Information Security News
mailing list archives
Security UPDATE, October 10, 2001
From: InfoSec News <isn () c4i org>
Date: Thu, 11 Oct 2001 06:16:03 -0500 (CDT)
Windows 2000 Magazine Security UPDATE--brought to you by Security
Administrator, a print newsletter bringing you practical, how-to
articles about securing your Windows 2000 and NT systems.
~~~~ THIS ISSUE SPONSORED BY ~~~~
Close Massive Local Security Hole in NT/2000/XP
Connected Home Magazine Virtual Tour
(below SECURITY RISKS)
~~~~ SPONSOR: CLOSE MASSIVE LOCAL SECURITY HOLE IN NT/2000/XP ~~~~
Did you ever consider that the same local administrator account and
password is stored on every NT/2000/XP workstation in your
If this account were to become compromised, or one of your
administrators were to leave, how would you change this backdoor
account on all of your workstations? User Manager Pro for Windows
NT/2000/XP makes mass changes to the local security of your
workstations in minutes.
FREE TRIAL: http://lists.win2000mag.net/cgi-bin3/flo?y=eH5b0CJgSH0BVg0gDY0AO
October 10, 2001--In this issue:
1. IN FOCUS
- The New Microsoft STPP: Is It Enough?
2. SECURITY RISKS
- Excel and PowerPoint Macro-Checking Bypass
- DoS in AOL Instant Messenger
- DoS in Cisco Secure PIX Firewall
3. ANNOUNCEMENT
- Test Your Windows XP Knowledge--Free!
4. INSTANT POLL
- Results of Previous Poll: Nimda Worm
- Instant Poll: Drop Microsoft IIS?
5. SECURITY ROUNDUP
- News: Microsoft Announces Major Changes to Security Practices
- News: Sun Lowers Costs to Woo IIS Customers
- News: Sun and AOL Announce Passport Competitors
- Feature: 20 Tips for Exchange 2000 Migration
- Review: Enterprise Backup Solutions
6. HOT RELEASE (ADVERTISEMENT)
- Sponsored by Stop Password Hackers with Password Bouncer!
7. SECURITY TOOLKIT
- Virus Center
- FAQ: Why Do I Receive Microsoft Passport-related Errors When I
Visit Some Web Sites?
8. NEW AND IMPROVED
- Manage Passwords
- Establish a Secure Channel
9. HOT THREADS
- Windows 2000 Magazine Online Forums
- Featured Thread: Recommended Antivirus Program
- HowTo Mailing List:
- Featured Thread: Outlook/Exchange Connection
10. CONTACT US
See this section for a list of ways to contact us.
1. ==== COMMENTARY ====
You've no doubt heard the news by now: Microsoft launched the Strategic
Technology Protection Program (STPP) to help companies get secure and
stay secure. STPP consists of five offerings in consulting services and
software that companies can use to change how they handle network
security. The software helps lock down systems and services and helps
automate patch installation. The consulting services help users deal
with design, planning, and serious security threats, such as the Nimda
worm, which affects multiple products. You can learn more about STPP by
reading the related news item in the SECURITY ROUNDUP section of this
STPP is a good step forward for Microsoft and its customers, but is it
enough? The STPP announcement comes after Gartner Group issued its
stern statements 2 weeks ago. Gartner recommends that users who've been
affected by security intrusions due to Microsoft IIS bugs should
consider migrating to another Web server platform, such as iPlanet or
Apache. You can read about Gartner's comments in Paul Thurrott's
related news story on our Web site.
Gartner's comments stem from the number of exploitable vulnerabilities
in the IIS source code. For example, as of October 9, 2001, the
Microsoft security Web site lists 22 bulletins about Internet
Information Services (IIS) 5.0 security vulnerabilities and 36
bulletins about Internet Information Server (IIS) 4.0 security
vulnerabilities. STPP will help Microsoft guard against security
vulnerabilities, but the fact that users need so many patches clearly
indicates a deeper problem: faulty coding practices.
Granted, Microsoft released URLScan, an ISAPI filter that rejects
requests by HTTP verb, file extension, and URL pattern before IIS
processes them, which is a fantastic way to keep unknown bugs from
becoming exploitable security risks. Even so, many people view URLScan
as just another patch. As you'll learn by
reading our news story about STPP, Microsoft designed new analysis
tools to use when developing Windows XP code--tools that help find bugs
that can become security risks. Microsoft is also using those tools to
analyze Windows 2000 patches and service pack code. So we can expect
IIS 5.0 to become more secure as Microsoft releases new service packs,
and IIS 6.0 should be more secure than its predecessors. URLScan will
be built into IIS 6.0.
Before you take Gartner's advice, you might give Microsoft a chance to
show how its new code analysis provides increased security in IIS 6.0.
Of course, IIS 6.0 will ship with Windows .Net Server rather than XP
(XP includes IIS 5.1, as Culp notes below), so adopting it means moving
to a new server OS. If you're also weighing an XP rollout, you might be
interested to learn that Microsoft has again postponed its controversial
new licensing program. Read about it in Paul Thurrott's new story on our
WinInformant Web site at the URL below.
I asked Scott Culp, manager of Microsoft's Security Response Center, if
IIS 6.0 is stronger code than its predecessors. As you know, IIS 5.1
ships with XP, and Culp said Microsoft believes that the quality of the
code in IIS 5.1 is in fact better than what is in IIS 5.0.
"IIS 5.1 was built using the processes and tools that were developed as
part of the Secure Windows Initiative [SWI], and we're seeing dramatic
improvements in products built under SWI, across the board. Fewer
coding errors means fewer vulnerabilities, which should mean better
security. But as you know, security is about more than just code
quality," Culp said. "That's where IIS 6.0 (which will be part of
Windows .Net Server) comes in. The primary difference between IIS 5.1
and IIS 5.0 is the code quality--most other aspects of the product are
the same or only changed in minor ways. In contrast, IIS 6.0 contains
code quality improvements, but also includes significant architectural
changes as well. For instance, IIS 6.0 won't install by default. When
you do install it, the setup wizard will interview you to find out what
you're planning to do with the server, and only enable the services
you'll need. The net is that IIS 5.1 should be more secure than its
predecessors because of the code quality improvements. But IIS 6.0 will
encompass code changes, architectural improvements, and new features.
As a result, the security improvements there should be much more
Nevertheless, if you're considering a move away from IIS, you'll be
interested to know that Sun Microsystems lowered the cost of iPlanet to
woo IIS customers. Formerly, iPlanet cost $1495 per CPU; however, Sun
now offers the platform for $940 per CPU to any customer who moves from
a competing platform. See the news story in the SECURITY ROUNDUP
section of this newsletter.
According to Netcraft's September Web survey results, 49.6 percent of
all Web systems polled run a Microsoft OS and probably IIS. Results
also show that many of those systems exhibit known security risks. As
of September 1, 8.5 percent of the systems Netcraft surveyed still have
the root.exe program, which is a backdoor associated with the Code Red
worm, installed; 37.14 percent still have the IIS-related WebDAV
functionality overly exposed; and 17.14 percent have their
administration Web pages open to the public and are vulnerable to known
URL-encoding exploits and known bugs in IIS-related sample pages and
scripts. Overall, one out of every five IIS servers is vulnerable to
attack. You can read Netcraft's survey results on its Web site.
Speaking of surveys, be sure to stop by our Security Administrator home
page to take our new poll concerning Gartner's comments. Are you
planning to switch Web server platforms? We're interested to know how
Gartner's comments might affect your decisions.
Last week, I mentioned the Eraser tool, which helps users prevent
unauthorized recovery of deleted files. Norman Samuelson wrote to
remind me that to keep data safe, users should be aware that some disk-
defragmentation software can inadvertently expose some or all of your
sensitive data. This scenario might occur when you move sensitive files
during a defragmentation process and the software doesn't wipe the data
sufficiently clean from the disk's formerly occupied sectors. It's a
good idea either to mark your sensitive data files as unmovable within
your defragmentation software or to configure the defragmentation
software to wipe disk data after moving files, if your software offers
such functionality. Otherwise, use a disk-wiping tool that wipes all
unused disk sectors after you've completed the defragmentation process.
Eraser can do that on demand or based on your defined schedule (see URL
below). Until next time, have a great week.
Mark Joseph Edwards, News Editor, mark () ntsecurity net
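The defragmentation warning above is easier to see than to describe. The following Python model is an added illustration, not code from the newsletter, from Eraser, or from any defragmentation product: a toy sector-addressed disk on which a file is relocated the way a defragmenter would do it, first without wiping the sectors it vacates and then with the two remedies the column suggests (wipe on release, or wipe all free sectors afterwards). The disk size, the 16-byte sector size and the file contents are made-up values chosen for the demonstration.

```python
"""Added example, not from the newsletter or from the Eraser tool: a toy
sector-addressed disk showing why a defragmenter that relocates a file
without wiping leaves its contents in freed sectors, and how wiping on
release (or wiping all free sectors afterwards) removes them. Disk size,
sector size and the file contents are made-up values for the demonstration."""

import os
from typing import Dict, List

SECTOR = 16  # bytes per sector; an assumption (real disks use 512 or 4096)


class ToyDisk:
    def __init__(self, sectors: int) -> None:
        self.data = bytearray(sectors * SECTOR)
        self.free: List[int] = list(range(sectors))   # unallocated sector numbers
        self.files: Dict[str, List[int]] = {}         # name -> sectors holding it

    def _sector(self, s: int) -> bytearray:
        return self.data[s * SECTOR:(s + 1) * SECTOR]

    def write(self, name: str, payload: bytes) -> None:
        needed = -(-len(payload) // SECTOR)           # ceiling division
        if needed > len(self.free):
            raise OSError("disk full")
        secs = [self.free.pop(0) for _ in range(needed)]
        for i, s in enumerate(secs):
            chunk = payload[i * SECTOR:(i + 1) * SECTOR].ljust(SECTOR, b"\0")
            self.data[s * SECTOR:(s + 1) * SECTOR] = chunk
        self.files[name] = secs

    def read(self, name: str) -> bytes:
        return b"".join(self._sector(s) for s in self.files[name]).rstrip(b"\0")

    def relocate(self, name: str, wipe_old: bool) -> None:
        """Defragmenter-style move: copy to fresh sectors, then release the old
        ones, either wiped (hardened) or untouched (the exposure described above)."""
        old = self.files[name]
        self.write(name, self.read(name))             # takes new sectors, remaps the file
        for s in old:
            if wipe_old:
                self.data[s * SECTOR:(s + 1) * SECTOR] = os.urandom(SECTOR)
            self.free.append(s)

    def wipe_free_space(self) -> None:
        """What a free-space wiper run after defragmentation does."""
        for s in self.free:
            self.data[s * SECTOR:(s + 1) * SECTOR] = os.urandom(SECTOR)

    def carve_free_space(self, needle: bytes) -> bool:
        """Simulate an undelete or carving tool reading only unallocated sectors."""
        unallocated = b"".join(self._sector(s) for s in sorted(self.free))
        return needle in unallocated


def demo(wipe_on_move: bool, wipe_free_after: bool = False) -> Dict[str, bool]:
    secret = b"SSN 078-05-1120 salary 91000"        # constructed sample record
    disk = ToyDisk(sectors=8)
    disk.write("payroll.xls", secret)
    disk.relocate("payroll.xls", wipe_old=wipe_on_move)
    if wipe_free_after:
        disk.wipe_free_space()
    return {"file_intact": disk.read("payroll.xls") == secret,
            "recoverable_from_free_space": disk.carve_free_space(secret)}


if __name__ == "__main__":
    print("plain move:      ", demo(wipe_on_move=False))
    print("wipe on move:    ", demo(wipe_on_move=True))
    print("wipe free space: ", demo(wipe_on_move=False, wipe_free_after=True))
```

In every case the file itself reads back intact; the difference is only in what a carving tool finds in unallocated sectors. Marking the file unmovable, the column's other suggestion, simply means `relocate` is never called for it, so no copy is left behind in the first place.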
2. ==== SECURITY RISKS ====
(contributed by Ken Pfeil, ken () win2000mag com)
* EXCEL AND POWERPOINT MACRO-CHECKING BYPASS
Peter Ferrie of Symantec Security Response reported a vulnerability
in Microsoft Excel and PowerPoint (for Windows and Macintosh) that
might let a malicious user bypass macro-checking to automatically
execute a script when opening a document. Microsoft released Security
Bulletin MS01-050 to address this problem. The bulletin lists the
patches and patch-installation instructions.
* DOS IN AOL INSTANT MESSENGER
Matthew Sachs reported a Denial of Service (DoS) condition in AOL
Instant Messenger. An attacker who can send instant messages to a user
signed on to the AOL Instant Messenger service can crash that user's
AOL Instant Messenger. The default settings let anyone send instant
messages to the user. When an attacker sends a text message with
certain symbols repeatedly (approximately 640 or more times), the
Instant Messenger client crashes. To minimize exposure to this
vulnerability, users should restrict the ability to receive instant
messages to only the people the users select. AOL has been notified of
* DOS IN CISCO SECURE PIX FIREWALL
A vulnerability in Cisco Secure PIX Firewall authentication can
produce a Denial of Service (DoS) condition. When AAA (Authentication,
Authorization, Accounting) authentication services are configured on
the Cisco Secure PIX Firewall, a single source address can consume all
of the firewall's authentication resources, preventing other legitimate
users from authenticating. The DoS affects only the authentication
resources; already established traffic continues unaffected, and only
new authentication requests are blocked. Cisco issued a notice about
this vulnerability and recommends that customers obtain a firmware
upgrade through Cisco distribution channels.
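The notice above describes the symptom (one address starving everyone else of authentication resources) but not the mechanism or what Cisco's upgrade changes. The following Python model is an added illustration, not code from the newsletter or from Cisco, of the design point behind that class of problem: a fixed pool of pending-authentication slots with no per-source limit is emptied by one address, while the same pool with a per-source cap still serves a second address. The pool size, the cap and the IP addresses (RFC 5737 documentation ranges) are assumed values chosen for the demonstration, and the per-source cap is a generic mitigation, not a description of what the PIX fix does.

```python
"""Added example, not from the newsletter or from Cisco: a toy model of
authentication-slot exhaustion from a single source address, with and
without a per-source cap. All sizes and addresses below are assumptions."""

from collections import Counter
from typing import Dict, Optional


class AuthPool:
    """Pending-authentication slots on a gateway (a model, not PIX internals)."""

    def __init__(self, capacity: int, per_source_cap: Optional[int] = None) -> None:
        self.capacity = capacity              # concurrent authentications the box can track
        self.per_source_cap = per_source_cap  # None means any one address may take them all
        self.pending: Counter = Counter()     # src_ip -> slots currently held

    def in_use(self) -> int:
        return sum(self.pending.values())

    def begin_auth(self, src_ip: str) -> bool:
        """Reserve a slot for a new authentication attempt; False means refused."""
        if self.in_use() >= self.capacity:
            return False
        if self.per_source_cap is not None and self.pending[src_ip] >= self.per_source_cap:
            return False  # this address already holds its share; leave room for others
        self.pending[src_ip] += 1
        return True

    def finish_auth(self, src_ip: str) -> None:
        """Release a slot when the attempt completes or times out."""
        if self.pending[src_ip] > 0:
            self.pending[src_ip] -= 1


def flood_then_legit(pool: AuthPool, attacker: str, victim: str, flood: int) -> Dict[str, int]:
    """Attacker opens `flood` authentications and never completes them;
    then one legitimate user from a different address tries once."""
    attacker_slots = sum(pool.begin_auth(attacker) for _ in range(flood))
    victim_ok = pool.begin_auth(victim)
    return {"attacker_slots": attacker_slots,
            "victim_authenticated": victim_ok,
            "slots_in_use": pool.in_use()}


def compare(capacity: int = 16, flood: int = 100, cap: int = 4) -> Dict[str, Dict[str, int]]:
    """Run the same flood against an uncapped pool and a per-source-capped pool.
    Addresses come from the RFC 5737 documentation ranges, chosen for illustration."""
    attacker, victim = "198.51.100.7", "203.0.113.5"
    return {
        "uncapped": flood_then_legit(AuthPool(capacity), attacker, victim, flood),
        "capped": flood_then_legit(AuthPool(capacity, per_source_cap=cap), attacker, victim, flood),
    }


if __name__ == "__main__":
    for name, result in compare().items():
        print(f"{name:9s} {result}")
```

With the uncapped pool the attacker holds every slot and the legitimate user is refused; with the cap the attacker is held to its share and the second address authenticates. A per-source cap only helps against a single address: an attacker with many addresses, or one who spoofs sources, also needs short timeouts on half-finished authentications and overall rate limits, which is why the vendor's fixed image rather than a local workaround is the answer for the PIX case.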
~~~~ SPONSOR: CONNECTED HOME MAGAZINE VIRTUAL TOUR ~~~~
What Does The Home Of The Not-Too-Distant Future Look Like?
You've never seen anything like the Connected Home Magazine Virtual
Tour. Experience (room by room) the latest home entertainment, home
networking, and home automation options that are going to change how
you work and play. While you're there, sign up for a free copy of
3. ==== ANNOUNCEMENT ====
* TEST YOUR WINDOWS XP KNOWLEDGE--FREE!
Our MCSE Exam 70-270 Question-of-the-Day email dives into the new
Windows XP topics such as installing and configuring handheld devices
and managing mobile users, while also measuring your skills in
networking basics, TCP/IP fundamentals, user accounts, protocol
features, and much more. Sign up (for FREE) today!
4. ==== INSTANT POLL ====
* RESULTS OF PREVIOUS POLL: NIMDA WORM
The voting has closed in Windows 2000 Magazine's Security
Administrator Channel nonscientific Instant Poll for the question, "Has
your system become infected by the Nimda worm?" Here are the results
(+/-2 percent) from the 715 votes:
- 31% Significantly--we've lost days disinfecting systems
- 37% Not at all
- 18% Somewhat
- 14% Hardly at all
* INSTANT POLL: DROP MICROSOFT IIS?
The Gartner Group is recommending that companies affected by
security problems in Microsoft IIS drop IIS in favor of other Web
server platforms. The current Instant Poll question is, "Does your
company plan to do one of the following? a) Move to a yet-to-be-
determined platform, b) Move to Apache, c) Move to iPlanet, d) Consider
the recommendation, or e) Not change--you need Microsoft technology?"
Go to the Security Administrator Channel home page and submit your
5. ==== SECURITY ROUNDUP ====
* NEWS: MICROSOFT ANNOUNCES MAJOR CHANGES TO SECURITY PRACTICES
Microsoft announced several major changes to its security practices,
designed to help customers fix the unpatched systems that the Code Red
and Nimda worms recently exploited. Microsoft also hopes these practices
will help companies build security into any future networks from the
outset.
Brian Valentine, senior vice president of the Windows division at
Microsoft, said that the company will make an unprecedented effort to
help customers secure their systems from Internet-based threats by
using the new Microsoft Strategic Technology Protection Program (STPP).
* NEWS: SUN LOWERS COSTS TO WOO IIS CUSTOMERS
In a bid to take advantage of the recent Microsoft product security
scares, Sun Microsystems has lowered the price of its iPlanet Web
Server by 37 percent. The company hopes that Microsoft IIS customers,
worried about constant security breaches, will move to the Sun
platform. Sun will provide additional tools that ease the process. The
price reduction cuts the cost of iPlanet from $1495 per processor to
$940 per processor, for any customer moving from a competing platform.
* NEWS: SUN AND AOL ANNOUNCE PASSPORT COMPETITORS
A growing feeling in the computer industry is that, where Microsoft
is concerned, you should strike when the company is down. In light of
the amount of negative press this year about Microsoft Windows XP,
HailStorm (now called .NET My Services), and Passport, we shouldn't be
surprised that the company's competitors--such as AOL, Oracle, Sun
Microsystems, and IBM--recently announced initiatives that will compete
with Microsoft's plans for the .NET future. Two of these competitors,
Sun and AOL, announced services that the companies hope will supplant
* FEATURE: 20 TIPS FOR EXCHANGE 2000 MIGRATION
The move from Microsoft Exchange Server 5.5 to Exchange 2000 Server
and the corresponding move from Windows NT to Windows 2000 are among
the most significant changes you'll make to your infrastructure in the
near future. Because an Exchange 2000 migration requires some
fundamental changes to your environment, setting out on the road to
Exchange 2000 without understanding every detail of the migration isn't
smart. Read Kieran McCorry's article for Windows 2000 Magazine (October
2001) to be sure you don't overlook anything crucial.
* REVIEW: ENTERPRISE BACKUP SOLUTIONS
Enterprise-level backup programs can provide peace of mind that the
data on your servers is safe and secure. If your backup software
doesn't give that protected feeling, you might want to invest in a
solid insurance policy for your data. Ed Roth found seven products that
offer the comprehensive client support and advanced features necessary
to enable centralized backup in an enterprise.
The products that Roth considered for this comparative review needed
to offer backup and restoration capabilities on Windows 2000, Windows
NT, Novell NetWare 5.1, and Sun Microsystems' Solaris 8 platforms. The
products also needed to be able to perform online backups and restores
of SQL Server 7.0 databases and Microsoft Exchange Server 5.5's
Directory Store, Information Store (IS), and individual mailboxes. Read
the review to learn what Roth found regarding base capabilities,
performance, media-control features, and manageability.
6. ==== HOT RELEASE (ADVERTISEMENT) ====
* SPONSORED BY STOP PASSWORD HACKERS WITH PASSWORD BOUNCER!
Are your employees and contractors unwittingly leaving your
enterprise exposed to password attacks? Password Bouncer screens new
passwords against "Hacker Wordlists" and prevents users from choosing
vulnerable passwords. Defend your network today with Password Bouncer!
7. ==== SECURITY TOOLKIT ====
* VIRUS CENTER
Panda Software and the Windows 2000 Magazine Network have teamed to
bring you the Center for Virus Control. Visit the site often to remain
informed about the latest threats to your system security.
* FAQ: WHY DO I RECEIVE MICROSOFT PASSPORT-RELATED ERRORS WHEN I VISIT
SOME WEB SITES?
( contributed by John Savill, http://www.windows2000faq.com )
A. I recently encountered this problem in the Microsoft Developer
Network (MSDN) subscriber download area. I can connect to several
Microsoft Passport-related Web sites, but I was unable to use my
Microsoft Passport to connect to the MSDN site. To remedy this
situation, I had to delete my MSDN Microsoft Passport cookie. Your Web
browser stores cookies on your computer in the Cookies subfolder of
your user profile using the following format:
If you're running Microsoft Internet Explorer (IE) 5.5 or IE 6.0, you
can choose to delete all cookies simultaneously. However, if you remove
all your cookies, you'll lose any information contained within your Web
site profiles. To remove all cookies in IE 5.5 or IE 6.0, perform the
1. Start IE.
2. From the Tools menu, select Internet Options.
3. In the Temporary Internet files section of the General tab, click
4. Click OK.
5. Close IE.
8. ==== NEW AND IMPROVED ====
(contributed by Scott Firestone, IV, products () win2000mag com)
* MANAGE PASSWORDS
Zemerick Software released myPasswords Professional, password-
managing software. The Password Recovery tool lets you recover the
passwords that asterisks have hidden in a program's dialogs. The
Password Generator tool creates complex passwords of any length
containing any combination of letters, numbers, and symbols. The
software can handle unlimited databases and entries, and users can
protect each database with a unique password. The software runs on
Windows 2000, Windows NT, Windows Me, Windows 9x, and other systems and
costs $30. Contact Zemerick Software at 304-469-4031.
* ESTABLISH A SECURE CHANNEL
Pragma Systems released SecureShell 2.0, a Secure Shell server that
supports both the Secure Shell 1 (SSH1) and Secure Shell 2 (SSH2)
protocols, with Advanced Encryption Standard (AES) Rijndael encryption.
The software establishes an encrypted channel over any TCP/IP-based
connection for both client and server applications, protecting
interactive sessions and file transfers over the Internet. SecureShell
2.0 uses RSA and DSA public keys for host and user authentication and
runs on Windows 2000, Windows NT, and Windows 9x systems. Because the
SSH1 protocol has known design weaknesses, permit SSH1 connections only
for clients that cannot use SSH2. The software costs $799 per server for
unlimited client connections. Contact Pragma Systems at 512-219-7270.
9. ==== HOT THREADS ====
* WINDOWS 2000 MAGAZINE ONLINE FORUMS
Featured Thread: Recommended Antivirus Program
(Six messages in this thread)
Brett wants to know what antivirus program he should use to protect
Windows NT servers. He's using Norton Antivirus but isn't happy with it
and wants suggestions. Read more about the questions and responses, or
lend a hand at the following URL:
* HOWTO MAILING LIST
Featured Thread: Outlook/Exchange Connection
(Eight messages in this thread)
This user is having a problem with his Microsoft Outlook client when
receiving mail from an Exchange Server. His Outlook client doesn't
notify him when new mail arrives, yet the notification functionality
works on other Outlook clients running on other workstations on his
network. Can you help? Read the responses or lend a hand at the
10. ==== CONTACT US ====
Here's how to reach us with your comments and questions:
* ABOUT THE COMMENTARY -- mark () ntsecurity net
* ABOUT THE NEWSLETTER IN GENERAL -- mlibbey () win2000mag com; please
mention the newsletter name in the subject line.
* TECHNICAL QUESTIONS -- http://www.win2000mag.net/forums
* PRODUCT NEWS -- products () win2000mag com
* QUESTIONS ABOUT YOUR SECURITY UPDATE SUBSCRIPTION? -- Email Customer
Support at securityupdate () win2000mag com
* WANT TO SPONSOR SECURITY UPDATE? -- emedia_opps () win2000mag com
Receive the latest information about the Windows 2000 and Windows NT
topics of your choice. Subscribe to our other FREE email newsletters.
Thank you for reading Security UPDATE.
To subscribe, send a blank email to mailto:Security_UPDATE_Sub () lists win2000mag net
ISN is currently hosted by Attrition.org
To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.