Security UPDATE, June 5, 2002

Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com


THIS ISSUE SPONSORED BY

Fast, Easy-to-Use—UltraBac Disaster Recovery
http://www.ultrabac.com/default.asp?src=SQLUpdateJun6502&tgt=./

Connected Home Virtual Tour
http://www.connectedhomemag.com/virtualtour
(below IN FOCUS)


SPONSOR: FAST, EASY-TO-USE—ULTRABAC DISASTER RECOVERY

UltraBac's Image-Based Disaster Recovery software is now GUI based and backs up all hidden and active partition types including 'extended' and LIVE OPERATING SYSTEM partitions. A new wizard is available for users to easily create a network boot floppy that will allow recovery of a failed machine by quickly booting from a single floppy (or other media). The machine's OS partition is recovered from either tape or a network UNC path in record time. To learn more about our Windows 2000 Advanced Server Certified products or to download a free live trial visit
http://www.ultrabac.com/default.asp?src=SQLUpdateJun6502&tgt=./


June 5, 2002—In this issue:

1. IN FOCUS

  • Security Conferences

2. SECURITY RISKS

  • Buffer-Overrun Vulnerability in Macromedia's JRun Server 3.1 and Jrun 3.0
  • Denial of Service in Microsoft Exchange 2000 Server
  • Unauthorized File Disclosure in Deerfield.com's WebSite Pro 3.1.11.0
  • Authentication Flaw in Windows Debugger

3. ANNOUNCEMENTS

  • Raising Windows 2000 Availability—Free Webinar
  • Register for Our Latest Web Seminar and Get a Free Subscription to SQL Server Magazine!
  • Submit Top Product Ideas

4. SECURITY ROUNDUP

  • News: Will Electronic Eavesdropping Become a M-o-o-t Point?
  • News: Microsoft's Buffer-Overrun Problem: Fact or Fallacy?
  • News: Microsoft Patches Critical Exchange Hole
  • Feature: New IE Update Blocks IFRAME in Outlook HTML Messages

5. SECURITY TOOLKIT

  • Virus Center
  • FAQ: How Can I Recover a Deleted Dynamic NTFS or FAT32 Volume in Windows XP or Windows 2000?

6. NEW AND IMPROVED

  • Enhanced Virus Scanner
  • PnP Policy Enforcer

7. HOT THREAD

  • Windows & .NET Magazine Online Forums
  • Featured Thread: Restoring Encrypted Files After Format and Reinstall

8. CONTACT US

  • See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])

  • SECURITY CONFERENCES

  • Last week, I mentioned an article in CIO Magazine that discusses several ways to hire and keep security personnel. The article suggests that companies can retain staff by offering incentives such as letting employees attend yearly training conferences. A lot of security conferences and seminars are available, and the number of new events continues to grow. The cost of such events isn't cheap, and determining which events to attend isn't always easy. This week, I describe three of the more popular choices: the NetSec conference, the Black Hat Briefings, and SANSFIRE training seminars.

    NetSec 2002
    Computer Security Institute (CSI) hosts NetSec 2002, which takes place in San Francisco June 17 through 19. The conference will offer more than 85 sessions on a wide variety of subject matter, including Internet and intranets, secure e-commerce, VPNs, computer crime, Denial of Service (DoS) attacks, forensic investigation, response teams, cryptography and public key infrastructure (PKI), intrusion detection, Windows NT, privacy, policies, awareness, remote access, and more. In addition to the learning tracks, an exhibition will feature products from more than 70 network security vendors. Just about anyone involved in network security should consider attending NetSec 2002, and CSI is expecting more than 1500 attendees this year.
    http://www.gocsi.com

    Black Hat Briefings
    The next Black Hat USA 2002 Briefings and Training is scheduled for July 29 through August 1 in Las Vegas. Windows & .NET Magazine and the Security Administrator newsletter are sponsoring this popular event that includes a series of informational briefings and a training series. The briefings include more than 30 talks by notable industry insiders covering a wide range of topics such as using biometrics, auditing source code, tracing anonymous users, securing databases, using second-generation honeypots, securing email, attacking wireless networks, cracking Voice over IP (VoIP) Cisco Systems router forensics, and more. The training series includes 12 sessions that cover security-related tools and toolkits, Active Directory (AD) security, advanced Internet Control Message Protocol (ICMP) scanning techniques, and a variety of hacking techniques (e.g., hacking into Cisco networks).
    http://www.blackhat.com/html/bh-usa-02/bh-usa-02-index.html

    SANSFIRE 2002
    The System Administration, Networking, and Security (SANS) Institute hosts numerous training events each year. The Institute's SANSFIRE 2002 event is scheduled for June 25 through July 2 in Boston. The event is for new and experienced security practitioners and includes several learning tracks, including security essentials, firewalls, perimeter protection and VPNs, intrusion detection in-depth, hacker techniques, exploits and incident handling, securing Windows, securing UNIX, auditing, forensic investigation and response, information security officer training, and more.
    http://www.sans.org/SANSFIRE02

    If you're looking for a seminar to attend outside the United States, CSI, Black Hat, and SANS all host conferences in various countries. For information about these international events, visit each organization's respective Web site. Of course, you can perform a simple Web search to locate a variety of conferences and seminars presented by other organizations. For example, I used the URLs below to search Google, and the search results revealed dozens and dozens of interesting events. Although most security-related conferences are hosted by non-vendor-affiliated organizations, many security product and service vendors offer seminars to create a better understanding of how particular products fit into a given security strategy.
    http://www.google.com/search?hl=en&lr=&q=security+%2bseminar
    http://www.google.com/search?hl=en&lr=&q=security+%2bconference


    SPONSOR: CONNECTED HOME VIRTUAL TOUR

    WIN A FREE $200 GIFT CERTIFICATE TO ROADWIRED.COM!
    Visit the Connected Home Virtual Tour and browse through the latest home entertainment, home networking, and home automation options. Sign up for prize drawings, too, and you might win a free gift certificate to RoadWired.com. Take the tour today!
    http://www.connectedhomemag.com/virtualtour


    2. SECURITY RISKS
    (contributed by Ken Pfeil, [email protected])

  • Buffer-Overrun Vulnerability in Macromedia'S JRun Server 3.1 anD JRUN 3.0

  • David Litchfield of Next Generation Security Software discovered a buffer-overrun condition in Macromedia's JRun Server 3.1 and Jrun 3.0. The Internet Server API (ISAPI) .dll filter that JRun uses to handle requests for .jsp resources doesn't properly handle overly long host header fields. As a result, an attacker can gain control over the process's execution. A more detailed advisory is located on Litchfield's Web site. Macromedia has released a bulletin regarding this vulnerability and recommends that affected users apply the appropriate patch listed in the bulletin.
    http://www.secadministrator.com/articles/index.cfm?articleid=25406

  • DENIAL OF SERVICE IN MICROSOFT EXCHANGE 2000 SERVER

  • Several people from the Computing Center, Johannes Gutenberg University, Mainz, Germany, discovered a Denial of Service (DoS) condition in Exchange 2000. This vulnerability stems from a flaw in the way Exchange 2000 handles certain malformed message attributes specified in Request for Comments (RFC) 821 and RFC 822 on received mail. An attacker can use these malformed messages to cause the Store service to consume 100 percent of CPU resources until the Exchange server processes the mail message. Rebooting the server or restarting the service won't help because the Exchange server still must process the malformed message. Microsoft Security Bulletin MS02-025 (Malformed Mail Attribute can Cause Exchange 2000 to Exhaust CPU Resources) addresses this vulnerability and recommends that affected users apply the appropriate patch listed at the URL below.
    http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-025.asp

  • Unauthorized File Disclosure in Deerfield.cOM's WebSite Pro 3.1.11.0

  • Ory Segal discovered a vulnerability in Deerfield.com's WebSite Pro 3.1.11.0 that can disclose source-script code to an unauthorized user. This condition appears when the software attempts to serve files with at least a four-character extension (e.g., .shtml), which it requests by using 8.3-format filenames. Deerfield has released version 3.1.13.0, which addresses this vulnerability.
    http://www.secadministrator.com/articles/index.cfm?articleid=25385

  • Authentication Flaw in Windows Debugger

  • A vulnerability exists in the authentication mechanism of the Windows 2000 and Windows NT 4.0 debugging facility that can let an unauthorized program gain access to the debugger. An attacker can use this vulnerability to cause a running program to execute a program of the attacker's choice under the system security context. Microsoft Security Bulletin MS02-024 (Authentication Flaw in Windows Debugger can Lead to Elevated Privileges) addresses these vulnerabilities and recommends that affected users apply the appropriate patch listed in the bulletin at the second URL below.
    http://www.secadministrator.com/articles/index.cfm?articleid=25367 http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/ms02-024.asp

    3. ANNOUNCEMENTS
    (brought to you by Windows & .NET Magazine and its partners)

  • RAISING WINDOWS 2000 AVAILABILITY—FREE WEBINAR

  • How can you reduce (or eliminate) data loss and downtime in the event of a site-wide disaster? Attend the latest free webinar from Windows & .NET Magazine and get the answers, including what kind of fault-tolerant disk setup to use, what clustering is (and isn't) good at, and best practices for boosting SQL Server and Exchange 2000 Server availability. Register (for FREE) today!
    http://www.winnetmag.com/seminars/veritas

  • REGISTER FOR OUR LATEST WEB SEMINAR AND GET A FREE SUBSCRIPTION TO SQL SERVER MAGAZINE!

  • SQL Server Magazine, the premier source of technical, how-to information for database professionals, has an unbeatable lineup of educational tools. Register today for our upcoming Web seminar "Identifying SQL Server Performance Problems," presented by Brian Moran (just $29.95!), and get a 1-year subscription to SQL Server Magazine—absolutely free!
    http://www.sqlmag.com/sub.cfm?code=bmae2esu

  • SUBMIT TOP PRODUCT IDEAS

  • Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column in Windows & .NET Magazine. Send your product suggestions to [email protected]

    4. SECURITY ROUNDUP

  • NEWS: Will Electronic Eavesdropping Become a M-o-o-t Point?

  • A group of self-proclaimed civil libertarians have launched an effort to create an OS and a set of applications that prevent computer eavesdropping and data collection. The new open-source OS, dubbed "M-o-o-t," will ship in the form of a single CD-ROM that you can boot on popular PC hardware platforms.
    http://www.secadministrator.com/articles/index.cfm?articleid=25370

  • NEWS: Microsoft's Buffer-Overrun Problem: Fact or Fallacy?

  • You're accustomed to hearing about Microsoft security flaws. However, a recent warning regarding Visual C++ .NET might not have been as straightforward or helpful as it first appeared. Gary McGraw, the chief technology officer (CTO) for Cigital, claimed that the Visual C++ .NET compiler, a part of the Visual Studio .NET suite, contains an improperly implemented feature (known as Buffer Security Checking) that causes a buffer-overrun problem to appear in code written with the tool.
    http://www.secadministrator.com/articles/index.cfm?articleid=24882

  • NEWS: Microsoft Patches Critical Exchange Hole

  • Microsoft has released a patch that corrects what the company calls a "critical" security flaw in Microsoft Exchange 2000 Server. The flaw lets attackers send a specially formatted message that ties up 100 percent of the server's resources.
    http://www.secadministrator.com/articles/index.cfm?articleid=25392

  • FEATURE: New IE Update Blocks IFRAME in Outlook HTML Messages

  • Microsoft issued a critical update for Microsoft Internet Explorer (IE) in Microsoft Security Bulletin MS02-023 (15 May 2002 Cumulative Patch for Internet Explorer) that eliminates a longstanding vulnerability in HTML-format messages. The update prevents an <IFRAME> tag from using the Internet Sites security zone, rather than the Restricted Sites zone, to launch a file attached to a message or to open a Web page inside a message.
    http://www.secadministrator.com/articles/index.cfm?articleid=25269

    5. SECURITY TOOLKIT

  • VIRUS CENTER

  • Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
    http://www.secadministrator.com/panda

  • FAQ: How can I recover a deleted dynamic NTFS or FAT32 volume in WinDOWS XP or WINDOWS 2000?

  • ( contributed by John Savill, http://www.windows2000faq.com )

    A. When you delete a dynamic volume in Win2K or XP, the OS erases the volume's file-system boot sector (sector 0) and removes the volume entry from the Microsoft Management Console (MMC) Disk Management snap-in private region database. However, as part of this process, the OS leaves the rest of the drive intact, including the data. Both FAT32 and NTFS store a backup copy of the boot sector. You can copy this boot sector back to sector 0 and restore the volume as long as you know the original volume size. For detailed step-by-step instructions about how to recover the volume, visit our Win2K FAQ at the URL below.
    http://www.windows2000faq.com/articles/index.cfm?articleid=25375

    6. NEW AND IMPROVED
    (contributed by Judy Drennen, [email protected])

  • ENHANCED VIRUS SCANNER

  • Rockliffe released MailSite SE 5.0 for Small Enterprises, featuring integrated virus scanning, security improvements, and personal calendaring. With the new antivirus support in MailSite SE, customers no longer need to worry about viruses sneaking into their system through email. MailSite SE automatically eliminates viruses without any administrator intervention. Prices for MailSite SE start at $595 for 50 mailboxes. For more information, contact Rockliffe at 408-879-5600, or to purchase online, visit Rockliffe's Web site.
    http://www.rockliffe.com

  • PnP POLICY ENFORCER

  • InfoExpress released CyberGatekeeper Server, a Plug and Play (PnP) appliance that proactively enforces remote and mobile desktop configurations and applications. CyberGatekeeper Server is vendor neutral and can enforce desktop configurations connected through VPNs, extranets, dial-up connections, wireless LANs (WLANs), and wired LANs. The appliance audits systems before permitting access to the network. CyberGatekeeper Server is $6500 per appliance. For more information, contact InfoExpress at 650-623-0260, or [email protected].
    http://www.infoexpress.com

    7. HOT THREAD

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS

  • http://www.winnetmag.com/forums

  • Featured Thread: Restoring Encrypted Files After Format and Reinstall

  • (Twenty-eight messages in this thread)

    Christer writes that he runs an FTP server and noticed a COM1 directory within his PUB directory. The COM1 directory contains 600GB of data, but he can't open or delete the folder. When he tries to access the directory, Windows reports that it can't be found. Do you know how he can remove the folder?
    http://www.secadministrator.com/forums/thread.cfm?thread_id=99095

    8. CONTACT US
    Here's how to reach us with your comments and questions:

    (please mention the newsletter name in the subject line)

    This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
    http://www.secadministrator.com/sub.cfm?code=saei25xxup

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email

    Hide comments

    Comments

    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.
    Publish