Information Security News mailing list archives

Security UPDATE, April 2, 2003


From: InfoSec News <isn () c4i org>
Date: Thu, 3 Apr 2003 04:13:33 -0600 (CST)

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows Server 2003, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

April 2, 2003--In this issue:

1. IN FOCUS
     - Jumping the Gun on Vulnerability Disclosure

2. SECURITY RISKS
     - DoS in Microsoft RPC Endpoint Mapper
     - DoS in Check Point VPN-1/FireWall-1 Client Component

3. ANNOUNCEMENT
     - Sample Our Security Administrator Newsletter!

4. SECURITY ROUNDUP
     - News: RPC Vulnerability Threatens Windows with DoS Attacks
     - News: Code Execution Vulnerability in Windows Script Engine
     - News: Secunia Launches New Security Advisories Service

5. INSTANT POLL
     - Results of Previous Poll: WebDAV and IIS
     - New Instant Poll: WEP and WPA

6. SECURITY TOOLKIT
     - Virus Center
     - FAQ: Why Am I Receiving Event ID Errors 5737 and 7023 on My
       Windows 2000 Server Service Pack 2 (SP2) System?

7. NEW AND IMPROVED
     - Event Management in an Appliance
     - Spam Filtering as a Service
     - Submit Top Product Ideas

8. HOT THREAD
     - Windows & .NET Magazine Online Forums
         - Featured Thread: How Do You Print the GPO?

9. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
mark () ntsecurity net)

* JUMPING THE GUN ON VULNERABILITY DISCLOSURE

Last week, in my Security UPDATE commentary "Security Research: A
Double-Edged Sword," I discussed how researchers discover security
problems and work with vendors to coordinate information and patch
release--to minimize networks' exposure to a given discovery. A recent
case in point illustrates how jumping the gun on information
disclosure can occur when well-intentioned researchers become
impatient.
   http://www.secadministrator.com/articles/index.cfm?articleid=38448

This past Saturday, while most working people on the planet were
enjoying their weekends, a researcher posted a message to the BugTraq
mailing list about a vulnerability in Sendmail. As you know, Sendmail
is one of the most widely used SMTP mail systems, and although
Sendmail was written to run primarily on UNIX systems, various vendors
port the code to Windows platforms. The researcher had discovered a
problem in Sendmail stemming from insufficient bounds checking during
character-to-integer conversions that might lead to a buffer overflow
and subsequent compromise of a given Sendmail system.

The researcher had contacted Sendmail.org on March 18 about his
discovery, and the group replied the following day acknowledging the
problem and stating that it would release an updated version of the
product. However, if I understand the situation correctly, the updated
release was not posted immediately for reasons internal to
Sendmail.org, which I assume involve coordinating efforts with
third-party vendors and Sendmail software users. When after 11 days
(March 29) the new version wasn't posted, the researcher decided to
post a notice about the problem to BugTraq, basically stating that he
was "forced" to release details of the problem. Again, I assume the
researcher's intent was to put pressure on the Sendmail vendor.

With the bug now exposed to the public, Sendmail immediately--on March
29--released its updated product version (8.12.9) and posted a brief
comment: "We apologize for releasing this information today
(2003-03-29) but we were forced to do so by an e-mail on a public
mailing list which contains information about the security flaw."
Sendmail wasn't entirely ready to release its updated version, but
apparently Sendmail had corrected the problem in the code and had a
new version it could release. I don't know the exact reasons for the
11-day delay, but again, I suspect Sendmail needed the time for
testing and coordination--because Sendmail is bundled with various
OSs.
   http://www.sendmail.org/8.12.9.html

Jumping the gun in this way is unfortunate. This instance seems to
have been the result of a communication breakdown. Could the
researcher have exercised more responsibility, patience, and restraint
before forcing the vendor's release of updated code by posting
information about the bug to the public? Did the researcher consider
the potential ramifications of the disclosure--how many others it
might affect? Could Sendmail have kept in better touch as time passed,
letting the researcher know a projected date of release?

Although this set of events might seem minor to some people, it could
lead to severe problems across the Internet for millions of people.
What if attackers used the bug to crash mail systems or to take over
servers? Such events cost time, money, and frustration, and a
discloser might face legal ramifications. Right now, given the state
of world affairs, one act--tossing a particular pebble of information
into the sea of technology--could potentially cause a tsunami.

On another note, 2 weeks ago in the Security UPDATE commentary "Audit
Your Windows Shares" (see the URL below) I mentioned CERT's notice
about several Denial of Service (DoS) programs plaguing Windows
systems. What I didn't tell you is that many such DoS programs have
incorporated a perfectly legitimate network administration tool,
PsExec, which Sysinternals created.
   http://www.secadministrator.com/articles/index.cfm?articleid=38387

According to the Sysinternals Web site, "PsExec is a light-weight
telnet-replacement that lets you execute processes on other systems,
complete with full interactivity for console applications, without
having to manually install client software. PsExec's most powerful
uses include launching interactive command-prompts on remote systems
and remote-enabling tools like IpConfig that otherwise do not have the
ability to show information about remote systems." Essentially, you
can use PsExec instead of tools such as Telnet or Symantec's
pcAnywhere.
   http://www.sysinternals.com/ntw2k/freeware/psexec.shtml

Mark Russinovich, cofounder of Sysinternals and author for Windows &
.NET Magazine, wrote to remind me about another Sysinternals tool.
Although system attackers use PsExec to exploit Windows systems,
Sysinternals' ShareEnum program can help users audit their shared
resources and tighten security. Doing so can help administrators
ensure that intruders will have a hard time inserting DoS programs
into users' systems. Be sure to check out ShareEnum, which is
available for free (the complete source code is also available).
   http://www.sysinternals.com/ntw2k/source/shareenum.shtml

~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* DoS IN MICROSOFT RPC ENDPOINT MAPPER
   Jussi Jaakonaho discovered a new vulnerability in the part of
remote procedure call (RPC) that handles message exchange over TCP/IP.
This vulnerability, a result of incorrect handling of malformed
messages, could result in a Denial of Service (DoS) condition. An
attacker could exploit this vulnerability by establishing a TCP/IP
connection to the Endpoint Mapper process on a remote machine and
transmitting a malformed message. At this point, the process on the
remote machine would fail. Microsoft has released Security Bulletin
MS03-010 (Flaw in RPC Endpoint Mapper Could Allow Denial of Service
Attacks) to address this vulnerability and recommends that affected
users immediately apply the patch mentioned in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=38456

* DoS IN CHECK POINT VPN-1/FIREWALL-1 CLIENT COMPONENT
   Dr. Peter Bieringer of AERAsec Network Services and Security
discovered a vulnerability in Check Point VPN-1/FireWall-1 Client
component versions earlier than Feature Pack 3 (FP3) Hotfix-2 that
could result in a Denial of Service (DoS) condition. By sending
excessive amounts of data through a syslog connection, an attacker can
cause the SmartView Tracker logging mechanism on the target firewall
to experience high CPU utilization rates. According to AERAsec, these
rates can cause SmartView Tracker to crash without notice, and the
service must be manually restarted. The vendor, Check Point Software
Technologies, has released Hotfix-2 to address this vulnerability and
recommends that affected users immediately apply the patch mentioned
in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=38428

3. ==== ANNOUNCEMENT ====
   (brought to you by Windows & .NET Magazine and its partners)

* SAMPLE OUR SECURITY ADMINISTRATOR NEWSLETTER!
   If you spend the better part of your day dealing with security
concerns such as controlling user access, viruses, and tightening your
network's permeability, then you can benefit from the type of
information we publish each month in Security Administrator. Every
issue shows you how to protect your enterprise with informative,
in-depth articles, timely tips, and practical advice. Sample our most
recent issue today!
   http://list.winnetmag.com/cgi-bin3/flo/y/eQJt0CJgSH0CBw08XJ0AR

4. ==== SECURITY ROUNDUP ====

* NEWS: RPC VULNERABILITY THREATENS WINDOWS WITH DoS ATTACKS
   A recently discovered vulnerability in the remote procedure call
(RPC) subsystem in Windows XP, Windows 2000, and Windows NT can make
those OSs susceptible to Denial of Service (DoS) attacks, according to
Microsoft. The company has already created a patch for XP and Win2K
users. However, it says that major changes in the way RPC works since
the release of NT 4.0 prevent it from creating a patch for that OS. NT
4.0 users can use the workaround described on the Microsoft site.
   http://www.secadministrator.com/articles/index.cfm?articleid=38452

* NEWS: CODE EXECUTION VULNERABILITY IN WINDOWS SCRIPT ENGINE
   If you run Microsoft SQL Server on Windows, you need to know that a
new vulnerability in Windows Script Engine can result in the execution
of arbitrary code on the vulnerable system. The vulnerability stems
from the way Windows Script Engine for JScript processes information.
Use the URL below to find more information about the vulnerability and
to reach download sites.
   http://www.secadministrator.com/articles/index.cfm?articleid=38459

* NEWS: SECUNIA LAUNCHES NEW SECURITY ADVISORIES SERVICE
   Secunia has launched a new mailing list, called Secunia Security
Advisories, which consolidates security vulnerability information from
a variety of sources. The company is making its advisories available
through email, its Web site, and an affiliate network.
   http://www.secadministrator.com/articles/index.cfm?articleid=38450

5. ==== INSTANT POLL ====
 
* RESULTS OF PREVIOUS POLL: WEBDAV AND IIS
   The voting has closed in Windows & .NET Magazine's Security
Administrator Channel nonscientific Instant Poll for the question,
"Does your company use WWW Distributed Authoring and Versioning
(WebDAV) with Microsoft IIS?" Here are the results from the 151 votes.

   - 11% Yes
   - 81% No
   -  7% I'm not sure
(Deviations from 100 percent are due to rounding.)
 
* NEW INSTANT POLL: WEP and WPA
   The next Instant Poll question is, "Will your company replace Wired
Equivalent Privacy (WEP) with Wi-Fi Protected Access (WPA)?" Go to the
Security Administrator Channel home page and submit your vote for a)
Yes, b) No, c) No--We're waiting for 802.11i, or d) Undecided.
   http://www.secadministrator.com

6. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: Why Am I Receiving Event ID Errors 5737 and 7023 on My Windows
2000 Server Service Pack 2 (SP2) System?
   (contributed by John Savill, http://www.windows2000faq.com)

A. Event ID 5737 is an unspecified Netlogon service error, and event
ID 7023 is a Kerberos Key Distribution service error. Both errors
result from a corrupt or missing rsaenh.dll file, which is the
Microsoft Enhanced Cryptographic Provider, and they prevent the
services from starting. Win2K SP2 automatically upgrades the system to
128-bit encryption. In so doing, the service pack attempts to install
the rsaenh.dll file. To resolve the problem, copy the rsaenh.dll file
from another server or from the extracted service pack.

7. ==== NEW AND IMPROVED ====
   (contributed by Sue Cooper, products () winnetmag com)

* EVENT MANAGEMENT IN AN APPLIANCE
   Network Intelligence is shipping enVision-LS, a Windows 2000
Server-based appliance that provides security event and network event
management with guaranteed levels of performance. Features include a
Web-based UI; realtime analysis for cross-device event correlation and
alerting; the ability to perform ad hoc queries and automatic
scheduling of included reports; realtime data encryption and
compression; granular, role-based multiuser support; and integration
with other network operations solutions. enVision-LS supports leading
security and networking devices and most host OSs out of the box.
Contact Network Intelligence at 508-668-2460 and
sales () network-intelligence com.
   http://www.network-intelligence.com

* SPAM FILTERING AS A SERVICE
   Trend Micro announced the Trend Micro Spam Prevention Service
(SPS), designed to block spam at the gateway and to interoperate with
the company's antivirus and content security products. SPS is based on
Postini's proven heuristic technology antispam filtering rules, in an
exclusive agreement with the email security service provider. After
SPS defines a message as spam, you can take predefined actions, such
as tagging, delivering, or rerouting the message. You can configure
spam prevention in the following categories: hate mail, get rich quick
solicitations, sexual content, bulk mail, and commercial. Trend Micro
Spam Prevention Service for Sun Solaris is now available. Support for
Windows and Linux platforms is planned for second quarter 2003.
Pricing begins at $30 per user per year, for 25 users. Contact Trend
Micro at 888-588-7363.
   http://www.trendmicro.com

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

8. ==== HOT THREAD ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: How Do You Print the GPO?
   (Four messages in this thread)

A user wants to print out the entire Group Policy Object (GPO) of each
container and compare those GPOs to the other GPOs in the tree. Having
a printout of enabled options would be helpful to eliminate
duplication. He tried to use the "Microsoft Windows 2000 Resource Kit"
utilities GPRESULT and GPTOOL, but neither tool gives him the same
settings that he sees in the GPO editor. He also tried to use the
EXPORT option in the GPO editor, but that listed only the options for
each category. Does anyone know of a Microsoft utility or a
third-party utility that will help? Lend a hand or read the responses:
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=46780

9. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- letters () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

__________________________________________________________
Copyright 2003, Penton Media, Inc.