Windows & .NET Magazine Security UPDATE--September 10, 2003

[InfoSec News <isn () c4i org>]

====================

==== This Issue Sponsored By ====

TNT Software
   http://list.winnetmag.com/cgi-bin3/DM/y/echA0CJgSH0CBw0BCSO0Af

Ecora Software
   http://list.winnetmag.com/cgi-bin3/DM/y/echA0CJgSH0CBw0BCSP0Ag

====================

1. In Focus: A Suite Spot for Better Office Security?

2. Security Risks
     - Information Disclosure Vulnerability in Microsoft NetBIOS
     - Automatic Macro Execution Vulnerability in Microsoft Word
     - Arbitrary Code Execution Vulnerability in Microsoft WordPerfect
       Converter
     - Arbitrary Code Execution Vulnerability in Microsoft VBA
     - Arbitrary Code Execution Vulnerability in Microsoft Access
       Snapshot Viewer

3. Announcements
     - Find Your Next Job at Our IT Career Center
     - Attend Black Hat Briefings & Training Federal!

4. Security Roundup
      - Feature: Windows Server 2003: Secure By Default
      - Feature: Is True Recovery Always Possible?

5. Security Toolkit
     - Virus Center
     - FAQ: How Do I Restrict Access to Some or All of the Control
       Panel Applets on NT Systems?

6. Event
     - New--Mobile & Wireless Road Show!

7. New and Improved
     - Stop Suspicious Downloads
     - Ease Sign-On Pain
     - Tell Us About a Hot Product and Get a T-Shirt!

8. Hot Thread
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Can't Log On

9. Contact Us
   See this section for a list of ways to contact us.

====================

==== Sponsor: TNT Software ====

   FREE Download: Automate Event Log Monitoring
   Automate event log monitoring, provide real-time intrusion
detection, and satisfy mandated auditing requirements all with TNT
Software's ELM Log Manager. Preferred by small businesses because of
its ease of use and Fortune 500 companies because of its reliability,
ELM 3.1 is the affordable solution with the scalability to consolidate
MILLIONs of events and Syslog messages a day, display them in custom
views, launch critical alerts, and schedule reports. Download your
FREE 30 day fully functional evaluation software NOW and start
experiencing the benefits of automated log monitoring.
   http://list.winnetmag.com/cgi-bin3/DM/y/echA0CJgSH0CBw0BCSO0Af

====================

==== 1. In Focus: A Suite Spot for Better Office Security? ====
   by Mark Joseph Edwards, News Editor, mark () ntsecurity net

I think all of you know that Microsoft Office is a powerful suite of
tools that offers tremendous productivity in any environment. If you
haven't heard about the latest security patches for Microsoft Office,
which affect Office 2000 through Office 2003, be sure to read about
them in this edition of Security UPDATE.

The problems are related to Microsoft Word macros, conversion of Corel
WordPerfect files, Visual Basic for Applications (VBA), and the
Microsoft Access Snapshot viewer. You should definitely consider
loading the associated patches because the problems could present
unwanted security risks in your environment if left unpatched. In
addition to other means, you can check for new Office updates, whether
related to security or otherwise, at the Microsoft Web sites listed
below.
   http://www.officeupdate.com/downloads/default.aspx
   http://www.microsoft.com/office/ork/2003/admin/xp/default.htm

Office is the default suite of choice for many companies whose systems
run on Windows platforms. You probably also know about alternatives to
Office, but have you heard about the OpenOffice.org alternative?

OpenOffice.org is an open-source suite of tools similar to Office. As
you might expect of an office productivity suite, OpenOffice.org
includes a word processor (Writer), a spreadsheet (Calc), a multimedia
presentation creator (Impress), a graphics illustration platform
(Draw), and database tools.
   http://www.openoffice.org
   http://www.openoffice.org/product

To learn about the notable differences between OpenOffice.org and
Office, study the literature at the associated Web site and download
and test a copy on your network. One major difference is that
OpenOffice.org uses Java and JavaScript instead of Visual Basic (VB),
which could be a security benefit in your environment--because
malicious VB scripts embedded in documents won't work against your
systems. Another major difference is cross-platform support:
OpenOffice.org runs on Windows, Linux variants, Sun Microsystems' Sun
Solaris, and Mac OS X. For mixed platform environments, that's quite
an attraction. And, of course, a huge difference is in the cost of
licensing: OpenOffice.org has no licensing fee. As open source, it's
free. You can read about the associated licensing at the URL below.
But keep in mind, free doesn't mean poor quality. OpenOffice.org is
definitely a quality product.
   http://www.openoffice.org/license.html

When I first heard about OpenOffice.org, I was skeptical. I've used
Microsoft Office components for years, and I wondered whether I'd lose
any functionality or find OpenOffice.org documents to be incompatible
in some way. For example, I create or read a lot of text documents,
spreadsheets, and presentation files that Microsoft Office users must
be able to open, so compatibility was a cause for concern. My concerns
were unwarranted.

I downloaded OpenOffice.org (in .iso file format), created an
installation CD-ROM by using the .iso file, and "test drove"
OpenOffice.org for several months. The ease of use is considerable--it
took very little time for me to adjust to the platform. So far, I've
encountered only one document with which I had noticeable formatting
problems with the onscreen display. (I'm not sure what caused the
problem, but the onscreen layout wasn't quite right.) I suspect the
Word document I was viewing had been created with a very old version
of Word; however, I could be wrong. But other than that, I've found no
compatibility concerns to speak of.

Aside from the idea that intruders don't target OpenOffice.org
platforms nearly as frequently as Microsoft Office, other security
considerations could make the software either beneficial or
detrimental. On September 25 at the VB2003 conference in Toronto, Sami
Rautiainen of F-Secure will give a presentation about OpenOffice.org
security (Virus Bulletin hosts the session).

Rautiainen will discuss the OpenOffice.org security model, its
environment, restrictions for executable content, the native macro
language, and XML file format OpenOffice.org uses. In his
presentation, he'll discuss whether "OpenOffice developers [have]
taken into account the pitfalls shown by the history of the Microsoft
Office or is OpenOffice the next victim of the abuse of macro
viruses?" You can learn more about the conference, its tracks, and
Rautiainen's presentation at the URLs below.
   https://www.virusbtn.com/conference/vb2003/index.xml
   https://www.virusbtn.com/conference/vb2003/abstracts/srautiainen03.xml

OpenOffice.org might be a good alternative to Microsoft Office for
your environment. Because so many intruders target Microsoft software,
that alone might be strong motivator for taking a closer look at this
alternative office suite. If you've used OpenOffice.org and have
comments to share, please send me an email messages with your
observations and opinion.

Correction: Last week's commentary, "Service Pack Maintenance with
Scripts," referred to a second script as part of the service pack
rollout process. However, the single script discussed performs
multiple functions.

====================

==== Sponsor: Ecora Software ====

   Perform patch audits in minutes with Ecora Patch Manager
How confident are you that all critical security patches are deployed
and up-to-date on every single system in your infrastructure? Need
some help figuring it all out before the next big worm attack? Try a
free copy of Ecora Patch Manager. Designed for IT professionals short
on time, Patch Manager completely automates and simplifies the entire
patch management cycle in just minutes. See for yourself how
automation can save time, reduce costs, and keep your IT
infrastructure stable and secure. Download a free, fully-functional
trial of Ecora Patch Manager now!
   http://list.winnetmag.com/cgi-bin3/DM/y/echA0CJgSH0CBw0BCSP0Ag

====================

==== 2. Security Risks ====
   contributed by Ken Pfeil, ken () winnetmag com

Information-Disclosure Vulnerability in Microsoft NetBIOS
   Mike Price of Foundstone Labs discovered a vulnerability in
Microsoft NetBIOS that can result in information disclosure. This
vulnerability stems from a flaw in the NetBIOS Name Service (NBNS). An
attacker can exploit this vulnerability by sending a NetBIOS over
TCP/IP (NetBT) Name Service query to the target system, then examining
the response to see whether it includes random data from that system's
memory. Microsoft has released Security Bulletin MS03-034 (Flaw in
NetBIOS Could Lead to Information Disclosure) to address this
vulnerability and recommends that affected users apply the appropriate
patch mentioned in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=40089

Automatic Macro Execution Vulnerability in Microsoft Word
   Jim Bassett of Practitioners Publishing discovered that a
vulnerability in Microsoft Word can result in the automatic execution
of a macro. As a result of this vulnerability, an attacker can craft a
malicious document that bypasses the macro security model. When a user
opens the document, a malicious embedded macro will execute
automatically, regardless of the level at which you've set macro
security. The malicious macro can take actions that the user has
permissions to carry out, such as adding, changing, or deleting data
or files; communicating with a Web site; and formatting the hard disk.
Microsoft has released Security Bulletin MS03-035 (Flaw in Microsoft
Word Could Enable Macros to Run Automatically) to address this
vulnerability and recommends that affected users apply the appropriate
patch mentioned in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=40090

Arbitrary Code Execution Vulnerability in Microsoft WordPerfect
Converter
   eEye Digital Security discovered a vulnerability in Microsoft
WordPerfect Converter that can result in the execution of arbitrary
code on the vulnerable system. This vulnerability stems from a flaw in
the way Microsoft's WordPerfect converter handles Corel WordPerfect
documents. Because the converter doesn't correctly validate certain
parameters when it opens a WordPerfect document, an unchecked buffer
occurs. An attacker can therefore craft a malicious WordPerfect
document to allow code of his or her choice to execute if an
application that used the WordPerfect converter opened the document.
Microsoft has released Security Bulletin MS03-036 (Buffer Overrun in
WordPerfect Converter Could Allow Code Execution) to address this
vulnerability and recommends that affected users apply the appropriate
patch mentioned in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=40091

Arbitrary Code Execution Vulnerability in Microsoft VBA
   eEye Digital Security discovered that a vulnerability in Visual
Basic for Applications (VBA) can result in the execution of arbitrary
code on the vulnerable system. This vulnerability stems from a flaw in
the way Microsoft checks document properties passed to it when the
host application opens a document. The resulting buffer overrun can
let an attacker execute code of his or her choice under the logged-on
user's security context. Microsoft has released Security Bulletin
MS03-037 (Flaw in Visual Basic for Applications Could Allow Arbitrary
Code Execution) to address this vulnerability and recommends that
affected users apply the appropriate patch mentioned in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=40092

Arbitrary Code Execution Vulnerability in Microsoft Access Snapshot
Viewer
   Oliver Lavery discovered that a Microsoft Access vulnerability can
result in the execution of arbitrary code on the vulnerable system.
Because the Snapshot Viewer doesn't correctly validate parameters, a
buffer overrun can let an attacker execute code of his or her choice
under the logged-on user's security context. Microsoft has released
Security Bulletin MS03-038 (Unchecked buffer in Microsoft Access
Snapshot Viewer Could Allow Code Execution) to address this
vulnerability and recommends that affected users apply the appropriate
patch mentioned in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=40093

==== Sponsor: Virus Update from Panda Software ====

   Check for the latest anti-virus information and tools, including
weekly virus reports, virus forecasts, and virus prevention tips, at
Panda Software's Center for Virus Control.
   http://list.winnetmag.com/cgi-bin3/DM/y/echA0CJgSH0CBw0BBlT0AA

   Viruses routinely infect "fully protected" networks. Is total
protection possible? Find answers in the free guide HOW TO KEEP YOUR
COMPANY 100% VIRUS FREE from Panda Software. Learn how viruses enter
networks, what they do, and the most effective weapons to combat them.
Protect your network effectively and permanently - download today!
   http://list.winnetmag.com/cgi-bin3/DM/y/echA0CJgSH0CBw0BBDp0Aw

====================

==== 3. Announcements ====
   (from Windows & .NET Magazine and its partners)

Find Your Next Job at Our IT Career Center
   Check out our new online career center in which you can browse
current job openings, post your resume, and create automated
notifications to notify you when a job is posted that meets your
specifications. It's effective, it's private, and there's no charge.
Visit today!
   http://list.winnetmag.com/cgi-bin3/DM/y/echA0CJgSH0CBw0BBGS0AW

Attend Black Hat Briefings & Training Federal!
  Running September 29-30, 2003 (Training) and October 1-2, 2003
(Briefings) in Tysons Corner, VA, this is the world's premier
technical IT security event. Modeled after the famous Black Hat event
in Las Vegas! Includes 6 tracks, 12 training sessions, top speakers,
and sponsors. Lots of Windows stuff. Register today!
   http://list.winnetmag.com/cgi-bin3/DM/y/echA0CJgSH0CBw0pHV0AG

==== 4. Security Roundup ====

Feature: Windows Server 2003: Secure By Default
   Microsoft has made security the focal point of its Windows Server
2003 publicity, especially the publicity that targets IT
professionals. Windows 2003 marketing materials tout Bill Gates's
challenge to Microsoft employees in January 2002 to develop a
Trustworthy Computing initiative, and product managers and developers
from the Windows 2003 security team are taking center stage to
convince IT audiences that Microsoft has radically changed the
security philosophy of its Windows OSs. Joe Rudich discusses 10
default changes every administrator should know about.
   http://www.secadministrator.com/articles/index.cfm?articleid=39808

Feature: Is True Recovery Always Possible?
   Despite what some advertisements lead you to believe, when a
disaster strikes, you need more than just a large insurance policy to
get things back to "business as usual." And in some cases, you simply
can't bring a business back to where it was before the disaster. Kalen
Delaney discusses this situation further in her article on our Web
site.
   http://www.secadministrator.com/articles/index.cfm?articleid=39648

==== Hot Release ====

Thawte

   Get Thawte's New Step-by-Step SSL Guide for MSIIS
   In this guide you will find out how to test, purchase, install and
use a Thawte Digital Certificate on your MSIIS web server. Throughout,
best practices for set-up are highlighted to help you ensure efficient
ongoing management of your encryption keys and digital certificates.
Get your copy of this new guide now:
   http://list.winnetmag.com/cgi-bin3/DM/y/echA0CJgSH0CBw0BCSQ0Ah

==== 5. Security Toolkit ====

Virus Center
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

FAQ: How Do I Restrict Access to Some or All of the Control Panel
Applets on NT Systems?
   contributed by Jan De Clercq, jan.declercq () hp com

The Windows NT System Policy Editor (SPE) contains two Control
Panel-related settings that appear in the properties of user and group
system-policy objects. The first setting--Restrict display--lets you
restrict user access to the tabs of the Control Panel Display applet.
The other setting--Remove folders from Settings on Start menu--lets
you hide the Control Panel folder from a user's Start menu. Selecting
this check box also hides the Printers folder on the Start menu.

If you want to restrict access to specific Control Panel applets, you
can change the access control entries (ACEs) on the corresponding
Control Panel extension file. All such files reside in the
\%systemroot%\system32 folder and have a .cpl extension. To get a
clear overview of these files, sort the content of the system32 folder
by file type, then locate the files of type Control Panel extension.
To change the ACEs, right-click the .cpl file and select Properties.
Select the Security tab and adjust the permissions as needed. Make
sure that the System account keeps Full Control access. To automate
this process, you can run cacls.exe from a logon or .bat script. For
an overview of which .cpl file corresponds to which Control Panel
applet, see the Microsoft article "HOWTO: Start a Control Panel Applet
in Windows 95 or Later."
   http://support.microsoft.com/?kbid=135068

==== 6. Event ====

New--Mobile & Wireless Road Show!
   Learn more about the wireless and mobility solutions that are
available today! Register now for this free event!
   http://www.winnetmag.com/roadshows/wireless

==== 7. New and Improved ====
   by Sue Cooper, products () winnetmag com

Stop Suspicious Downloads
   GFI Software released GFI DownloadSecurity for ISA Server 6, which
provides content security for file downloads. Its new Trojan horse and
executable scanner analyzes what an executable does--and quarantines
those that perform suspicious activities. If an attempted file
download triggers a rule you set according to file type or user, the
file download is quarantined for approval. GFI DownloadSecurity
includes multiple antivirus engines, networkwide blocking of Java
applets and ActiveX controls, and seamless integration with Microsoft
Internet Security and Acceleration (ISA) Server 2000. New features
include support for Windows Server 2003, a decompression engine, and
downloading of updates through HTTP. Prices start at $295 for 25
users. You can find more information and a trial version at
http://www.gfi.com/dsec.
   http://www.gfi.com

Ease Sign-On Pain
   Passlogix announced v-GO Single Sign-On (SSO) 4.0, a client-based
security application that enables SSO by taking any form of
authentication and seamlessly connecting to any mainframe, Windows,
Web, or homegrown application. Even if computers are connected to a
network, users need only one password to connect to all their
applications. v-GO SSO 4.0 offers Federal Information Processing
Standard (FIPS) 140-2-compliant, on-the-fly encryption and constant
resource protection to meet stringent security regulations for
vertical applications. Its directorycentric architecture and
wizard-based administrative console let you quickly set up thousands
of users. Contact Passlogix at 866-727-7564, 212-825-9100, or
sales () passlogix com.
   http://www.passlogix.com

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a Windows & .NET Magazine T-shirt if we write about the
product in a future Windows & .NET Magazine What's Hot column. Send
your product suggestions with information about how the product has
helped you to whatshot () winnetmag com.

==== 8. Hot Thread ====

Windows & .NET Magazine Online Forums
   http://www.winnetmag.com/forums

Featured Thread: Can't Log On
   (Two messages in this thread)

A user has two Windows 2000 Advanced Server domain controllers (DCs)
on his network. When he tries to log on to one of them (even with the
Network Administrator account), he receives the message "The Local
policy of this system does not permit you to log on interactively." He
doesn't know what causes this condition. He has moved the server to a
new organizational unit (OU) and created a group policy to permit
everyone local logons, but he still can't log on locally to the
particular DC. Does anyone have a solution? Lend a hand or read the
responses:
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=62788

==== Sponsored Links ====

Aelita Software
   Free message-level Exchange recovery web seminar October 9th
   http://list.winnetmag.com/cgi-bin3/DM/y/echA0CJgSH0CBw0BCKG0AP

CrossTec
   Free Download - NEW NetOp 7.6 - faster, more secure, remote support
   http://list.winnetmag.com/cgi-bin3/DM/y/echA0CJgSH0CBw0BBnb0AQ

MailFrontier
   Eliminate spam once and for all. MailFrontier Anti-Spam Gateway.
   http://list.winnetmag.com/cgi-bin3/DM/y/echA0CJgSH0CBw0BCEC0AF

===================

==== 9. Contact Us ====

About the newsletter -- letters () winnetmag com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products () winnetmag com
About your subscription -- securityupdate () winnetmag com
About sponsoring Security UPDATE -- emedia_opps () winnetmag com

====================
   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing Windows and related technologies. Subscribe
 today.
   http://www.secadministrator.com/sub.cfm?code=saei25xxup


To make other changes to your email account such as change your email
address, update your profile, and subscribe or unsubscribe to any of
our email newsletters, simply log on to our Email Preference Center.
   http://www.winnetmag.com/email

Thank you!
__________________________________________________________
Copyright 2003, Penton Media, Inc.




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.