
Security UPDATE, June 26, 2002

Windows & .NET Magazine Security UPDATE—brought to you by Security Administrator, a print newsletter bringing you practical, how-to articles about securing your Windows .NET Server, Windows 2000, and Windows NT systems.
http://www.secadministrator.com


THIS ISSUE SPONSORED BY

Real-World Strategies for Infrastructure Success
http://www.ibm.com/e-business/playtowin/n92

St. Bernard, maker of the iPrism Web Filtering Appliance
http://www.stbernard.com/products/targetpages/win2kN2-ip.asp
(below COMMENTARY)


SPONSOR: REAL-WORLD STRATEGIES FOR INFRASTRUCTURE SUCCESS

How do you make certain that only authorized people are able to gain access to your vital business systems? Learn how to make security and privacy a seamless part of your infrastructure strategy with our white paper, "Linking Security Needs to e-business Evolution." You'll find out how, as your e-business evolves, centrally managing your security and privacy issues becomes essential to maintaining trusted, long-standing business relationships. IBM has the knowledge, experience and global resources to help you and your partners work with peace of mind while remaining focused on your core business issues. Let us help you get started building a tailored security solution for your organization by signing up to receive your complimentary copy at
http://www.ibm.com/e-business/playtowin/n92


June 26, 2002—In this issue:

1. IN FOCUS

  • Is Open Source Software Patently Insecure?
  • Editor's Note

2. SECURITY RISKS

  • Apache Web Server Chunk-Handling Vulnerability
  • Multiple Vulnerabilities in Microsoft Word and Microsoft Excel
  • Buffer-Overrun Vulnerability in Microsoft SQL Server 2000

3. ANNOUNCEMENTS

  • Windows Scripting Solutions for the Systems Administrator
  • Attend Black Hat Briefings & Training, July 29 through August 1, Las Vegas

4. SECURITY ROUNDUP

  • News: Microsoft Inadvertently Ships Nimda Virus in Korean Visual Studio .NET
  • Feature: Patience Is Key
  • Feature: Secure Your System

5. INSTANT POLL

  • Results of Previous Poll: IM Add-Ons
  • New Instant Poll: Is Open Source Software Less Secure?

6. SECURITY TOOLKIT

  • Virus Center
  • FAQ: How Can I Force Windows XP to Reapply a Custom Policy Every Time a User Logs On?

7. NEW AND IMPROVED

  • Enhanced Virus Scanner
  • PnP Policy Enforcer
  • Submit Top Product Ideas

8. HOT THREADS

  • Windows & .NET Magazine Online Forums
    • Featured Thread: Accessing a VPN Through an ISA Server
  • HowTo Mailing List
    • Featured Thread: Strange URL

9. CONTACT US

  • See this section for a list of ways to contact us.

1. IN FOCUS
(contributed by Mark Joseph Edwards, News Editor, [email protected])

  • IS OPEN SOURCE SOFTWARE PATENTLY INSECURE?

  • Do you use open source software (OSS) such as Linux or Apache? If you do, you might be interested in what some industry insiders say about open-source code and security. On May 30, the Alexis de Tocqueville Institution (AdTI) released a white paper, "Opening the Open Source Debate," that discusses how OSS could present a serious national-security problem. According to a press release on the institution's Web site, the issue of using OSS becomes complex "particularly if federal agencies such as the Department of Defense or the Federal Aviation Administration use software that inherently requires that its blueprints, source code and architecture is made widely available to any person interested—without discretion." You can read about the matter at the press release link below. However, if you want to read the white paper, you'll have to fork over $5.95.
    http://www.adti.net/html_files/defense/opensource_pressrelease_05_30_2002.html

    According to AdTI, the white paper "outlines how open source might facilitate efforts to disrupt or sabotage electronic commerce, air traffic control or even sensitive surveillance systems. Unlike proprietary software, open source software does not make the underlying code of a software confidential." Interestingly enough, AdTI reportedly receives funding from companies, such as Microsoft, who compete with OSS. The white paper's release comes not too long after military officials threatened to stop using Windows unless Microsoft does more to address the number of bugs in its code and changes the way it handles patches. The AdTI press release further states that computer systems form the backbone of US national security and that before "the Pentagon and other federal agencies make uninformed decision to alter the very foundation of computer security, they should study the potential consequences carefully."

    What consequences? If OSS really is less secure than closed source software such as Windows, why can attackers discover new security problems in Windows and other Microsoft products almost weekly? I fail to understand the arguments AdTI outlines in the press release, but I do understand that obscurity gains very little computer security. It's never been proven that openly offering source code makes using that code more of a risk. In fact, statistics reflect about as many reported security vulnerabilities in the various Linux distributions as are reported in Windows. So the debate AdTI presents is beside the point because the question of security regarding open-source code has been playing out for years. Whether source code is open or closed isn't the issue. If anyone's software contains a security bug, attackers will eventually find it.
    http://online.securityfocus.com/sfonline/vulns/stats.shtml

    Sure, having source code makes finding security problems a bit easier, and attackers do pore over open-source code looking for problems—that's part of what open-source projects are about. Microsoft could probably improve the security of its code by making the source open to the public. But to date, the company isn't inclined to do that. Add to that situation the fact that Microsoft has angered loads of people through its aggressive marketing practices. Attackers have responded by working hard to discover and exploit security problems in Microsoft software—and, of course, they do that routinely without access to the source code.

    Some of the most dangerous and expensive exploits ever launched (e.g., Melissa, Nimda, Code Red) have been propagated through the closed source Windows OS and through other Microsoft software. In fact, so many viruses and worms target Microsoft Outlook clients that I sometimes think that a company could reduce its overall security budget (and aspirin budget) by simply not using Outlook software. In USA TODAY, John Gilligan, Air Force chief information officer (CIO), argued that installing patches and fixes on Microsoft products actually costs the Air Force more than the products themselves.
    http://www.usatoday.com/life/cyber/tech/2002/06/17/microsoft-security.htm

    A given software package's security level often depends on obtainable knowledge: Who can find out about an unpatched vulnerability? Debates about open source won't change that situation. Right now, government officials are considering exempting security vulnerability information—if it's reported to the government—from the Freedom of Information Act (FOIA). That's interesting, but by itself, that change in the law won't support better computer security unless people are required to report all vulnerabilities to the government first. Obviously, making that happen would require still other laws that would lead to significant changes in the way people use software in general. (For more information about the FOIA proposal, read the interview with presidential cybersecurity adviser Richard Clarke in CIO Magazine at the URL below.)
    http://www.cio.com/archive/061502/safer.html

    Microsoft's .NET model could help facilitate better security through automation, but that requires that people actually use Microsoft products. With the government balking at Microsoft's practices, the company has to do something before major customers (such as the US military) jump ship in favor of non-obscure open-source products for which public teamwork drives quality. The AdTI white paper might do more to hurt than help Microsoft's situation.

  • EDITOR'S NOTE

  • We need your help to make this and other email newsletters from Windows & .NET Magazine as useful to you as they can be. To help us with our editorial planning, please answer the Windows & .NET Magazine Network Email Newsletter & Web Site Survey, available at the following URL. If you provide your email address at the end of the survey, we'll put your name in a drawing for a Windows & .NET Magazine T-shirt. Thank you! We appreciate your help.
    http://www.zoomerang.com/survey.zgi?QN1V072PTHGA5PGS9R9LGR5R

    SPONSOR: IPRISM, PC MAG EDITORS' CHOICE FOR WEB FILTERING

    PC Magazine tested 12 leading Web filtering solutions and selected the iPrism Filtering Appliance best for business use. They concluded, "iPrism's the best return on a busy network administrator's time and money." See if it might be best for you plus download FREE tools like a Web filtering ROI Calculator and white papers such as 'Creating an Internet Acceptable Use Policy' and 'Special Report: The 7 Approaches to Web Filtering' at:
    http://www.stbernard.com/products/targetpages/win2kN2-ip.asp


    2. SECURITY RISKS
    (contributed by Ken Pfeil, [email protected])

  • Apache Web Server Chunk-Handling Vulnerability

  • Mark Litchfield of Next Generation Security Software discovered a vulnerability in Apache Web servers that can lead to arbitrary code execution on the vulnerable system. The vulnerability stems from a flaw in the handling of certain chunk-encoded HTTP requests that lets a remote attacker execute arbitrary code or cause a Denial of Service (DoS) condition. The vendor, Apache, has released a detailed advisory about this vulnerability and recommends that affected users either apply an OEM-supplied patch or upgrade immediately to a newer version of Apache software available from Apache's Web site.
    http://www.secadministrator.com/articles/index.cfm?articleid=25655

  • Multiple Vulnerabilities in Microsoft Word and Microsoft Excel

  • Darryl Higa of dH team discovered multiple vulnerabilities in Microsoft Excel, Office XP, and Word for Windows, all of which let an attacker execute macro code on the vulnerable system. The vulnerabilities relate to macros, HTML scripts, and mail merge. Microsoft has released Microsoft Security Bulletin MS02-031 (Cumulative Patches for Excel and Word for Windows) to address these vulnerabilities and recommends that affected users download and apply the appropriate patch described in the bulletin. These patches are cumulative and address all previously discovered vulnerabilities in the affected products.
    http://www.secadministrator.com/articles/index.cfm?articleid=25674

  • Buffer-Overrun Vulnerability in Microsoft SQL Server 2000

  • Mark Litchfield of Next Generation Security Software discovered a vulnerability in Microsoft SQL Server 2000 when used in conjunction with the Microsoft Jet 4.0 database engine that can lead to an attacker executing arbitrary code on the vulnerable system. This vulnerability stems from a remotely exploitable buffer overrun in the OpenDataSource function. Microsoft recommends that affected users apply the patch mentioned in the Microsoft article "ACC2002: Updated Version of Microsoft Jet 4.0 Available in Download Center."
    http://www.secadministrator.com/articles/index.cfm?articleid=25673
    http://support.microsoft.com/default.aspx?scid=kb;en-us;q282010

    3. ANNOUNCEMENTS
    (brought to you by Windows & .NET Magazine and its partners)

  • WINDOWS SCRIPTING SOLUTIONS FOR THE SYSTEMS ADMINISTRATOR

  • So, you're not a programmer, but that doesn't mean you can't learn to create and deploy timesaving, problem-solving scripts. Discover Windows Scripting Solutions online, the Web site that can help you tackle common problems and automate everyday tasks with simple tools, tricks, and scripts. While you're there, check out this article ( http://www.winscriptingsolutions.com/articles/index.cfm?articleid=20376 ) on WMI scripting for beginners!
    http://www.winscriptingsolutions.com

  • ATTEND BLACK HAT BRIEFINGS & TRAINING, JULY 29 THROUGH AUGUST 1, LAS VEGAS

  • This is the world's premier technical security event! Includes 8 tracks, 12 training sessions, a Richard Clarke keynote, 1500 delegates from 30 nations, and lots of new sessions and sponsors just added. Some classes are near sellouts. See what the buzz is about for yourself. Visit:
    http://www.blackhat.com

    4. SECURITY ROUNDUP

  • NEWS: Microsoft Inadvertently Ships Nimda Virus in Korean Visual Studio .NET

  • Microsoft inadvertently shipped the Nimda virus in its Korean version of Visual Studio .NET. The virus was embedded in a compiled Help file, which a Korean subcontractor supplied. Microsoft said it hadn't scanned the Help file thoroughly, and the virus remained undetected until the product had already shipped. A Microsoft employee subsequently detected the virus.
    http://www.secadministrator.com/articles/index.cfm?articleid=25672

  • FEATURE: Patience Is Key

  • From the description of how to create a password reset disk, you might think that requiring the user's current password implies that administrators can't access a user's encrypted files. Such isn't the case, however. Remember that Encrypting File System (EFS) lets you define a data-recovery agent. The data-recovery agent can decrypt any file on the computer.
    http://www.secadministrator.com/articles/index.cfm?articleid=25484

  • FEATURE: Secure Your System

  • Unless you work for the government, the military, or an incredibly security-conscious organization, you probably don't maintain an "air gap" (i.e., a total disconnection) between your computer and the outside world. If you're connected to the Internet, you're vulnerable. Read what Gregory W. Smith has to say about securing your computer.
    http://www.secadministrator.com/articles/index.cfm?articleid=25388

    5. INSTANT POLL

  • RESULTS OF PREVIOUS POLL: IM ADD-ONS

  • The voting has closed in Windows & .NET Magazine's Security Administrator Channel nonscientific Instant Poll for the question, "If your organization permits Instant Messaging (IM) software use, do you use security add-ons?" Here are the results (+/- 2 percent) from the 89 votes:
    • 17% Yes—We use IM software plus an antivirus add-on
    • 3% Yes—We use IM software plus an encrypted-transport add-on
    • 4% Yes—We use IM software plus antivirus and encrypted-transport add-ons
    • 75% No—We use IM software without security add-ons

  • NEW INSTANT POLL: IS OPEN SOURCE SOFTWARE LESS SECURE?

  • The next Instant Poll question is, "Do you think that open source software (OSS) is less secure than closed source software, such as Windows?" Go to the Security Administrator Channel home page and submit your vote for a) Yes, b) No, or c) Not sure.
    http://www.secadministrator.com

    6. SECURITY TOOLKIT

  • VIRUS CENTER

  • Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security.
    http://www.secadministrator.com/panda

  • FAQ: How can I force Windows XP to reapply a custom policy every time a user logs on?

  • (contributed by John Savill, http://www.windows2000faq.com)

    A. Custom policies (also known as preferences) consist of custom .adm files. You typically apply these custom policies when you first create them and when you modify them. As a result of modification, the cached list of Group Policy Objects (GPOs) eventually doesn't match the current list. Therefore, if a user succeeds in changing the settings that the custom policy invokes (e.g., using Desktop settings, Control Panel), XP won't reapply that custom policy the next time the user logs on. However, you can configure the OS to reapply the custom policy every time a user logs on or a machine starts by performing the following steps:

    1. Start a registry editor (e.g., regedit.exe).
    2. Navigate to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions\<GUID of the policy> subkey.
    3. Double-click the NoGPOListChanges value (or create this value of type DWORD if it's missing), set the value to 0, and click OK.
    4. Close the registry editor.

    Setting the value back to 1 tells the OS that it doesn't need to call the callback function to reload the policy when no change occurs (the default behavior).

    This registry change has the same effect as setting the "Process even if the Group Policy objects have not changed" option in the Microsoft Management Console (MMC) Computer Configuration snap-in under the Administrative Templates, System, Group Policy section.
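
The registry steps above can also be audited and applied from PowerShell. This is an added example, not part of the original FAQ; the function names Get-GpoReapplyState and Set-GpoReapply are hypothetical, and the GUID placeholder must be replaced with the subkey of the policy extension in question.

```powershell
# Added example (not from the FAQ): audit and set NoGPOListChanges.
# The registry path and value name come from the FAQ steps; the function
# names are hypothetical. Writing to HKLM requires an elevated session.
$GpExtRoot = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\GPExtensions'

function Get-GpoReapplyState {
    # One row per extension subkey, showing whether the value exists and what it is.
    Get-ChildItem -LiteralPath $GpExtRoot | ForEach-Object {
        $props = Get-ItemProperty -LiteralPath $_.PSPath
        $value = $props.NoGPOListChanges          # $null when the value is missing
        [pscustomobject]@{
            Guid             = $_.PSChildName
            Extension        = $props.'(default)'
            NoGPOListChanges = if ($null -eq $value) { '(not set)' } else { $value }
            # Per the FAQ, 0 means the policy is reapplied at every logon or startup.
            ReappliedAlways  = ($null -ne $value -and $value -eq 0)
        }
    }
}

function Set-GpoReapply {
    # Steps 2 and 3 of the FAQ: create or overwrite the DWORD under the given subkey.
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Guid,      # subkey name, braces included
        [ValidateSet(0, 1)][int]$Value = 0        # 0 = always reapply, 1 = only on change
    )
    $key = Join-Path $GpExtRoot $Guid
    if (-not (Test-Path -LiteralPath $key)) {
        throw "No GPExtensions subkey named $Guid"
    }
    if ($PSCmdlet.ShouldProcess($key, "Set NoGPOListChanges = $Value")) {
        New-ItemProperty -LiteralPath $key -Name NoGPOListChanges `
            -PropertyType DWord -Value $Value -Force | Out-Null
    }
}

# Read-only audit of every extension:
Get-GpoReapplyState | Format-Table -AutoSize

# Preview the change from step 3 without writing (replace the placeholder GUID):
# Set-GpoReapply -Guid '<GUID of the policy>' -WhatIf
```

Running the audit before and after the change confirms that only the intended extension was modified.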

    7. NEW AND IMPROVED
    (contributed by Judy Drennen, [email protected])

  • SUBMIT TOP PRODUCT IDEAS

  • Have you used a product that changed your IT experience by saving you time or easing your daily burden? Do you know of a terrific product that others should know about? Tell us! We want to write about the product in a future What's Hot column. Send your product suggestions to [email protected].

  • ENHANCED VIRUS SCANNER

  • Rockliffe released MailSite SE 5.0 for Small Enterprises, featuring integrated virus scanning, security improvements, and personal calendaring. With the new antivirus support in MailSite SE, customers no longer need to worry about viruses sneaking into their system through email. MailSite SE automatically eliminates viruses without any administrator intervention. Prices for MailSite SE start at $595 for 50 mailboxes. For more information, contact Rockliffe at 408-879-5600. To purchase online, visit Rockliffe's Web site.
    http://www.rockliffe.com

  • PnP POLICY ENFORCER

  • InfoExpress released CyberGatekeeper Server, a Plug and Play (PnP) appliance that proactively enforces remote and mobile desktop configurations and applications. CyberGatekeeper Server is vendor neutral and can enforce desktop configurations connected through VPNs, extranets, dial-up connections, wireless LANs (WLANs), and wired LANs. The appliance audits systems before permitting access to the network. CyberGatekeeper Server costs $6500 per appliance. For more information, contact InfoExpress at 650-623-0260, or [email protected].
    http://www.infoexpress.com

    8. HOT THREADS

  • WINDOWS & .NET MAGAZINE ONLINE FORUMS

  • http://www.winnetmag.com/forums

  • Featured Thread: Accessing a VPN Through an ISA Server

  • (Nine messages in this thread)

    When I access a VPN through a dial-up connection to an Internet Security and Acceleration (ISA) Server 2000, I can map drives to internal network machines through the IP address. However, when I go through Network Neighborhood and double-click a machine, I get an "Access denied" error. Do you know why? Read the response:

    http://www.secadministrator.com/forums/thread.cfm?thread_id=83830

  • HOWTO MAILING LIST

  • http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

  • Featured Thread: Strange URL

  • (Seventeen messages in this thread)

    Dave said he's been noticing strange URL requests in Web server logs recently. He wonders whether they signal an attack and could involve a virus. A sample URL is listed below.

    80 GET /default.idaNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN
    NNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3%u7801%u9090%u6858%ucbd3%u7801
    %u9090%u6858%ucbd3%u7801%u9090%u9090%u8190%u00c3%u0003%u8b00%u531b%u
    53ff%u0078%u0000%u00=a 403 

    Read the responses or lend a hand at the following URL:
    http://63.88.172.96/listserv/page_listserv.asp?a2=ind0206c&l=howto&p=279
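
One way to sweep Web server logs for requests shaped like the sample above, with a long run of one repeated character followed by %u-encoded words after an .ida resource name. This is an added example, not part of the newsletter or the thread; the function name, the thresholds, and the log lines are constructed assumptions.

```powershell
# Added example (not from the newsletter or the thread). Flags log lines whose
# request for an .ida/.idq resource carries a long run of one repeated character
# or several %uXXXX-encoded words, as in the sample above.
# Function name, thresholds and the log lines below are constructed assumptions.
function Find-SuspiciousIdaRequest {
    param(
        [Parameter(Mandatory, ValueFromPipeline)][AllowEmptyString()][string]$Line,
        [int]$MinFillerRun = 100,   # repeated-character run that counts as padding
        [int]$MinUEscapes  = 4      # number of %uXXXX words that counts as encoded data
    )
    process {
        # Group 1: the .ida/.idq resource. Group 2: whatever follows it, whether the
        # log fuses it to the name or separates it with '?' or a space.
        if ($Line -match '\b(?:GET|POST|HEAD)\s+(\S*?\.id[aq])[?\s]?(\S*)') {
            $resource = $Matches[1]
            $rest     = $Matches[2]
            $run  = [regex]::Match($rest, '(.)\1{' + ($MinFillerRun - 1) + ',}')
            $uEsc = [regex]::Matches($rest, '%u[0-9a-fA-F]{4}').Count
            $reasons = @()
            if ($run.Success) {
                $reasons += "run of $($run.Length) '$($run.Groups[1].Value)' characters"
            }
            if ($uEsc -ge $MinUEscapes) { $reasons += "$uEsc %u-encoded words" }
            if ($reasons.Count -gt 0) {
                [pscustomobject]@{
                    Resource   = $resource
                    TailLength = $rest.Length
                    Reasons    = $reasons -join '; '
                    LineStart  = $Line.Substring(0, [Math]::Min(60, $Line.Length))
                }
            }
        }
    }
}

# Constructed log lines (documentation-range addresses); only the second is flagged.
$filler = 'N' * 224
$sampleLog = @(
    "2002-06-20 10:01:07 192.0.2.10 80 GET /index.html - 200",
    "2002-06-20 10:01:09 192.0.2.77 80 GET /default.ida${filler}%u9090%u9090%u9090%u9090=a 403",
    "2002-06-20 10:01:12 192.0.2.10 80 GET /search.idq CiRestriction=test 200"
)
$sampleLog | Find-SuspiciousIdaRequest | Format-List
```

For real logs, pipe the file through the function with Get-Content and adjust the two thresholds to the traffic the server normally sees.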

    9. CONTACT US
    Here's how to reach us with your comments and questions:

    (please mention the newsletter name in the subject line)

    This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing a Windows 2000/Windows NT enterprise. Subscribe today!
    http://www.secadministrator.com/sub.cfm?code=saei25xxup

    Receive the latest information about the Windows and .NET topics of your choice. Subscribe to our other FREE email newsletters.
    http://www.winnetmag.net/email

    Thank you for reading Security UPDATE.
