Security UPDATE--Third-Party Patches, Back Doors, and Alleged Rootkits--January 18, 2006

This email newsletter comes to you free and is supported by the following advertisers, which offer products and services in which you might be interested. Please take a moment to visit these advertisers' Web sites and show your support for Security UPDATE.

St. Bernard Software



1. In Focus: Third-Party Patches, Back Doors, and Alleged Rootkits

2. Security News and Features

- Recent Security Vulnerabilities

- Microsoft Changes Product Support Lifecycles

- Microsoft Updates Now Available as CD-ROM Images

- Reining in Your Mobile Computing Devices

3. Security Toolkit

- Security Matters Blog


- Security Forum Featured Thread

4. New and Improved

- Keep Tabs on AD


==== Sponsor: St. Bernard Software ====

ePolicy Best Practices Guide

Download an info-packed, no-nonsense look at the business risks and legal liabilities associated with employee misuse of the Internet, e-mail, IM and P2P. This paper, sponsored by St. Bernard Software, details the "Three-Es" approach to safeguarding your business:

1. Establish policies and procedures

2. Educate employees

3. Enforce policies

The paper is a must-read for any business or IT executive who wants to mitigate the risks associated with their employees' online activities. Download the ePolicy Guide Now:


==== 1. In Focus: Third-Party Patches, Back Doors, and Alleged Rootkits ====

by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

Third-Party Patches

After the discovery of the Windows Metafile Format (WMF) vulnerability, two third-party patches were made available while Microsoft worked to create its own official patch. A reader asked what I think about patches being released by third parties.

As a general rule, I think third-party patches should be approached with a huge amount of caution. A variety of factors come into play, such as who released the patch, who has inspected the patch, what methods were used for inspection, and the perceived level of severity the related vulnerability represents. There's also the important issue of compatibility with your particular environment. When you consider whether to use a third-party patch, you should treat it like any other patch--that is, test it thoroughly on all platforms in as many different situations as reasonably possible; otherwise, there could be unwanted consequences.

The first third-party patch for the WMF problem was inspected by people at The SANS Institute, whom I trust to some extent. So I made a decision to load the patch on the systems I manage. For the record, this is the first time that I've used a third-party patch. The second third-party WMF patch was released by a well-known antivirus-software maker. I don't know anyone who had a chance to look at the source code of this patch, but I mentioned it in an article on our Web site because it comes from a known vendor and because people using older versions of Windows didn't have a Microsoft patch they could apply to correct the problems.

Back Doors

Last week, Cisco Systems announced that its Cisco Security Monitoring, Analysis and Response System (CS-MARS) software contains an undocumented administrative account along with a default password that is the same in all installations of the product. This account is unquestionably a back door, and revelations of this sort have come up a number of times in the past involving various vendors.

Such revelations are embarrassing, and these sorts of back doors are dangerous for users of such products and for people who rely on businesses that use such products. Why vendors insert back doors into their products, I don't know. Any purpose they could assert for doing so could be served by an alternative approach. It would be in the best interest of everyone for all vendors to thoroughly audit their products and remove any such back doors. There are enough vulnerabilities without vendors inserting one intentionally.

Alleged Rootkits

Sometimes features that vendors create in their products become vulnerabilities to some extent or other years later. We've all seen many cases of this. Another one appeared over the last couple of weeks.

Norton SystemWorks has always contained a directory called NProtect within a feature called Norton Protected Recycle Bin. NProtect is essentially a backup for the Windows Recycle Bin. According to Symantec, NProtect was hidden to prevent people from accidentally deleting the files in it. Then, if they happened to empty the Windows Recycle Bin, they had another way of recovering the deleted files. The hidden NProtect directory recently became public knowledge, and Symantec released an update to make NProtect visible. News outlets and other entities erroneously termed the hidden directory a "Symantec rootkit" and claimed that the product had "rootkit-like features." Although NProtect was hidden, that doesn't make it a rootkit.

Kaspersky Lab's antivirus software uses NTFS alternate data streams to store cyclic redundancy check (CRC) checksums of files. This in no way makes this software a rootkit or even "rootkit-like." A rootkit is a malicious tool used to grant unauthorized persons access to a system while hiding the software that grants such access. The keywords there are "malicious" and "unauthorized." In my opinion, something can't be "like a rootkit." It either is a rootkit or it isn't.

There's a lot of buzz around the term "rootkit" right now, just as there was a lot of buzz years ago around the often misused term "hacker." I think we're dangerously close to creating more confusion among the public about what rootkits are, which will make the job of all types of systems administrators and consultants much more difficult. There's little benefit in referring to a "rootkit" unless the referenced item truly is a rootkit.
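The distinction the column draws is easy to verify for yourself: data stashed in an NTFS alternate data stream (ADS) is simply not shown by a plain directory listing, but it is fully visible to anyone who asks the file system for streams. A real rootkit, by contrast, hooks the enumeration so that even that query lies. The following script is an added example and is not from the newsletter, from Kaspersky Lab, or from Symantec. It assumes Windows with PowerShell 3.0 or later and an NTFS volume; the demo file path, the stream name "checksum", and the use of SHA-256 (via Get-FileHash) in place of a CRC are assumptions made for illustration.

```powershell
# Added example, not code from the newsletter or from any vendor's product.
# Shows (1) that an NTFS alternate data stream is ordinary, readable metadata,
# and (2) how to audit a directory tree for named streams.
# Assumptions: Windows, PowerShell 3.0+, NTFS; paths and the stream name
# 'checksum' are made up for this demo; SHA-256 stands in for a CRC.

$file = Join-Path $env:TEMP 'ads-demo.txt'
Set-Content -LiteralPath $file -Value 'constructed sample content'

# Store a file hash in a named stream, as an AV product might cache a checksum.
$hash = (Get-FileHash -LiteralPath $file -Algorithm SHA256).Hash
Set-Content -LiteralPath $file -Stream 'checksum' -Value $hash

# A plain listing reports only the unnamed stream's size; the ADS is not shown...
Get-ChildItem -LiteralPath $file | Select-Object Name, Length

# ...but it is visible to any caller that enumerates streams. ':$DATA' is the
# default unnamed stream every file has; anything else is an ADS.
Get-Item -LiteralPath $file -Stream * | Select-Object Stream, Length
Get-Content -LiteralPath $file -Stream 'checksum'

# Audit helper: every named stream under a directory tree. A rootkit would
# have to hook the file-system API to hide results from this enumeration;
# merely "hidden" data does not resist it.
function Get-AlternateStreams {
    param([Parameter(Mandatory)][string]$Root)

    Get-ChildItem -LiteralPath $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $f = $_
            Get-Item -LiteralPath $f.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $f.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

Get-AlternateStreams -Root $env:TEMP | Format-Table -AutoSize

# Remove the demo file; its streams go with it.
Remove-Item -LiteralPath $file
```

When you run the audit against a real profile directory, expect a large number of "Zone.Identifier" streams: Internet Explorer and other downloaders attach them to mark files that came from the Internet, and they are benign. The useful signal is a stream whose name or size you cannot account for, and the way to settle whether something is actually a rootkit is to compare this user-mode enumeration against an offline view of the same volume (for example, the disk mounted from a boot CD); a discrepancy between the two is what hiding from the OS looks like.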


==== Sponsor: Klocwork ====


New White Paper from Klocwork: Improve software quality and reduce life-cycle costs by incorporating Static Analysis tools into your routine development processes. Results: More maintainable code, more secure, reliable software and a more predictable development process. Download White Paper:


==== 2. Security News and Features ====

Recent Security Vulnerabilities

If you subscribe to this newsletter, you also receive Security Alerts, which inform you about recently discovered security vulnerabilities. You can also find information about these discoveries at

Microsoft Changes Product Support Lifecycles

Microsoft announced that beginning this month, support lifecycle end dates will be synchronized with the company's regularly scheduled security patch release dates. Thus, instead of a support lifecycle ending on December 31, 2005, for example, it might instead end on the second Tuesday of January 2006.

Microsoft Updates Now Available as CD-ROM Images

Beginning this month, Microsoft will release its monthly security updates and high-priority nonsecurity updates as ISO-9660 CD-ROM images. Learn more about how this new offering might assist your business in this news story on our Web site.

Reining in Your Mobile Computing Devices

Mobile devices continue to proliferate and evolve as computers, cell phones, MP3 players, PDAs, and other productivity devices converge. Many such devices can connect to your network. What should you do to control the use of these devices in your environment? Find out in this article by Tony Howlett.


==== Resources and Events ====

SQL Server 2005 Up & Running Roadshows Coming to Europe!

SQL Server experts will present real-world information about administration, development, and business intelligence to help you put SQL Server 2005 into practice and learn how to use its new capabilities. Includes one-year PASS membership and subscription to SQL Server Magazine. Register now for London, UK, and Stockholm, Sweden.

ESSENTIAL GUIDE: Industry expert Paul Robichaux discusses how availability is a function of unplanned downtime only, helping you achieve a system available 99.9% of the time.

WEB SEMINAR: Find out what policies help or hurt in protecting your company's assets and data. View the on-demand seminar today!

WHITE PAPER: Optimize your existing Windows Server infrastructure with the addition of server and storage consolidation software and techniques.

WHITE PAPER: Streamline and automate the compliance life cycle and reduce your IT compliance costs.


==== Featured White Paper ====

WHITE PAPER: Learn to centralize administration for multiple OSs through AD and policy management.


==== Hot Spot ====

The Starter PKI Program

Do you need to secure multiple domains or host names? In this free white paper you'll learn how the Starter PKI Program will benefit your company with timesaving convenience. Plus--you'll get the chance to actually test the program!


==== 3. Security Toolkit ====

Security Matters Blog: Arudius: Live Linux CD for Security Admins

by Mark Joseph Edwards,

You've probably heard of Network Security Toolkit (NST), but have you heard of Arudius? Similar to NST, Arudius is a live Linux CD-ROM, which means you can pop it into a CD-ROM drive and boot it up.


by John Savill,

Q: How do I enable Secure Sockets Layer (SSL) connections to my Microsoft Virtual Server 2005 system?

Find the answer at

Security Forum Featured Thread: Changing HTTP Server Headers

A forum reader writes that he's running Microsoft IIS 5.0 and has gone through the standard IIS security checklists, but he wants to go a bit further. He knows that many intruders use HTTP header analyzers to determine what server software is in use, which makes it easier to learn what vulnerabilities exist. He wants to know if there's any way to change the server headers. Join the discussion at
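Before and after changing the header, it helps to look at exactly what a header analyzer sees. The function below is an added example, not a post from the thread, and assumes Windows PowerShell 3.0 through 5.1 (Invoke-WebRequest and System.Net.WebException); the URL is a placeholder. Besides "Server", it reports "X-Powered-By" and "X-AspNet-Version", two further headers that commonly identify an IIS/ASP.NET host even when the Server banner has been altered.

```powershell
# Added example, not from the forum thread. Reports the response headers an
# intruder's header analyzer would use to fingerprint the server.
# Assumptions: Windows PowerShell 3.0-5.1; the URL below is a placeholder.
function Get-ServerBanner {
    param([Parameter(Mandatory)][string]$Url)

    # Headers that most often reveal IIS and its version.
    $leaky = 'Server', 'X-Powered-By', 'X-AspNet-Version'

    try {
        $resp = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing -ErrorAction Stop
        $headers = $resp.Headers
    }
    catch [System.Net.WebException] {
        # A 4xx/5xx reply still carries headers; read them from the error response.
        if (-not $_.Exception.Response) { throw }
        $headers = @{}
        foreach ($k in $_.Exception.Response.Headers.AllKeys) {
            $headers[$k] = $_.Exception.Response.Headers[$k]
        }
    }

    foreach ($h in $leaky) {
        [pscustomobject]@{
            Header = $h
            Value  = $headers[$h]   # $null when the header is absent
        }
    }
}

Get-ServerBanner -Url 'http://intranet.example/' | Format-Table -AutoSize
```

Run it once against a plain page and once against a URL that does not exist, because error pages are often served by a different path and can carry different headers. Keep in mind that suppressing or rewriting the banner is obscurity, not a fix: the server's response ordering, error-page wording, and behavior under malformed requests still identify IIS to a determined scanner, so the patching discipline the checklists already require remains the real control.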


==== Announcements ====

(from Windows IT Pro and its partners)

Become a VIP Monthly Pass Subscriber

Sign up now and get a VIP Monthly Online Pass that includes online access to ALL the articles, tools, and helpful resources published in SQL Server Magazine, Windows IT Pro, and the Exchange and Outlook Administrator, Windows Scripting Solutions, and Windows IT Security newsletters. You'll also have 24/7 access to a database of more than 25,000 online articles that will give you all the answers you need, when you need them. BONUS--Includes the latest issue of Windows IT Pro each month. Sign up now for just $29.95 per month.

Exchange & Outlook Administrator Newsletter--2006 Special

Order now and SAVE up to $30 off the regular price. You'll discover tools and solutions you won't find anywhere else to help you migrate, optimize, administer, back up, recover, and secure Exchange and Outlook. Paid subscribers also get searchable access to the full online Exchange article database (more than 1000 articles). Order now for just $99:


==== 4. New and Improved ====

by Renee Munshi, [email protected]

Keep Tabs on AD

NetPro Computing announced the general availability of DirectoryLockdown 4.0, which protects Active Directory (AD) from unauthorized infrastructure changes. Administrators can use DirectoryLockdown to prevent AD changes and send detailed alerts when such changes are attempted. Improved antitampering technology is designed to stop Configuration and Schema naming context (NC) changes before they replicate forestwide. DirectoryLockdown 4.0 also features enhancements to the UI and an improved deployment wizard. For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!

Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a T-shirt if we write about the product in a future Windows IT Pro What's Hot column. Send your product suggestions with information about how the product has helped you to

[email protected]

Editor's note: Share Your Security Discoveries and Get $100

Share your security-related discoveries, comments, or problems and solutions in the Windows IT Security print newsletter's Reader to Reader column. Email your contributions (500 words or less) to [email protected] If we print your submission, you'll get $100. We edit submissions for style, grammar, and length.


==== Contact Us ====

About the newsletter -- [email protected]

About technical questions --

About product news -- [email protected]

About your subscription -- [email protected]

About sponsoring Security UPDATE -- [email protected]


This email newsletter is brought to you by Windows IT Security, the leading publication for IT professionals securing the Windows enterprise from external intruders and controlling access for internal users. Subscribe today.

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.

221 East 29th Street, Loveland, CO 80538

Attention: Customer Service Department

Copyright 2006, Penton Media, Inc. All rights reserved.
