Information Security News mailing list archives

Windows & .NET Magazine Security UPDATE--August 6, 2003


From: InfoSec News <isn () c4i org>
Date: Thu, 7 Aug 2003 02:33:27 -0500 (CDT)

====================

==== This Issue Sponsored By ====

Ecora Software
   http://list.winnetmag.com/cgi-bin3/DM/y/ecHw0CJgSH0CBw0BBlS0AV

HP & Microsoft Network Storage Solutions Road Show
   http://list.winnetmag.com/cgi-bin3/DM/y/ecHw0CJgSH0CBw07cD0Ao

====================

1. In Focus: The RPC/DCOM Bugs: How Bad Are They?

2. Security Risks
     - Information-Disclosure Vulnerability in Cisco AP1100
     - DoS Vulnerability in Cisco WAP

3. Announcements
     - Need Help Managing Your Storage Investment?
     - Learn More About the Security Risks in Exchange 2003

4. Security Roundup
     - News: Microsoft Patches Leave Systems Insecure and Break RAS
     - News: Is RIAA Targeting You?
     - News: Bono Introduces Spyware Bill
     - News: Are You Vulnerable to RPC Exploitation?

5. Instant Poll
     - Results of Previous Poll: Cisco IOS Software Vulnerability
     - New Instant Poll: RPC/DCOM Probing

6. Security Toolkit
     - Virus Center
     - FAQ: What Command-Prompt Tool Reports System Uptime?

7. Event
     - New--Mobile & Wireless Road Show!

8. New and Improved
     - Monitor Web Content from Both Directions
     - Submit Top Product Ideas

9. Hot Thread
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Auditing Software for Win2K?
     - HowTo Mailing List
         - Featured Thread: Batch Files in AD GPO

10. Contact Us
   See this section for a list of ways to contact us.

====================

==== Sponsor: Ecora Software ====

   Perform patch audits in minutes with Ecora Patch Manager
   How confident are you that all critical security patches are
deployed and up-to-date on every single system in your infrastructure?
Need some help figuring it all out before the next big worm attack? 
Try a free copy of Ecora Patch Manager.  Designed for IT professionals
short on time, Patch Manager completely automates and simplifies the
entire patch management cycle in just minutes.  See for yourself how
automation can save time, reduce costs, and keep your IT
infrastructure stable and secure. Download a free, fully-functional
trial of Ecora Patch Manager now!  Patch Manager supports
mission-critical OS platforms and applications, including Windows
NT/2000/XP, Microsoft Exchange, IIS, SQL, MSDE, Windows Media Player,
Microsoft Office, and IE.
   http://list.winnetmag.com/cgi-bin3/DM/y/ecHw0CJgSH0CBw0BBlS0AV

====================

==== 1. In Focus: The RPC/DCOM Bugs: How Bad Are They? ====
   by Mark Joseph Edwards, News Editor, mark () ntsecurity net

You've undoubtedly learned about the remote procedure call
(RPC)-Distributed COM (DCOM) bug in Windows by now. If not, you were
probably on vacation and returned to what might seem like a crisis.
Microsoft released its patch for the problem, which you can read about
in "Microsoft Patches Leave Systems Insecure and Break RAS" and "Are
You Vulnerable to RPC Exploitation?" in this issue of Security UPDATE.
However, users have discovered that the Microsoft patch doesn't
exactly fix all the problems.

Users who obtained the "demonstration code" (I use that term loosely)
to test their patched systems quickly learned that systems are still
vulnerable to a Denial of Service (DoS) attack that crashes the
svchost.exe process. One reader informed me that Microsoft has
acknowledged that problem and said that it will release a fix.

Microsoft originally reported that disabling DCOM (by using
dcomcnfg.exe) and blocking port 135 would mitigate attacks, which is
true. However, the company later modified its bulletin to indicate
that you must also block port 137 and port 445 because someone can
launch an attack against those ports as well. Another reader pointed
out that CERT's bulletin about the matter adds port 139 to the list of
vulnerable ports. You should block access to all of these ports (UDP
and TCP) wherever and whenever possible. Ports can be open on many
machines, and it's always best to block everything that you don't need
to leave exposed.
   http://www.cert.org/advisories/CA-2003-19.html

Defending against attacks by disabling DCOM might not be a practical
workaround either, depending on your network environment. Members of
various mailing lists (e.g., Full-Disclosure, Focus-MS) report that
you might encounter critical problems with such attempted workarounds.

For example, even if you perform the blocking actions described, you
might still be at risk if your Microsoft IIS servers have COM Internet
Services enabled. In that case, attacks might be possible against port
80 and port 443. Also, disabling DCOM on your system eliminates the
ability of different systems' COM objects to communicate with each
other, which has wide-reaching effects.

Microsoft Systems Management Server (SMS) servers won't be able to
perform their tasks correctly. Also, after you disable DCOM on a
machine, your remote management tools won't be able to access that
machine. For example, if you need to reenable DCOM to regain
functionality, someone will have to physically visit that machine to
turn it back on.

Obviously, patches that correct these matters would provide the best
solution. By the time you read this, Microsoft might have released
another patch that corrects all the problems. I hope so, because many
people are concerned that someone will unleash a worm or virus that
could lead to massive DoS episodes--or release Trojan horses that open
back doors. Unfortunately, both possibilities are likely and at least
one worm, Autorooter, has already been discovered. (You can read about
the worm at the Kaspersky Lab Web site--see the URL below.) Other
exploits might already have occurred by the time you read this
newsletter. If such exploits occur, who will be responsible: the
intruders, the people who fail to patch their systems, or the people
who release proof-of-concept code? Perhaps all of those groups will
have played a part.
   http://www.viruslist.com/eng/viruslist.html?id=61506

In the meantime, you can monitor attack trends at Internet Storm
Center. The site provides useful information about security risk
trends by gathering that information from numerous network sensors
around the world. Be sure to check it out.
   http://www.incidents.org
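One way to answer the question the article raises (are the RPC/DCOM ports being probed?) from logs you already have, as an added example that is not part of the newsletter: it tallies denied inbound connections to the ports the column lists (135, 137, 139 and 445, TCP and UDP) per source address. The log format and the addresses are constructed for the example; any real firewall's format would need its own pattern.

```python
# Added example (not from the newsletter): count inbound connection attempts to
# the RPC/DCOM-related ports named in the article from constructed firewall
# "deny" log lines, so an administrator can spot probing sources.
import re
from collections import Counter

# Ports the article says to block (UDP and TCP): 135 from Microsoft's bulletin,
# 137 and 445 from the revised bulletin, 139 from CERT CA-2003-19.
# COM Internet Services on IIS (ports 80/443) cannot be told apart from normal
# Web traffic by port number alone, so it is deliberately not counted here.
RPC_DCOM_PORTS = {135, 137, 139, 445}

# Generic deny-log format, constructed for this example (not any vendor's).
LOG_RE = re.compile(
    r"^(?P<ts>\S+ \S+) DENY (?P<proto>TCP|UDP) "
    r"(?P<src>\d+\.\d+\.\d+\.\d+):(?P<sport>\d+) -> "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Return (proto, src, dport) for a well-formed line, else None."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    return m.group("proto"), m.group("src"), int(m.group("dport"))

def probe_report(lines, threshold=3):
    """Count hits on RPC/DCOM ports per source and per proto/port; a source
    with at least `threshold` hits is reported as a probable scanner."""
    per_source = Counter()
    per_port = Counter()
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # skip malformed lines instead of aborting the report
        proto, src, dport = parsed
        if dport in RPC_DCOM_PORTS:
            per_source[src] += 1
            per_port[f"{proto}/{dport}"] += 1
    suspects = [s for s, n in per_source.most_common() if n >= threshold]
    return {"per_source": dict(per_source), "per_port": dict(per_port),
            "suspects": suspects}

# Constructed sample log (documentation-range addresses, not real hosts).
SAMPLE_LOG = """\
2003-08-05 09:12:01 DENY TCP 203.0.113.7:4021 -> 192.0.2.10:135
2003-08-05 09:12:01 DENY TCP 203.0.113.7:4022 -> 192.0.2.11:135
2003-08-05 09:12:02 DENY TCP 203.0.113.7:4023 -> 192.0.2.12:445
2003-08-05 09:12:02 DENY UDP 203.0.113.7:1025 -> 192.0.2.12:137
2003-08-05 09:13:10 DENY TCP 198.51.100.9:3322 -> 192.0.2.10:80
2003-08-05 09:13:11 DENY TCP 198.51.100.9:3323 -> 192.0.2.10:139
this line is garbage and must be skipped
""".splitlines()

if __name__ == "__main__":
    for key, value in probe_report(SAMPLE_LOG).items():
        print(f"{key}: {value}")
```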

====================

==== Sponsor: HP & Microsoft Network Storage Solutions Road Show ====
 
   Missed the Network Storage Solutions Road Show?
   If you couldn't make the HP & Microsoft Network Storage Solutions
Road Show, you missed Mark Smith talking about Windows-Powered NAS,
file server consolidation, and more.  The good news is that you can
now view the Webcast event in its entirety at:
   http://list.winnetmag.com/cgi-bin3/DM/y/ecHw0CJgSH0CBw07cD0Ao

====================

==== 2. Security Risks ====
   contributed by Ken Pfeil, ken () winnetmag com

Information-Disclosure Vulnerability in Cisco AP1100
   VIGILANTe discovered that a vulnerability in Cisco Systems' Aironet
AP1100 Wireless Access Point (WAP) can lead to information disclosure.
The device is subject to a brute-force attack. Cisco has issued a
notice about this vulnerability and recommends that affected users
work through their usual support channels to obtain a software
upgrade.
   http://www.secadministrator.com/articles/index.cfm?articleid=39710

DoS Vulnerability in Cisco WAP
   VIGILANTe discovered that a vulnerability in Cisco Systems' Aironet
AP1200 and Aironet AP1100 Wireless Access Point (WAP) can lead to a
Denial of Service (DoS) condition. By sending a malformed URL to the
Cisco Aironet AP1200 or Aironet AP1100, an attacker can cause the
device to reload. Repeating this action results in the DoS condition.
Cisco has issued a notice about this vulnerability and recommends that
affected users work through their usual support channels to obtain a
software upgrade.
   http://www.secadministrator.com/articles/index.cfm?articleid=39711

==== Sponsor: Virus Update from Panda Software ====

   Check for the latest anti-virus information and tools, including
weekly virus reports, virus forecasts, and virus prevention tips, at
Panda Software's Center for Virus Control.
   http://list.winnetmag.com/cgi-bin3/DM/y/ecHw0CJgSH0CBw0BBlT0AW

   Viruses routinely infect "fully protected" networks. Is total
protection possible? Find answers in the free guide HOW TO KEEP YOUR
COMPANY 100% VIRUS FREE from Panda Software. Learn how viruses enter
networks, what they do, and the most effective weapons to combat them.
Protect your network effectively and permanently - download today!
   http://list.winnetmag.com/cgi-bin3/DM/y/ecHw0CJgSH0CBw0BBDp0AK

====================

==== 3. Announcements ====
   (from Windows & .NET Magazine and its partners)

Need Help Managing Your Storage Investment?
   Planning and managing your storage deployment can be costly and
complex. Check out Windows & .NET Magazine's Storage Administration
Web site for the latest advice, news, and tips to help you make the
most of your storage investment. You'll find problem-solving articles,
eye-opening white papers, a technical forum, and much more!
   http://list.winnetmag.com/cgi-bin3/DM/y/ecHw0CJgSH0CBw0rvk0Al

Learn More About the Security Risks in Exchange 2003
   Videotaped live at Microsoft TechEd 2003, this free archived Web
seminar delivers an introduction to the new security features and
enhancements of Exchange Server 2003, including the new security APIs
that can minimize virus risk and spam traffic. Plus, you'll discover
more about the future of the messaging industry and what's on the
horizon in assessing risk. Register today!
   http://list.winnetmag.com/cgi-bin3/DM/y/ecHw0CJgSH0CBw0BAjH0AH

==== 4. Security Roundup ====

News: Microsoft Patches Leave Systems Insecure and Break RAS
   Users are reporting problems with two of Microsoft's recent
security hotfixes, which patch problems with remote procedure call
(RPC) and Windows file-management functions. Demonstration code
related to the RPC problem that Microsoft Security Bulletin MS03-026
addresses (Buffer Overrun In RPC Interface Could Allow Code Execution)
was released on the Internet. Users discovered that even with the RPC
patch installed, systems were still vulnerable to Denial of Service
(DoS) attacks. Other users reported that after installing the patch
related to the file-management problem that Security Bulletin MS03-029
addresses (Flaw in Windows Function Could Allow Denial of Service),
their RAS servers stopped working properly. Microsoft says that it
will release patches that correct those problems.
   http://www.secadministrator.com/articles/index.cfm?articleid=39709

News: Is RIAA Targeting You?
   The Recording Industry Association of America (RIAA) is hot on the
heels of file swappers, namely those who use popular programs such as
Kazaa to trade music files. If you wonder whether they're targeting
you or your networks, learn how to find out through this news story.
   http://www.secadministrator.com/articles/index.cfm?articleid=39724

News: Bono Introduces Spyware Bill
   Representative Mary Bono (R-CA) introduced a new bill, cosponsored
by Representative Edolphus Towns (D-NY), that would regulate computer
spyware that companies use to gather various information from users.
   http://www.secadministrator.com/articles/index.cfm?articleid=39715

News: Are You Vulnerable to RPC Exploitation?
   If you've read any of the news stories on the Internet about the
recently reported remote procedure call (RPC) security problem, you
might wonder whether the Internet will be brought to its knees any
time. While security experts continue to analyze the extent of the
danger, you do need to protect your systems--and don't depend on
Windows Update service.
   http://www.secadministrator.com/articles/index.cfm?articleid=39740

==== 5. Instant Poll ====

Results of Previous Poll: Cisco IOS Software Vulnerability
   The voting has closed in Windows & .NET Magazine's Security
Administrator Channel nonscientific Instant Poll for the question,
"Did your network experience problems as a result of the recently
reported Cisco IOS software vulnerability?" Here are the results from
the 83 votes.
   -  1% Yes--We experienced a Denial of Service (DoS) because of the attack
   - 25% We experienced downtime but only because of an IOS upgrade
   - 65% No
   -  8% Not sure
(Deviations from 100 percent are due to rounding.)

New Instant Poll: RPC/DCOM Probing
   The next Instant Poll question is, "Has your company experienced
someone probing to determine whether your systems are vulnerable to a
remote procedure call (RPC)/Distributed COM (DCOM) exploit?" Go to the
Security Administrator Channel home page and submit your vote for a)
Yes, b) No, or c) I'm not sure.
   http://www.secadministrator.com

==== 6. Security Toolkit ====

Virus Center
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

FAQ: What Command-Prompt Tool Reports System Uptime?
   contributed by Jan De Clercq

Sysinternals' PsInfo is an interesting freeware tool that you can use
to report system uptime. You can download this command-prompt tool
from http://www.sysinternals.com/ntw2k/freeware/psinfo.shtml. PsInfo
also reports on other system characteristics, such as kernel version
and processor type. If you add the -h switch, the PsInfo command also
reports on installed hotfixes. If you add the -s switch, the command
adds a report on installed software. You can also use the tool to
query remote machines. The following command reports uptime and other
system-related information for the machine named fileserver1:

psinfo \\fileserver1

If you want to query a remote machine, the account that runs the
PsInfo tool must have remote registry access to the remote machine's
HKEY_LOCAL_MACHINE\SYSTEM registry subkey. For more information about
configuring remote registry access, see "NT Gatekeeper: Securing
Remote Access to the System Registry," October 2001, InstantDoc ID
22417.
   http://www.secadministrator.com/articles/index.cfm?articleid=22417

==== 7. Event ====

New--Mobile & Wireless Road Show!
   Learn more about the wireless and mobility solutions that are
available today! Register now for this free event!
   http://list.winnetmag.com/cgi-bin3/DM/y/ecHw0CJgSH0CBw0BA8Y0Ai

==== 8. New and Improved ====
   by Sue Cooper, products () winnetmag com

Monitor Web Content from Both Directions
   Clearswift announced MIMEsweeper for Web 5.0, content filtering
that manages and enforces your Web usage, security, privacy, and
compliance policies. The software offers analysis of HTTP and
browser-based FTP traffic, integration with leading antivirus
applications, URL-based blocking of banned sites, comprehensive
auditing and reporting, email alerts to administrators, and granular
policy management. MIMEsweeper for Web disassembles Web transfers,
breaking them down into individual objects for content analysis
according to policy as it applies to the user who initiates the
transmission. MIMEsweeper for Web 5.0 has improved scalability,
performance, and manageability. The product will be available later in
August. Contact Clearswift at 425-460-6000 or info.us () clearswift com.
   http://www.clearswift.com

Submit Top Product Ideas
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

==== 9. Hot Threads ====

Windows & .NET Magazine Online Forums
   http://www.winnetmag.com/forums

Featured Thread: Auditing Software for Win2K?
   (Two messages in this thread)

A user writes that on his Windows 2000 Server, the Event Viewer
Security logs shows thousands of logon attempts a day for the
Administrator account. He thinks that someone is trying to break into
the account. The information Event Viewer provides (he has also tried
capturing network frames using Network Monitor) isn't sufficient to
find the source. He wants to know the best way to determine the origin
of the logon attempts. Lend a hand or read the responses:
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=61753

HowTo Mailing List
   http://63.88.172.96/listserv/page_listserv.asp?s=howto

Featured Thread: Batch Files in AD GPO
   (Six messages in this thread)

A user wants to know whether batch files can be assigned to a Group
Policy Object (GPO) and whether scripts in a GPO must be in VBScript.
Lend a hand or read the responses:
   http://63.88.172.96/listserv/page_listserv.asp?A2=IND0307D&L=HOWTO&P=80

==== Sponsored Links ====

Ultrabac
   FREE live trial-Backup & Disaster Recovery software w/ encryption
   http://ad.doubleclick.net/clk;5945485;8214395;x
   http://www.ultrabac.com/default.asp?src=WINTxtLAug03tgt=./

CrossTec
   Free Download - NEW NetOp 7.6 - faster, more secure, remote support
   http://ad.doubleclick.net/clk;5930423;8214395;j
   http://www.crossteccorp.com/w2kmag.htm

===================

==== 10. Contact Us ====

About the newsletter -- letters () winnetmag com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products () winnetmag com
About your subscription -- securityupdate () winnetmag com
About sponsoring Security UPDATE -- emedia_opps () winnetmag com

====================
   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing Windows and related technologies. Subscribe
today.
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

To unsubscribe from this email newsletter, send an email message to
mailto:Security-UPDATE_Unsub () list winnetmag com.

To make other changes to your email account such as change your email
address, update your profile, and subscribe or unsubscribe to any of
our email newsletters, simply log on to our Email Preference Center.
   http://www.winnetmag.com/email

Thank you!
__________________________________________________________
Copyright 2003, Penton Media, Inc.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

