**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter brought
to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/
**********************************************************
This week's issue sponsored by
Network-1 - CyberwallPLUS - Packet Filtering Firewalls
http://www.network-1.com/products/index.htm
Sunbelt Software - STAT: NT/2000 Vulnerability Scanner
http://www.sunbelt-software.com/product.cfm?id=899
(Below SECURITY ROUNDUP)
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
April 19, 2000 - In this issue:
1. IN FOCUS
- Buffer Overflows: The Developer's Bane
2. SECURITY RISKS
- Buffer Overflow Condition in Microsoft Web Component
- Registry Permissions Could Expose Cryptographic Keys
- Excessive Escape Characters Can Slow IIS
3. ANNOUNCEMENTS
- Put Your Knowledge of Microsoft Products to the Test!
- Are You One in a Million?
4. SECURITY ROUNDUP
- News: F5 Networks Release SSL-Accelerator
- News: Software Pirates Thrive on Auction Sites
5. NEW AND IMPROVED
- Simplify Access to Private Data and Applications
- Next Generation E-Business Virus Security Solution
6. HOT RELEASES (ADVERTISEMENT)
- Windows Security Issues?
- VeriSign - The Internet Trust Company
7. SECURITY TOOLKIT
- Book Highlight: Hacking Exposed: Network Security Secrets and
Solutions
- Tip: How to Restore Default File Permission Settings
- Windows 2000 Security: Advances in Administrative Authority
- Writing Secure Code: Avoid Buffer Overruns with String Safety
- Ultimate Security Toolkit: NetRecon 3.0
8. HOT THREADS
- Windows 2000 Magazine Online Forums
NTFS Permissions
- Win2KSecAdvice Mailing List
DVWSSR.DLL Buffer Overflow Vulnerability IIS Web Servers
- HowTo Mailing List
How to Wipe Disks
Single Sign-on
~~~~ SPONSOR: NETWORK-1 - CYBERWALLPLUS--PACKET FILTERING FIREWALLS ~~~~
CyberwallPLUS – the world’s best packet filtering firewall – provides
network and system managers with the network access control and intrusion
detection needed to secure today’s "electronically open" networks. Now
administrators can deploy a complete end-to-end network security solution,
including Internet firewalls, LAN-based firewalls and even the World’s
first embedded firewall for Windows NT/2000 severs. All of your
CyberwallPLUS firewalls can be remotely administered with the Cyberwall
Central utility. Through its fine grain access control and active intrusion
detection, Network-1’s CyberwallPLUS firewalls prevent network attacks and
stops hackers cold. Visit http://www.network-1.com/products/index.htm to
learn more about CyberwallPLUS and request a free network security
whitepaper.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Jim Langone
(Western Advertising Sales Manager) at 800-593-8268 or jim@win2000mag.com,
OR Tanya T. TateWik (Eastern and International Advertising Sales Manager)
at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. ========== IN FOCUS ==========
Hello everyone,
For a brief moment last week, it appeared as though someone had discovered
a genuine back door in a Microsoft Web product. As it turns out, the
product has no back door, but it does have some interesting code and a
nasty buffer overflow condition.
The story broke last Thursday night when a researcher informed Microsoft
that he thought a particular component that ships with various Web
platforms had a back door. Apparently, someone found a suspicious string of
words inside a file (dvwssr.dll, part of Visual InterDev 1.0), thought that
it might represent telltale signs of a back door, and tipped off the
researcher. The hacker investigated the code and reported his findings to
Microsoft. The string inside the DLL clearly read, "Netscape engineers are
weenies!" and after some investigation, the researcher learned that the
string obscured a URL-based file request sent to the DLL in question.
According to Microsoft, barely an hour after it received the initial bug
report, a reporter from the Wall Street Journal called to ask for a denial
or confirmation of the alleged back door. By Friday afternoon, Microsoft
had openly confirmed that a bug did exist in the DLL file. In Security
Bulletin MS00-025 (released Friday), the company said that the DLL in
question might let a Web author access certain files of other Web sites on
the same server, if the relevant server files had incorrect permission
settings.
As it turns out, the embedded phrase is not a true back door, only a key
string used to obscure part of a URL. Someone with knowledge of the
obscuring routine still needs specific file access permission to exploit
the routine. No risk exists until an administrator sets file access
permissions in a particular way. But that isn't the end of the story.
Researchers began looking for other problems with the dvwssr.dll file
and quickly found them. By late Friday afternoon, a message was circulating
on various mailing lists that stated a buffer overflow condition exists in
the dvwssr.dll file. Apparently, an attacker can launch a Denial of Service
(DoS) attack against the server by sending the DLL a URL parameter string
of 5000 characters. Furthermore, under certain circumstances, the buffer
overflow can let an attacker run code on a remote system.
After news of the overflow condition reached Microsoft, the company
revised its original security bulletin with the new risk details. In
addition, the company recommended that because Visual InterDev 1.0 is so
old and probably not widely used, administrators should delete the
dvwssr.dll file from servers to eliminate associated risks.
The entire scenario flushed out arguments for and against two old sore
spots in the security community: full and immediate vulnerability
information disclosure, and the potential benefits of open source projects
when it comes to secure coding practices. As soon as this story hit the
news outlets Friday morning, the debates began on several public forums.
People cried foul because they felt the initial vulnerability report was
misleading and confusing. They used the incident to claim that full and
immediate vulnerability disclosure is detrimental. Yet proponents said that
without such disclosure, researchers wouldn't have found the buffer
overflow condition in the first place. I think both sides have valid
arguments. Sometimes a risk needs to be held in confidence for a period of
time for a good reason; in other incidents, the best course is to release
full risk information immediately. Both approaches depend on the
circumstances involved, so no static rule applies across the board.
On the open source issue, supporters believe that making source code
available for review reduces the number of security risks in that code
because more eyes will find more problems. But is this really true?
Elias Levy, CTO, SecurityFocus, pointed out in a recent commentary about
open source projects that there is no guarantee that people will review
open source code from a security perspective. Nor is there any guarantee
that people will report any security problems they find. Keep in mind that
black hats review code to exploit bugs, not report them. The bottom line is
that peer review of source code is only as valuable as the skill set and
morals of the peer performing the review.
The real priority with developing solid code is to educate developers
about the finer points of secure programming so that they avoid common
programming pitfalls, such as buffer overflows. This approach stops basic
security problems before they originate instead of depending on peer review
to discover them. Providing developers with better knowledge and improved
tool sets will quickly decrease the number of security-related problems we
encounter, which means that everyone can enjoy a safer network. Until next
time, have a great week.
Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net
2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)
* BUFFER OVERFLOW CONDITION IN MICROSOFT WEB COMPONENT
Core SDI reported a buffer overflow condition in a component of Microsoft's
Visual InterDev 1.0. The component, dvwssr.dll, provides support for Visual
InterDev's Link View feature. Because of an unchecked buffer, an intruder
can crash the Microsoft IIS Web service or cause arbitrary code to execute
on the server by sending the component an abnormally long URL. The problem
affects any IIS system that has the Windows NT 4.0 Option Kit installed,
Windows 9x Personal Web Servers, and any system with FrontPage 98 Server
Extensions installed.
http://www.ntsecurity.net/go/load.asp?iD=/security/iis4-9.htm
* REGISTRY PERMISSIONS COULD EXPOSE CRYPTOGRAHPIC KEYS
Sergio Tabanelli discovered that loose permissions on a particular Registry
key let a user compromise the cryptographic keys of other users on the same
system. The Registry key is used to indicate an external DLL-based driver
definition for a hardware-based encryption accelerator. The drivers have
access to cryptographic keys stored on the system, and an intruder could
develop a Trojan driver because the Registry key is not protected against
manipulation by regular users. The problem affects all editions of Windows
NT 4.0. Microsoft has issued a patch for Intel and Alpha, as well as
Support Online article Q259496.
http://www.ntsecurity.net/go/load.asp?iD=/security/reg1.htm
* EXCESSIVE ESCAPE CHARACTERS CAN SLOW IIS
Vanja Hrustic reported a problem with IIS where an intruder can use a
malformed URL that contains a large number of escape characters to increase
Web service overhead. When parsing a URL with an excessive number of escape
character sequences, IIS consumes most all of the available CPU cycles on
the server. Microsoft has released a patch for IIS 4.0 and IIS 5.0 as well
as Support Online article Q254142.
http://www.ntsecurity.net/go/load.asp?iD=/security/iis4-8.htm
3. ========== ANNOUNCEMENTS ==========
* PUT YOUR KNOWLEDGE OF MICROSOFT PRODUCTS TO THE TEST!
Play the Microsoft TechNet Puzzler and use your expertise to win a trip
to the Tech-Ed 2000 Conference in Orlando and a BMW Z3 Roadster!
http://www.microsoft.com/technet/puzzler/default.asp
* ARE YOU ONE IN A MILLION?
Last month, Microsoft announced that shipments of Windows 2000 have jumped
beyond the 1-million-unit mark. If you're a recent purchaser, be sure to
visit our Windows 2000 Experience Web site. You'll find news, articles, a
technical forum, vendors--everything you need to migrate intelligently.
http://www.windows2000experience.com
4. ========== SECURITY ROUNDUP ==========
* NEWS: F5 NETWORKS RELEASE SSL-ACCELERATOR
F5 Networks has released a Secure Sockets Layer (SSL) accelerator feature
for its BIG-IP product. BIG-IP is a load-balancing tool that helps maximize
throughput and service uptime. With SSL-Accelerator, BIG-IP can help
increase speed and manageability for secure online transactions that use
SSL technology.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=119&TB=news
* NEWS: SOFTWARE PIRATES THRIVE ON AUCTION SITES
The Software & Information Industry Association (SIIA) recently conducted a
survey to determine how much software sold at online auction sites was
pirated. A review of sale items at auction sites on Amazon.com, eBay,
Yahoo, and Excite@Home between March 31 and April 3 determined that 91
percent of the packages were not legal to sell. The figure represents a 31
percent increase over the previous survey conducted in August 1999.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=120&TB=news
~~~~ SPONSOR: SUNBELT SOFTWARE--STAT: NT/2000 VULNERABILITY SCANNER ~~~~
Ever had that feeling of ACUTE PANIC that a hacker has invaded your
network? Plug NT/2000's over 850 holes before they plug you. You _have_ to
protect your LAN _before_ it gets attacked. STAT comes with a responsive
web-update service and a dedicated Pro SWAT team that helps you to hunt
down and kill Security holes. Built by anti-hackers for DOD sites. Download
a demo copy before you become a statistic.
http://www.sunbelt-software.com/product.cfm?id=899
5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)
* SIMPLIFY ACCESS TO PRIVATE DATA AND APPLICATIONS
Jela Company released OnlyYou 1.1, software that lets users on Windows NT
and Windows 9x platforms use and protect their IDs and passwords. Press the
OnlyYou hot key and identify yourself to extract your password from 128-bit
encrypted storage. By eliminating the need to remember your passwords, you
don't compromise security.
OnlyYou 1.1 costs $23.50 for a single-user license. Network and volume
licenses are available. For more information contact Jela Company,
800-275-0097 or go to the Web site.
http://www.jelaco.com/
* NEXT-GENERATION E-BUSINESS VIRUS SECURITY SOLUTION
McAfee announced McAfee ActiveVirus Defense, a next-generation e-business
virus security solution that integrates a suite of antivirus products.
ActiveVirus Defense delivers centralized policy management, enforcement,
and reporting capabilities with virus analysis and fixes and faster
updating capabilities to the McAfee product line. McAfee Active Virus
Defense runs on Windows 2000, Windows NT, and Windows 9x. For more
information, contact McAfee, 800-338-8754 or go to the Web site.
http://www.mcafee.com/
6. ========== HOT RELEASES (ADVERTISEMENT) ==========
* WINDOWS SECURITY ISSUES?
Internet Security Systems delivers years of Windows security experience in
a comprehensive, easily understood service. Windows security issues that
normally take hours or days to research and repair are easily available
through SAVANT.
http://www.iss.net/securing_e-business/sec_management_sol/customer_life_cycle/savant.php
* VERISIGN - THE INTERNET TRUST COMPANY
Protect your servers with 128-bit SSL encryption! Get VeriSign's FREE
guide, "Securing Your Web Site for Business." You will learn everything you
need to know about using SSL to encrypt your e-commerce transactions for
serious online security. Click here!
http://www.verisign.com/cgi-bin/go.cgi?a=n016007870003000
7. ========== SECURITY TOOLKIT ==========
* BOOK HIGHLIGHT: HACKING EXPOSED: NETWORK SECURITY SECRETS AND SOLUTIONS
By Stuart McClure, Joel Scambray, et al.
Online Price: $39.99
Softcover; 484 Pages
Published by McGraw-Hill, September 1999
ISBN 0072121270
Defend your network against the sneakiest hacks and latest attacks. In
"Hacking Exposed: Network Security Secrets and Solutions," security experts
Stuart McClure, Joel Scambray, and George Kurtz give you the full scoop on
some of the most highly publicized and insidious break-ins and show you how
to implement bulletproof security on your system. The handbook covers
security, auditing, and intrusion-detection procedures for Windows NT,
Windows 9x, UNIX (including Linux), and Novell networks. The companion Web
site contains custom scanning scripts and links to security tools.
For Windows 2000 Magazine Security UPATE readers only--Receive an
additional 10 percent off the online price by typing WIN2000MAG in the
discount field on the Shopping Basket Checkout page. To order this book, go
to
http://www.fatbrain.com/shop/info/0072121270?fromwin=2000mag
Or visit the Windows 2000 Magazine Network Bookstore at
http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772
* TIP: HOW TO RESTORE DEFAULT FILE PERMISSION SETTINGS
(contributed by http://www.ntfaq.com)
A user wants to know how to restore the default security settings for files
and directories. Restoring security settings is easy if you have a copy of
the Windows NT Resource Kit. The Resource Kit contains a file called
fixacls.exe that will reset file and directory permissions based on the
definitions in the perms.inf file in the %SYSTEMROOT%\INF\ directory.
* WINDOWS 2000 SECURITY: ADVANCES IN ADMINISTRATIVE AUTHORITY
In his latest Web exclusive column, Randy Franklin Smith points out that
one of the worst problems with Windows NT security turns out to be one of
the best enhancements in Windows 2000. The enhancement involves how Win2K
handles administrative authority. When you understand how NT handles
administrative authority and the changes Microsoft made in Win2K, you'll
begin to see the opportunities you have for improving security in your
network. Be sure to read Smith's new column on our Web site.
http://www.ntsecurity.net/go/win2ksec.asp
* WRITING SECURE CODE: AVOID BUFFER OVERRUNS WITH STRING SAFETY
In his latest column, David LeBlanc says that string handling is one of the
most error-prone aspects of C and C++ programming. String-handling errors
account for most of the buffer overruns that result in security problems.
LeBlanc has lots of good advice for developers who want to avoid pitfalls
in writing Win32-based code. Be sure to stop by and read LeBlanc's latest
column.
http://www.ntsecurity.net/go/seccode.asp
* ULTIMATE SECURITY TOOLKIT: NETRECON 3.0
In his latest review, Steve Manzuik looks at NetRecon 3.0. NetRecon lets
security administrators quickly scan their networks for a variety of
security risks, including weak passwords and Denial of Service (DoS)
vulnerabilities. Stop by and read the entire review today!
http://www.ntsecurity.net/go/ultimate.asp
8. ========== HOT THREADS ==========
* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows
2000 Magazine online forums (http://www.win2000mag.com/support).
April 14, 2000, 04:04 A.M.
NTFS Permissions
How can I add a new NTFS permission on a top-level folder and its
subfolders/files without replacing the existing NTFS permissions
(groups/permissions are not the same on subfolders/files).
Thread continues at
http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=99309
* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following thread is in the spotlight this
week:
Dvwssr.dll Buffer Overflow Vulnerability in IIS Web Servers
We've been playing a little more, trying to exploit this buffer overflow,
and because we don't have InterDev installed on our system, we copied the
.dll to the /msadc directory. With this configuration, we have been able to
make the code jump to our buffer. Under these circumstances, the actual
buffer overflow will allow us to execute arbitrary code in the target
machine.
http://www.ntsecurity.net/go/w.asp?A2=IND0004C&L=WIN2KSECADVICE&P=218
Follow this link to read all threads for April, Week 3:
http://www.ntsecurity.net/go/w.asp?A1=ind0004b&L=win2ksecadvice
* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
HowTo for Security mailing list. The following threads are in the
spotlight this week:
1. How to Wipe Disks
I work for a government agency that is about to get rid of a bunch of old
PCs. We now have a new security policy stating that the content of the
disks has to be wiped out before the PCs leave the agency. Does anybody
know a good utility that could do this job?
http://www.ntsecurity.net/go/L.asp?A2=IND0004B&L=HOWTO&P=3133
2. Single Sign-on
I have a hybrid network (Windows NT with some Novell and HP-UX), and I was
wondering if anyone is familiar with a way (or third-party product) to
synchronize a password change across all platforms? I'm concerned only
about OS-level passwords and unconcerned with the application level.
http://www.ntsecurity.net/go/L.asp?A2=IND0004B&L=HOWTO&P=4248
Follow this link to read all threads for April, Week 3:
http://www.ntsecurity.net/go/l.asp?A1=ind0004b&L=howto
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved – Judy Drennen (products@win2000mag.com)
Copy Editor – Judy Drennen (jdrennen@win2000mag.com)
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
========== GET UPDATED! ==========
Receive the latest information about the Windows 2000 and Windows NT topics
of your choice. Subscribe to these other FREE email newsletters at
http://www.win2000mag.com/sub.cfm?code=up99inxsup.
Windows 2000 Magazine UPDATE
Windows 2000 Magazine Thin-Client UPDATE
Windows 2000 Magazine Exchange Server UPDATE
Windows 2000 Magazine Storage UPDATE
Windows 2000 Magazine Training & Certification UPDATE
Windows 2000 Pro UPDATE
Application Service Provider UPDATE
SQL Server Magazine UPDATE
SQL Server Magazine XML UPDATE
IIS Administrator UPDATE
WinInfo UPDATE
SUBSCRIBE/UNSUBSCRIBE/CHANGE ADDRESS
Thank you for reading Windows 2000 Magazine Security UPDATE.
You are currently subscribed to securityupdate as: packet@PACKETSTORM.SECURIFY.COM
To subscribe, go to the UPDATE home page at
http://www.win2000mag.com/update
or send a blank email to join-securityupdate@list.win2000mag.net.
To remove yourself from the list, send a blank email to
leave-securityupdate-120275L@list.win2000mag.net.
To change your email address, send a message with the sentence
set securityupdate email="new email address"
as the message text to lyris@list.win2000mag.net. Replace the words "new email address" with your new email address (include the quotes).
If you have questions or problems with your UPDATE subscription, please contact securityupdate@win2000mag.com. We will address your questions or problems as quickly as we can, but please allow 2 issues for resolution.
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|
Copyright 2000, Windows 2000 Magazine