Security UPDATE, April 9, 2003


Windows & .NET Magazine Security UPDATE--brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows Server 2003, Windows 2000, and Windows NT systems.




~~~~ SPONSOR: HFNetChkLT-FREE PATCH MGMT ON 50 CPUs. NO TIMEOUTS! ~~~~ Introducing NEW Shavlik HFNetChkLT -- the FREE version of the new HFNetChkPro 4.0, an automated scanning and remediation solution from Shavlik, the developers of HFNetChk and MBSA for Microsoft. It includes loads of new features that save time for busy security professionals while offering greater enterprise security. HFNetChkPro 4.0 automates patch remediation for Microsoft Office, Windows Server 2003, Exchange, SQL, Outlook, Java Virtual Machine and more. Its intuitive Drag-n-Drop Patch Management interface allows you to precisely control which groups will be scanned, by what criteria and when and how patches are deployed. Visit for details! ~~~~~~~~~~~~~~~~~~~~

April 9, 2003--In this issue:

1. IN FOCUS
   - Test Your Forensic-Analysis Skills

2. SECURITY RISKS
   - DoS in Opera 7 and Netscape 7.02 Browsers
   - Man-in-the-Middle Attack on Microsoft Terminal Services

3. ANNOUNCEMENTS
   - Join the HP & Microsoft Network Storage Solutions Road Show!
   - Windows & .NET Magazine Connections: Learn from the Writers You Know and Trust

4. SECURITY ROUNDUP
   - News: Report: Most Users Do Not Trust Microsoft
   - News: Microsoft Releases WPA for XP to Strengthen Wireless Security

5. SECURITY TOOLKIT
   - Virus Center
   - FAQ: How Can I Enable or Disable the User's Ability to Change File Associations?

6. NEW AND IMPROVED
   - Lock Down Systems with USB Key
   - Secure Access Through Web Browser
   - Submit Top Product Ideas

7. HOT THREADS
   - Windows & .NET Magazine Online Forums
   - Featured Thread: Export Certificates to VPN Appliances

8. CONTACT US
   - See this section for a list of ways to contact us.


1. IN FOCUS: Test Your Forensic-Analysis Skills

(contributed by Mark Joseph Edwards, News Editor, [email protected])


I've discussed the Honeynet Project in previous Security UPDATE commentaries. Last week, the project posted another "Scan of the Month," which makes information gathered from an attacked honeypot available to the public.

The Honeynet Project posts the scans to let people use their forensic-analysis skills to analyze the log files the honeypot gathered. The Azusa Pacific University (APU) Honeynet Project provided this month's scan challenge. APU deployed a honeypot on an unpatched Windows 2000 system that had a blank administrator password. Attackers and worms compromised the system numerous times, and the honeypot became part of a large "botnet."

The Honeynet Project tailored the current challenge to beginner and intermediate skill levels. After analyzing the logs, you can answer several questions and submit your answers for review. You can use several tools to help you arrive at answers. The tools the Honeynet Project recommends include Snort (an Intrusion Detection System--IDS) and Ethereal, which are packet-capture and analysis tools. You'll find links to those tools on the Scan of the Month page, and you can read more about the rules of the challenge at the URL below.

Taking part in such challenges can help hone your forensic-analysis skills. If you're already proficient, further practice can help you keep abreast of current trends--the sorts of activities currently compromising systems. Because this month's challenge addresses a compromised Win2K system, many of you might want to consider meeting the challenge. Submissions to the challenge are due no later than April 25.

Patching the Patch System

In last week's Security UPDATE, I discussed a mishap in the disclosure of a vulnerability in Sendmail. A researcher posted various details of the vulnerability to the BugTraq mailing list, and released a patched version of its application before its planned release date. I speculated and raised questions about what might have happened, and--as it turns out--I was wrong. I was missing a key fact about the situation. Reader Claus Assmann wrote to inform me about some of the missing details. At his suggestion, I also contacted Eric Allman to obtain a clearer perspective about what had transpired.

Allman took the time to offer what he knows about events--how and when they occurred. The following paragraphs present what he told me in detail.

"What we know is this: Late in the day on Tuesday, 18 March, Michal Zalewski reported a possible vulnerability to us. He included a sample case that demonstrated that there was a buffer overflow of some sort, but he had not created a 'proof of concept' exploit, nor did he speculate on the nature of the bug.

"We verified the bug that night and shortly thereafter had a first pass at a fix, which had not yet undergone code review. Code review was completed later that week.

"We then wanted to send the information to vendors so they could have a patch available. However, this was delayed due to the problems CERT was having with someone going by [the name] Hack4Life who seemed to have pretty direct access to security information going to vendors. It wasn't (and to the best of my knowledge, still isn't) clear where the leak actually was, but we had to consider at least the possibility that it was inside one of the vendors themselves. For this reason, we delayed release of the information to vendors in the hope that CERT could find and fix the problem. Our plan had been to go to vendors on Monday, 31 March ... whether or not they had succeeded.

"However, some time on the night of Friday, 28 March, someone by the name of 'nag' posted a message to vulndiscuss [a mailing list] and full-disclosure asking about a 'rumor spreading about new Sendmail vulnerability.' That message included a patch to the problem we had been working on. However, the patch that was given was quite different from the one we had come up with, so we don't believe that the patch was a leak from ourselves. At this point we have no idea where it did come from--it could even have been independently found by someone who never reported it to us.

"We decided to delay for a few hours so we could get some sleep, and we released on Saturday, 29 March. We knew that this was almost the worst possible time to release, but we felt that with the patch being distributed, it was only a matter of time before an exploit was created, and we had no idea if that would be hours, days, or even longer. As it turns out, I haven't seen an exploit in the wild today, almost a week later. Another security group [Internet Security Systems--ISS] has produced a proof-of-concept exploit, which we have not seen, but they did tell us that it was substantially harder to create than it would at first appear. Had we realized that an exploit was unlikely to have been released over the weekend, we might have delayed release until Monday, but we didn't know that at the time, and we felt that going out Saturday was as prudent as we could be. And that's what we know ..."

So there you have it, another case of an unknown source somehow gaining access to private communications and leaking details to the public prematurely. Two weeks ago, I discussed this problem as it pertains to CERT in my Security UPDATE commentary, "Security Research: A Double-Edged Sword" (see the URL below). I think most people aren't sure why someone is intercepting communications and leaking details about security vulnerabilities. But we can easily see that it places a lot of networks at risk unnecessarily. Sooner or later, if we can't plug the information leaks, one could cause serious repercussions. The situation is both ironic and challenging: The process of finding security vulnerabilities and patching them before they're compromised has itself become compromised--and must now be patched.


~~~~ SPONSOR: EXPERIENCE THE BENEFITS OF REAL TIME MONITORING ~~~~ A proactive Security Administrator installed TNT Software's ELM Enterprise Manager 3.1 on his servers to assess the benefits of real time monitoring. Within days, EEM paged him when access to a confidential file was denied, sent him an instant message when the QoS of this Exchange Server began to drop, and automatically restarted a failed service. EEM was promptly purchased. Download your FREE evaluation copy today and experience how real time monitoring will benefit YOU. ~~~~~~~~~~~~~~~~~~~~

2. SECURITY RISKS

(contributed by Ken Pfeil, [email protected])

* DoS IN OPERA 7 AND NETSCAPE 7.02 BROWSERS Marc Schonefeld discovered a vulnerability in Opera 7 and Netscape 7.02 Web browsers that can result in a Denial of Service (DoS) condition. The vulnerability stems from problems with JavaScript. Opera and Netscape haven't yet responded publicly to the problem.

* MAN-IN-THE-MIDDLE ATTACK ON MICROSOFT TERMINAL SERVICES Erik Forsberg discovered that Microsoft's RDP implementation of Terminal Services doesn't verify the server's identity when it sets up the encryption keys for the RDP session. This vulnerability can result in a potential man-in-the-middle (MITM) attack. Although Forsberg notified the company about this vulnerability on March 13, 2003, Microsoft hasn't yet responded publicly.

3. ANNOUNCEMENTS

(brought to you by Windows & .NET Magazine and its partners)

* JOIN THE HP & MICROSOFT NETWORK STORAGE SOLUTIONS ROAD SHOW! Now is the time to start thinking of storage as a strategic weapon in your IT arsenal. Come to our 10-city Network Storage Solutions Road Show, and learn how existing and future storage solutions can save your company money--and make your job easier! There is no fee for this event, but space is limited. Register today!

* WINDOWS & .NET MAGAZINE CONNECTIONS: LEARN FROM THE WRITERS YOU KNOW AND TRUST Our event includes in-depth coverage by the world's top gurus on Windows security. Eye-opening sessions include Keeping Up with Service Packs and Security Patches, Implementing Security with Group Policy, Defending Your Networks by Planning Your Own "Hack Attack," Using Event Logs to Identify Intruder Activity, Securing Wireless LANs, Managing AD Security with ADSI and WSH, Making IIS a Secure Web Server, and more. Register today!

4. SECURITY ROUNDUP

* NEWS: REPORT: MOST USERS DO NOT TRUST MICROSOFT A recent Forrester Research survey brings an ugly truth to the forefront: The majority of IT administrators currently working with Microsoft products don't trust the company or believe it can produce secure software. According to the survey, 77 percent of respondents don't trust Microsoft but 90 percent still deploy Microsoft software in mission-critical applications.

* NEWS: MICROSOFT RELEASES WPA FOR XP TO STRENGTHEN WIRELESS SECURITY Microsoft announced the release of an update for Windows XP that introduces the Wi-Fi Protected Access (WPA) for stronger security over wireless LAN (WLAN) connections.

5. SECURITY TOOLKIT

* VIRUS CENTER Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.

* FAQ: How Can I Enable or Disable the User's Ability to Change File Associations? (contributed by John Savill)

A. You can configure the user's computer to enable or disable the ability to change file associations by performing the following steps:

1. Start a registry editor (e.g., regedit.exe).
2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer registry subkey to configure the computer for all users, or navigate to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies registry subkey to configure the computer for the current user. If neither subkey exists, open the Edit menu and select New, Key to create it.
3. From the Edit menu, select New, DWORD Value.
4. Enter the name NoFileAssociate.
5. Set the value to 1 to disable the user's ability to change file associations (this setting doesn't affect Power Users and Administrators); a value of 0 or a missing value lets the user change file associations.
6. Click OK.
7. Close the registry editor.
8. Restart the computer for the changes to take effect.
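The same procedure as an added PowerShell example (not part of Savill's FAQ, which uses regedit): it creates the policy subkey when missing, writes the NoFileAssociate DWORD, and audits both scopes so you can confirm the setting before the reboot the FAQ calls for. It assumes the user-scope value lives in an Explorer subkey under the HKCU Policies key named in step 2, mirroring the HKLM path; the hive paths and the Power Users/Administrators exemption are as the FAQ states.

```powershell
# Added example: set or audit the NoFileAssociate policy from the FAQ above.
# Assumption: the per-user value sits under ...\Policies\Explorer in HKCU,
# the same Explorer subkey the FAQ names under HKLM.
$PolicyPaths = @{
    Machine = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
    User    = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
}

function Set-FileAssociationLock {
    param(
        [ValidateSet('Machine', 'User')][string]$Scope = 'Machine',
        [bool]$Locked = $true
    )
    $path = $PolicyPaths[$Scope]
    # Step 2: create the subkey if it does not exist yet.
    if (-not (Test-Path $path)) { New-Item -Path $path -Force | Out-Null }
    # Steps 3-5: a DWORD named NoFileAssociate; 1 locks, 0 unlocks.
    # Power Users and Administrators are not affected by this value.
    New-ItemProperty -Path $path -Name 'NoFileAssociate' -Value ([int]$Locked) `
        -PropertyType DWord -Force | Out-Null
}

function Get-FileAssociationLock {
    # Report both scopes; a missing value means the user may change associations.
    foreach ($scope in $PolicyPaths.Keys) {
        $path = $PolicyPaths[$scope]
        $v = (Get-ItemProperty -Path $path -Name 'NoFileAssociate' `
                -ErrorAction SilentlyContinue).NoFileAssociate
        [pscustomobject]@{
            Scope  = $scope
            Path   = $path
            Value  = $v
            Locked = ($v -eq 1)
        }
    }
}

# Usage: lock for all users (needs administrative rights), then audit.
# Set-FileAssociationLock -Scope Machine -Locked $true
Get-FileAssociationLock
# Step 8 still applies: restart the computer for the change to take effect.
```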

6. NEW AND IMPROVED

(contributed by Sue Cooper, [email protected])

* LOCK DOWN SYSTEMS WITH USB KEY imagine LAN announced LockDown Key, software that turns any standard USB flash drive into a security key, protecting the system from illegal access and theft. You first establish an administrator logon ID and password on the target system, then prepare the key with the LockDown Key security preparation utility, which enables security parameters and generates the key. All other users and administrators are then locked out of the system. Creating new keys automatically invalidates old keys. LockDown Key supports Windows XP/2000, and it's expected to cost about $29 per device license when it ships this quarter. Contact imagine LAN at 800-372-9776 or 603-889-3883.

* SECURE ACCESS THROUGH WEB BROWSER Whale Communications released the e-Gap Remote Access Appliance Advanced Edition (AE), an integrated hardware/software appliance to protect corporate data that users access from Web browsers at untrusted locations such as airport kiosks and Internet cafes. The appliance uses Secure Sockets Layer (SSL) VPN technology, which doesn't require the client software that an IP Security (IPSec) VPN requires. Features include an attachment wiper to remove all information recorded by a browser during a session; nonintrusive user timeouts; a secure logoff to ensure that credentials aren't cached at the client machine; and forced periodic reauthentication to ensure that users reauthenticate regularly. Pricing for the e-Gap Remote Access Appliance AE starts at $23,000. Contact Whale Communications at 877-659-4253 or 201-947-9177.

* SUBMIT TOP PRODUCT IDEAS Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected]

7. HOT THREADS: Windows & .NET Magazine Online Forums

Featured Thread: Export Certificates to VPN Appliances (Three messages in this thread)

A user wants to know whether anyone has used Microsoft Certificate Server to generate certificates for third-party VPN appliances. The user says he keeps stumbling over the problem that the private keys can't be exported, so he can't generate Public-Key Cryptography Standard #12 (PKCS#12) containers. Lend a hand or read the responses:

8. CONTACT US

Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- [email protected]

* ABOUT THE NEWSLETTER IN GENERAL -- [email protected] (please mention the newsletter name in the subject line)


* PRODUCT NEWS -- [email protected]



This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!

Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.


Thank you for reading Security UPDATE.

Copyright 2003, Penton Media, Inc.
