Security UPDATE-- Disabling the ADODB.Stream Object--July 7, 2004

To make sure that your copy of Security UPDATE isn't mistakenly blocked by antispam software, add [email protected] to your list of allowed senders and contacts.

==== This Issue Sponsored By ====

Free Security White Paper from Postini

http://www.winnetmag.com/whitepapers/postini/emailthreats/index.cfm?code=0707securityprimary

Security Administrator

http://www.secadministrator.com/rd.cfm?code=fsep254xup

1. In Focus: Disabling the ADODB.Stream Object

2. Security News and Features

- Recent Security Vulnerabilities

- News: Firewall Permissions Code for XP SP2

- Feature: On the Net, Awareness = Safety

- Feature: Performing Forensic Analyses, Part 2

3. Security Toolkit

- FAQ

- Featured Thread

4. New and Improved

- New Security Administration Book

- Intrusion Scanner Eliminates Trojan Horses

==== Sponsor: Free Security White Paper from Postini ====

How to Preemptively Eliminate the Top 5 Email Security Threats

Are worries about spam and virus attacks to your enterprise email system keeping you up at night? See why spam and viruses are only the "tip of the iceberg" when it comes to email security threats. Learn how you can eliminate the top 5 security threats to your email system, including the silent killer -- directory harvest attacks. The good news is there's an easy and effective way to arm your organization against all threats, even the latest spam and email attacks. Find out how to completely and preemptively protect against major threats including spam, viruses, directory harvest attacks (DHA), denial-of-service (DoS) attacks, as well as internal policy violations. Download this free white paper today!

http://www.winnetmag.com/whitepapers/postini/emailthreats/index.cfm?code=0707securityprimary

==== 1. In Focus: Disabling the ADODB.Stream Object ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

Last week, I wrote about two ways to quickly and easily work around problems with Microsoft ADO databases (ADODB). One solution is a registry script from eEye Digital Security and the other is PivX Solutions' Qwik-Fix. As far as I know, both of these solutions can disable parts of ADODB. If you missed last week's newsletter, you can read about the solutions at

http://www.winnetmag.com/article/articleid/43131/43131.html

The combined attack method that I wrote about last week involves the use of the ADODB.Stream object, which Microsoft says is essentially a memory-based file. Now Microsoft has released an official fix to disable ADODB.Stream for Windows Server 2003, Windows XP, and Windows 2000. You can download the "Critical Update for Microsoft Data Access Components - Disable ADODB.Stream object from Internet Explorer" fix at:

http://www.microsoft.com/downloads/details.aspx?familyid=4d056748-c538-46f6-b7c8-2fbfd0d237e3&displaylang=en

According to the related Microsoft article "How to disable the ADODB.Stream object from Internet Explorer," the fix makes changes to the registry that prevent the ADODB.Stream object from accessing the local disk drives via Microsoft Internet Explorer (IE). However, other applications that use the object can still access the disk if necessary.

http://support.microsoft.com/?kbid=870669

In addition to installing the Microsoft fix, which I think most security professionals would recommend, you might want to consider other configuration changes to your IE installations. Another Microsoft article, "How to strengthen the security settings for the Local Machine zone in Internet Explorer," describes how to disable ActiveX controls and Java applets, prompt the user before running scripts, prompt the user before accessing a database in another zone, control how zone security is applied (e.g., per user or the same settings for all users, whether users can change those settings), and use Group Policy to control IE security zone settings. Be aware that you might experience unwanted effects (as noted in the article) when you make some of the recommended changes.

http://support.microsoft.com/?kbid=833633

Two other articles--"How to Stop an ActiveX Control from Running in Internet Explorer" and "How to Remove an ActiveX Control in Windows"--describe how to prevent IE from using particular ActiveX controls and how to remove ActiveX controls if you need to do that for whatever reason. By using some or all of the recommended IE security settings, you can significantly increase browser security

http://support.microsoft.com/?kbid=240797

http://support.microsoft.com/?kbid=154850

Microsoft said that in the coming weeks it will release a series of security updates for IE that will provide additional protection; however, the company hasn't said what those updates might actually entail. The company also said that it's working on a "comprehensive update for all supported versions of Internet Explorer \[which\] will be released once it has been thoroughly tested and found to be effective across a wide variety of supported versions and configurations of Internet Explorer."

The company also said that the upcoming XP Service Pack 2 (SP2) will better protect users against attacks and unwanted content, including downloads. So in addition to the already-mentioned fixes and configuration changes, more help is on the way.

==== Sponsor: Security Administrator ====

Try a Sample Issue of Security Administrator!

Security Administrator is the monthly newsletter from Windows & .NET Magazine that shows you how to protect your network from external intruders and control access for internal users. Sign up now to get a 1-month trial issue--you'll feel more secure just knowing you did. Click here!

http://www.secadministrator.com/rd.cfm?code=fsep254xup

==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

http://www.winnetmag.com/departments/departmentid/752/752.html

News: Firewall Permissions Code for XP SP2

Mitch Denny has written some sample code that lets developers more easily interact with the new firewall design that's part of Windows XP Service Pack 2 (SP2). Denny says that his code, FirewallPermission, "is a custom permission and associated declarative security attribute which uses the Windows Firewall COM interfaces to check whether a program has inbound access on a port enabled."

http://www.winnetmag.com/article/articleid/43096/43096.html

Feature: On the Net, Awareness = Safety

Given "phishing" (email messages that appear to be from reputable companies and that ask customers to confirm personal information such as credit card and bank account numbers), Web-site redirection, and outright browser hijack attempts, reading email and browsing the Web is fraught with dangers that passive protections such as firewalls can't really stop. David Chernicoff explains ways to help your users protect themselves.

http://www.winnetmag.com/article/articleid/43067/43067.html

Feature: Performing Forensic Analyses, Part 2

In "Performing Forensic Analyses, Part 1," http://www.winnetmag.com/article/articleid/42445/42445.html , Matt Lesko shows how to create a bootable CD-ROM that contains the Penguin Sleuth Kit and how to use that CD-ROM to create a digital copy, or image, of a compromised hard disk. In this second article, Lesko looks at how to perform a forensic analysis on that image by using the Penguin Sleuth Kit on your CD-ROM.

http://www.winnetmag.com/article/articleid/42810/42810.html

==== Announcements ====

(from Windows & .NET Magazine and its partners)

Online Resource for SQL Server DBAs and Developers

Visit the SQL Server Magazine Web site and experience a helpful resource offering the easy-to-find SQL Server solutions, news, guidance, and how-to information you're looking for. Reference lists of active forums, hot topic discussions, keyword searches, free Web seminars, FAQs, and much more. The site also features Web-exclusive columns by Itzik Ben-Gan. Check it out:

http://www.sqlmag.com

New Free Web Seminar--Securing Your Windows and Exchange Environments

Everyone has a network-configured firewall and an up-to-date antivirus scanner, yet malware attacks still happen. In this free Web seminar, Roger Grimes and Steve Bryant will address Windows Server 2003 and Exchange Server 2003 security challenges and help secure your systems the right way. Register now!

http://www.winnetmag.com/seminars/securingwindowsexchange/index.cfm?code=0705emailannc

Did You Miss the Live Microsoft Security Strategies Roadshow?

Microsoft has teamed with Avanade and Network Associates to bring you the on-demand Webcast from the Microsoft Security Strategies Roadshow tour. Join industry guru Mark Minasi and learn more about tips to secure your Windows Server 2003 and Windows 2000 network, plus more! Register now.

http://www.winnetmag.com/roadshows/computersecurity2004

==== Hot Release ====

SSL123 - New from thawte

The full 128-bit capable digital certificate issued within minutes for US$159.00. Free reissues and experienced 24/5 multi-lingual support included for the life of the certificate. Click here to read more:

http://ad.doubleclick.net/clk;9179275;9642916;c

==== 3. Security Toolkit ====

FAQ: How Can I Start the Microsoft Management Console (MMC) Active Directory Users and Computers Snap-In so That It Points to a Specific Domain Controller (DC)?

by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. When you start the Active Directory Users and Computers snap-in, it tries to connect to the nearest DC in the current domain. To connect to a specific DC, run the command:

dsa.msc /server=

You can also use this command syntax to create a shortcut to a specific DC on your desktop or on the Start menu.

Featured Thread: Removing a Backdoor IRC Bot

(Two messages in this thread)

Mike writes that one of his systems is infected with a Trojan horse program and he can't remove the Trojan horse's msrll.exe file from the infected system's %systemroot%\system32\mfm folder. He can delete the jtram.comf file from the folder, but the file is recreated soon after he deletes it. Norton AntiVirus corporate edition found the msrll.exe file but couldn't quarantine or remove it. Mike also tried removing the msr11.exe file by booting to Safe Mode but wasn't successful. He wonders if anyone can help him remove the Trojan horse.

http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=123027

==== Events Central ====

(A complete Web and live events directory brought to you by Windows & .NET Magazine: http://www.winnetmag.com/events )

Free Roadshow in Your City Soon--HP Wireless & Mobility Roadshow 2004

In this free Roadshow, you'll discover trends in the wireless and mobility industry and come away with a better understanding of wireless and mobility solutions. And, talk first hand about your wireless projects with leaders in the industry. See proven wireless and mobile solutions in action. Register now!

http://www.winnetmag.com/roadshows/mobilewireless/index.cfm?code=0705emailannc

==== 5. New and Improved ====

by Jason Bovberg, [email protected]

New Security Administration Book

Syngress Publishing published "Check Point Next Generation with Application Intelligence Security Administration" by Chris Tobkin and Daniel Kligerman. The 600-page book covers Check Point Software Technologies' Check Point Next Generation product, from simple firewall setup to advanced VPN and firewall scenarios. The book also serves as a study tool for the Check Point Certified Security Administrator (CCSA) exam. This third volume in Syngress's series about Check Point products costs $59.95. For more information, contact Syngress on the Web.

http://www.syngress.com

Intrusion Scanner Eliminates Trojan Horses

ATShield released Anti-Trojan Shield 1.2, a virus/intrusion scanner that identifies and eliminates Trojan horses running in memory, as well as infected system files and registry entries. Anti-Trojan Shield's resident monitor checks your PC each time you start up and each time you launch a program. It also checks all new files downloaded from Microsoft Internet Explorer (IE) 5.0 and 6.0, Microsoft Outlook Express, and ICQ, ensuring that no malicious code enters your computer. The software's reports and log files keep track of all the activities the program performs. Anti-Trojan Shield 1.2 runs on Windows 2003/XP/2000/Me/9x and costs $29.95. For more information, contact ATShield on the Web.

http://www.atshield.com

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected].

==== Sponsored Links ====

Argent

Comparison Paper: The Argent Guardian Easily Beats Out MOM

http://ad.doubleclick.net/clk;6480843;8214395;q?http://www.argent.com/products/download_whitepaper.cgi?product=mom&&Source=WNTTextLink

==== Contact Us ====

About the newsletter -- [email protected]

About technical questions -- http://www.winnetmag.com/forums

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]

==== Contact Our Sponsors ====

Primary Sponsor:

Postini -- http://www.postini.com -- 1-888-584-3150

Hot Release Sponsor:

thawte -- http://www.thawte.com -- 1-650-426-7400