Security UPDATE--More Bugs and Preemptive Fixes--July 14, 2004

==== This Issue Sponsored By ====

Free Download! New Sitekeeper(R) 3.1

http://executive.com/sitekeeper/skland.asp?ad=wandnetnl26

Free Security White Paper from Postini

http://www.winnetmag.com/whitepapers/postini/silentkiller/index.cfm?code=0713securitysecondary

1. In Focus: More Bugs and Preemptive Fixes

2. Security News and Features

- Recent Security Vulnerabilities - News: Extended Version of XCACLS Available

- News: Two New Tools and One Updated Tool for ISA Server 2004

3. Instant Poll

4. Security Toolkit

- FAQ

- Featured Thread

5. New and Improved

- Insulate Your Network

- Reduce Network Security Threats

==== Sponsor: Executive Software ====

Free Download! New Sitekeeper(R) 3.1

Keeping track of your software licenses and staying up-to-date with the latest patches is a pain -- especially if you have to do it manually. But unless you stay on top of licenses and patches, you're opening your site up to legal action and security breaches. *** NEW Sitekeeper 3.1 is the simple, affordable way to automate your systems management. Sitekeeper handles hardware and software inventories, license compliance reports and software/patch installation with just a few clicks of your mouse. No special training or dedicated hardware needed -- in fact, you can start managing within minutes of installation. It's systems management software -- simplified!

Try Sitekeeper FREE -- click on

http://executive.com/sitekeeper/skland.asp?ad=wandnetnl26

==== 1. In Focus: More Bugs and Preemptive Fixes ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

Another problem was recently discovered in Microsoft Internet Explorer (IE): An intruder could use the Shell.Application object to launch a command shell on an affected system. This capability could lead to all sorts of dangerous activity. To protect systems, you can disable the object by navigating to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\\{13709620-C279-11CE-A49E-444553540000\} registry subkey and setting the Compatibility Flags entry (type REG_DWORD) to 00000400.

Yesterday, Microsoft released Microsoft Security Bulletin MS04-024 (Vulnerability in Windows Shell Could Allow Remote Code Execution) and a related patch for that problem, so you can now load the patch instead of editing the registry. The company also released six other bulletins and patches as part of its monthly security patch release. The patches fix vulnerabilities in HTML-based Help files, the Task Scheduler, Microsoft IIS 4.0, the POSIX subsystem, and Utility Manager (all of which might allow the execution of remote code), and Microsoft Outlook Express (for which the company issued a cumulative patch for Denial of Service--DoS--conditions). You can learn more about these fixes at Microsoft's TechNet Security Web site.

http://www.microsoft.com/technet/security

After the Shell.Application bug was published on various security mailing lists, researchers began checking the Mozilla Web browser for a similar problem, and it turns out that Mozilla is affected to some extent. According to Mozilla's security advisory, it's possible to use the shell: URL scheme to launch executables on a remote user's system. The developers issued a workaround for the problem, which is available at the Mozilla Web site.

http://www.mozilla.org/security/shell.html

The discovery of these serious security risks points out the need to regularly adjust your defenses to protect against attack. Sometimes you need to apply a vendor patch, and other times you can perform a configuration workaround. Another tactic you can use to mitigate unforeseen security problems is to employ the security tools available from various vendors.

For example, security scanners might find the shell problem as well as the ADO databases (ADODB) problem I've discussed in recent issues of this newsletter. Scanning tools that find these problems probably also would let you make registry adjustments to protect against attacks.

Another tool, which I've mentioned recently, is PivX Solutions' Qwik-Fix Pro. Qwik-Fix Pro doesn't scan your systems; instead, it lets you change configuration settings to strengthen the overall security of various applications, including IE.

Alex Tosheff, chief technology officer at PivX, told me that the company plans an official release of the enterprise version of Qwik-Fix Pro on August 2 (the product has been in public beta testing for quite some time). The enterprise version integrates with Active Directory (AD), uses Group Policy to define security configuration settings, and includes a Microsoft Management Console (MMC) snap-in.

According to Thor Larholm, a lead researcher at PivX, the release version will include features such as strengthened security for IE security zones (e.g., My Computer, Trusted Sites, Internet), which Microsoft Outlook also uses. Larholm also said that the product will be expanded to include application protection for Microsoft Office, Microsoft IIS, Apache HTTP Server, Mozilla, Opera Software's Opera, Microsoft SQL Server, MySQL, Windows .NET Framework, Instant Messaging (IM) applications, IBM's Lotus Notes, and other popular Windows applications. The company is also working on features that will perform "runtime process modification and virtual application patching, ... generic C runtime and Win32 API replacements, ... generic buffer overflow protection, and generic process privilege compartmentalization."

I've pointed out before that I don't know of any products that offer the same functionality as Qwik-Fix Pro. I'm sure some other products offer some of the features, but as far as I know, the solution is rather unique in its approach. And it clearly defends against hundreds of known and untold numbers of unknown attack methods well in advance of their release. If you haven't tested Qwik-Fix Pro already, then you might want to take a close look at the release version when it becomes available.

http://www.pivx.com/qwikfix

==== Sponsor: Postini ====

The Silent Killer: How spammers are stealing your email directory

Have you ever had your end users complain about how slow your email system seems to be responding when you have no visible reason for this problem in performance? Are your Microsoft Exchange server deferral queues constantly full, slowing server performance to a crawl? All of these are signs that spammers are probing your email system in an attempt to identify and "harvest" legitimate email addresses from your organization. This is what is known as the "silent killer" or "directory harvest attack" (DHA). Download this whitepaper now and learn how you can protect your organization against the "silent killer".

http://www.winnetmag.com/whitepapers/postini/silentkiller/index.cfm?code=0713securitysecondary

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.winnetmag.com/departments/departmentid/752/752.html

News: Extended Version of XCACLS Available

Microsoft released an updated version of Extended Change Access Control List (xcacls.exe), a tool that can help view and modify permissions for files and directories. The new version, xcacls.vbs, is a Visual Basic script that runs via the cscript.exe version of the Windows Script Host (WSH).

http://www.winnetmag.com/article/articleid/43182/43182.html

News: Two New Tools and One Updated Tool for ISA Server 2004

Microsoft released new and updated tools that help administrators manage Microsoft Internet Security and Acceleration Server 2004 (ISA Server). The new tools help you configure client systems, quarantine clients, and monitor and change ISA Server firewall configurations.

http://www.winnetmag.com/article/articleid/43248/43248.html

==== Announcements ====

(from Windows & .NET Magazine and its partners)

New! The Shifting Tactics of Spammers: How to Stop the Newest Email Threats

Stopping new spam techniques requires detection and prevention in real time at the SMTP connection point. In this free Web seminar, you'll learn how spam filters operate as well as real-world examples of spammers new attacks and threats so that you can learn what you must do to protect your organization. Register now!

http://www.winnetmag.com/seminars/newspamtechniques/index.cfm?code=0712emailannc

We're Bringing the Experts Directly to You with 2 New IT Pro Workshop Series About Security and Exchange

Don't miss two intense workshops designed to give you simple and free tools to better secure your networks and Exchange servers. Discover how to prevent attackers from attacking your network and how to perform a security checkup on your Exchange Server deployment. Get a free 12-month subscription to Windows & .NET Magazine and enter to win an Xbox! Register now.

http://www.winnetmag.com/workshops/securingwindowsandexchange/index.cfm?tc=0712emailannc

==== Hot Release ====

Need to Secure Multiple Domain or Host Names?

Securing multiple domain or host names need not burden you with unwanted administrative hassles. Learn more about how the cost-effective Thawte Starter PKI program can streamline management of your digital certificates.

Click here to download our free guide:

http://ad.doubleclick.net/clk;9435476;9685119;c

==== 3. Instant Poll ====

Results of Previous Poll

The voting has closed in the Windows & .NET Magazine Network Security Web page nonscientific Instant Poll for the question, "Which Web browser does your company currently use for Internet (as opposed to intranet) browsing?" Here are the results from the 191 votes.

- 68% Microsoft Internet Explorer (IE)

- 9% Mozilla

- 19% Firefox

- 3% Opera

- 1% Other

New Instant Poll

The next Instant Poll question is, "Do you now use or do you plan to use 802.11i on your wireless LANs?" Go to the Security Web page and submit your vote for

- Yes, we use 802.11i now

- Yes, we plan to use 802.11i in the next 3 months

- Yes, we plan to use 802.11i in the next 6 months

- Yes, we plan to use 802.11i in the next year

- No, we don't plan to use 802.11i

http://www.winnetmag.com/windowssecurity

==== 4. Security Toolkit ====

FAQ: How Can I Merge Multiple Primary Versions of the Same DNS Zone for Different Servers into One Active Directory (AD)-Integrated Zone?

by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. Only one primary version of the DNS zone should exist for zones that aren't AD-integrated. If necessary, you can create additional secondary versions of zones on other DNS servers to support fault tolerance and load balancing.

If you have multiple primary versions of a zone that isn't AD-integrated, those zones won't replicate or remain synchronized. The possible actions that can occur when you move these multiple versions into AD for storage are:

* After the first DNS server stores its zone information in AD, all subsequent DNS servers lose their DNS zone content and use the first DNS server's zone information in AD.

* As each DNS server is modified to store its information in AD, the new DNS zone data overwrites the existing DNS zone data in AD.

* As each DNS server is modified to store its information in AD, the new DNS server's data merges with the existing data.

When you opt to integrate the second (or any subsequent) instance of the zone on a different DNS server in AD--as explained in the FAQ "How can I change how DNS information is stored on a DNS server?" ( http://www.winnetmag.com/articles/index.cfm?articleid=43104 )--you can choose between the first and second options. In the Active Directory Service box, you must select either "Discard the new zone, and load the existing zone from Active Directory" or "Overwrite the existing zone in Active Directory with the new zone." After you make your selection, click OK, then click OK again to confirm it.

Featured Thread: USB Hub Security

(Three messages in this thread)

A reader wants to know if he can somehow set security on USB devices based on the device type. He wants to allow USB-based printer devices and disallow USB-based storage devices for users. Do you know whether this is possible and how to do it? Lend a hand or read the responses on our Security forum.

http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=123393

==== Events Central ====

(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )

New! Extending Microsoft Office with Integrated Fax Messaging

Are you "getting by" using fax machines or relying on a less savvy solution that doesn't offer truly integrated faxing from within user applications? Attend this free Web seminar and learn what questions to ask when selecting an integrated fax solution, discover how an integrated fax solution is more efficient than traditional faxing methods, and learn how to select the fax technology that's right for your organization. Register now!

http://www.winnetmag.com/seminars/faxsolutions/index.cfm?code=0712emailannc

==== 5. New and Improved ====

by Jason Bovberg, [email protected]

Insulate Your Network

MetaInfo has developed the MetaInfo Appliance 250 Series and MetaInfo Appliance 500 Series of hardware platforms upon which you can easily deploy and maintain MetaInfo's Meta IP services. These appliances help prevent malicious users from exploiting and thus compromising your company's DNS and DHCP services. The 250 Series is ideal for midsized networks, and the 500 Series is best for larger networks. For pricing information, contact MetaInfo at 206-674-3700 or on the Web.

http://www.metainfo.com Reduce Network Security Threats

ElcomSoft released Proactive Windows Security Explorer 1.0, which executes a comprehensive audit of account passwords and exposes all unsecure passwords. You can identify patterns and trends that weaken security and develop the appropriate policies to improve network security. You can also use Proactive Windows Security Explorer to recover lost passwords and access users' Windows accounts. Proactive Windows Security Explorer 1.0 runs on Windows 2003/XP/Me/2000/NT 4.0/98. Prices begin at $299. For more information, contact ElcomSoft on the Web.

http://www.elcomsoft.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

==== Sponsored Links ====

Argent

Comparison Paper: The Argent Guardian Easily Beats Out MOM

http://ad.doubleclick.net/clk;6480843;8214395;q?http://www.argent.com/products/download_whitepaper.cgi?product=mom&&Source=WNTTextLink

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected]. If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.

==== Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.winnetmag.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

==== Contact Our Sponsors ====

Primary Sponsor:

Executive Software -- http://executive.com

Secondary Sponsor:

Postini -- http://www.postini.com -- 1-888-584-3150

Hot Release Sponsor:

thawte -- http://www.thawte.com -- 1-650-426-7400