Skip navigation

Security UPDATE, April 2, 2003

Subject: Security UPDATE, April 2, 2003


Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows Server 2003, Windows 2000, and Windows NT systems.



FREE Security Compliance Audit for Windows

Windows & .NET Magazine Connections (below IN FOCUS)


~~~~ SPONSOR: FREE SECURITY COMPLIANCE AUDIT FOR WINDOWS ~~~~ Are your critical Windows machines protected from the next Nimbda, Code Red or SQL Slammer attacks? Why not find out? Take advantage of our FREE Security Compliance Audit available through our 15-day product evaluation for your 5 most critical Windows machines. In just minutes PatchWorks will analyze your systems and generate a policy conformance report! Click here to eliminate vulnerabilities today: ~~~~~~~~~~~~~~~~~~~~

April 2, 2003--In this issue:

1. IN FOCUS - Jumping the Gun on Vulnerability Disclosure

2. SECURITY RISKS - DoS in Microsoft RPC Endpoint Mapper - DoS in Check Point VPN-1/FireWall-1 Client Component

3. ANNOUNCEMENT - Sample Our Security Administrator Newsletter!

4. SECURITY ROUNDUP - News: RPC Vulnerability Threatens Windows with DoS Attacks - News: Code Execution Vulnerability in Windows Script Engine - News: Secunia Launches New Security Advisories Service

5. INSTANT POLL - Results of Previous Poll: WebDAV and IIS - New Instant Poll: WEP and WPA

6. SECURITY TOOLKIT - Virus Center - FAQ: Why Am I Receiving Event ID Errors 5737 and 7023 on My Windows 2000 Server Service Pack 2 (SP2) System?

7. NEW AND IMPROVED - Event Management in an Appliance - Spam Filtering as a Service - Submit Top Product Ideas

8. HOT THREAD - Windows & .NET Magazine Online Forums - Featured Thread: How Do You Print the GPO?

9. CONTACT US See this section for a list of ways to contact us.




(contributed by Mark Joseph Edwards, News Editor, [email protected])


Last week, in my Security UPDATE commentary "Security Research: A Double-Edged Sword," I discussed how researchers discover security problems and work with vendors to coordinate information and patch release--to minimize networks' exposure to a given discovery. A recent case in point illustrates how jumping the gun on information disclosure can occur when well-intentioned researchers become impatient.

This past Saturday, while most working people on the planet were enjoying their weekends, a researcher posted a message to the BugTraq mailing list about a vulnerability in Sendmail. As you know, Sendmail is one of the most widely used SMTP mail systems, and although Sendmail was written to run primarily on UNIX systems, various vendors port the code to Windows platforms. The researcher had discovered a problem in Sendmail stemming from insufficient bounds checking during character-to-integer conversions that might lead to a buffer overflow and subsequent compromise of a given Sendmail system.

The researcher had contacted on March 18 about his discovery, and the group replied the following day acknowledging the problem and stating that it would release an updated version of the product. However, if I understand the situation correctly, the updated release was not posted immediately for reasons internal to, which I assume involve coordinating efforts with third-party vendors and Sendmail software users. When after 11 days (March 29) the new version wasn't posted, the researcher decided to post a notice about the problem to BugTraq, basically stating that he was "forced" to release details of the problem. Again, I assume the researcher's intent was to put pressure on the Sendmail vendor.

With the bug now exposed to the public, Sendmail immediately--on March 29--released its updated product version (8.12.9) and posted a brief comment: "We apologize for releasing this information today (2003-03-29) but we were forced to do so by an e-mail on a public mailing list which contains information about the security flaw." Sendmail wasn't entirely ready to release its updated version, but apparently Sendmail had corrected the problem in the code and had a new version it could release. I don't know the exact reasons for the 11-day delay, but again, I suspect Sendmail needed the time for testing and coordination--because Sendmail is bundled with various OSs.

Jumping the gun in this way is unfortunate. This instance seems to have been the result of a communication breakdown. Could the researcher have exercised more responsibility, patience, and restraint before forcing the vendor's release of updated code by posting information about the bug to the public? Did the researcher consider the potential ramifications of the disclosure--how many others it might affect? Could Sendmail have kept in better touch as time passed, letting the researcher know a projected date of release?

Although this set of events might seem minor to some people, it could lead to severe problems across the Internet for millions of people. What if attackers used the bug to crash mail systems or to take over servers? Such events cost time, money, and frustration, and a discloser might face legal ramifications. Right now, given the state of world affairs, one act--tossing a particular pebble of information into the sea of technology--could potentially cause a tsunami.

On another note, 2 weeks ago in the Security UPDATE commentary "Audit Your Windows Shares" (see the URL below) I mentioned CERT's notice about several Denial of Service (DoS) programs plaguing Windows systems. What I didn't tell you is that many such DoS programs have incorporated a perfectly legitimate network administration tool, PsExec, which Sysinternals created.

According to the Sysinternals Web site, "PsExec is a light-weight telnet-replacement that lets you execute processes on other systems, complete with full interactivity for console applications, without having to manually install client software. PsExec's most powerful uses include launching interactive command-prompts on remote systems and remote-enabling tools like IpConfig that otherwise do not have the ability to show information about remote systems." Essentially, you can use PsExec instead of tools such as Telnet or Symantec's pcAnywhere.

Mark Russinovich, cofounder of Sysinternals and author for Windows & .NET Magazine, wrote to remind me about another Sysinternals tool. Although system attackers use PsExec to exploit Windows systems, Sysinternals' ShareEnum program can help users audit their shared resources and tighten security. Doing so can help administrators ensure that intruders will have a hard time inserting DoS programs into users' systems. Be sure to check out ShareEnum, which is available for free (the complete source code is also available).


~~~~ SPONSOR: WINDOWS & .NET MAGAZINE CONNECTIONS ~~~~ WINDOWS & .NET MAGAZINE CONNECTIONS: WIN A FLORIDA VACATION Simply the best lineup of technical training for today's Windows IT professional. Register now for this exclusive opportunity to learn in-person from the Windows & .NET Magazine writers you trust. Attendees will have a chance to win a free Florida vacation for two. Register today and you'll also save $300. ~~~~~~~~~~~~~~~~~~~~



(contributed by Ken Pfeil, [email protected])

* DoS IN MICROSOFT RPC ENDPOINT MAPPER Jussi Jaakonaho discovered a new vulnerability in the part of remote procedure call (RPC) that handles message exchange over TCP/IP. This vulnerability, a result of incorrect handling of malformed messages, could result in a Denial of Service (DoS) condition. An attacker could exploit this vulnerability by establishing a TCP/IP connection to the Endpoint Mapper process on a remote machine and transmitting a malformed message. At this point, the process on the remote machine would fail. Microsoft has released Security Bulletin MS03-010 (Flaw in RPC Endpoint Mapper Could Allow Denial of Service Attacks) to address this vulnerability and recommends that affected users immediately apply the patch mentioned in the bulletin.

* DoS IN CHECK POINT VPN-1/FIREWALL-1 CLIENT COMPONENT Dr. Peter Bieringer of AERAsec Network Services and Security discovered a vulnerability in Check Point VPN-1/FireWall-1 Client component versions earlier than Feature Pack 3 (FP3) Hotfix-2 that could result in a Denial of Service (DoS) condition. By sending excessive amounts of data through a syslog connection, an attacker can cause the SmartView Tracker logging mechanism on the target firewall to experience high CPU utilization rates. According to AERAsec, these rates can cause SmartView Tracker to crash without notice, and the service must be manually restarted. The vendor, Check Point Software Technologies, has released Hotfix-2 to address this vulnerability and recommends that affected users immediately apply the patch mentioned in the bulletin.



(brought to you by Windows & .NET Magazine and its partners)

* SAMPLE OUR SECURITY ADMINISTRATOR NEWSLETTER! If you spend the better part of your day dealing with security concerns such as controlling user access, viruses, and tightening your network's permeability, then you can benefit from the type of information we publish each month in Security Administrator. Every issue shows you how to protect your enterprise with informative, in-depth articles, timely tips, and practical advice. Sample our most recent issue today!



* NEWS: RPC VULNERABILITY THREATENS WINDOWS WITH DoS ATTACKS A recently discovered vulnerability in the remote procedure call (RPC) subsystem in Windows XP, Windows 2000, and Windows NT can make those OSs susceptible to Denial of Service (DoS) attacks, according to Microsoft. The company has already created a patch for XP and Win2K users. However, it says that major changes in the way RPC works since the release of NT 4.0 prevent it from creating a patch for that OS. NT 4.0 users can use the workaround described on the Microsoft site.

* NEWS: CODE EXECUTION VULNERABILITY IN WINDOWS SCRIPT ENGINE If you run Microsoft SQL Server on Windows, you need to know that a new vulnerability in Windows Script Engine can result in the execution of arbitrary code on the vulnerable system. The vulnerability stems from the way Windows Script Engine for JScript processes information. Use the URL below to find more information about the vulnerability and to reach download sites.

* NEWS: SECUNIA LAUNCHES NEW SECURITY ADVISORIES SERVICE Secunia has launched a new mailing list, called Secunia Security Advisories, which consolidates security vulnerability information from a variety of sources. The company is making its advisories available through email, its Web site, and an affiliate network.



* RESULTS OF PREVIOUS POLL: WEBDAV AND IIS The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Does your company use WWW Distributed Authoring and Versioning (WebDAV) with Microsoft IIS?" Here are the results from the 151 votes. (Deviations from 100 percent are due to rounding errors.) - 11% Yes - 81% No - 7% I'm not sure (Deviations from 100 percent are due to rounding.) * NEW INSTANT POLL: WEP and WPA The next Instant Poll question is, "Will your company replace Wired Equivalent Privacy (WEP) with Wi-Fi Protected Access (WPA)?" Go to the Security Administrator Channel home page and submit your vote for a) Yes, b) No, c) No--We're waiting for 802.11i, or d) Undecided.



* VIRUS CENTER Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.

* FAQ: Why Am I Receiving Event ID Errors 5737 and 7023 on My Windows 2000 Server Service Pack 2 (SP2) System? ( contributed by John Savill, )

A. Event ID 5737 is an unspecified Netlogon service error, and event ID 7023 is a Kerberos Key Distribution service error. Both errors result from a corrupt or missing rsaenh.dll file, which is the Microsoft Enhanced Cryptographic Provider, and they prevent the services from starting. Win2K SP2 automatically upgrades the system to 128-bit encryption. In so doing, the service pack attempts to install the rsaenh.dll file. To resolve the problem, copy the rsaenh.dll file from another server or from the extracted service pack.



(contributed by Sue Cooper, [email protected])

* EVENT MANAGEMENT IN AN APPLIANCE Network Intelligence is shipping enVision-LS, a Windows 2000 Server-based appliance that provides security event and network event management with guaranteed levels of performance. Features include a Web-based UI; realtime analysis for cross-device event correlation and alerting; the ability to perform ad hoc queries and automatic scheduling of included reports; realtime data encryption and compression; granular, role-based multiuser support; and integration with other network operations solutions. enVision-LS supports leading security and networking devices and most host OSs out of the box. Contact Network Intelligence at 508-668-2460 and [email protected]

* SPAM FILTERING AS A SERVICE Trend Micro announced the Trend Micro Spam Prevention Service (SPS), designed to block spam at the gateway and to interoperate with the company's antivirus and content security products. SPS is based on Postini's proven heuristic technology antispam filtering rules, in an exclusive agreement with the email security service provider. After SPS defines a message as spam, you can take predefined actions, such as tagging, delivering, or rerouting the message. You can configure spam prevention in the following categories: hate mail, get rich quick solicitations, sexual content, bulk mail, and commercial. Trend Micro Spam Prevention Service for Sun Solaris is now available. Support for Windows and Linux platforms is planned for second quarter 2003. Pricing begins at $30 per user per year, for 25 users. Contact Trend Micro at 888-588-7363.

* SUBMIT TOP PRODUCT IDEAS Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected]




Featured Thread: How Do You Print the GPO? (Four messages in this thread)

A user wants to print out the entire Group Policy Object (GPO) of each container and compare those GPOs to the other GPOs in the tree. Having a printout of enabled options would be helpful to eliminate duplication. He tried to use the "Microsoft Windows 2000 Resource Kit" utilities GPRESULT and GPTOOL, but neither tool gives him the same settings that he sees in the GPO editor. He also tried to use the EXPORT option in the GPO editor, but that listed only the options for each category. Does anyone know of a Microsoft utility or a third-party utility that will help? Lend a hand or read the responses:



Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- [email protected]

* ABOUT THE NEWSLETTER IN GENERAL -- [email protected] (please mention the newsletter name in the subject line)


* PRODUCT NEWS -- [email protected]



******************** This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.


Thank you for reading Security UPDATE.

Thank you! __________________________________________________________ Copyright 2003, Penton Media, Inc.

Hide comments


  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.