Security UPDATE, May 15, 2002

Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com


THIS ISSUE SPONSORED BY

FREE Security eBook from NetIQ—HOT off the Press!
http://www.netiq.com/offers/securityebook/register.asp?origin=secupdate515

Windows & .NET Magazine Webinar: Understanding PKI
http://www.winnetmag.com/webinar/pki.cfm
(below IN FOCUS)


SPONSOR: FREE SECURITY EBOOK FROM NETIQ—HOT OFF THE PRESS!

Need real-world, in-the-trenches advice on securing your Microsoft Windows .NET servers? Register now for "The Tips and Tricks Guide to Securing .NET Server." You'll gain best practices and technical advice that will open your eyes to Microsoft Windows .NET security. Get the inside scoop on legacy systems, .NET group policy, resource management, secure remote access and emerging .NET enhancements. Don't take chances with your .NET security. Register for the FREE eBook now!
http://www.netiq.com/offers/securityebook/register.asp?origin=secupdate515


May 15, 2002—In this issue:

1. IN FOCUS

  • IM Security Considerations in the Enterprise

2. SECURITY RISKS

  • Unchecked Buffer in MSN Messenger Chat ActiveX Control
  • Buffer Overflow in Macromedia's Flash Player ActiveX Control

3. ANNOUNCEMENTS

  • Get Valuable Info for Free with IT Consultant Newsletter
  • Immediate Access to T-SQL Solutions!

4. SECURITY ROUNDUP

  • News: Microsoft Remedy Hearings: Allchin Explains Genesis, Scope of Trustworthy Computing
  • Feature: Guarding Your CAs
  • Feature: Using the MBSA

5. INSTANT POLL

  • Results of Previous Poll: Security Information Notification
  • New Instant Poll: IM Use

6. SECURITY TOOLKIT

  • Virus Center
  • FAQ: How Can I Modify the Installation Credential Settings in Win2K?

7. NEW AND IMPROVED

  • Integrated Security Appliance
  • Universal Antivirus Rescue System

8. HOT THREADS

  • Windows & .NET Magazine Online Forums
  • Featured Thread: Blocking IM
  • HowTo Mailing List
  • Featured Thread: Not Recovering from a Missing SAM Database

9. CONTACT US

  • See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])

  • IM SECURITY CONSIDERATIONS IN THE ENTERPRISE

  • Does your organization use Instant Messaging (IM) software? IM has become an incredibly popular tool in the corporate world. Several companies that offer IM networks, including AOL, ICQ ("I Seek You"), Microsoft, and Yahoo!, have IM client packages with various features and capabilities. However, some administrators virtually ignore IM security considerations. For example, IM communications often traverse a network in plain text format, which means someone could eavesdrop easily on private business communications.

    If you don't have IM software on your network, don't install it without planning. IM use carries considerable risk and requires not only the implementation of company policies, but also diligent ongoing attention to IM's vulnerabilities. For example, last week Microsoft reported that its MSN Chat Control software contains a buffer-overflow condition that could let intruders run the code of their choice on a user's machine. The problem affects MSN Chat Control, MSN Messenger, and Microsoft Exchange IM and is the third MSN chat security problem that Microsoft has reported this year. (See the related Security UPDATE story at the URL below.) But Microsoft isn't alone in having IM software security problems. So far this year, reports have documented eight security problems with AOL Instant Messenger (AIM), four with Yahoo! Messenger, and five with ICQ (which AOL owns).
    http://www.secadministrator.com/articles/index.cfm?articleid=25168

    You can address one IM security risk, for example, by using security software that protects IM's plain text transport. Cerulean Studios has an IM security solution that's definitely worth a look: Trillian (see the URL below). Among many security-related IM software packages, this solution stands out for two reasons: Trillian permits messaging between several popular IM networks—including AOL, ICQ, Internet Relay Chat (IRC), MSN, and Yahoo!—and it encrypts communications by using continually regenerated encryption keys. Trillian's encryption feature, SecureIM, uses the Blowfish encryption algorithm to generate a new encryption key each time the user begins a new secure chat session. After the software generates a key, it stores the key only in memory and never to disk, making it harder for an attacker to compromise the key.
    http://www.ceruleanstudios.com

    AOL recently announced its encrypted messaging client, Enterprise AIM. According to a Washington Post Newsbytes story, AOL has partnered with VeriSign to create the new IM client, which AOL intends to sell to enterprise users. In addition to encrypted communications, Enterprise AIM will use VeriSign's certificate technology to authenticate users, which will help prevent user impersonation.
    http://www.newsbytes.com/news/02/176517.html

    If you subscribe to the Security Administrator monthly print newsletter, you might have read Roger A. Grimes' article in the May issue, "IM Security Primer," InstantDoc ID 24665, which offers a detailed overview of the major IM networks and information about the security concerns they raise for the enterprise. (To learn more about the print newsletter, visit the Security Administrator Channel home page at the URL below.)
    http://www.secadministrator.com

    We're conducting a new Instant Poll this week: If your organization uses IM, we want to know which IM software you've standardized on. Stop by our home page and give us your answer.
    http://www.secadministrator.com


    SPONSOR: WINDOWS & .NET MAGAZINE WEBINAR: UNDERSTANDING PKI

    ATTEND OUR FREE WEBINAR: UNDERSTANDING PKI
    Implementing PKI successfully requires an understanding of the technology with all its implications. Attend the latest Webinar from Windows & .NET Magazine and develop the knowledge you need to address this challenging technology and make informed purchasing decisions. We'll also look closely at three possible content encryption solutions, including PKI. Register for FREE today!
    http://www.winnetmag.com/webinar/pki.cfm


    2. SECURITY RISKS
    (contributed by Ken Pfeil, [email protected])

  • Unchecked Buffer in MSN Messenger Chat ActiveX Control

  • eEye Digital Security discovered that a buffer-overflow condition exists in MSN Messenger Chat control that can result in unauthorized code execution. Even if users haven't installed MSN Messenger, an attacker can call the control from the codebase tag, which would prompt users to install the control with Microsoft's credentials because Microsoft signs the OLE custom control (OCX). eEye's advisory gives a detailed explanation of this vulnerability. Microsoft has released Security Bulletin MS02-022 (Unchecked Buffer in MSN Chat Control Can Lead to Code Execution) to address this vulnerability and recommends that affected users apply the appropriate patch listed in the bulletin.
    http://www.secadministrator.com/articles/index.cfm?articleid=25168

  • Buffer Overflow in Macromedia's Flash Player ActiveX Control

  • A buffer-overflow condition exists in Macromedia's Flash Player 6.0 ActiveX Control. An attacker can use this vulnerability to execute code through email, a Web site, or any other way that Microsoft Internet Explorer (IE) displays HTML. eEye Digital Security's advisory gives a detailed explanation of this vulnerability. Macromedia has released an updated version of Flash Player that addresses this vulnerability.
    http://www.secadministrator.com/articles/index.cfm?articleid=25152

    3. ANNOUNCEMENTS

  • GET VALUABLE INFO FOR FREE WITH IT CONSULTANT NEWSLETTER

  • Sign up today for IT ConsultantWire, a FREE email newsletter from Penton Media. This newsletter is specifically designed for IT consultants, bringing you news, product analysis, project management and business logic trends, industry events, and more. Find out more about this solution-packed resource and sign up for FREE at
    http://www.itconsultmag.com

  • IMMEDIATE ACCESS TO T-SQL SOLUTIONS!

  • Exclusive in-depth articles, tips, tricks, and code samples all at your fingertips. Content you can't get anywhere else—brought to you by the SQL Server experts you trust such as Kalen Delaney, Itzik Ben-Gan, and others. Increase your productivity today! Go to the following URL.
    http://www.tsqlsolutions.com

    4. SECURITY ROUNDUP

  • NEWS: Microsoft Remedy Hearings: Allchin Explains Genesis, Scope of Trustworthy Computing

  • Microsoft Group Vice President Jim Allchin admitted something yesterday that I've suspected ever since I first read the "Trustworthy Computing" email, a missive that Chairman and Chief Software Architect Bill Gates sent to Microsoft employees and that the company purposefully leaked to the press. Under questioning during cross-examination at the Microsoft remedy hearings, Allchin said that it was he, not Gates, who originally came up with the Trustworthy Computing idea. Allchin also described the Windows products that the initiative covers.
    http://www.secadministrator.com/articles/index.cfm?articleid=25159

  • FEATURE: GUARDING YOUR CAs

  • With the growing emphasis on information security, many companies turn to digital certificates to help increase the level of security on their networks. If your network relies on digital certificates, however, you need to implement some disaster-prevention and -recovery techniques to protect your digital certificates and the Certificate Authorities (CAs) that issue them. A brief review of public key infrastructure (PKI) and an introduction to digital certificates and their CAs will get you started. Then, let's examine some methods designed to help you better guard your certificates, your CAs, and the certificate databases that contain your CAs.
    http://www.secadministrator.com/articles/index.cfm?articleid=25156

  • FEATURE: Using the MBSA

  • If you follow the news about Microsoft security tools, you probably know that 6 weeks ago Microsoft released Microsoft Baseline Security Analyzer (MBSA), which has received a fair amount of negative press coverage.

    The complaints echo what David Chernicoff wrote last year about the Microsoft Personal Security Advisor (MPSA) tool: The information the tool provides isn't as useful as it could be, and you need to understand what each reported entry means before you'll find the tool useful. The MBSA tool that replaced the MPSA has similar problems, which isn't surprising because it uses the same design philosophy.
    http://www.secadministrator.com/articles/index.cfm?articleid=25161

    5. INSTANT POLL

  • RESULTS OF PREVIOUS POLL: SECURITY INFORMATION NOTIFICATION

  • The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "How should Microsoft notify its customers about new service packs and new or updated security-related rollup packages, tools, and TechNet articles?" Here are the results (+/- 2 percent) from the 378 votes:
    • 63% Microsoft should issue security bulletins for all security-related matters
    • 34% Microsoft should add a mailing list for non-bulletin security matters
    • 3% Microsoft needn't notify customers in any additional ways

  • NEW INSTANT POLL: IM USE

  • The next Instant Poll question is, "If your organization uses Instant Messaging (IM), which IM choice have you standardized on?" Go to the Security Administrator Channel home page and submit your vote for a) AOL Instant Messenger (AIM), b) ICQ, c) MSN Messenger, d) Yahoo! Messenger, or e) Other.
    http://www.secadministrator.com

    6. SECURITY TOOLKIT

  • VIRUS CENTER

  • Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
    http://www.secadministrator.com/panda

  • FAQ: How can I modify the installation credential settings in Win2K?

  • ( contributed by John Savill, http://www.windows2000faq.com )

    A. An administrator can lock down a system to prevent a user from installing new software, or the administrator can configure the system so that the user can provide credentials and continue the installation. To modify the installation credential settings for one machine, perform the following steps:

    1. Start a registry editor (e.g., regedit.exe).
    2. Navigate to the following subkey:
    3. HKEY_CURRENT_USER\Software\Microsoft\WindowsCurrentVersion\Policies\Explorer. 
    4. Double-click the NoRunasInstallPrompt value; set it to 1 to disable credentials or 0 to allow credentials.
    5. Click OK.

    To modify the installation credential settings for network installations, perform the following steps:

    1. Start a registry editor (e.g., regedit.exe).
    2. Navigate to the following subkey:
    3. HKEY_CURRENT_USER\Software\Microsoft\WindowsCurrentVersion\Policies\Explorer.
      
    4. Double-click the PromptRunasInstallNetPath value; set it to 1 to disable credentials or 0 to allow credentials.
    5. Click OK.

    7. NEW AND IMPROVED
    (contributed by Judy Drennen, [email protected])

  • INTEGRATED SECURITY APPLIANCE

  • Symantec announced Symantec Gateway Security, a security appliance that integrates firewall, gateway-level antivirus, intrusion-detection, content-filtering, and VPN capabilities in a single solution. Although designed for small and midsized offices, administrators can also manage local and remote appliances over the Internet including advanced configurations, rule sets, and cluster parameters, which reduces total cost of ownership (TCO). Symantec Gateway Security Model 5110 offers throughput of up to 40Mbps with a 50-node license for $11,790; Model 5200 offers a throughput of up to 80Mbps with a 250-node license for $23,590; Model 5300 provides a throughput of up to 80Mbps with an unlimited node license for $51,990. Contact Symantec at 408-517-8000.
    http://www.symantec.com

  • UNIVERSAL ANTIVIRUS RESCUE SYSTEM

  • Central Command released Vexira Antivirus Rescue Disk System, a free virus scanner that can scan Windows, Linux, UNIX, DOS, and OS/2 from a single CD-ROM or disk set. Vexira can remove more than 64,463 viruses, Trojan horses, and other malicious applications, thereby providing users with a safety net when they can't start a computer because of file corruption, alterations to the registry, or damaged partition tables. Contact Central Command at 330-723-2062.
    http://www.centralcommand.com

    8. HOT THREADS

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS

  • http://www.winnetmag.com/forums
    Featured Thread: Blocking IM
    (Five messages in this thread)

    John wants to know whether he can prevent his network users from loading Yahoo! Messenger and similar Instant Messaging (IM) programs onto their systems for use through the company Internet connection.
    http://www.secadministrator.com/forums/thread.cfm?thread_id=81118

  • HOWTO MAILING LIST

  • http://www.secadministrator.com/listserv/page_listserv.asp?s=howto
    Featured Thread: Not Recovering from a Missing SAM Database
    (Two messages in this thread)

    Kit writes that with Windows 2000, if the SAM database is corrupted, the OS politely makes its own blank copy of the SAM and starts up—so you can immediately restore from backup. On some machines, he doesn't want that to happen. Is there a registry setting he can change to prevent this behavior? Can you help? Read the responses or lend a hand at the following URL:
    http://63.88.172.96/listserv/page_listserv.asp?a2=ind0205a&l=howto&p=503

    9. CONTACT US
    Here's how to reach us with your comments and questions:

    (please mention the newsletter name in the subject line)

    This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
    http://www.secadministrator.com/sub.cfm?code=saei25xxup

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email

    Hide comments

    Comments

    • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

    Plain text

    • No HTML tags allowed.
    • Web page addresses and e-mail addresses turn into links automatically.
    • Lines and paragraphs break automatically.
    Publish