Information Security News mailing list archives

Windows & .NET Magazine Security UPDATE--July 2, 2003


From: InfoSec News <isn () c4i org>
Date: Thu, 3 Jul 2003 03:15:49 -0500 (CDT)

====================

==== This Issue Sponsored By ====

Shavlik
   http://list.winnetmag.com/cgi-bin3/DM/y/eRdu0CJgSH0CBw076e0Al

Panda Security
   http://list.winnetmag.com/cgi-bin3/DM/y/eRdu0CJgSH0CBw0BBDp0AT

====================

1. In Focus: Win2K SP4: A Few Things to Know

2. Security Risks
     - Vulnerability in Microsoft WMP 9 Could Allow Media Library
       Access
     - Arbitrary Code-Execution Vulnerability in Microsoft Windows
       Media Server
     - Buffer-Overflow Vulnerability in Alt-N Technologies
       WebAdmin.exe
     - Multiple Buffer Overflows in Atrium Software MERCUR Mail Server

3. Announcements
     - Attend the Black Hat Briefings & Training, July 28 - 31 in Las
       Vegas
     - Windows & .NET Magazine Connections: Fall Dates Announced

4. Security Roundup
     - News: Windows 2003 SP1 to Feature New Security Tool
     - News: Microsoft's Gates Opens War on Spam
     - Feature: Snort Reporting and Alerting

5. Security Toolkit
     - Virus Center
     - FAQ: Why Can't I Access the Encrypted Data on My Clustered
       Shared Disk?

6. Event
     - New--Mobile & Wireless Road Show!
 
7. New and Improved
     - Prevent Threats to Web Servers
     - Submit Top Product Ideas

8. Hot Thread
     - Windows & .NET Magazine Online Forums
         - Featured Thread: Gpedit vs. Security Templates

9. Contact Us
   See this section for a list of ways to contact us.

====================

==== Sponsor: Shavlik ====
 
   Get FREE 25% Maintenance and Easily Deploy Win2K SP4!
   Get FREE 25% maintenance for the first year & manage Win2K SP4 when
you order HFNetChkPro by 7/31/03! Easily scan for & install Win2K SP4
with Shavlik HFNetChkPro and make a powerful impact on your enterprise
security. Now's the time to get patched and stay patched with the
leading security patch management solution. Download our free version
at http://list.winnetmag.com/cgi-bin3/DM/y/eRdu0CJgSH0CBw076e0Al

====================

==== 1. In Focus: Win2K SP4: A Few Things to Know ====
   by Mark Joseph Edwards, News Editor, mark () ntsecurity net

Microsoft has released Windows 2000 Service Pack 4 (SP4). So far, I
haven't heard about any installation problems, except on Citrix
MetaFrame XP systems, and I don't know exactly what those problems
are. You can find installation information in our Windows & .NET
Magazine Forums discussions at the following URL:
   http://63.88.172.222/forums/messageview.cfm?catid=10&threadid=39892

As usual, the new service pack contains all the previous fixes that
Microsoft has made available for Win2K. SP4 might offer a good way for
you to update systems with all fixes available. I'm aware of one
caveat--though so far few users have openly complained about the
following occurrence.

If you have Windows Update service disabled on your systems--and I'm
willing to bet that most of you do--when you install SP4, the
installation program reenables Windows Update without notifying you.
That move isn't exactly user-friendly, so heads up.

Also, you should take time to read the SP4 Supplemental End User
License Agreement (EULA). You'll notice that Item 3, "Automatic
Internet-based Services," describes several features that
automatically contact Microsoft or third-party computers--in some
cases, without prompting you before doing so.

In five instances, Win2K might contact Microsoft without prompting you
first. The first is, of course, the Windows Update service itself.
Microsoft points out that when you connect a device to your system,
the correct device driver might not already be on your system. So for
"ease of use" regarding Plug and Play (PnP) functionality, your system
might contact Microsoft's computers transparently to obtain the proper
drivers.

The second instance is rather vague because Microsoft doesn't iterate
all the circumstances under which such contact might occur. According
to the company, "If you are connected to the Internet, several
features of the software are enabled by default to retrieve content
from Microsoft computer systems and display it to you. When you
activate such a feature, it uses standard Internet protocols, which
transmit the type of operating system, browser and language code of
your Computer to the Microsoft computer system so that the content can
be viewed properly from your Computer. These features only operate
when you activate them, and you may choose to switch them off or not
use them. An example of this feature is Appshelp." So you have one
example, Appshelp, but Microsoft doesn't offer any other examples.

The third instance in which your system contacts Microsoft
transparently involves X.509 digital certificate revocation lists
(CRLs) and root authority updates. Your system might also contact
third parties in the process of validating certificates.

The fourth instance involves Digital Rights Management (DRM). When you
download licenses to use secured content, your system also receives a
list of revoked content (DRM-secured content that has been
compromised). Also, if content owners ask Microsoft to revoke
licenses, the revocations will be included in any revocation list. You
can switch off DRM features that access the Internet if you want to.

The final instance in which software might contact Microsoft
transparently involves Windows Media Player (WMP). If you don't have
the proper codec, when you try to play media, the software might check
for new codecs. In addition, WMP periodically checks for updates to
the player itself.

Another thing about SP4 is that if you install SP4 on a system that
has SP2 installed, SP4 will upgrade that system to 128-bit encryption.
Also, SP4 contains more than 650 patches. Some of those patches are
reportedly new security patches, which, if true, is a good reason to
install the service pack--although I'm not sure why Microsoft would
place new security fixes in a service pack without releasing
associated security bulletins.

Before you install SP4, take time to do some reading. Read the EULA,
of course, and consider reading comments from those who've installed
the service pack in our Forums or on your favorite mailing lists. You
can find comments in our Forums by searching on "SP4".
   http://search.win2000mag.net/query.html?qt=SP4&st=1&rf=1

====================

==== Sponsor: Panda Security  ====

   Viruses like Bugbear.B are routinely infecting networks that are
"fully protected". What to do? Is total protection possible? Find the
answer in the free guide HOW TO KEEP YOUR COMPANY 100% VIRUS FREE from
Panda Software. Learn how the latest viruses enter networks, what they
can do, and the most effective weapons to combat them. Protect your
network effectively and permanently - download this free guide today!
   http://list.winnetmag.com/cgi-bin3/DM/y/eRdu0CJgSH0CBw0BBDp0AT

====================

==== 2. Security Risks ====
   contributed by Ken Pfeil, ken () winnetmag com

Vulnerability in Microsoft WMP 9 Could Allow Media Library Access
   Jelmer discovered that a new vulnerability in Microsoft Windows
Media Player (WMP) 9 Series can result in the modification of Windows
Media Library entries. This vulnerability stems from a flaw in the way
an ActiveX control provides access to information on the user's
computer. Microsoft has released Security Bulletin MS03-021 (Flaw In
Windows Media Player May Allow Media Library Access) to address this
vulnerability and recommends that affected users apply the appropriate
patch mentioned in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=39398

Arbitrary Code-Execution Vulnerability in Microsoft Windows Media
Server
   Brett Moore discovered that a new vulnerability in Windows 2000 can
result in the execution of arbitrary code on the vulnerable computer.
This vulnerability stems from a flaw in the way the Internet Server
API (ISAPI) extension nsiislog.dll processes incoming client requests.
Microsoft has released Security Bulletin MS03-022 (Flaw in ISAPI
Extension for Windows Media Services Could Cause Code Execution) to
address this vulnerability and recommends that affected users
immediately apply the patch mentioned in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=39399

Buffer-Overflow Vulnerability in Alt-N Technologies WebAdmin.exe
   Mark Litchfield of Next Generation Security Software (NGSSoftware)
discovered a buffer-overflow vulnerability in Alt-N Technologies'
WebAdmin that can result in the execution of arbitrary code on the
vulnerable computer. Alt-N Technologies has released a patch to fix
this vulnerability.
   http://www.secadministrator.com/articles/index.cfm?articleid=39388

Multiple Buffer Overflows in Atrium Software MERCUR Mail Server
   NC Agent discovered multiple buffer-overflow vulnerabilities in
Atrium Software International's MERCUR Mail Server 4.02.09 that can
result in the execution of arbitrary code on the vulnerable computer.
Atrium Software has released version 4.2.15.0, which doesn't contain
these vulnerabilities.
   http://www.secadministrator.com/articles/index.cfm?articleid=39387

==== 3. Announcements ====
   (from Windows & .NET Magazine and its partners)

Attend the Black Hat Briefings & Training, July 28 - 31 in Las Vegas
   This is the world's premier technical IT security event, with lots
of Windows sessions! 10 tracks, 15 training sessions, 1800 delegates
from 30 nations including all of the top experts from CSOs to
"underground" security specialists. See for yourself what the buzz is
all about! Early-bird registration ends July 3. This event will sell
out.
   http://list.winnetmag.com/cgi-bin3/DM/y/eRdu0CJgSH0CBw0pHV0Al

Windows & .NET Magazine Connections: Fall Dates Announced
   Jump-start your fall 2003 training plans by securing your seat for
Windows & .NET Magazine Connections Fall, scheduled for November 2
through 6, 2003, in Orlando, Florida. Register now to receive the
lowest possible registration fee. Call 800-505-1201 or 203-268-3204
for more information.
   http://list.winnetmag.com/cgi-bin3/DM/y/eRdu0CJgSH0CBw0qSH0Aj

==== 4. Security Roundup ====

News: Windows 2003 SP1 to Feature New Security Tool
   The first service pack for Windows Server 2003--due in
December--will include a roles-based Security Configuration Wizard
that will provide administrators with a definitive list of the
services required for each Windows 2003-based server. The wizard will
be based on an XML database that includes information about Windows
2003, Exchange, SQL Server, and other Microsoft products.
   http://www.secadministrator.com/articles/index.cfm?articleid=39365

News: Microsoft's Gates Opens War on Spam
   In an open letter to customers posted to the Microsoft Web site,
Chairman and Chief Software Architect Bill Gates pledged to step up
his company's efforts to combat spam through technological innovation
and partnerships with other companies and governments. Gates notes
that spam is a "ridiculous ... nuisance and a distraction," and a
plague that preys on less sophisticated email users, including
children.
   http://www.secadministrator.com/articles/index.cfm?articleid=39389

Feature: Snort Reporting and Alerting
   Before you begin to use Snort, you'll want to know about some of
the popular and effective reporting and alerting tools available,
including the Analysis Console for Intrusion Databases (ACID) and
Silicon Defense's SnortSnarf reporting tools--and receive tips about
how to send real-time alerts when events trigger specific signatures.
You can download the latest version of Snort, several reporting and
alerting add-ons, and several good step-by-step white papers that
describe how to configure and run Snort at Snort.org. If you haven't
used Snort before, Jeff Fellinge recommends that you read these white
papers before you do. To get a head start on using Snort, be sure to
read the article on our Web site.
   http://www.secadministrator.com/articles/index.cfm?articleid=39235&pg=1&show=479

==== 5. Security Toolkit ====

Virus Center
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

FAQ: Why Can't I Access the Encrypted Data on My Clustered Shared
Disk?
   (contributed by John Savill, http://www.windows2000faq.com)

A. If you're having trouble accessing encrypted data on a clustered
shared disk, the reason might be that you're using a local profile
rather than a roaming profile, and the server by which you accessed
the shared disk has failed, leaving another machine in the cluster to
host access. When you encrypt a file, the cluster node that provides
access creates a certificate (i.e., an encryption key) and stores it
in your profile. If the node fails, another node in the cluster will
begin hosting the resource, and you'll no longer have the encryption
key to access the data. To work around this problem, use a roaming
profile or regularly export your encryption keys from the node where
you encrypted the data to the other nodes where you might have local
profiles.

==== 6. Event ====

New--Mobile & Wireless Road Show!
   Learn more about the wireless and mobility solutions that are
available today! Register now for this free event!
   http://list.winnetmag.com/cgi-bin3/DM/y/eRdu0CJgSH0CBw0BA8Y0Ar

==== 7. New and Improved ====
   by Sue Cooper, products () winnetmag com

Prevent Threats to Web Servers
   Privacyware released ThreatSentry, a threat-prevention and
management solution for Windows Web servers. An advanced neural
application that combines modeled metrics and machine learning, it
offers protection from known and undocumented network threats and
other misuse. ThreatSentry collects, analyzes, and organizes Microsoft
IIS server events to create an evolving baseline of acceptable
activity. ThreatSentry compares your server connections to this
baseline to identify and prevent any activity that falls outside of
acceptable parameters. You can configure the software to prevent
suspicious connections, block untrusted IPs, generate error-code
responses, or completely stop Web services. ThreatSentry supports
Windows Server 2003/2000 and IIS 5.0. Contact Privacyware at
732-212-8110 or info () privacyware com.
   http://www.privacyware.com

Submit Top Product Ideas
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

==== 8. Hot Thread ====

Windows & .NET Magazine Online Forums
   http://www.winnetmag.com/forums

Featured Thread: Gpedit vs. Security Templates
   (Three messages in this thread)

A user understands that on a single non-networked machine he can use
predefined security templates (e.g., basicdc.inf) and compare them
with the current setup. He wants to know whether these types of
templates are applied to all users including administrators and
whether they can be tailored for specific users or groups. Lend a hand
or read the responses:
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=60584

==== Sponsored Link ====

AutoProf
   Jerry Honeycutt Desktop Deployment Whitepaper
   http://list.winnetmag.com/cgi-bin3/DM/y/eRdu0CJgSH0CBw0BA1Z0Al

===================

==== 9. Contact Us ====

About the newsletter -- letters () winnetmag com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products () winnetmag com
About your subscription -- securityupdate () winnetmag com
About sponsoring Security UPDATE -- emedia_opps () winnetmag com

====================
   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing Windows and related technologies. Subscribe
today.
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

Thank you!
__________________________________________________________
Copyright 2003, Penton Media, Inc.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

