Information Security News mailing list archives

Security UPDATE, May 15, 2002


From: InfoSec News <isn () c4i org>
Date: Thu, 16 May 2002 02:11:43 -0500 (CDT)

******************** 
Windows & .NET Magazine Security UPDATE--brought to you by Security 
Administrator, a print newsletter bringing you practical, how-to 
articles about securing your Windows .NET Server, Windows 2000, and 
Windows NT systems. 
   http://www.secadministrator.com 
******************** 

~~~~ THIS ISSUE SPONSORED BY ~~~~

FREE Security eBook from NetIQ--HOT off the Press!
   http://list.winnetmag.com/cgi-bin3/flo?y=eLxo0CJgSH0CBw01ux0AB

Windows & .NET Magazine Webinar: Understanding PKI
   http://list.winnetmag.com/cgi-bin3/flo?y=eLxo0CJgSH0CBw0rcc0Ab 
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~ 

~~~~ SPONSOR: FREE SECURITY EBOOK FROM NETIQ--HOT OFF THE PRESS! ~~~~
   Need real-world, in-the-trenches advice on securing your Microsoft 
Windows .NET servers? Register now for "The Tips and Tricks Guide to 
Securing .NET Server." You'll gain best practices and technical advice 
that will open your eyes to Microsoft Windows .NET security. Get the 
inside scoop on legacy systems, .NET group policy, resource management, 
secure remote access and emerging .NET enhancements. Don't take chances 
with your .NET security. Register for the FREE eBook now!
   http://list.winnetmag.com/cgi-bin3/flo?y=eLxo0CJgSH0CBw01ux0AB

~~~~~~~~~~~~~~~~~~~~ 

May 15, 2002--In this issue: 

1. IN FOCUS
     - IM Security Considerations in the Enterprise
2. SECURITY RISKS
     - Unchecked Buffer in MSN Messenger Chat ActiveX Control
     - Buffer Overflow in Macromedia's Flash Player ActiveX Control

3. ANNOUNCEMENTS
     - Get Valuable Info for Free with IT Consultant Newsletter
     - Immediate Access to T-SQL Solutions!

4. SECURITY ROUNDUP
     - News: Microsoft Remedy Hearings: Allchin Explains Genesis, Scope 
       of Trustworthy Computing
     - Feature: Guarding Your CAs
     - Feature: Using the MBSA

5. INSTANT POLL
     - Results of Previous Poll: Security Information Notification
     - New Instant Poll: IM Use

6. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Modify the Installation Credential Settings in 
       Win2K?

7. NEW AND IMPROVED
     - Integrated Security Appliance
     - Universal Antivirus Rescue System

8. HOT THREADS 
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Blocking IM
     - HowTo Mailing List
         - Featured Thread: Not Recovering from a Missing SAM Database

9. CONTACT US 
   See this section for a list of ways to contact us. 

~~~~~~~~~~~~~~~~~~~~ 

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor, 
mark () ntsecurity net) 

* IM SECURITY CONSIDERATIONS IN THE ENTERPRISE

Does your organization use Instant Messaging (IM) software? IM has 
become an incredibly popular tool in the corporate world. Several 
companies that offer IM networks, including AOL, ICQ ("I Seek You"), 
Microsoft, and Yahoo!, have IM client packages with various features 
and capabilities. However, some administrators virtually ignore IM 
security considerations. For example, IM communications often traverse 
a network in plain text format, which means someone could eavesdrop 
easily on private business communications.
 
If you don't have IM software on your network, don't install it without 
planning. IM use carries considerable risk and requires not only the 
implementation of company policies, but also diligent ongoing attention 
to IM's vulnerabilities. For example, last week Microsoft reported that 
its MSN Chat Control software contains a buffer-overflow condition that 
could let intruders run the code of their choice on a user's machine. 
The problem affects MSN Chat Control, MSN Messenger, and Microsoft 
Exchange IM and is the third MSN chat security problem that Microsoft 
has reported this year. (See the related Security UPDATE story at the 
URL below.) But Microsoft isn't alone in having IM software security 
problems. So far this year, reports have documented eight security 
problems with AOL Instant Messenger (AIM), four with Yahoo! Messenger, 
and five with ICQ (which AOL owns). 
   http://www.secadministrator.com/articles/index.cfm?articleid=25168

You can address one IM security risk, the plain text transport, by 
using IM software that encrypts the conversation. Cerulean Studios has 
an IM security solution that's definitely worth a look: Trillian (see 
the URL below). Among the many IM packages with security features, this 
solution stands out for two reasons: Trillian permits messaging between 
several popular IM networks--including AOL, ICQ, Internet Relay Chat 
(IRC), MSN, and Yahoo!--and it encrypts conversations with keys that it 
regenerates continually. Trillian's encryption feature, SecureIM, uses 
the Blowfish encryption algorithm and generates a new key each time the 
user begins a new secure chat session. The software holds that key only 
in memory and never writes it to disk, which makes it harder for an 
attacker to recover the key after the fact.
   http://www.ceruleanstudios.com
 
AOL recently announced its encrypted messaging client, Enterprise AIM. 
According to a Washington Post Newsbytes story, AOL has partnered with 
VeriSign to create the new IM client, which AOL intends to sell to 
enterprise users. In addition to encrypted communications, Enterprise 
AIM will use VeriSign's certificate technology to authenticate users, 
which will help prevent user impersonation. 
   http://www.newsbytes.com/news/02/176517.html

If you subscribe to the Security Administrator monthly print 
newsletter, you might have read Roger A. Grimes' article in the May 
issue, "IM Security Primer," InstantDoc ID 24665, which offers a detailed 
overview of the major IM networks and information about the security 
concerns they raise for the enterprise. (To learn more about the print 
newsletter, visit the Security Administrator Channel home page at the URL 
below.)
   http://www.secadministrator.com

We're conducting a new Instant Poll this week: If your organization 
uses IM, we want to know which IM software you've standardized on. Stop 
by our home page and give us your answer.
   http://www.secadministrator.com
 
~~~~~~~~~~~~~~~~~~~~ 

~~~~ SPONSOR: WINDOWS & .NET MAGAZINE WEBINAR: UNDERSTANDING PKI ~~~~
   ATTEND OUR FREE WEBINAR: UNDERSTANDING PKI
   Implementing PKI successfully requires an understanding of the 
technology with all its implications. Attend the latest Webinar from 
Windows & .NET Magazine and develop the knowledge you need to address 
this challenging technology and make informed purchasing decisions. 
We'll also look closely at three possible content encryption solutions, 
including PKI. Register for FREE today!
   http://list.winnetmag.com/cgi-bin3/flo?y=eLxo0CJgSH0CBw0rcc0Ab
  
~~~~~~~~~~~~~~~~~~~~ 

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* UNCHECKED BUFFER IN MSN MESSENGER CHAT ACTIVEX CONTROL
   eEye Digital Security discovered that a buffer-overflow condition 
exists in the MSN Messenger Chat control that can result in unauthorized 
code execution. Even if users haven't installed MSN Messenger, an 
attacker can reference the control from the codebase attribute of an 
object tag, which prompts users to install it; because Microsoft signs 
the OLE custom control (OCX), the download prompt presents Microsoft's 
publisher credentials, which many users will accept. eEye's advisory gives a 
detailed explanation of this vulnerability. Microsoft has released 
Security Bulletin MS02-022 (Unchecked Buffer in MSN Chat Control Can 
Lead to Code Execution) to address this vulnerability and recommends 
that affected users apply the appropriate patch listed in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=25168
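Setting the Internet Explorer kill bit for a control's CLSID is the 
standard way to stop IE from loading the control, and from offering to 
download it through a codebase attribute, when you can't apply the patch 
right away. The following PowerShell is an added example, not code from 
the newsletter, eEye, or Microsoft. The CLSID it uses is a placeholder 
that you must replace with the control's real CLSID from the MS02-022 
bulletin or the eEye advisory, and the function names are assumptions of 
this example.

```powershell
# Added example (not from the newsletter): set and verify the IE kill bit
# for an ActiveX control identified by CLSID. Run in an elevated session,
# because the key lives under HKLM. The CLSID used at the bottom is a
# PLACEHOLDER; take the real one from MS02-022 or eEye's advisory.
$compatRoot = 'HKLM:\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility'
$KILL_BIT   = 0x400   # Compatibility Flags bit: IE must not load this control

function Set-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $key = Join-Path $compatRoot $Clsid
    if (-not (Test-Path $key)) {
        New-Item -Path $key -Force | Out-Null
    }
    # Preserve any flags already set for this CLSID; only add the kill bit.
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    $flags = ([int]$current) -bor $KILL_BIT      # [int]$null evaluates to 0
    New-ItemProperty -Path $key -Name 'Compatibility Flags' `
        -PropertyType DWord -Value $flags -Force | Out-Null
}

function Test-ActiveXKillBit {
    param([Parameter(Mandatory = $true)][string]$Clsid)
    $key = Join-Path $compatRoot $Clsid
    $current = (Get-ItemProperty -Path $key -Name 'Compatibility Flags' `
                -ErrorAction SilentlyContinue).'Compatibility Flags'
    return ((([int]$current) -band $KILL_BIT) -ne 0)
}

# Placeholder CLSID: replace with the real one from MS02-022 / eEye's advisory.
$clsid = '{00000000-0000-0000-0000-000000000000}'
Set-ActiveXKillBit  -Clsid $clsid
Test-ActiveXKillBit -Clsid $clsid    # True once the kill bit is set
```

The kill bit blocks every version of a control that shares the CLSID, 
so a fixed build that keeps the same CLSID stays blocked until you clear 
the bit; treat that as part of the patch rollout rather than a surprise.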

* BUFFER OVERFLOW IN MACROMEDIA'S FLASH PLAYER ACTIVEX CONTROL
   A buffer-overflow condition exists in Macromedia's Flash Player 6.0 
ActiveX Control. An attacker can use this vulnerability to execute code 
through email, a Web site, or any other way that Microsoft Internet 
Explorer (IE) displays HTML. eEye Digital Security's advisory gives a 
detailed explanation of this vulnerability. Macromedia has released an 
updated version of Flash Player that addresses this vulnerability.
   http://www.secadministrator.com/articles/index.cfm?articleid=25152

3. ==== ANNOUNCEMENTS ====

* GET VALUABLE INFO FOR FREE WITH IT CONSULTANT NEWSLETTER
   Sign up today for IT ConsultantWire, a FREE email newsletter from 
Penton Media. This newsletter is specifically designed for IT 
consultants, bringing you news, product analysis, project management 
and business logic trends, industry events, and more. Find out more 
about this solution-packed resource and sign up for FREE at
   http://list.winnetmag.com/cgi-bin3/flo?y=eLxo0CJgSH0CBw0rfb0Ad

* IMMEDIATE ACCESS TO T-SQL SOLUTIONS!
   Exclusive in-depth articles, tips, tricks, and code samples all at 
your fingertips. Content you can't get anywhere else--brought to you by 
the SQL Server experts you trust such as Kalen Delaney, Itzik Ben-Gan, 
and others. Increase your productivity today! Go to the following URL.
   http://list.winnetmag.com/cgi-bin3/flo?y=eLxo0CJgSH0CBw0Kqz0AZ

4. ==== SECURITY ROUNDUP ====

* NEWS: MICROSOFT REMEDY HEARINGS: ALLCHIN EXPLAINS GENESIS, SCOPE OF 
TRUSTWORTHY COMPUTING
   Microsoft Group Vice President Jim Allchin admitted something 
yesterday that I've suspected ever since I first read the "Trustworthy 
Computing" email, a missive that Chairman and Chief Software Architect 
Bill Gates sent to Microsoft employees and that the company 
purposefully leaked to the press. Under questioning during cross-
examination at the Microsoft remedy hearings, Allchin said that it was 
he, not Gates, who originally came up with the Trustworthy Computing 
idea. Allchin also described the Windows products that the initiative 
covers. 
   http://www.secadministrator.com/articles/index.cfm?articleid=25159

* FEATURE: GUARDING YOUR CAs
   With the growing emphasis on information security, many companies 
turn to digital certificates to help increase the level of security on 
their networks. If your network relies on digital certificates, 
however, you need to implement some disaster-prevention and -recovery 
techniques to protect your digital certificates and the Certificate 
Authorities (CAs) that issue them. A brief review of public key 
infrastructure (PKI) and an introduction to digital certificates and 
their CAs will get you started. Then, let's examine some methods 
designed to help you better guard your certificates, your CAs, and the 
certificate databases that contain your CAs.
   http://www.secadministrator.com/articles/index.cfm?articleid=25156

* FEATURE: USING THE MBSA
   If you follow the news about Microsoft security tools, you probably 
know that 6 weeks ago Microsoft released Microsoft Baseline Security 
Analyzer (MBSA), which has received a fair amount of negative press 
coverage. 
   The complaints echo what David Chernicoff wrote last year about the 
Microsoft Personal Security Advisor (MPSA) tool: The information the 
tool provides isn't as useful as it could be, and you need to 
understand what each reported entry means before you'll find the tool 
useful. The MBSA tool that replaced the MPSA has similar problems, 
which isn't surprising because it uses the same design philosophy.
   http://www.secadministrator.com/articles/index.cfm?articleid=25161

5. ==== INSTANT POLL ====

* RESULTS OF PREVIOUS POLL: SECURITY INFORMATION NOTIFICATION
   The voting has closed in Windows & .NET Magazine's Security 
Administrator Channel nonscientific Instant Poll for the question, "How 
should Microsoft notify its customers about new service packs and new or 
updated security-related rollup packages, tools, and TechNet articles?" 
Here are the results (+/-2 percent) from the 378 votes:
   - 63% Microsoft should issue security bulletins for all security-
related matters
   - 34% Microsoft should add a mailing list for non-bulletin security 
matters 
   -  3% Microsoft needn't notify customers in any additional ways

* NEW INSTANT POLL: IM USE
   The next Instant Poll question is, "If your organization uses 
Instant Messaging (IM), which IM choice have you standardized on?" Go 
to the Security Administrator Channel home page and submit your vote 
for a) AOL Instant Messenger (AIM), b) ICQ, c) MSN Messenger, d) Yahoo! 
Messenger, or e) Other.
   http://www.secadministrator.com

6. ==== SECURITY TOOLKIT ==== 

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed to 
bring you the Center for Virus Control. Visit the site often to remain 
informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I MODIFY THE INSTALLATION CREDENTIAL SETTINGS IN WIN2K?
   ( contributed by John Savill, http://www.windows2000faq.com )

A. An administrator can lock down a system to prevent a user from 
installing new software, or the administrator can configure the system 
so that the user can provide alternate credentials and continue the 
installation. The registry values below are the ones that the "Do not 
request alternate credentials" and "Request credentials for network 
installations" policies (User Configuration, Administrative Templates, 
Windows Components, Windows Explorer) write, so a Group Policy Object 
(GPO) that sets them overwrites a manual edit at the next policy 
refresh. To modify the installation credential settings for the current 
user on one machine, perform the following steps: 

   1. Start a registry editor (e.g., regedit.exe). 
   2. Navigate to the following subkey: 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Policies\Explorer. 
   3. Double-click the NoRunasInstallPrompt value (create it as a 
REG_DWORD if it doesn't exist); set it to 1 to disable the credential 
prompt or 0 to allow it. 
   4. Click OK. 

To modify the installation credential settings for network 
installations, perform the following steps: 

   1. Start a registry editor (e.g., regedit.exe). 
   2. Navigate to the following subkey: 
HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\
Policies\Explorer. 
   3. Double-click the PromptRunasInstallNetPath value (create it as a 
REG_DWORD if it doesn't exist); set it to 1 to extend the alternate-
credentials prompt to installations from network paths, or 0 to leave 
the default behavior. 
   4. Click OK. 
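The same two settings as a PowerShell function, so that you can apply 
them and read them back without regedit. This is an added example, not 
part of John Savill's FAQ; the function and parameter names are 
assumptions of this example, while the key path and value names are the 
ones the FAQ gives.

```powershell
# Added example (not from the FAQ): set and read the two Windows Explorer
# install-credential policy values for the current user. Key path and
# value names are those in the FAQ; function/parameter names are my own.
$policyKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'

function Set-InstallCredentialPolicy {
    param(
        # $true = never offer the alternate-credentials prompt for installs
        [bool]$DisableCredentialPrompt,
        # $true = also prompt for alternate credentials on network-path installs
        [bool]$PromptForNetworkInstalls
    )
    # The Policies\Explorer key is absent on a machine that has never had a
    # policy applied, so create it instead of assuming regedit's double-click.
    if (-not (Test-Path $policyKey)) {
        New-Item -Path $policyKey -Force | Out-Null
    }
    # Both values are REG_DWORD: 1 = on, 0 = off. [int]$true is 1.
    New-ItemProperty -Path $policyKey -Name 'NoRunasInstallPrompt' `
        -PropertyType DWord -Value ([int]$DisableCredentialPrompt) -Force | Out-Null
    New-ItemProperty -Path $policyKey -Name 'PromptRunasInstallNetPath' `
        -PropertyType DWord -Value ([int]$PromptForNetworkInstalls) -Force | Out-Null
}

function Get-InstallCredentialPolicy {
    # Report the stored values; a missing value means "not configured".
    $props = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    [pscustomobject]@{
        NoRunasInstallPrompt      = $props.NoRunasInstallPrompt
        PromptRunasInstallNetPath = $props.PromptRunasInstallNetPath
    }
}

# Lock the user out of supplying alternate credentials for local installs
# and leave the network-install prompt at its default.
Set-InstallCredentialPolicy -DisableCredentialPrompt $true -PromptForNetworkInstalls $false
Get-InstallCredentialPolicy
```

Because the values live under HKCU, run the function as the user whose 
installs you want to control, and remember that a GPO which configures 
the same policies wins at the next refresh.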

7. ==== NEW AND IMPROVED ==== 
   (contributed by Judy Drennen, products () winnetmag com)

* INTEGRATED SECURITY APPLIANCE
   Symantec announced Symantec Gateway Security, a security appliance 
that integrates firewall, gateway-level antivirus, intrusion-detection, 
content-filtering, and VPN capabilities in a single solution. Although 
the appliance targets small and midsized offices, administrators can 
also manage local and remote appliances over the Internet, including 
advanced configurations, rule sets, and cluster parameters, which 
reduces total cost of ownership (TCO). Symantec Gateway Security Model 
5110 offers 
throughput of up to 40Mbps with a 50-node license for $11,790; Model 
5200 offers a throughput of up to 80Mbps with a 250-node license for 
$23,590; Model 5300 provides a throughput of up to 80Mbps with an 
unlimited node license for $51,990. Contact Symantec at 408-517-8000.
   http://www.symantec.com

* UNIVERSAL ANTIVIRUS RESCUE SYSTEM
   Central Command released Vexira Antivirus Rescue Disk System, a free 
virus scanner that can scan Windows, Linux, UNIX, DOS, and OS/2 from a 
single CD-ROM or disk set. Vexira can remove more than 64,463 viruses, 
Trojan horses, and other malicious applications, thereby providing 
users with a safety net when they can't start a computer because of 
file corruption, alterations to the registry, or damaged partition 
tables. Contact Central Command at 330-723-2062.
   http://www.centralcommand.com
  
8. ==== HOT THREADS ==== 

* WINDOWS & .NET MAGAZINE ONLINE FORUMS 
   http://www.winnetmag.com/forums

Featured Thread: Blocking IM
   (Five messages in this thread)

John wants to know whether he can prevent his network users from 
loading Yahoo! Messenger and similar Instant Messaging (IM) programs 
onto their systems for use through the company Internet connection. 
   http://www.secadministrator.com/forums/thread.cfm?thread_id=81118

* HOWTO MAILING LIST
   http://www.secadministrator.com/listserv/page_listserv.asp?s=howto

Featured Thread: Not Recovering from a Missing SAM Database
   (Two messages in this thread)

Kit writes that with Windows 2000, if the SAM database is corrupted, 
the OS politely makes its own blank copy of the SAM and starts up--so 
you can immediately restore from backup. On some machines, he doesn't 
want that to happen. Is there a registry setting he can change to 
prevent this behavior? Can you help? Read the responses or lend a hand 
at the following URL:
   http://63.88.172.96/listserv/page_listserv.asp?a2=ind0205a&l=howto&p=503

9. ==== CONTACT US ==== 
   Here's how to reach us with your comments and questions: 

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- vpatterson () winnetmag com (please 
mention the newsletter name in the subject line) 

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums 

* PRODUCT NEWS -- products () winnetmag com 

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer 
Support -- securityupdate () winnetmag com 

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com 

******************** 

   This email newsletter is brought to you by Security Administrator, 
the print newsletter with independent, impartial advice for IT 
administrators securing a Windows 2000/Windows NT enterprise. Subscribe 
today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of 
your choice. Subscribe to our other FREE email newsletters. 
   http://www.winnetmag.com/email 

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE. 

You are subscribed as isn () c4i org.

MANAGE YOUR ACCOUNT
You can manage your entire Windows & .NET Magazine Network email 
newsletter account on our Web site. Simply log on and you can change 
your email address, update your profile information, and subscribe or 
unsubscribe to any of our email newsletters all in one place.
   http://www.winnetmag.com/email

SUBSCRIBE
To quickly subscribe, send a blank email to mailto:Security-UPDATE_Sub () list winnetmag com.

UNSUBSCRIBE
To quickly unsubscribe, send a blank email to 
mailto:Security-UPDATE_Unsub () list winnetmag com.

Thank you!
__________________________________________________________
Copyright 2002, Penton Media, Inc.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

