Security UPDATE--Security Researchers Vulnerable to Buffer Underflow Attack?--January 5, 2005

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

The Key to Stopping Email Attacks: Sender ID Can't Do It

Exchange & Outlook Administrator


1. In Focus: Security Researchers Vulnerable to Buffer Underflow Attack?

2. Security News and Features

- Recent Security Vulnerabilities

- Exploits on the Loose Against Unpatched Bugs in Windows

- Netcraft Joins the Anti-Phishing Brigades

3. Security Matters Blog

- Update Your Netcat Software for Windows

4. Security Toolkit


- Security Forum Featured Thread

5. New and Improved

- Remotely Change Network Passwords


==== Sponsor: Postini ====

The Key to Stopping Email Attacks: Sender ID Can't Do It

"Going nowhere fast," is how the media described recent efforts to develop an industry-wide email sender authentication standard. Even if some form of Sender ID is eventually adopted, spammers and hackers may be able to exploit the registration of IP addresses with Sender ID to improve their delivery of junk email. Effective real time IP address analysis and filtering is necessary — not sender authentication. This white paper explains why enterprises do not need to rely on Sender ID and discusses better, proven email intrusion prevention solutions that already work today to stop spam, viruses and email attacks. Get answers now!


==== 1. In Focus: Security Researchers Vulnerable to Buffer Underflow Attack? ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

It's inevitable: Someone posts proof-of-concept code, and almost immediately someone goes to work developing a malicious exploit. Do these exploiters have nothing better to do, nothing better to think about?

Anyway, as you probably know by this time, a series of new Windows vulnerabilities was recently published in the usual places. And now at least one exploit, the Phel worm, is on the loose. The worm installs code on penetrated systems to open back doors and make those systems part of a Distributed Denial of Service (DDoS) network. The worm infects systems by using inroads through Microsoft Internet Explorer (IE), often without the user's knowledge.

On the surface, these vulnerabilities and exploits might seem to come from opposing forces: On one side are "researchers" who release proof-of-concept code for their discoveries. On the other side are people who turn the proven concept into something malicious for their own nefarious purposes.

The side that puzzles me is the alleged "researchers." Are they suffering some sort of mental buffer underflow attack (i.e., not clearly thinking things through)? They're very adept at finding security vulnerabilities, yet some of them fail to recognize one of the most obvious security problems of all--their own premature public revelations of explicit details of security weaknesses. It's possible that some researchers do see the problem and they simply don't care, which could mean that those particular researchers and the malicious coders are, for all intents and purposes, cohorts playing a dastardly game.

Other researchers make a half-hearted effort to contact a vendor. In one relatively recent case of vulnerability reporting, a researcher claimed that he tried to contact a vendor but couldn't, so he thought it reasonable to release his detailed findings to the public. I happen to use the product in question, so I decided to try to contact the vendor myself. After about 60 seconds of clicking around on the vendor Web site, I found several contacts and emailed them the researcher's findings. Within 24 hours, the vendor emailed me back a solution. I then forwarded the vendor-provided solution to the researcher, who didn't bother to publish it! In this case, a so-called "researcher" could scour code for vulnerabilities, yet couldn't find any contact info for the vendor! Obviously, such researchers aren't really researchers at all. They too play a dastardly game.

On another note, last week I wrote about an incident that involved Microsoft's release of a critical update for Windows Firewall that improves the way in which the firewall handles local subnet restrictions. The update wasn't part of Microsoft's monthly security bulletins. If you missed last week's newsletter, then you can read about the reasons why this happened in the December 29, 2004 Security UPDATE commentary (first URL below) and in the related news story "Critical Update for Windows Firewall Flies Under the Radar" (second URL below).

A reader wrote in response to the commentary that, "The \[Microsoft Baseline Security Analyzer (MBSA)\] for use with SMS 2003 doesn't report the firewall update patch." The reader did add that, in his situation, the lack isn't an issue because he doesn't rely on local subnet restrictions for defining firewall exceptions. Nevertheless, the reader does point out another aspect of notifying users about critical updates that needs better attention from Microsoft.

We posted an Instant Poll question last week that asks, "Do you think Microsoft should improve its security alerting process?" The possible answers are "Yes, it should send alerts about all security updates" and "No, the process works fine for me the way it is." So far, we haven't had a huge flood of people answer the question, but most of those who have answered have said "Yes." If you haven't taken 30 seconds to visit our Web site and answer the question, please do--the poll results will undoubtedly be read by Microsoft and could make a difference in how the company handles its security update alerting process in the future.

That said, I hope you all had pleasant holidays. Best wishes to all of you for the new year, and until next time, have a great week!


==== Sponsor: Exchange & Outlook Administrator ====

Try a Sample Issue of Exchange & Outlook Administrator!

If you haven't seen Exchange & Outlook Administrator, you're missing out on key information that will go a long way towards preventing serious messaging problems and downtime. Request a sample issue today, and discover tools you won't find anywhere else to help you migrate, optimize, administer, backup, recover, and secure Exchange and Outlook. Order now!


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Exploits on the Loose Against Unpatched Bugs in Windows

Researchers have posted proof-of-concept code that can take advantage of vulnerabilities in Windows platforms. The concept code works against vulnerabilities in the Windows Help subsystem and in code used to load desktop icons.

Netcraft Joins the Anti-Phishing Brigades

Netcraft, a company known for its statistical analysis of a vast number of Web sites, has joined those groups who attempt to prevent phishing scams by releasing a new toolbar for Microsoft Internet Explorer (IE). The toolbar performs checks on URLs and enforces behavior changes in the Web browser.


==== Announcements ====

(from Windows IT Pro and its partners)

Are You a Hacker Target?

You are if you have an Internet connection faster than 384Kbps. In this free on-demand Web seminar, Alan Sugano will examine two attacks (an SMTP Auth Attack and a SQL Attack) that let spammers get into the network and relay spam. Find out how to keep the hackers out of your network and what to do if your mail server is blacklisted as an open relay. Register now!

Get David Chernicoff's Essential Guide to Blade Servers

The cost of setting up new servers, provisioning them, and managing their operation is a significant one, and reducing those costs results in quicker ROI and more easily justifiable initial expenses. Find out why blade server technology is an attractive methodology for addressing these concerns and implementing improvements in your server infrastructure.

Is Your Messaging Infrastructure Ready for Tomorrow's Risks?

In this free Web seminar on February 17, 2005, Randy Franklin Smith reveals the new security threats as SPIM, spyware, phishing, and malware evolve and become tools for industrial espionage. You'll learn which kinds of attacks companies are reporting in increased numbers and the commonly held misconceptions about Microsoft security patches. Find out what threats deserve your attention. Register now!

New eBook! Keeping Your Business Safe from Attack: Passwords and Permissions

Master password and permissions basics with our latest free eBook and discover how to prevent most vulnerabilities and exploits with Microsoft's new tools. Firewalls, antivirus software, Intrusion Detection Systems (IDS), and Intrusion Prevention Systems (IPS) can all fail, but a strong permissions and authentication defense is priceless. Get the first chapter now!


==== 3. Security Matters Blog ====

by Mark Joseph Edwards,

Check out these recent entries in the Security Matters blog:

Update Your Netcat Software for Windows

An unchecked buffer in the popular Netcat tool for Windows could allow remote code execution. The vulnerability, discovered by Hat Squad, can be exploited when using the netcat -e option.

==== 4. Security Toolkit ====

FAQ: How can I quickly search for shared folders that are published in Active Directory (AD)?

by John Savill,

Find the answer at

Security Forum Featured Thread: Fending Off DDoS Attacks

A forum participant writes that he helps run a major Internet-based retail operation and wonders if he can make any advance preparations to mitigate or alleviate the threat of Distributed Denial of Service (DDoS) attacks. Join the discussion at:


==== Events Central ====

(A complete Web and live events directory brought to you by Windows IT Pro at )

True High-Availability for Microsoft Exchange Web Seminar--February 3

Discover solutions that minimize the likelihood of downtime in your Exchange implementation and help to ensure continuous Exchange application availability. In this free Web seminar, learn how you can ensure high-availability through the use of tools that analyze and proactively monitor the health of your entire Exchange environment. Register now!


==== 5. New and Improved ====

by Renee Munshi, [email protected]

Remotely Change Network Passwords

Keroon Software offers Reset Local Password Pro 3.0, a Windows program that lets administrators change local passwords on one or more computers from a remote location. New features in this version include improved IP enumeration, the ability to change passwords on systems running Windows NT 4.0 without the need for Active Directory (AD) Client Extensions to be loaded, and a No Enumeration option that lets you turn off autopopulation of your list of computers. Reset Local Password Pro runs under Windows XP, Windows 2000, and Windows NT 4.0. It requires 10MB of RAM and 10MB of free hard disk space. Reset Local Password Pro costs $99.99, and a 14-day trial version is available. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Security Administrator print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Sponsored Links ====

Data Protection from NSI and Microsoft

Instant recovery and data protection solutions for Exchange and SQL servers


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Security Administrator, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2005, Penton Media, Inc. All rights reserved.
