Security UPDATE, June 11, 2003

==== This Issue Sponsored By ====

Shavlik Technologies http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB076e0AA

Windows & .NET Magazine http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB06cX0Af

1. In Focus: Windows 2003 Patches; Responsible Vulnerability Reporting

2. Security Risks - Buffer Overruns in IE

3. Announcements - Get Exclusive VIP Web Site Access! - Learn 10 Ways to Deal with Spam!

4. Security Roundup - News: Windows & .NET Magazine Names TechEd 2003 Best of Show Winners - News: Microsoft Adds New Security Certification Program - News: Microsoft and VeriSign Partner on PKI - Feature: IPSec Enhancements for XP and Win2K

5. Instant Poll - Results of Previous Poll: Windows Update and SUS - New Instant Poll: Certifications and Hiring

6. Security Toolkit - Virus Center - Virus Alert: Bugbear.B - FAQ: How Do I Ensure that GPOs Are Applied When I Move a Computer to a New OU?

7. Event - Security 2003 Road Show 8. New and Improved - Secure Your PC - Token User Authentication - Submit Top Product Ideas

9. Hot Thread - Windows & .NET Magazine Online Forums - Featured Thread: Blocking KaZaA

10. Contact Us See this section for a list of ways to contact us.

==== Sponsor: Shavlik Technologies ====

Shavlik HFNetChkPro - Get 20% off in June! Buy HFNetChkPro in June and receive 20% off! Shavlik HFNetChkPro 4.0, the leader in automated patch management, assesses your network for missing security patches and automatically deploys patches, saving you thousands of hours. It includes loads of features that save time for busy security professionals while offering greater enterprise security. HFNetChkPro 4.0 automates patch remediation for Microsoft Office, Windows Server 2003, Exchange, SQL, Outlook, Java Virtual Machine and more. Now's the time to download our free HFNetChkLT version at www.shavlik.com and take a test drive! http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB076e0AA

==== 1. In Focus: Windows 2003 Patches; Responsible Vulnerability Reporting ==== by Mark Joseph Edwards, News Editor, [email protected]

You're probably aware by now that Microsoft recently released security patches for Internet Explorer (IE) 6.0, IE 5.5, and IE 5.01, including IE 6.0 for Windows Server 2003. The problems relate to unchecked buffers that could let arbitrary code execute on a user's machine. Patching your machines against these problems is probably critical. You can read about the problems in the article, "Buffer Overruns in IE," in this issue of Security UPDATE.

The patch represents the first for the new Windows 2003 OS, and it came less than 2 months after the initial release. It's good to know that the company has taken care of that particular problem quickly, but apparently another patch for the new OS might be necessary soon.

According to SecurityFocus, a user reported that Windows systems might be vulnerable to Denial of Service (DoS) attacks under certain conditions. If a Windows 2003, Windows XP, or Windows 2000 system has IP version 6 (IPv6) enabled, an attacker might be able flood the server with Internet Control Message Protocol (ICMP) packets resulting in a DoS condition for the target system. http://www.securityfocus.com/bid/7788

Microsoft is undoubtedly aware of the problem, but at the time of this writing, the company hasn't released a bulletin or patch. The problem is probably moderate and won't affect a huge number of systems because IPv6 isn't as widely deployed as IPv4. Nevertheless, we can probably expect Microsoft to issue a patch soon. Both the recently patched problems with IE and this DoS problem point out that faults found in code used across multiple versions of products families will, more often than not, carry over into the Windows 2003 OS, as has been the case with previous product versions.

Speaking of newly reported vulnerabilities, the Organization for Internet Safety (OIS) has finally released its long-awaited draft proposal that outlines a process that security researchers and vendors can use to coordinate their efforts to patch security vulnerabilities.

You recall that in 2001, Guardent, Foundstone, BindView, @stake, and Internet Security Systems (ISS) established OIS, which now counts the SCO Group, Network Associates, Oracle, and Symantec among its members. The group initially submitted a draft proposal to the Internet Engineering Task Force (IETF) as a Request for Comments (RFC). However, the IETF decided its forum wasn't suited for guideline proposals about responsible reporting. So the group struck out on its own to finish its draft, "Security Vulnerability Reporting and Response Process," now available to the public at the URL below. http://www.oisafety.org/resources.html

According to an OIS press release, the draft "provides specific, prescriptive guidance that establishes a framework in which researchers and vendors can collaborate to improve the speed and quality of security investigations, thereby helping better protect Internet users and infrastructure." OIS is offering a period of time (until July 7) for the public to provide its own commentary about the draft. According to OIS, it will respond to the comments as best it can and post the comments to its Web site for everyone to read (excluding the commentators' personal contact information, of course).

The draft proposal suggests that researchers not disclose their findings to the public until either a patch is released or researchers have exhausted their efforts to interact with a vendor and have reached an irreconcilable impasse. Symantec is a member of OIS and also owns SecurityFocus along with various mailing lists now associated with SecurityFocus, including the popular BugTraq list.

Historically, BugTraq has offered researchers a place to openly reveal any information they feel necessary, including demonstration code, even if that code could lead to exploitation of a given vulnerability. SecurityFocus also operates a mailing list called Vuln-Dev, in which researchers can and do discuss possible security problems with various products. The discussions sometimes include code used to test particular would-be security problems and sometimes include considerable detail about researcher findings.

I wonder whether the OIS proposal, which Symantec obviously supports, will eventually affect the operation of those mailing lists and other mailing lists operated by other entities? We'll have to wait and see.

One final note about vulnerabilities: Be sure your systems are protected against the Bugbear.B worm. It's a nasty one. You can learn more about it in the associated "Virus Alert" in this issue of the newsletter.

Correction: In last week's Security UPDATE commentary, ".html" was omitted from the URL given for more information about Bayesian filtering. The correct URL is http://www.paulgraham.com/articles.html

=== Sponsor: Windows & .NET Magazine ====

Insider's Guide to IT Certification eBook Get the eBook that will help you get certified! The "Insider's Guide to IT Certification," from the Windows & .NET Magazine Network, has one goal: to help you save time and money on your quest for certification. Find out how to choose the best study guides, save hundreds of dollars, and be successful as an IT professional. The amount of time you spend reading this book will be more than made up by the time you save preparing for your certification exams. Order your copy today! http://list.winnetmag.com/cgi-bin3/DM/y/eA0D74Eh0CCB06cX0Af

==== 2. Security Risks ==== contributed by Ken Pfeil, [email protected]

Buffer Overruns in IE eEye Digital Security discovered two new vulnerabilities in Microsoft Internet Explorer (IE) that can result in the execution of arbitrary code on the vulnerable system. The vulnerabilities are a buffer-overrun vulnerability that results from IE improperly determining an object type a Web server returns and a condition in which IE doesn't implement an appropriate block on a file-download dialog box. Microsoft has released Security Bulletin MS03-020 (Cumulative Patch for Internet Explorer) to address these vulnerabilities and recommends that affected users immediately apply the appropriate patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=39227

==== 3. Announcements ==== (from Windows & .NET Magazine and its partners)

Get Exclusive VIP Web Site Access! The Windows & .NET Magazine VIP Site is a subscription-based online technical resource that's chock-full of problem-solving articles from all our publications. For a limited time, you can access this banner-free site at which you'll find exclusive content usually reserved for VIP Site members only. Only VIP subscribers can access this site after June 13, so check it out today! http://vip.winnetmag.com

Learn 10 Ways to Deal with Spam! In this audiocast event, you'll discover simple but effective ways to fight spam, plus learn the common tricks spammers use to get your email address. You'll also receive a free white paper from NetIQ about controlling spam and the chance to download a free trial of NetIQ MailMarshal SMTP. Register today! http://www.winnetmag.com/seminars/spam

==== 4. Security Roundup ====

News: Windows & .NET Magazine Names TechEd 2003 Best of Show Winners Windows & .NET Magazine named Best of Show products in seven categories as well as an overall winner at TechEd 2003 in Dallas. Michele Crockett, Windows & .NET Magazine editor, presented awards to Windows technology vendors and announced an overall Best of Show winner. The field included more than 211 entries, and the judges evaluated products based on their strategic importance in the market, the competitive advantage they offer, and their value to the customer. http://www.secadministrator.com/articles/index.cfm?articleid=39225

News: Microsoft Adds New Security Certification Program Microsoft announced that it will offer a new security specialization program under its Microsoft Certified Systems Administrator (MCSA) and Microsoft Certified Systems Engineer (MCSE) credentials. http://www.secadministrator.com/articles/index.cfm?articleid=39214

News: Microsoft and VeriSign Partner on PKI Microsoft and VeriSign announced plans to extend interoperability between Windows Server 2003 and VeriSign's Managed PKI Services. http://www.secadministrator.com/articles/index.cfm?articleid=39213

Feature: IPSec Enhancements for XP and Win2K Until recently, Microsoft platforms didn't support the use of Layer Two Tunneling Protocol (L2TP) connections in combination with Network Address Translation (NAT). To improve the interoperability of Windows XP and Windows 2000 systems with Windows Server 2003 systems, Microsoft recently released an update for XP and Win2K platforms that lets clients create secure IP Security (IPSec) connections to a Windows 2003 server when the clients are behind a firewall or a router running NAT. Read more about the update in this article on our Web site. http://www.winnetmag.com/windowsserver2003/index.cfm?articleid=39166

==== 5. Instant Poll ====

Results of Previous Poll: Windows Update and SUS The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Do you use either Windows Update or Software Update Services (SUS)?" Here are the results from the 239 votes. - 67% Yes - 10% Yes--We also use a third-party update tool - 18% No - 5% No--We use only a third-party update tool

New Instant Poll: Certifications and Hiring The next Instant Poll question is, "Does your company hire IT administrators based on certifications?" Go to the Security Administrator Channel home page and submit your vote for a) We hire based largely on certifications, b) We hire based on certifications and experience, c) We consider certifications secondary to work experience, or d) We hire based only on proven experience. http://www.secadministrator.com

==== 6. Security Toolkit ====

Virus Center Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda

Virus Alert: Bugbear.B A new and dangerous worm, Bugbear.B, is spreading rapidly through email and network shares. The email messages used to spread the worm use random subjects and random file attachment names. The worm can be triggered by simply viewing the message in a Microsoft Outlook preview pane if the user's system isn't configured for tight security and doesn't have the proper security patches installed. The worm tries to disable various pieces of security-related software, installs Trojan horse software, and logs keystrokes. For more details about the worm, be sure to visit the URL below. http://www.pandasoftware.com/virus_info/encyclopedia/overview.aspx?idvirus=39823

FAQ: How Do I Ensure that GPOs Are Applied When I Move a Computer to a New OU? by Randy Franklin Smith, [email protected]

A. You don't have to create computer accounts in the correct organizational unit (OU) from the beginning; you can move accounts from OU to OU at any time and expect new Group Policy Objects (GPOs) to take effect. However, a computer checks the path of the OU in which it resides only at boot-up. After that, whenever the computer reapplies Group Policy, it simply checks to see whether the GPOs applied previously have changed. If you move the computer to a new OU, the computer doesn't recognize the move until the next reboot. Therefore, GPOs linked to the computer's new OU won't take effect until you reboot the computer.

==== 7. Event ====

Security 2003 Road Show Join Mark Minasi and Paul Thurrott as they deliver sound security advice at our popular Security 2003 Road Show event. http://www.winnetmag.com/roadshows/security2003

==== 8. New and Improved ==== by Sue Cooper, [email protected]

Secure Your PC SOFTWIN released BitDefender Professional 7.0 to provide antivirus, active content control, Internet filtering, and data confidentiality for Windows systems. The software blocks malicious applications, specified URLs, ports, and IPs--and lets you to block ActiveX, Java Applets, or Java Script code based on your configurations. BitDefender alerts you if your system settings let inappropriate codes run or if an application is trying to access the Internet. It filters incoming and outgoing cookie-type files to preserve your confidentiality and filters against viruses transmitted through Instant Messaging (IM) software. BitDefender Professional 7.0 is available in four languages; you can download it from the Web site listed below. The software runs on Windows XP/2000/NT/Me/98. Prices start at $44.95 for a single license. Contact SOFTWIN at [email protected]. http://www.bitdefender.com

Token User Authentication Pointserve Data launched Passholder, which provides two-factor authentication (i.e., based on something you have and something you know) for your users. The software resides on a cryptographically protected secure USB token. The token (instead of the PC) can store a users' name, domain, and corporate and personal passwords, which users can retrieve when needed with their user PIN number. The token can also store digital certificates. You can decide whether users will manually update their Windows password to the token or whether Passholder will automatically generate and update the password without user intervention to comply with corporate security policy. Passholder supports Windows XP/2000/NT. Contact Pointserve at [email protected] or on the company's Web site. http://www.passholder.net

Submit Top Product Ideas Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].

==== 9. Hot Thread ====

Windows & .NET Magazine Online Forums http://www.winnetmag.com/forums

Featured Thread: Blocking KaZaA (Three messages in this thread)

A user writes that he has a network environment of 30 sites and wants to block the use of KaZaA. He wants to know the best way to go about blocking peer-to-peer (P2P) file sharing on his networks. Lend a hand or read the responses: http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=59679

==== Sponsored Link ====

FaxBack Integrate FAX into Exchange/Outlook (Whitepaper, ROI, Trial) http://www.faxback.com/w2ksponorlink

==== 10. Contact Us ====

About the newsletter -- [email protected] About technical questions -- http://www.winnetmag.com/forums About product news -- [email protected] About your subscription -- [email protected] About sponsoring Security UPDATE -- [email protected]