Information Security News mailing list archives

Security UPDATE, March 26, 2003


From: InfoSec News <isn () c4i org>
Date: Thu, 27 Mar 2003 03:48:50 -0600 (CST)

********************
Windows & .NET Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows Server 2003, Windows 2000, and
Windows NT systems.
   http://www.secadministrator.com
********************

~~~~ THIS ISSUE SPONSORED BY ~~~~

FREE White Paper on SQL Injection
   http://list.winnetmag.com/cgi-bin3/flo/y/eQDj0CJgSH0CBw08T70Am

Appliance Filtering Offers Simplicity and Lower TCO
   http://list.winnetmag.com/cgi-bin3/flo/y/eQDj0CJgSH0CBw08T80An
   (below IN FOCUS)

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: FREE WHITE PAPER ON SQL INJECTION ~~~~
   ALERT: How a Hacker Launches a SQL Injection Attack - Step-by-Step!
It's as simple as placing additional SQL commands into an input box on
a web form giving hackers complete access to all your backend data!
Firewalls and IDS will not stop SQL Injection attempts because they
are NOT seen as intrusions. Download this *FREE* white paper from SPI
Dynamics for a complete guide to protection!
   http://list.winnetmag.com/cgi-bin3/flo/y/eQDj0CJgSH0CBw08T70Am
~~~~~~~~~~~~~~~~~~~~

March 26, 2003--In this issue:

1. IN FOCUS
     - Security Research: A Double-Edged Sword

2. SECURITY RISKS
     - Code Execution Vulnerability in Windows Script Engine
     - DoS in Microsoft ISA Server

3. ANNOUNCEMENTS
     - Get a Sample Issue of Exchange & Outlook Administrator
     - Get the eBook That Will Help You Get Certified!

4. SECURITY ROUNDUP
     - News: New Book Helps You Manage Corporate Security
     - News: Microsoft Warns About IIS WebDAV Component

5. SECURITY TOOLKIT
     - Virus Center
     - FAQ: How Can I Use DiskPart to Create a RAID 5 Set?

6. NEW AND IMPROVED
     - Track Configuration Changes
     - Secure Enterprise with Firewall/VPN Appliance
     - Submit Top Product Ideas

7. HOT THREADS
     - Windows & .NET Magazine Online Forums
         - Featured Thread: IIS Server Security

8. CONTACT US
   See this section for a list of ways to contact us.

~~~~~~~~~~~~~~~~~~~~

1. ==== IN FOCUS ====
   (contributed by Mark Joseph Edwards, News Editor,
mark () ntsecurity net)

* SECURITY RESEARCH: A DOUBLE-EDGED SWORD

Many people work to discover security risks in software and also to
ensure that users aren't unnecessarily exposed to those risks. In the
past, researchers often released complete details about security
problems and simultaneously notified the public at large about the
problems--while everyone awaited the vendor's response, including the
production of a patch.

Over the past couple of years, most researchers have changed how they
handle the security risks they discover. Currently, most researchers
report their findings to the appropriate vendor and give the vendor
enough information to create an adequate patch. Researchers typically
try to work within vendors' time frames for patch production and
customer notification. When vendors aren't responsive enough or
completely fail to acknowledge and repair security problems in their
products, researchers usually release details about the discovered
problems, sometimes accompanied by scathing remarks about the vendors'
lackadaisical attitude.

Some time ago, several companies (including but not limited to
Microsoft, @stake, Foundstone, Oracle, Internet Security Systems--ISS,
Guardent, BindView) teamed together to form the Organization for
Internet Safety (OIS). One of OIS's first projects was to draft a
specification that includes guidelines to help security researchers
and product vendors interact to achieve vulnerability remedies and
reporting procedures for public notification.

From what I understand, the specification is close to completion, and
it should help researchers--whether independent or not--fine-tune how
they handle their discoveries. Security forum operators might also use
the guidelines to support a sense of diplomacy and responsibility
among today's security researchers.

One team of researchers, CERT, already has a process in place that
defines the way the organization handles problems reported to it. CERT
works to ensure that vendors know about discovered security problems
and coordinates with vendors to release information to the public.
CERT and various vendors pass information back and forth and prepare
bulletins for public notification.

However, at least one rogue researcher has been undermining CERT's
efforts to protect the public at large. Over the past couple of weeks,
someone has posted four messages to public discussion forums that
leaked sensitive information before CERT had a chance to finish its
coordinated process. During the CERT process, someone gained
unpublished vulnerability information and anonymously exposed it to
potential intruders before vendors had time to finish their
coordinated efforts to protect users. You can read about the problem
in the "eWeek" story "More CERT Documents Leaked."
   http://www.eweek.com/article2/0,3959,962679,00.asp

I think you'll agree that this behavior is irresponsible,
self-centered, and manipulative. The anonymous person who posted the
stolen vulnerability information has pledged to continue leaking CERT
bulletin data--that is, until CERT finds out who's leaking the
information and changes its process to prevent the exploitation. The
anonymous person thinks that vulnerability information should be
available to potential intruders before administrators have time to
patch or modify their systems for better protection.

Such irresponsible activity might eventually place a heavy burden on
mailing list operators to better research messages sent to their lists
for publication. Right now, security mailing list moderators basically
ensure messages are relevant to list topics, and they guide
conversation to limit inordinate amounts of fruitless discussion.
However, posting on-topic information that any user wants to submit
can be a problem, as we see in this matter of publishing vulnerability
information leeched from CERT. Such actions place list moderators in a
difficult situation because moderators can't always know where or how
users obtain their submitted information.

~~~~~~~~~~~~~~~~~~~~

~~~~ SPONSOR: APPLIANCE FILTERING OFFERS SIMPLICITY AND LOWER TCO ~~~~
   Using the appliance-based approach for web filtering provides
administrators with significant advantages over software only
filtering, including: Lower Overall TCO, Platform Independence, and
Minimal Ongoing Maintenance. With the iPrism Web Filtering solution, a
single, self-contained appliance is all you need to manage your web
filtering. iPrism uses a unique, 100% human-reviewed database that is
updated daily, provides built-in reports, and real-time override
capabilities. FREE Online Test Drive!
   http://list.winnetmag.com/cgi-bin3/flo/y/eQDj0CJgSH0CBw08T80An
~~~~~~~~~~~~~~~~~~~~

2. ==== SECURITY RISKS ====
   (contributed by Ken Pfeil, ken () winnetmag com)

* CODE EXECUTION VULNERABILITY IN WINDOWS SCRIPT ENGINE
   A new vulnerability in the Windows Script Engine can result in the
execution of arbitrary code on the vulnerable system. This
vulnerability stems from a flaw in the way the Windows Script Engine
for JScript processes information. Microsoft has released Security
Bulletin MS03-008 (Flaw in Windows Script Engine Could Allow Code
Execution) to address this vulnerability and recommends that affected
users immediately apply the appropriate patch mentioned in the
bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=38384

* DoS IN MICROSOFT ISA SERVER
   A new vulnerability in Microsoft Internet Security and Acceleration
(ISA) Server 2000 can result in a Denial of Service (DoS) condition.
This vulnerability stems from a flaw in the way ISA Server's DNS
intrusion-detection application filter handles a specific type of
request when the filter scans incoming DNS requests. Microsoft has
released Security Bulletin MS03-009 (Flaw In ISA Server DNS Intrusion
Detection Filter Can Cause Denial Of Service) to address this
vulnerability and recommends that affected users immediately apply the
patch mentioned in the bulletin.
   http://www.secadministrator.com/articles/index.cfm?articleid=38385

3. ==== ANNOUNCEMENTS ====
   (brought to you by Windows & .NET Magazine and its partners)

* GET A SAMPLE ISSUE OF EXCHANGE & OUTLOOK ADMINISTRATOR
   Exchange & Outlook Administrator, the monthly print newsletter from
Windows & .NET Magazine, gives you the in-depth articles you need to
secure, maintain, and troubleshoot your messaging environment. Try an
issue of Exchange & Outlook Administrator, and discover for yourself
what our expert authors know that you don't. Click here!
   http://list.winnetmag.com/cgi-bin3/flo/y/eQDj0CJgSH0CBw078G0AZ

* GET THE eBOOK THAT WILL HELP YOU GET CERTIFIED!
   The "Insider's Guide to IT Certification," from the Windows & .NET
Magazine Network, has one goal: to help you save time and money on
your quest for certification. Find out how to choose the best study
guides, save hundreds of dollars, and be successful as an IT
professional. The amount of time you spend reading this book will be
more than made up by the time you save preparing for your
certification exams. Order your copy today!
   http://list.winnetmag.com/cgi-bin3/flo/y/eQDj0CJgSH0CBw06cX0AY

4. ==== SECURITY ROUNDUP ====

* NEWS: NEW BOOK HELPS YOU MANAGE CORPORATE SECURITY
   Butterworth-Heinemann has released a new book, "The Manager's
Handbook for Corporate Security: Establishing and Managing a
Successful Assets Protection Program," that helps managers learn how
to better handle corporate security needs. A company spokesperson said
that the new book, by Gerald Kovacich and Edward Halibozek, covers a
range of information, including physical security, information
security, merger and acquisitions security, emergency/contingency
planning, executive protection, personnel security, event security,
and many other security processes.
   http://www.secadministrator.com/articles/index.cfm?articleid=38394

* NEWS: UPDATE: MICROSOFT WARNS ABOUT IIS WEBDAV COMPONENT
   Microsoft issued Security Bulletin MS03-007 (Unchecked Buffer In
Windows Component Could Cause Web Server Compromise) regarding a
serious problem in WWW Distributed Authoring and Versioning (WebDAV).
Users who installed Microsoft's URLScan tool for Microsoft IIS were
thought to be protected against intrusion from this latest
vulnerability--unless they modified the URLScan configuration in a way
that would keep it from catching excessively long URLs. However, Russ
Cooper posted a message to the NTBugTraq mailing list stating that
Mark and David Litchfield of Next Generation Security Software
(NGSSoftware) had discovered variant ways to exploit such an attack on
IIS systems, and that based on knowledge Cooper has about the matter,
disabling WebDAV wouldn't stop these attacks. The only way to prevent
the attacks is to load the patch immediately. To read the original
article and link to the Microsoft bulletin and patch, click on the URL
below.
   http://www.secadministrator.com/articles/index.cfm?articleid=38374

5. ==== SECURITY TOOLKIT ====

* VIRUS CENTER
   Panda Software and the Windows & .NET Magazine Network have teamed
to bring you the Center for Virus Control. Visit the site often to
remain informed about the latest threats to your system security.
   http://www.secadministrator.com/panda

* FAQ: HOW CAN I USE DISKPART TO CREATE A RAID 5 SET?
   (contributed by John Savill, http://www.windows2000faq.com)

A. A RAID 5 set consists of data spread across three physical disks,
of which one can fail without causing any data loss. To use the
DiskPart utility from the "Microsoft Windows 2000 Server Resource Kit"
or the "Microsoft Windows 2000 Professional Resource Kit" to create a
RAID 5 set, perform the following steps:
   1. Download and install the DiskPart utility from the Microsoft Web
site.
   2. Go to Start, Run, then type "cmd" to start a command-line
session.
   3. Type "diskpart" to start a DiskPart session.
   4. Type "create volume raid size=<size in MB> disk=<disk numbers>",
where <size in MB> is the amount of space you want to use from each
disk (in megabytes) and <disk numbers> are the numbers of the disks
that you want to use in the RAID 5 configuration. For example, "create
volume raid size=6000 disk=1,2,3" creates a RAID 5 set that's 12GB
(i.e., 6000MB x 2) across three disks (one-third of the space is used
for fault tolerance).
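The following is an added example, not part of the FAQ above or of the
DiskPart utility: a small Python helper that checks the parameters
before you type the "create volume raid" command and writes out the
same commands as a DiskPart script. It assumes DiskPart accepts a
script file via "diskpart /s <file>" and the "list disk" and "assign
letter=" commands; the disk numbers, size and drive letter below are
constructed sample values, not taken from a real system.

```python
# Added example (not the FAQ author's code): validate RAID 5 parameters for
# DiskPart and emit the equivalent DiskPart script. Disk numbers, size and
# drive letter are constructed sample values.

def raid5_usable_mb(size_mb, disks):
    """Usable capacity of a RAID 5 set built from size_mb on each disk.

    One disk's worth of space holds parity, so n disks give (n - 1) * size_mb
    of usable space (the FAQ's 6000MB x 2 = 12GB case for three disks).
    """
    disks = list(disks)
    if size_mb <= 0:
        raise ValueError("size must be a positive number of megabytes")
    if len(disks) < 3:
        raise ValueError("a RAID 5 set needs at least three disks")
    if len(set(disks)) != len(disks):
        raise ValueError("disk numbers must be distinct")
    if any(d < 0 for d in disks):  # DiskPart numbers disks from 0 upward
        raise ValueError("disk numbers must be non-negative")
    return size_mb * (len(disks) - 1)


def diskpart_script(size_mb, disks, letter=None):
    """Return the text of a DiskPart script for the RAID 5 set.

    Assumption: the script is run with "diskpart /s <file>". "rem" lines are
    comments; "list disk" lets you confirm the disk numbers before the
    "create volume raid" command the FAQ describes is executed.
    """
    disks = list(disks)
    usable = raid5_usable_mb(size_mb, disks)
    lines = [
        "rem RAID 5 set: %d MB from each of %d disks, %d MB usable"
        % (size_mb, len(disks), usable),
        "list disk",
        "create volume raid size=%d disk=%s"
        % (size_mb, ",".join(str(d) for d in disks)),
    ]
    if letter:
        # Optional: give the new volume a drive letter (assumed DiskPart syntax)
        lines.append("assign letter=%s" % letter)
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    # Constructed sample: the FAQ's own example, 6000 MB on disks 1, 2 and 3.
    print(diskpart_script(6000, [1, 2, 3], letter="R"))
```

Save the printed text to a file and run "diskpart /s <file>" to execute
the same steps non-interactively; the validation catches the two
mistakes that DiskPart itself reports only after the fact (fewer than
three disks, or the same disk listed twice).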

6. ==== NEW AND IMPROVED ====
   (contributed by Sue Cooper, products () winnetmag com)

* TRACK CONFIGURATION CHANGES
   Ecora Software released Ecora Enterprise Auditor 3.0, a product
suite for automated, cross-platform configuration reporting and change
management. The software installs on an administrative desktop (no
agents required) and collects configuration data from Windows, UNIX,
Linux, Novell NetWare, Cisco Systems, Microsoft SQL Server, Exchange
Server, IIS, Active Directory (AD), Citrix, Oracle, and Lotus Domino
platforms into a SQL Server database. The data can be used to audit,
report, and identify and track changes. Hundreds of built-in reports
are incorporated, and a drag-and-drop interface lets you create
customized Fact Finding Reports. You can run reports interactively,
schedule them for off-hours, or schedule them to run regularly. Ecora
Enterprise Auditor 3.0 gives you a before and after view for all
changes and lets you observe changes that took place in any given time
period. Contact Ecora Software at 877-923-2672, 603-436-1616, and
sales () ecora com.
   http://www.ecora.com

* SECURE ENTERPRISE WITH FIREWALL/VPN APPLIANCE
   WatchGuard Technologies announced the Firebox V60L, a wire-speed
100Mbps firewall for midsized enterprises that provides 50Mbps Triple
DES (3DES) VPN throughput and up to 150 VPN tunnels. The 1U (1.75")
appliance supports network separation with multiple LAN interfaces and
includes networking features such as Quality of Service (QoS), dynamic
routing, server load balancing, and Virtual LAN (VLAN) support. The
Firebox V60L is based on an intelligent custom security
application-specific integrated circuit (ASIC) that accelerates
firewall, VPN, Network Address Translation (NAT), and QoS actions.
Secure central management is Java-based. Available through
distributors or resellers, the price is $3990. Contact WatchGuard at
800-734-9905 and 206-521-8340.
   http://www.watchguard.com

* SUBMIT TOP PRODUCT IDEAS
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Do you know of a terrific
product that others should know about? Tell us! We want to write about
the product in a future What's Hot column. Send your product
suggestions to whatshot () winnetmag com.

7. ==== HOT THREADS ====

* WINDOWS & .NET MAGAZINE ONLINE FORUMS
   http://www.winnetmag.com/forums

Featured Thread: IIS Server Security
   (Three messages in this thread)

A user writes that he has Windows 2000 Server running Microsoft IIS
for his organization's Web site, which uses Secure Sockets Layer
(SSL). He says he's diligent about making sure that all Win2K Server,
IIS, and Microsoft Internet Explorer (IE) patches have been installed.
He wants to know whether any software applications he can install on
his Web server will further enhance its security. Lend a hand or read
the responses:
   http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=56028

8. ==== CONTACT US ====
   Here's how to reach us with your comments and questions:

* ABOUT IN FOCUS -- mark () ntsecurity net

* ABOUT THE NEWSLETTER IN GENERAL -- letters () winnetmag com (please
mention the newsletter name in the subject line)

* TECHNICAL QUESTIONS -- http://www.winnetmag.com/forums

* PRODUCT NEWS -- products () winnetmag com

* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? Customer
Support -- securityupdate () winnetmag com

* WANT TO SPONSOR SECURITY UPDATE? emedia_opps () winnetmag com

********************
   This email newsletter is brought to you by Security Administrator,
the print newsletter with independent, impartial advice for IT
administrators securing a Windows 2000/Windows NT enterprise.
Subscribe today!
   http://www.secadministrator.com/sub.cfm?code=saei25xxup

   Receive the latest information about the Windows and .NET topics of
your choice. Subscribe to our other FREE email newsletters.
   http://www.winnetmag.com/email

|-+-|-+-|-+-|-+-|-+-|

Thank you for reading Security UPDATE.

MANAGE YOUR ACCOUNT
   You can manage your entire Windows & .NET Magazine Network email
newsletter account on our Web site. Simply log on and you can change
your email address, update your profile information, and subscribe or
unsubscribe to any of our email newsletters all in one place.
   http://www.winnetmag.com/email

Thank you!
__________________________________________________________
Copyright 2003, Penton Media, Inc.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.

