleclick.net/clk;5930423;8214395;j?http://www.crossteccorp.com/tryit/w2k.html

==== 9. Contact Us ====

About the newsletter -- [email protected] About technical questions -- http://www.winnetmag.com/forums About product news -- [email protected] About your subscription -- [email protected] About sponsoring Security UPDATE -- [email protected]