Security UPDATE, July 23, 2003
Windows & .NET Magazine Security UPDATE--July 23, 2003
1. In Focus: Critical Patches; and a Different Kind of Full Disclosure
2. Security Risks
   - DoS in Cisco IOS
   - Buffer Overrun in RPC Interface Could Allow Code Execution
   - Unchecked Buffer in Windows Shell Could Enable System Compromise
   - Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting
3. Announcements
   - Windows Scripting Solutions for the Systems Administrator
   - Take Our Brief Active Directory Survey!
4. Security Roundup
   - News: Microsoft Releases Three New Patches: One Critical, Two Important
   - News: Microsoft Loses Key DRM Battle
   - News: OASIS to Help Describe Web Vulnerabilities
   - News: Honeynet Affiliates Help Dampen Credit Card Fraud
   - News: Sophos Warns Users About Invasive Software
   - News: Homeland Security Picks Microsoft, Dell
5. Instant Poll
   - Results of Previous Poll: Handling Spam
   - New Instant Poll: Cisco IOS Software Vulnerability
6. Security Toolkit
   - Virus Center
   - Virus Alert: Gruel.B
   - FAQ: How Can I Make Sure That No One Logs On by Using the Windows NT Service Accounts That My Company's Critical Applications Use?
7. Event
   - New--Mobile & Wireless Road Show!
8. New and Improved
   - Destroy Viruses
   - Enforce Password Policies
   - Submit Top Product Ideas
9. Hot Thread
   - Windows & .NET Magazine Online Forums
   - Featured Thread: Hacktool: Rootkit
10. Contact Us
   See this section for a list of ways to contact us.
==== 1. In Focus: Critical Patches; and a Different Kind of Full Disclosure ====
by Mark Joseph Edwards, News Editor, [email protected]
You probably know by now about two serious vulnerabilities in Windows and Cisco Systems IOS software that could lead to significant problems for a vast majority of networks. The Windows problem relates to remote procedure calls (RPCs); an unchecked buffer could lead to a system or network compromise. Microsoft issued a patch for the problem, which affects Windows Server 2003, Windows XP, Windows 2000, and Windows NT (including NT Server 4.0, Terminal Server Edition--WTS). Because the problem affects four OS platforms, the potential for mass disruption is fairly significant. You can learn more about it in the related article, "Buffer Overrun in RPC Interface Could Allow Code Execution," in this edition of Security UPDATE.
Even more threatening is the problem with Cisco IOS software, which runs on a large number of devices including many of the routers that serve as gateways across the Internet. Cisco reported that a Denial of Service (DoS) condition exists whereby all Ethernet interfaces could become unresponsive and stop processing inbound traffic. The problem could also lead to an inability to remotely access a device. If your Cisco devices use IOS software, you should read Cisco's bulletin regarding this matter and upgrade your IOS software accordingly. The bulletin is linked in our article, "DoS in Cisco IOS," in this edition of Security UPDATE.
The Polish group that discovered the RPC problem, The Last Stage of Delirium Research Group, chose not to divulge technical details about the discovery at this time. Because so many systems could be compromised if exploit details were easy to come by, that's probably a wise choice. However, the group routinely publishes technical details and code that others can use to verify or demonstrate a given security problem, so the group is likely to release information about its latest discovery eventually. Windows users have a window of opportunity to patch their systems before the group releases details or some other entity figures out how to exploit the RPC problem and publishes details. Full disclosure is almost inevitable, so be sure to either patch your systems or find a way to work around the problem.
The media recently brought to light a twist on the matter of full disclosure. This twist deals with the security of underlying network technologies, not the top-level systems themselves. The "Washington Post" reports that George Mason University graduate student Sean Gorman's dissertation has drawn attention from those involved with national security. http://www.washingtonpost.com/wp-dyn/articles/A23689-2003Jul7.html
Gorman's dissertation involves a detailed map of networks across the country. One can use the map to drill down and gain an array of details about a given network. For example, according to the "Washington Post" report, Gorman can click on a bank in Manhattan and see who has communication lines connected to that bank, or he can click on a trucking warehouse in Baltimore and determine its choke points.
The implications of his map are staggering. According to Richard Clarke, former US special advisor for cyberspace security, "He [Gorman] should turn it in to his professor, get his grade, and then they both should burn it." However, if Gorman can create such a map, others can as well. More importantly, others might have done so already.
Many consider full disclosure a problem, and sometimes it is. However, often (perhaps in most cases), it serves a worthwhile purpose. In Gorman's case, he's now involved in a dilemma: Will his PhD dissertation become "classified information"? If it does, can he still obtain his degree?
Some argue that in Gorman's case, security through obscurity isn't much security at all. In the information security world, people make the same argument. After all, if people don't know about vulnerabilities, they might well be overly exposed without knowledge about that exposure. Knowing about problems lets people address them and defend themselves. On the other hand, full disclosure also gives intruders knowledge they might not have been able to obtain otherwise. Clearly, timing and coordination of information release is a concern.
According to an article in the "Dallas Morning News," Bruce Schneier, founder and CTO of Counterpane Internet Security, said (about information security vulnerability disclosure), "What we've learned during the past eight or so years is that full disclosure helps much more than it hurts. Since full disclosure has become the norm, the computer industry has transformed itself from a group of companies that ignores security and belittles vulnerabilities into one that fixes vulnerabilities as quickly as possible."
I think you'll agree that Schneier is right. But consider the vulnerability information Gorman has collected. Protecting physical communication infrastructure isn't nearly as simple as correcting program code. Quite a dilemma indeed.
==== 2. Security Risks ====
contributed by Ken Pfeil, [email protected]
DoS in Cisco IOS
Cisco Systems reported a Denial of Service (DoS) condition in its IOS software that occurs when the software is configured to use IP version 4 (IPv4). A sequence of specially crafted IPv4 packets can cause the input interface to stop processing traffic when the input queue is full, thereby causing the router to stop processing inbound traffic. Cisco has made new IOS software code available. For links to the software and bulletin as well as additional information, visit the URL below.
http://www.secadministrator.com/articles/index.cfm?articleid=39610

Buffer Overrun in RPC Interface Could Allow Code Execution
The Last Stage of Delirium Research Group discovered that a buffer-overrun condition in the remote procedure call (RPC) interface can result in the execution of arbitrary code on the vulnerable computer. This condition stems from a flaw in the way malformed messages are handled. By exploiting this flaw, an attacker would be able to run code with Local System privileges on the vulnerable system. Microsoft has released security bulletin MS03-026 (Buffer Overrun In RPC Interface Could Allow Code Execution), which addresses this vulnerability, and recommends that affected users apply the appropriate patch listed in the bulletin.
http://www.winnetmag.com/windowsserver2003/index.cfm?articleid=39617

Unchecked Buffer in Windows Shell Could Enable System Compromise
An unchecked buffer exists in one of the functions that the Windows shell uses to extract custom attribute information from certain folders. This problem could result in the execution of arbitrary code on the vulnerable computer. The vendor, Microsoft, has released security bulletin MS03-027 (Unchecked Buffer in Windows Shell Could Enable System Compromise), which addresses this vulnerability, and recommends that affected users apply the appropriate patch listed in the bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=39616

Flaw in ISA Server Error Pages Could Allow Cross-Site Scripting
A cross-site scripting vulnerability in some of Microsoft Internet Security and Acceleration (ISA) Server 2000's custom error pages could result in the execution of arbitrary code on the vulnerable computer. The vendor, Microsoft, has released security bulletin MS03-028 (Flaw in ISA Server Error Page Could Allow Cross-Site Scripting Attack), which addresses this vulnerability, and recommends that affected users apply the appropriate patch listed in the bulletin.
http://www.secadministrator.com/articles/index.cfm?articleid=39615
==== 3. Announcements ====
(from Windows & .NET Magazine and its partners)
Windows Scripting Solutions for the Systems Administrator You might not be a programmer, but that doesn't mean you can't learn to create and deploy timesaving, problem-solving scripts. Discover Windows Scripting Solutions, the monthly print publication that helps you tackle common problems and automate everyday tasks with simple tools, tricks, and scripts. Try a sample issue today at http://www.winscriptingsolutions.com/rd.cfm?code=fsei263xup
Take Our Brief Active Directory Survey! Windows & .NET Magazine would like to know how your organization uses Active Directory. Your feedback will be kept absolutely confidential, so take our brief survey today! http://www.zoomerang.com/survey.zgi?SR9V871GEDPDXA8232G9XG8S
==== 4. Security Roundup ====
Microsoft Releases Three New Patches: One Critical, Two Important Microsoft released three security bulletins regarding three problems in Windows platforms. Microsoft considers one patch "critical" and the other two "important." http://www.secadministrator.com/articles/index.cfm?articleid=39594
Microsoft Loses Key DRM Battle In a strangely unpublicized case, Microsoft found itself last week on the losing end of a ruling in a critical Digital Rights Management (DRM) battle with InterTrust, a DRM company that's suing the software giant for almost 150 counts of patent infringement. http://www.secadministrator.com/articles/index.cfm?articleid=39596
OASIS to Help Describe Web Vulnerabilities OASIS, a nonprofit standards body, is creating an open data format to help describe Web security vulnerabilities. OASIS designed the specification to be used for assessment and protection tools. http://www.secadministrator.com/articles/index.cfm?articleid=39586
Honeynet Affiliates Help Dampen Credit Card Fraud The Honeynet Project recently released a new "Know Your Enemy" paper that describes how project affiliates gained new insight into credit card fraud. http://www.secadministrator.com/articles/index.cfm?articleid=39585
Sophos Warns Users About Invasive Software Antivirus maker Sophos is warning users about an email message spreading around the Internet that invites users to view video files. To do so, they must first install an Internet Optimizer whose end user license agreement (EULA) gives the originating software company extensive rights. http://www.secadministrator.com/articles/index.cfm?articleid=39579
Homeland Security Picks Microsoft, Dell The US Department of Homeland Security has agreed to a 6-year enterprise contract for Microsoft software that Dell will support. According to the PC maker, Dell will support 144,000 department employees using Microsoft server, OS, and application software. http://www.secadministrator.com/articles/index.cfm?articleid=39583
==== 5. Instant Poll ====
Results of Previous Poll: Handling Spam
The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "Which is the best approach to handling spam?" Here are the results from the 205 votes.
- 22% Networks should operate their own filtering technology
- 64% Users should have to "opt-in" to receive spam from a given source
- 7% Users should have to "opt-out" to not receive spam from a given source
- 6% Other (email your idea to [email protected])
(Deviations from 100 percent are due to rounding.)
New Instant Poll: Cisco IOS Software Vulnerability The next Instant Poll question is, "Did your network experience problems as a result of the recently reported Cisco IOS software vulnerability?" Go to the Security Administrator Channel home page and submit your vote for a) Yes--We experienced a Denial of Service (DoS) because of the attack, b) We experienced downtime but only because of an IOS upgrade, c) No, or d) Not sure. http://www.secadministrator.com
==== 6. Security Toolkit ====
Virus Center Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda
Virus Alert: Gruel.B
W32/Gruel.B is a highly damaging worm with actions that include removing numerous key files from infected computers. Gruel.B reaches computers in an email message that's easily recognized because the subject includes the phrase: "Symantec: New Serious Virus Found," and the message text reads "Norton Security Response: has detected a new virus in the Internet. For this reason we made this tool attachement [sic] to protect your computer from this serious virus. Due to the number of submissions received from customers, Symantec Security Response has upgraded this threat to a Category 5 (Maximum)." To learn more about Gruel.B, read about it on Panda's Web site.
http://www.pandasoftware.com/about/press/viewnews.aspx?noticia=3922
FAQ: How Can I Make Sure That No One Logs On by Using the Windows NT Service Accounts That My Company's Critical Applications Use? contributed by John Savill, http://www.windows2000faq.com
A. An easy way you can restrict use of the service accounts is by linking a logon script that calls logoff.exe with the /F and /N parameters specified to the accounts. (Logoff.exe comes bundled with the "Microsoft Windows NT Server 4.0 Resource Kit.") The /F parameter forces processes to close when logoff.exe is executed. The /N parameter forces processes to close without confirmation when logoff.exe is executed. When you protect an account with logoff.exe and the two parameters, anyone who attempts to log on interactively with the account will immediately be logged off. For this solution to work, you obviously must make sure that the tool is available on all machines in your domain.
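As an added illustration (not part of the FAQ answer), a logon script that records the attempted interactive logon before calling logoff.exe with /F and /N, and that flags the case the answer warns about, a machine where the tool is missing. The share \\LOGSRV\svclog$ and the tool's location in %SystemRoot%\System32 are assumptions.

```batch
@echo off
rem Added example logon script for a Windows NT service account; assumptions:
rem logoff.exe from the NT 4.0 Resource Kit was copied to %SystemRoot%\System32
rem on every machine, and \\LOGSRV\svclog$ is a write-only audit share.
setlocal
set LOGSHARE=\\LOGSRV\svclog$
set TOOL=%SystemRoot%\System32\logoff.exe

rem Build a timestamp with date /t and time /t so the script also works on
rem NT 4.0, whose cmd.exe does not expand %DATE% and %TIME%.
for /f "tokens=*" %%a in ('date /t') do set TODAY=%%a
for /f "tokens=*" %%a in ('time /t') do set NOW=%%a

rem Record who tried to use the account, from where and when, before the
rem session is torn down; the logoff itself leaves no such record.
echo %TODAY% %NOW% user=%USERDOMAIN%\%USERNAME% host=%COMPUTERNAME% interactive-logon-blocked>> "%LOGSHARE%\%USERNAME%.log" 2>nul

if not exist "%TOOL%" goto missing

rem /F closes running processes, /N suppresses the confirmation prompt, so
rem the account is logged off immediately.
"%TOOL%" /F /N
goto end

:missing
rem The protection depends on the tool being present on this machine; leave a
rem loud marker so the gap is noticed rather than failing silently.
echo %TODAY% %NOW% WARNING logoff.exe missing on %COMPUTERNAME%, account %USERNAME% was not logged off>> "%LOGSHARE%\missing-tool.log" 2>nul

:end
endlocal
```

Review the missing-tool.log periodically: any entry there is a machine where the service account is still usable interactively.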
==== 7. Event ====
New--Mobile & Wireless Road Show! Learn more about the wireless and mobility solutions that are available today! Register now for this free event! http://www.winnetmag.com/roadshows/wireless
==== 8. New and Improved ====
by Sue Cooper, [email protected]
Destroy Viruses Global Hauri announced ViRobot Expert 4.5, desktop and server software to protect your systems against viruses, spam, and spyware. Its antivirus feature detects unknown computer viruses and moves them into a virtual directory in Windows to prevent infection. Known viruses are destroyed rather than quarantined. The antispam feature uses three filters to examine the subject line, mail content, and attachments. ViRobot Expert 4.5 runs in Windows Explorer and supports Logs, Backup Bin, Inbox, and Configuration functions. The application supports Windows XP/2000 Professional/NT Workstation/Me/98/95. Contact Global Hauri at 408-232-5463 or [email protected] http://www.globalhauri.com
Enforce Password Policies Little cat Z released Password Defender 2.2c, password policy enforcement for Windows NT and Active Directory (AD) networks. The software's creators first wrote their own password cracker, then systematically worked out password policy rules to prevent it from working. The software combines password cracking (to find existing weak passwords) and password filtering (to prevent creation of additional weak passwords). Its policy-based system lets you apply different password-strength rules to different Windows 2000/NT groups. New features include support for high-speed custom dictionaries and support for Terminal Services. Contact London-based Little cat Z at [email protected] http://www.littlecatz.com
Submit Top Product Ideas Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected]
==== 9. Hot Thread ====
Windows & .NET Magazine Online Forums http://www.winnetmag.com/forums
Featured Thread: Hacktool.Rootkit (Three messages in this thread)
A user writes that he has a Windows 2000 Server running a particular Web application. The server has Symantec antivirus software installed, and the server is behind a Cisco Systems PIX firewall. Someone has planted the hacktool.rootkit Trojan horse on the server. When an administrator logs on to the console, Symantec antivirus real-time protection quarantines the iexplore.dll file. Each time someone logs on to the local console, iexplore.dll is recreated and planted in the WINNT\System32 directory. Can he remove the Trojan horse without having to rebuild the server? Lend a hand or read the responses: http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=61176
This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing Windows and related technologies. Subscribe today. http://www.secadministrator.com/sub.cfm?code=saei25xxup
==== 10. Contact Us ====
About the newsletter -- [email protected]
About technical questions -- http://www.winnetmag.com/forums
About product news -- [email protected]
About your subscription -- [email protected]
About sponsoring Security UPDATE -- [email protected]

Thank you!
Copyright 2003, Penton Media, Inc.