Information Security News mailing list archives

Security UPDATE, January 29, 2003


From: InfoSec News <isn () c4i org>
Date: Thu, 30 Jan 2003 02:48:59 -0600 (CST)

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows Server 2003, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

Experience How Real Time Monitoring Will Benefit YOU
   http://list.winnetmag.com/cgi-bin3/flo?y=ePO50CJgSH0CBw07Xg0Au

PacWest Security Road Show
   http://list.winnetmag.com/cgi-bin3/flo?y=ePO50CJgSH0CBw07Kz0A1
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: EXPERIENCE HOW REAL TIME MONITORING WILL BENEFIT YOU ~~~~
   A proactive Security Administrator installed TNT Software's ELM
Enterprise Manager 3.0 on his critical servers to assess the benefits
of real time monitoring. During the first week, EEM 3.0 paged him as a
disgruntled employee attempted to access confidential files, alerted
him when the QoS of his Exchange Server began to drop, and
automatically restarted a failed anti-virus service. As a result, ELM
Enterprise Manager was purchased and fully deployed during the second
week. Download your FREE 30 day full feature evaluation copy today and
experience how real time monitoring will benefit YOU.
   http://list.winnetmag.com/cgi-bin3/flo?y=ePO50CJgSH0CBw07Xg0Au
~~~~~~~~~~~~~~~~~~~~

January 29, 2003--In this issue:

1. IN FOCUS
     - Slammer/Sapphire Worm and Shades of Code Red

2. SECURITY RISKS
     - Information Disclosure Vulnerability in Microsoft Outlook 2002
     - Cross-Site Scripting Vulnerability in Microsoft Content
       Management Server 2001
     - Unchecked Buffer in Microsoft Locator Service

3. ANNOUNCEMENT
     - InfoSec World Conference and Expo/2003

4. SECURITY ROUNDUP
     - News: SQL Slammer Worm Hits Microsoft Too
     - News: ISS and PowerTech Team to Improve IBM iSeries Server
       Security
     - News: SonicWALL Announces equinux VPN Tracker Support
     - News: Russia First Country to View Windows Source Code
     - News: ABIT and VIA Announce Chip-based Security for
       Motherboards

5. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Prevent Regedit from Remembering the Last
       Registry Key Location I Accessed Under Windows XP?

6. NEW AND IMPROVED
     - Assess Enterprise Vulnerability
     - Keep Offensive Emails out of Your Mailbox
     - Submit Top Product Ideas

7. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: User Can't Change Password at Logon
     - HowTo Mailing List
         - Featured Thread: Default Master Browser

8. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor, mark () ntsecurity net)

* SLAMMER/SAPPHIRE WORM AND SHADES OF CODE RED

As you probably know by now, a tiny worm began traveling the Internet
over the past weekend. Known as either Slammer or Sapphire, the worm
affects unpatched Microsoft SQL Server machines. Patches to prevent
the vulnerability the worm exploits have been available since July
2002.

The worm doesn't damage an infected machine, nor does it compromise
any data on an infected machine. However, it does prove a simple
concept: A tiny worm (376 bytes) with only the essential amount of
code can spread rapidly and consume large amounts of bandwidth in the
process.

Some people compare this worm with the Code Red worm that affected
Microsoft IIS systems last year. However, far more IIS systems than
SQL Server machines are online, and the Slammer/Sapphire worm's impact
is proving to be relatively short-lived. As Chris Rouland, director of
Internet Security Systems' (ISS's) X-Force, said in an "InfoWorld"
interview, the worm's impact has already lessened significantly. As of
Sunday, its impact was more comparable to that of the Nimda virus,
which affects Microsoft Outlook clients. According to ISS monitoring,
Nimda and Slammer/Sapphire both propagated at about 10,000 attacks per
hour on Sunday.

By now, I'm sure Slammer/Sapphire's activity has lessened even further
(although it's possible for it to flare up again), whereas the most
serious effects of Code Red were probably felt for a longer period.
Overall, Nimda is probably more expensive to clean up than
Slammer/Sapphire. Even so, the thing Slammer/Sapphire did that Nimda
didn't do was severely affect network communications. In some cases,
networks went down entirely for brief periods of time.

The reason that some networks went offline was probably twofold.
First, the worm consumed a lot of bandwidth, sometimes saturating a
given network's total capacity. Second, the worm affected Cisco
Systems routers, which countless networks across the Internet use. The
worm affected some Cisco routers because of the way those routers were
configured to log packets. In some cases, routers were configured to
block all traffic to port 1434, which SQL Server typically uses, and
to log all denied packets. The worm traffic, in conjunction with the
logging, overwhelmed some routers. To read Cisco's recommendations
regarding configuration adjustments, view the related Web page at the
first URL below. To see a graph of how the worm affected traffic at a
few of the larger networks, visit the second URL below.
   http://www.cisco.com/en/US/products/hw/iad/ps497/products_security_advisory09186a0080133399.shtml
   http://www.research.att.com/~griffin/bgp_monitor/sql_worm.html
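
The per-packet logging of denied port 1434 traffic described above can
be replaced by a per-source summary, which also points to internal
hosts that are probably infected. The Python below is an added example,
not code from the newsletter, Cisco, or Microsoft. The log format, the
10.0.0.0/8 internal range, and the three-destination threshold are
assumptions; port 1434 and the 376-byte size come from the text.

```python
"""Summarize denied UDP/1434 traffic per source instead of per packet."""
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Constructed deny-log lines in a made-up format (assumption: "len" is the
# UDP payload size in bytes). Addresses are private/documentation ranges.
SAMPLE_LOG = """\
2003-01-25T05:30:01 DENY UDP 10.1.4.17:1046 -> 198.51.100.23:1434 len=376
2003-01-25T05:30:01 DENY UDP 10.1.4.17:1046 -> 192.0.2.80:1434 len=376
2003-01-25T05:30:01 DENY UDP 10.1.4.17:1046 -> 203.0.113.5:1434 len=376
2003-01-25T05:30:02 DENY UDP 10.1.4.17:1046 -> 198.51.100.77:1434 len=376
2003-01-25T05:30:02 DENY UDP 203.0.113.9:2201 -> 10.1.4.20:1434 len=376
2003-01-25T05:30:03 DENY UDP 203.0.113.9:2201 -> 10.1.4.20:1434 len=376
2003-01-25T05:30:04 DENY UDP 10.1.4.30:1050 -> 10.1.9.5:1434 len=1
2003-01-25T05:30:05 DENY TCP 10.1.4.31:1051 -> 10.1.9.5:1433 len=60
truncated line with no fields
"""

LINE_RE = re.compile(
    r"^\S+ DENY (?P<proto>\w+) (?P<src>[\d.]+):\d+ -> "
    r"(?P<dst>[\d.]+):(?P<dport>\d+) len=(?P<len>\d+)$")

INTERNAL_NET = ip_network("10.0.0.0/8")  # assumption: site address space
WORM_PORT = 1434   # port named in the newsletter
WORM_SIZE = 376    # worm size in bytes, per the newsletter
MIN_TARGETS = 3    # assumption: distinct destinations before flagging


def summarize(log_text, min_targets=MIN_TARGETS):
    """Return {source_ip: summary} for denied UDP/1434 packets."""
    stats = defaultdict(lambda: {"packets": 0, "worm_sized": 0, "targets": set()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m or m["proto"] != "UDP" or int(m["dport"]) != WORM_PORT:
            continue  # unparseable line or unrelated traffic
        s = stats[m["src"]]
        s["packets"] += 1
        s["worm_sized"] += int(m["len"]) == WORM_SIZE
        s["targets"].add(m["dst"])
    report = {}
    for src, s in stats.items():
        internal = ip_address(src) in INTERNAL_NET
        report[src] = {
            "packets": s["packets"],
            "worm_sized": s["worm_sized"],
            "distinct_targets": len(s["targets"]),
            "internal": internal,
            # Internal host sending worm-sized packets to many destinations.
            "likely_infected": internal and s["worm_sized"] > 0
                               and len(s["targets"]) >= min_targets,
        }
    return report
```

Calling summarize(SAMPLE_LOG) yields one record per source, so a flood
of identical denied packets becomes a single line to review.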
 
Another problem with this worm is that it also affects Microsoft SQL
Server Desktop Engine (MSDE), which ships inside a lot of products,
some from Microsoft and many others from third parties. These products
include Visual Studio .NET (Architect, Developer, and Professional
Editions), ASP.NET Web Matrix Tool, Microsoft Office XP Developer
Edition, Microsoft Developer Network (MSDN) Universal and Enterprise
subscriptions, and Microsoft Access. But those products represent just
the tip of the iceberg. To see the huge list of products that use
MSDE--many of which are probably installed on your systems--visit the
SQL Security Web site at the URL below. The list is updated as those
who maintain the list become aware of more products that use MSDE.
   http://www.sqlsecurity.com/desktopdefault.aspx?tabindex=10&tabid=13

A Microsoft Web page offers information about the Slammer/Sapphire
worm, including patch information (see the first URL below). As
always, be sure to read the fine print associated with patches and
related articles before you load any patches. Also, consider loading
the recently released SQL Server Service Pack 3 (SP3). And if you want
a tool that will scan your SQL Server systems to determine whether
they're vulnerable, then you can download such a tool courtesy of eEye
Digital Security (see the second URL below).
   http://www.microsoft.com/technet/security/virus/alerts/slammer.asp
   http://www.eeye.com/html/research/tools/sapphiresql.html

To help prevent such attacks from being successful, administrators
must patch systems as quickly as possible. They need to maintain
firewalls in a deny-all-traffic-until-otherwise-authorized
configuration. Also, they must conduct any remote administration that
requires opening nonessential ports through a VPN and some kind of
remote terminal software. When all the hype around this new worm has
finally fizzled out, I hope that businesses will have learned how
important it is to take defensive actions sooner rather than later.

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: PACWEST SECURITY ROAD SHOW ~~~~
   BACK BY POPULAR DEMAND - DON'T MISS OUR SECURITY ROAD SHOW EVENT!
   If you missed last year's popular security Road Show event, now's
your chance to catch it again in Portland and Redmond. Learn from
experts Mark Minasi and Paul Thurrott about how to shore up your
system's security and what desktop security features are planned for
Microsoft .NET and beyond. Registration is free so sign up now!
   http://list.winnetmag.com/cgi-bin3/flo?y=ePO50CJgSH0CBw07Kz0A1
~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* INFORMATION DISCLOSURE VULNERABILITY IN MICROSOFT OUTLOOK 2002
   A vulnerability in Microsoft Outlook 2002 can result in information
disclosure. This vulnerability stems from a flaw in the way Outlook
2002 uses a V1 Exchange Server Security certificate to encrypt email.
As a result of this flaw, Outlook fails to correctly encrypt the mail
and sends the message in plain text. Information in the message is
therefore exposed. Microsoft has released Security Bulletin MS03-003
(Flaw in how Outlook 2002 handles V1 Exchange Server Security
Certificates could lead to Information Disclosure) to address this
vulnerability.
   http://www.secadministrator.com/articles/index.cfm?articleid=37819

* CROSS-SITE SCRIPTING VULNERABILITY IN MICROSOFT CONTENT MANAGEMENT
SERVER 2001
   A vulnerability in Microsoft Content Management Server (MCMS) 2001
lets an attacker insert script code into data that a user sends to an
MCMS server. The vulnerability stems from a Cross-Site Scripting flaw
and could result in the ability to access information that the user
shared with the legitimate site. Microsoft has released Security
Bulletin MS03-002 (Cumulative Patch for Microsoft Content Management
Server) to address this vulnerability.
   http://www.secadministrator.com/articles/index.cfm?articleid=37818

* UNCHECKED BUFFER IN MICROSOFT LOCATOR SERVICE
   The Microsoft Locator service contains a vulnerability that stems
from an unchecked buffer. By sending a specially malformed request to
the Locator service, an attacker can cause the Locator service to fail
or to run code of the attacker's choice on the system. To address this
vulnerability, Microsoft has released Security Bulletin MS03-001
(Unchecked Buffer in Locator Service Could Lead to Code Execution),
and recommends that affected users immediately apply the appropriate
patch mentioned in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=37780
 
3. ==== ANNOUNCEMENT ====
   (brought to you by Windows & .NET Magazine and its partners)

* INFOSEC WORLD CONFERENCE AND EXPO/2003
   MIS Training Institute's InfoSec World Conference and Expo/2003
will be held in Orlando, FL, March 10-12, 2003, with optional
workshops on March 8, 9, 12, 13, and 14. InfoSec World will cover
today's need-to-know topics and deliver proven strategies for
protecting your systems. For details and to register, visit:
   http://list.winnetmag.com/cgi-bin3/flo?y=ePO50CJgSH0CBw07Lo0Aq

4. ==== SECURITY ROUNDUP ====

* NEWS: SQL SLAMMER WORM HITS MICROSOFT TOO
   Just a week after Microsoft celebrated the 1-year anniversary of
its Trustworthy Computing initiative, the milestone was marred by one
of the most virulent computer worms of all time, the so-called Slammer
worm, which targets Microsoft SQL Server 2000 machines.
   http://www.secadministrator.com/articles/index.cfm?articleid=37817

* NEWS: ISS AND POWERTECH TEAM TO IMPROVE IBM iSERIES SERVER SECURITY
   Internet Security Systems (ISS) and PowerTech Group have announced
an alliance to improve security for IBM's iSeries servers. ISS
President and CEO Tom Noonan said that PowerTech's PowerLock iSeries
line of security tools would pass security information over to the ISS
RealSecure platform, which the RealSecure SiteProtector 2.0 security
management platform could then correlate.
   http://www.secadministrator.com/articles/index.cfm?articleid=37755

* NEWS: SONICWALL ANNOUNCES EQUINUX VPN TRACKER SUPPORT
   SonicWALL announced a new relationship with equinux USA in which
equinux will provide interoperability for its VPN Tracker software for
network access through SonicWALL's firewall and VPN appliance
technology.
   http://www.secadministrator.com/articles/index.cfm?articleid=37756

* NEWS: RUSSIA FIRST COUNTRY TO VIEW WINDOWS SOURCE CODE
   Microsoft has announced that Russia will be the first country to
view the source code for Windows under the Government Security Program
(GSP), a plan the company revealed earlier this month.
   http://www.secadministrator.com/articles/index.cfm?articleid=37732

* NEWS: ABIT AND VIA ANNOUNCE CHIP-BASED SECURITY FOR MOTHERBOARDS
   ABIT Computer and VIA Technologies announced new chipset features
that will include security technologies. ABIT will include
functionality for IP Security (IPSec), and VIA will include a
chip-based random-number generator.
   http://www.wininformant.com/articles/index.cfm?articleid=37734
 
5. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I PREVENT REGEDIT FROM REMEMBERING THE LAST REGISTRY
KEY LOCATION I ACCESSED UNDER WINDOWS XP?
   (contributed by John Savill, http://www.windows2000faq.com)

A. In a previous FAQ, I explained how to write a script to
automatically reset the last key location every time you log on to the
OS. Another option for clearing the last registry key accessed is to
use registry permissions to disable Write access to the key. To do so,
perform the following steps:
   1. Start the registry editor.
   2. Navigate to the
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Applets\Regedit
registry subkey.
   3. Select LastKey.
   4. If you're working in XP, open the Edit menu and select
Permissions; if you're working in Windows 2000, open the Security menu
and select Permissions.
   5. Remove Full Control access and grant Read-only access.
   6. Click OK.

You'll need to repeat this process for all users who don't want
regedit to remember the last key location they accessed.

6. ==== NEW AND IMPROVED ====
   (contributed by Sue Cooper, products () winnetmag com)

* ASSESS ENTERPRISE VULNERABILITY
   eSecurityOnline, an Ernst & Young security software company,
released eSO Advisor, a hardware and software appliance designed to
automatically assess and manage your environment's security risks. eSO
Advisor correlates automated discovery, inventory, and assessment
processes with a continuously updated database of verified threats and
proven fixes, gleaned from eSecurityOnline's customers and from more
than 2400 Ernst & Young security specialists worldwide. eSO Advisor's
reporting features illustrate trends and overall progress in your
company's security risk management. eSO Advisor supports most
enterprise platforms. Contact eSecurityOnline at 603-634-4527 or
sales () esecurityonline com.
   http://www.esecurityonline.com

* KEEP OFFENSIVE EMAILS OUT OF YOUR MAILBOX
   PJ Walczak released Mailbox Guard 1.6, a utility that eliminates
spam, viruses, and obscenity before it reaches your mailbox. Mailbox
Guard prescreens mail on your email server and ranks each message
according to a four-level risk scale, with each level color-tagged.
Mailbox Guard 1.6 notifies you that new email messages are waiting and
also provides the messages' risk level. Features new to Mailbox Guard
1.6 include user-definable lists, remote preview, and deletion of
emails from multiple accounts. Supports all Windows desktop OSs at
$29.50 per installation. Contact PJ Walczak at info () pjwalczak com.
   http://www.pjwalczak.com/mbguard/

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

7. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: User Can't Change Password at Logon
   (Two messages in this thread)

A reader writes that on his network when users' passwords are about to
expire, users receive a message during logon that says "Your password
will expire in [X] days, would you like to change it now?" But even if
users answer "Yes," they can't change the password. After clicking
"Yes," they receive the message "You're not allowed to change your
password at this time" (or a message with similar wording). However,
if the users log on with their old (still valid) credentials, they can
change the password in a usual way, such as by using Ctrl+Alt+Del and
selecting Change Password. Do you have any ideas about why this
situation exists? Lend a hand or read the responses:
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=53206

* HOWTO MAILING LIST
   http://63.88.172.96/listserv/page_listserv.asp?a0=howto

Featured Thread: Default Master Browser
   (One message in this thread)

A user wants to know whether he can make a particular Windows XP or
Windows 2000 system a Master Browser if another Master Browser is
already present because that system booted first. Read the responses
or lend a hand at the following URL:
   http://63.88.172.96/listserv/page_listserv.asp?A2=IND0301D&L=HOWTO&P=976

8. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- letters () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

********************

   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise.
Subscribe today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
   http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.

MANAGE YOUR ACCOUNT
   You can manage your entire Windows & .NET Magazine Network email
newsletter account on our Web site. Simply log on and you can change
your email address, update your profile information, and subscribe or
unsubscribe to any of our email newsletters all in one place.
   http://www.winnetmag.com/email

Thank you!
__________________________________________________________
Copyright 2003, Penton Media, Inc.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.