
List:       focus-ms
Subject:    SecurityFocus Microsoft Newsletter #58
From:       Marc Fossi <mfossi () securityfocus ! com>
Date:       2001-10-29 20:06:27

SecurityFocus Microsoft Newsletter #58
--------------------------------------
This newsletter issue is sponsored by: SecurityFocus
(http://www.securityfocus.com)

Win timely, comprehensive, actionable attack warnings with SecurityFocus
ARIS.

Isn't it time you took back control of your environment and better protect
yourself from attacks?  SecurityFocus ARIS is a global early warning
system that gives you hours, days - even weeks - to defend your network
infrastructure from threats and attacks before they hit.

ARIS proactively alerts you to an approaching threat as it's developing,
giving you precious time to protect your network, thus preventing
catastrophic damage.

ARIS gathers real-time data from over 7,000 partners in 138 countries
around the world.  The SecurityFocus trained security experts comb the
ARIS database for patterns and trends before they become recognizable
threats. ARIS customers receive alerts of developing attacks that contain
detailed attack information and scenarios, as well as the specific
countermeasures needed to thwart the attack.

Visit the SecurityFocus booth at CSI
(http://www.securityfocus.com/trade/tradeshow.shtml) this month and enter
to win a one-year subscription of SecurityFocus ARIS - the leading Attack
Alert System.

So, why not rest easy tonight?

To speak directly with an ARIS customer service representative, please
contact ARISsales@securityfocus.com, or call +1-650-655-6300.
-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. The Value of Honeypots, Part Two
     2. Preventing and Detecting Malware Installations on NT/2K
     3. Introduction to Security Policies, Part Four: A Sample Policy
     4. Homeland Cyber Security – We Need a Czar, Not a Coordinator
II. MICROSOFT VULNERABILITY SUMMARY
     1. Microsoft Excel and PowerPoint Macro Security Bypass Vulnerability
     2. Microsoft Internet Explorer Zone Spoofing Vulnerability
     3. Microsoft Internet Explorer HTTP Request Encoding Vulnerability
     4. Microsoft Exchange OWA Server Resource Starvation Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
     1. Can Kerberos be cracked??   (Thread)
     2. Something about ISA Server 2000...   (Thread)
     3. Win2k Vulnerability Hotfix Issues   (Thread)
     4. NT/Win2K bug   (Thread)
     5. Securing Personal Web Servers   (Thread)
     6. Delete Windows 2000 Guest account   (Thread)
     7. New version of HFNetChk from Microsoft.   (Thread)
     8. Flushing DLLs follow-up   (Thread)
     9. Post SP 6a SRP   (Thread)
     10. Backup plan for URLScan logfiles   (Thread)
     11. Flushing DLLs from memory   (Thread)
     12. POP3 and IMAP authentication after Q303451   (Thread)
     13. IP Spoofing / Mac adress   (Thread)
     14. SecurityFocus Microsoft Newsletter #57   (Thread)
     15. Patches with Win2k Datacenter   (Thread)
     16. Does Windows NT use TCP port 2000/2001?   (Thread)
     17. MS issues bum security patch, contradicts self   (Thread)
     18. Terminal Service for Remote Connections   (Thread)
     19. AW: Does Windows NT use TCP port 2000/2001?   (Thread)
     20. Citrix Terminal Service for Remote Connections   (Thread)
     21. NT/2K Forensics Server Project   (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
     1. NetScreen
     2. SecureLogon
     3. Lumeta Firewall Analyzer
     4. iRiS Antivirus
V. NEW TOOLS FOR MICROSOFT PLATFORMS
     1. John the Ripper (Win32) 1.6
     2. The Hash Algorithm Toolkit v1.3
     3. osfinger
     4. Advanced Net Tools (ANT) 2.3
VI. SPONSORSHIP INFORMATION



I. FRONT AND CENTER
-------------------
1. The Value of Honeypots, Part Two
by Lance Spitzner

Now that we have been discussing the different types of honeypots and
their value, let's discuss some examples. The more I work with honeypots,
the more I realize that no two honeypots are alike. Because of this, I
have identified what I call 'level of involvement'. Simply put, the more
involved a honeypot is, the more value it can have. At the same time, the
more involved a honeypot is, the more risk it is likely to have. The more
a honeypot can do and the more an attacker can do to a honeypot, the more
value can be derived from it. By the same token, the more an attacker can
do to the honeypot, the more potential damage that attacker can inflict on
the host system.

http://www.securityfocus.com/cgi-bin/infocus.pl?id=1498

2. Preventing and Detecting Malware Installations on NT/2K
by H. Carvey, CISSP

Recent history has seen the release of several Trojans, worms, and viruses
(collectively known as malicious software or malware) specifically
targeting Windows NT and Windows 2000 (2K). For the most part, much of the
malware has taken advantage of long-since patched vulnerabilities. For
example, the sadmind/IIS worm exploited the directory traversal
vulnerability in IIS, which had been patched in Nov 2000. In fact, it
seems as if many of the recent worms - including sadmind/IIS, Code Red,
and Code Blue - were released as a wake-up call to encourage
administrators to patch their systems. After all, Code Red was noisy, but
it did very little damage to the systems it infected.

http://www.securityfocus.com/cgi-bin/infocus.pl?id=1499

3. Introduction to Security Policies, Part Four: A Sample Policy
by Charl van der Walt

This is the fourth in a four-part overview of security policies. In the
first article, we looked at what policies are and what they can achieve.
The second article looked at the organizational support required to
implement security policies successfully. The third installment discussed
how to develop and structure a security policy. This installment will take
a look at a few examples of security policies.

http://www.securityfocus.com/cgi-bin/infocus.pl?id=1497

4. Homeland Cyber Security – We Need a Czar, Not a Coordinator
by Richard Forno

The appointment of Richard Clarke as the head of cyber-security is the
latest in a long line of Presidential attempts to monitor and deter
security threats on the Internet.

http://www.securityfocus.com/columnists/32


II. MICROSOFT VULNERABILITY SUMMARY
-----------------------------------
1. Microsoft Excel and PowerPoint Macro Security Bypass Vulnerability
BugTraq ID: 3402
Remote: No
Date Published: 2001-10-04 00:00:00
Relevant URL:
http://www.securityfocus.com/bid/3402
Summary:

Microsoft Excel and PowerPoint contain a macro security feature.  This
feature scans a document when a user opens it to determine if there are
any embedded macros.  Then, depending on the security setting, the user is
prompted whether or not to allow the macro to run, or the macro is
bypassed automatically.

A malformed Excel or PowerPoint document could potentially bypass this
macro security feature, allowing the macro code to be executed without the
user's knowledge.  This could allow an attacker to embed malicious code
within the malformed document and have it execute on the target host.
This code would run with the permissions of the user currently logged in.

The malformed document containing the macro must still be opened by the
user in order for the macro to execute.

2. Microsoft Internet Explorer Zone Spoofing Vulnerability
BugTraq ID: 3420
Remote: Yes
Date Published: 2001-10-10 00:00:00
Relevant URL:
http://www.securityfocus.com/bid/3420
Summary:

Microsoft Internet Explorer contains security settings that can be
modified according to a user's preferences. There are five different
zones; each can be configured to control what actions a web site can take
on a user's system.

The Intranet Zone contains all sites within a local intranet or network.
By default this zone is set to Medium-Low, allowing most content within
the site to run without prompting the user.

The Internet Zone contains all web sites not specified in other zones. By
default this zone is set to Medium, enforcing that a user is to be
prompted before running content.

A vulnerability exists in Internet Explorer which could allow a web site
to be placed in the Intranet Zone rather than the Internet Zone, so that
its content is handled under the less-restrictive security settings of
that zone.

This is achievable by converting an IP address into a dotless IP address.
When a dotless IP address is submitted, Internet Explorer treats the web
site as a Local Intranet site. Therefore, any malicious content on the
site will run with the less restrictive settings of that zone.

Which content will run is dependent on the settings in the Local Intranet
Zone. Users may have modified or customized these settings to a lower
level, expecting that only trusted network/intranet sites will be viewed
in this zone.

Successful exploitation of this vulnerability could lead to the execution
of malicious script or ActiveX controls.
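As an added, defender-side illustration of the "dotless IP" trick described above (example code written for this summary, not part of the original newsletter or of any Microsoft advisory): the script below parses constructed proxy-log lines, recognizes URLs whose host is a bare 32-bit integer, converts it back to dotted form, and reports whether the real address is a private or public one, so an administrator can spot sites that would have been treated as Local Intranet. The decimal form is what the summary describes; the `0x`-hex form is handled as well and goes beyond the page. The log format, client addresses and URLs are all constructed sample data.

```python
import ipaddress
import re
from urllib.parse import urlsplit

# Constructed sample proxy log lines (timestamp, client, method, URL, status).
# These are not real log records from the newsletter.
SAMPLE_LOG = """\
2001-10-29T12:00:01 10.0.1.11 GET http://www.example.com/index.html 200
2001-10-29T12:00:05 10.0.1.11 GET http://3232235777/login.html 200
2001-10-29T12:00:09 10.0.1.12 GET http://0xC0A80101/update.hta 200
2001-10-29T12:00:13 10.0.1.12 GET http://192.168.1.1/ 200
"""

DECIMAL_HOST = re.compile(r"^[0-9]+$")
HEX_HOST = re.compile(r"^0[xX][0-9a-fA-F]+$")


def dotless_to_ipv4(host):
    """Return the dotted-quad form of a dotless IPv4 host, or None.

    A dotless host is a bare decimal integer (e.g. 3232235777) or a 0x-prefixed
    hexadecimal integer.  Values above 0xFFFFFFFF cannot be IPv4 addresses and
    are rejected; ordinary hostnames and dotted addresses return None.
    """
    if DECIMAL_HOST.match(host):
        value = int(host, 10)
    elif HEX_HOST.match(host):
        value = int(host, 16)
    else:
        return None
    if value > 0xFFFFFFFF:
        return None
    return str(ipaddress.IPv4Address(value))


def classify_url(url):
    """Return a finding dict if the URL uses a dotless IP host, else None."""
    host = urlsplit(url).hostname or ""
    dotted = dotless_to_ipv4(host)
    if dotted is None:
        return None
    return {
        "host": host,            # as seen in the URL (urlsplit lowercases it)
        "dotted": dotted,        # normalized address
        "private": ipaddress.IPv4Address(dotted).is_private,
    }


def scan_log(text):
    """Scan whitespace-separated log lines and collect dotless-IP findings."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # skip malformed or blank lines
        hit = classify_url(fields[3])
        if hit is not None:
            hit["client"] = fields[1]
            findings.append(hit)
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        scope = "private" if f["private"] else "public"
        print(f"{f['client']} requested dotless host {f['host']} "
              f"-> {f['dotted']} ({scope})")
```

Only the two dotless requests are reported; the dotted `192.168.1.1` request is left alone because it would have been placed in the Local Intranet Zone legitimately. A public address showing up through a dotless host is the case worth investigating, since it is an Internet site that the browser handled under intranet settings.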

3. Microsoft Internet Explorer HTTP Request Encoding Vulnerability
BugTraq ID: 3421
Remote: Yes
Date Published: 2001-10-10 00:00:00
Relevant URL:
http://www.securityfocus.com/bid/3421
Summary:

Internet Explorer contains a vulnerability which could allow an attacker
to construct a URL which would redirect the user to a third party website
and send commands to that site which, to the third party site, would
appear to have come from the user.

This vulnerability would most likely be exploited against a user who
subscribed to some form of web-based service such as email or file
hosting.

Successful exploitation of this vulnerability would require specific
knowledge of the targeted user and would be difficult to exploit on a
widespread scale.

4. Microsoft Exchange OWA Server Resource Starvation Vulnerability
BugTraq ID: 3368
Remote: Yes
Date Published: 2001-09-26 00:00:00
Relevant URL:
http://www.securityfocus.com/bid/3368
Summary:

Outlook Web Access is an optional component of Microsoft Exchange Server
which runs in conjunction with Microsoft Internet Information Server. It
provides access to a user's Exchange mailbox through a web interface.

When processing client access requests, OWA Server does not place limits
on folder depth.  Remote attackers can exploit this to cause a denial of
service by requesting access to complex folder structures (which need not
exist).

The CPU and memory consumed while processing these requests may result in
a denial of service on the server.  Since this is a resource exhaustion
attack, all other processes on the system (other services) will be
affected.

The denial of service condition will cease once OWA server has finished
processing the request.  Repeated attacks can cause a prolonged denial of
service.

To exploit this vulnerability, an attacker must authenticate as a
legitimate client.


III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Can Kerberos be cracked??   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=013e01c15da0$e47dba40$0b00010a@lauradominion.com&threads=1


2. Something about ISA Server 2000...   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=00bf01c15d9b$3fd80400$0b00010a@lauradominion.com&threads=1


3. Win2k Vulnerability Hotfix Issues   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=217C727FF4584640A37BECF039962E234E3E4F@mail1.sevenww.co.uk&threads=1


4. NT/Win2K bug   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=OF8000A278.3D663845-ON4A256AF0.00089E3D@juptech.com&threads=1


5. Securing Personal Web Servers   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=OF5D1B103C.43AF458D-ON85256AF0.00454C90@nbc.gov&threads=1


6. Delete Windows 2000 Guest account   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=H00002c4084e351a@MHS&threads=1


7. New version of HFNetChk from Microsoft.   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=0393D629EEDEC246956A0F2CEBF8F83B01A3F4@njmail1.dbma.com&threads=1


8. Flushing DLLs follow-up   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=4A8E2E6FBFC0D511B0590008C7336EA00E3D77@zaexc8.w9&threads=1


9. Post SP 6a SRP   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=5.1.0.14.0.20011023182522.0210d9b8@mail.tellurian.net&threads=1


10. Backup plan for URLScan logfiles   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=20011023202320.46435.qmail@web20901.mail.yahoo.com&threads=1


11. Flushing DLLs from memory   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=023c01c15b57$fea1e630$0200a8c0@lifelesswks&threads=1


12. POP3 and IMAP authentication after Q303451   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=109CF3ABA252CB4DA96C9F71D325107C502A3D@CorpML1.indy.lmiv.com&threads=1


13. IP Spoofing / Mac adress   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=B45465FD9C23D21193E90000F8D0F3DF01C1FAFA@mailsrv.linkvest.com&threads=1


14. SecurityFocus Microsoft Newsletter #57   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=Pine.GSO.4.30.0110221521040.18765-100000@mail&threads=1


15. Patches with Win2k Datacenter   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=001f01c15b10$10466de0$6eeca8c0@parkplacetexas.corp&threads=1


16. Does Windows NT use TCP port 2000/2001?   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=20011022164213.80013.qmail@web20906.mail.yahoo.com&threads=1


17. MS issues bum security patch, contradicts self   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=NFBBLAEICLEBFNIBCMKMEEKECGAA.tcgreene@bellatlantic.net&threads=1


18. Terminal Service for Remote Connections   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=EBEKIPJCIAPMGAMINGHHKECPDAAA.andrewk@spray-quip.com&threads=1


19. AW: Does Windows NT use TCP port 2000/2001?   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=000201c158b0$5b097780$6f0216ac@phoenix&threads=1


20. Citrix Terminal Service for Remote Connections   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=57D874A37662D411A42000508B444D7B1FE2FE@MHHNET2&threads=1


21. NT/2K Forensics Server Project   (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=20011019130703.39440.qmail@web20507.mail.yahoo.com&threads=1



IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. NetScreen
by NetScreen Technologies
Platforms:N/A
Relevant URL:
http://www.netscreen.com/products.htm
Summary:

The NetScreen line of security solutions integrates firewall, VPN and
traffic management functionality in one dedicated hardware platform
that delivers unprecedented performance. NetScreen's products are based on
a secure packet processor - an innovative design that includes a
custom-designed ASIC for encrypting and screening, a high-performance
multibus architecture, embedded high-speed RISC CPU and dedicated
software.

2. SecureLogon
by iSecureX Technologies
Platforms: Windows 95/98, Windows NT, Windows 2000
Relevant URL:
http://www.isecurex.com/e/securelogon/index.htm
Summary:

SecureLogon for Windows provides secure logon for Windows networks that
meets high security requirements without passwords. The user's profile,
such as username and password, is encrypted and stored on a Logon Key
(which can be a smart card or UKey). Inserting the Logon Key triggers and
completes the user logon process automatically. It frees computer users
from having to remember and type usernames and passwords, which is in
many cases tedious. Users can also choose to generate random passwords and
to lock the machine when the Logon Key is removed.

3. Lumeta Firewall Analyzer
by Lumeta Corporation
Platforms: UNIX, Windows NT, Windows 2000
Relevant URL:
http://www.lumeta.com/firewall.html
Summary:

Using patent-pending technology, the Lumeta Firewall Analyzer (LFA)
provides an off-line assessment of the enterprise network from both the
outside in and the inside out -- based on a thorough examination of the
firewall's rule set. LFA explicitly depicts what your Check Point or Cisco
PIX firewalls actually allow through. It allows testing the firewall rules
before deployment, and auditing the rules after deployment.

4. iRiS Antivirus
by iRiS Software
Platforms: Solaris, Windows 95/98, Windows NT, Windows 3.x, AIX, HP-UX,
MacOS, OS/2, DOS, Netware, Windows CE
Relevant URL:
http://www.irisav.com/prod/
Summary:

iRiS AntiVirus is a powerful virus solution that is certified by the
International Computer Security Association to detect 100% of "viruses in
the wild." This superior virus detection capability when combined with
iRiS' industry leading curing capabilities yields the most advanced virus
protection package available.


V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. John the Ripper (Win32) 1.6
by Solar Designer
Relevant URL:
http://www.openwall.com/john/
Platforms: Windows 95/98, Windows NT
Summary:

John the Ripper is a password cracker, currently available for UNIX, DOS,
WinNT/Win95. Its primary purpose is to detect weak UNIX passwords.

2. The Hash Algorithm Toolkit v1.3
by Aaben Kryptografi Ltd
Relevant URL:
http://www.secure-hash-algorithm-md5-sha-1.co.uk
Platforms: Windows 2000, Windows 3.x, Windows 95/98, Windows CE, Windows
NT
Summary:

The Secure Hash Algorithm Directory provides information, resources and
products for MD5 and SHA-1, optionally including HMAC.

3. osfinger
by setuid - setuid@digitalmaphia.com
Relevant URL:
http://www.blackcode.org/l0gik
Platforms: Windows 2000, Windows 95/98, Windows NT
Summary:

OSfinger v1.0 uses a known-port OS fingerprinting method to try to
determine the operating system running on a given host.

4. Advanced Net Tools (ANT) 2.3
by Mikersoft
Relevant URL:
http://www.mikersoft.com/ant/anttrial.zip
Platforms: Windows 2000, Windows 95/98
Summary:

Share Scanner can scan any network for a list of shared drives. ARP
Configuration allows you to add/remove ARP entries and view the ARP table
all from a Windows GUI. Route Configuration allows you to add/remove
Routing entries and view the route table all from a Windows GUI. Adapter
Configuration allows you to view all adapters and add remove IP addresses
of individual adapters using a Windows GUI. IP Configuration shows you all
of the configuration information for all of the adapters on your system.
Net Stats shows all of the current connections on your PC and their
current state. It also shows what ports applications are listening on. You
can set the refresh rate at any speed you wish. TraceRoute tells you how
many hops (routers) are between your PC and another destination. It will
also show you the slowest connection point. Network Scanner can scan any
class A, B or C network for any list of open ports. Network Scanner takes
advantage of multi-threading. You can use many threads to scan at the same
time for quick results. You can save your port list to a text file. You
can also save your list of found connections to a text file. Port Scanner
can scan any computer for a list, or range of open ports. Set your speed
of finding open ports by setting the timeout variable. Ping Utility allows
you to change the size of the packets, the timeout, and the number of
packets to ping. Advanced DNS Utility shows you extended information on a
given hostname or IP address. You can also lookup the mail exchange
servers, or domain name servers for a specific domain. Query types
available: A, ANY, NS, MX, SOA. Command Test, a utility for connecting to
an open port and testing commands. Works like a telnet client but you can
send 1 line at a time. Whois Client where you can configure the whois
server for multiple DNS name types. With ANT you don't even need to use
the main GUI interface, all menus are accessible from the system tray
icon.


VI. SPONSORSHIP INFORMATION
---------------------------


