**********************************************************
WINDOWS NT MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows NT security update newsletter brought to you by
Windows NT Magazine and NTsecurity.net
http://www.winntmag.com/update/
**********************************************************

This week's issue sponsored by

Sunbelt Software - STAT: NT Vulnerability Scanner
http://www.sunbelt-software.com/stat.htm

Network-1 Security Solutions - Embedded NT Firewalls
http://www.network-1.com/eval/eval6992.htm
(Below Security Roundup)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

November 24, 1999 - In this issue:

1. IN FOCUS
   - Windows NT Magazine and NTSecurity.net Join Forces

2. SECURITY RISKS
   - Internet Explorer 5.0 XML Redirects
   - Vermillion FTP Server Subject to Denial of Service
   - WordPad Subject to Crash
   - HP JetDirect Denial of Service
   - ZetaMail 2.1 Subject to Denial of Service
   - G6 FTP Server Subject to Denial of Service

3. ANNOUNCEMENTS
   - Answers To NT Frequently Asked Questions
   - Security Poll: Have You Taken Any Formal Security Training?

4. SECURITY ROUNDUP
   - Feature: Melissa Variant Prilissa on the Loose
   - Feature: ESE Page Zeroing Enhances Exchange Security
   - Feature: The Philosophy of Security - UNIX vs. NT
   - Review: 3Com's New 3CR990 Encrypting NIC

5. NEW AND IMPROVED
   - Virus Protection for File Servers

6. HOT RELEASE
   - kforce.com

7. SECURITY TOOLKIT
   - Book Highlight: Windows NT Magazine Administrator's Survival Guide:
     System Management and Security
   - Security Shareware: NightVision
   - Tip: Controlling NetBIOS Access
   - HowTo: Backing Up and Restoring Win2K System State

8. HOT THREADS
   - Windows NT Magazine Online Forums: Default Admin Share
   - Win2KSecAdvice Mailing List: Event Logs of Failed Logons;
     Windows Update Carries a Bug
   - HowTo Mailing List: Removing Hidden Shares; MS Access Security

~~~~ SPONSOR: SUNBELT SOFTWARE - STAT: NT VULNERABILITY SCANNER ~~~~
Ever had that feeling of ACUTE PANIC that a hacker has invaded your network? Plug NT's holes before they plug you. There are many hundreds of known NT vulnerabilities. New ones are found daily. You just have to protect your LAN _before_ it gets attacked. STAT is a new tool that solves your NT security exposure in a completely unique fashion. STAT is not just a shrink-wrap product. It comes with a responsive web-update service and a dedicated Pro SWAT team that helps you to hunt down and kill security holes. Originally built by anti-hacker experts for secure government sites. Download a demo copy before you become a statistic.
http://www.sunbelt-software.com/stat.htm
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Want to sponsor Windows NT Magazine Security UPDATE? Contact Vicki Peterson (Western and International Advertising Sales Manager) at 877-217-1826 or vpeterson@winntmag.com, OR Tanya T. TateWik (Eastern Advertising Sales Manager) at 877-217-1823 or ttatewik@winntmag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

It's now official: NTSecurity.net has joined forces with Windows NT Magazine to bring you an even stronger offering of NT security information. With the new partnership, Windows NT Magazine and NTSecurity.net will combine resources and efforts to produce a stronger security newsletter and a more content-rich NT-related security Web site. To understand how we've reorganized our security-related publications under the new alliance, you might need to understand a bit about the history of NTSecurity.net.
I started NTSecurity.net in 1996 as an independent project to offer the community a quick summary of all known NT-related security vulnerabilities and fixes in one location. The site quickly evolved to include vulnerabilities for all Microsoft OSs and applications, as well as third-party Windows-based applications. Today, NTSecurity.net encompasses more than just vulnerability and fix information. At the site, you'll find news, features, product reviews, how-to articles, books, security software tools, several security mailing lists, a newsletter, and a wealth of other timely security-related information.

If you're a frequent visitor to NTSecurity.net, you already know about the Windows Security Alerts (WinSA) and Windows Security Digest (WinSD) mailing lists. The lists have been around for some time and are popular with the security community. Subscribers to the WinSA mailing list receive security alerts as we learn of new risks; WinSD is a weekly digest newsletter that covers security news from a variety of third-party information resources.

Under the new partnership, WinSA, WinSD, and the Security UPDATE mailing list are combined into one mailing list. The content formerly published in WinSD will become part of Security UPDATE. In addition to receiving new content, each Security UPDATE subscriber will now automatically receive the security alerts formerly provided by WinSA.

What are security alerts? As we become aware of new Windows-related security risks, we analyze the risk, write up the details (including any known workarounds and fixes), and immediately alert our readers via email. The alert service reduces the time you spend learning about new risks on your own, and helps you avoid overlooking any new risks that may affect your network.

Not only have we combined the email-based publications, but we are also consolidating Web-based resources. Although you'll still find security-related information on the Windows NT Magazine Web site, most security information will now appear on NTSecurity.net instead of WinNTMag.com. In a nutshell, NTSecurity.net has become the new point-of-publication for all of Windows NT Magazine's Web-based security-related articles and information.

In the near future, you'll begin to see notable changes at the NTSecurity.net Web site that reflect this new partnership. You'll find new, regularly published content that includes exclusive columns from notable industry insiders, weekly editorials and news analysis, in-house product reviews, how-to articles, lots of security tips, even more book recommendations, and several other features that are still on the drawing board (more on those in a future edition of this newsletter).

The alliance represents Windows NT Magazine's commitment to providing each of you with the best and most up-to-date security information available anywhere today. We hope you enjoy this first edition of Security UPDATE using the new expanded format. And by all means, if you have any comments or suggestions, please feel free to send them my way.

Until next time, have a great week.

Sincerely,

Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS ==========
(contributed by Mark Joseph Edwards, http://www.ntsecurity.net)

* INTERNET EXPLORER 5.0 XML REDIRECTS
Georgi Guninski reported a problem with Internet Explorer (IE) 5.0 under Windows NT 4.0 and Windows 95. According to the report, IE 5.0 has a problem with the way it handles HTTP redirects in Extensible Markup Language (XML) objects. The problem unnecessarily exposes a user's local files. When a user embeds an XML document within an HTML document, IE 5.0 doesn't handle the HTTP redirects properly, thereby allowing access to the domain of the embedded XML document.
http://www.ntsecurity.net/go/load.asp?iD=/security/IE54.htm

* VERMILLION FTP SERVER SUBJECT TO DENIAL OF SERVICE
USSRLabs discovered a denial of service (DoS) condition in Vermillion FTP Daemon (VFTPD) 1.23 caused by a buffer overflow condition in the CWD command. By sending a CWD command three times in a row with a command buffer of exactly 504 characters, an intruder can crash the server.
http://www.ntsecurity.net/go/load.asp?iD=/security/verm1.htm

* WORDPAD SUBJECT TO CRASH
Windows NT and Windows 9x ship with a built-in word processor (WordPad), which relies on riched20.dll. The DLL has an overflow condition present when viewing Rich Text Format (RTF) files that can cause WordPad to crash. The vulnerability doesn't appear to offer a means of executing arbitrary code, so the risk is limited to that of a minor nuisance.
http://www.ntsecurity.net/go/load.asp?iD=/security/richedit1.htm

* HP JETDIRECT DENIAL OF SERVICE
The HP JetDirect J3111A module with firmware G.05.35 suffers from a buffer overflow in its internal Web server that can lead to a crash and, thus, a denial of service (DoS). If a user enters a particular URL in a Web browser, the printer crashes and prints a diagnostics page showing the contents of all registers and 64 bytes of all memory addresses that the address registers point to.
http://www.ntsecurity.net/go/load.asp?iD=/security/jetdirect1.htm

* ZETAMAIL 2.1 SUBJECT TO DENIAL OF SERVICE
UssrLabs discovered a buffer overflow condition in the ZetaMail 2.1 mail server; the condition is present in the server's user login sequence. By sending a username and password of 3500 characters, an intruder can crash the server.
http://www.ntsecurity.net/go/load.asp?iD=/security/zetamail1.htm

* G6 FTP SERVER SUBJECT TO DENIAL OF SERVICE
UssrLabs reported a denial of service (DoS) vulnerability in Gene6's G6 FTP Server caused by a buffer overflow condition. When a user logs into the FTP server using a long username (2000 characters), the service will begin consuming memory and CPU cycles until it exhausts all resources, causing the server to stop responding.
http://www.ntsecurity.net/go/load.asp?iD=/security/g6ftp.htm

3. ========== ANNOUNCEMENTS ==========

* ANSWERS TO NT FREQUENTLY ASKED QUESTIONS
Check out this technically rich FAQ site: http://www.jsiinc.com/reghack.htm. Established by Jerold Schulman, it includes more than 1800 fully searchable Windows NT tips, techniques, and Registry hacks. With new listings added daily, it is a superior resource from one of the sharpest minds in the industry.

* SECURITY POLL: HAVE YOU TAKEN ANY FORMAL SECURITY TRAINING?
On November 1, we posted a nonscientific survey on NTSecurity.net asking readers if they had taken any security training, and if so, whether that training was mandated or voluntary. To view the survey results, visit
http://www.ntsecurity.net/go/loadit.asp?/forums/2cents/polls.asp?idf=107&tb=polls

4. ========== SECURITY ROUNDUP ==========

* FEATURE: MELISSA VARIANT PRILISSA ON THE LOOSE
Users recently discovered a Melissa virus variant named Prilissa. The virus infects Word 97 documents and spreads by sending the infected document as an email attachment using Microsoft Outlook to the first 50 addresses in each address book. The subject line reads "Message From (username)." The text in the body of the message reads "This document is very Important and you've GOT to read this!!!" When a user opens the infected document, the virus disables the virus protection security settings, conversion confirmation, and the recently opened file list. In addition, the virus triggers on December 25, a Christian holiday. Once triggered, the virus writes a Moslem-related message on the screen, modifies the user's autoexec.bat file and, upon reboot, displays a second Moslem-related message. Most major antivirus software vendors have produced signature files to detect and remove the virus.
Be sure to update your files today.
http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=179&TB=news
http://www.symantec.com/press/1999/n991122b.html

* FEATURE: ESE PAGE ZEROING ENHANCES EXCHANGE SECURITY
Extensible Storage Engine (ESE) Page Zeroing, also called scrubbing, is a feature that Microsoft first made available in Exchange Server 5.5 Service Pack 2 (SP2). Scrubbing overwrites unused pages in Exchange Server databases with a byte pattern so that a user can't recover data within these unused pages using conventional means. When users delete an item from the Exchange server, such as when they delete a message from their mailbox, Exchange removes references to the item and marks as unused the pages the item was occupying (assuming you've disabled Deleted Item Retention). Without scrubbing, someone can retrieve the deleted data using conventional retrieval methods.
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=138&TB=f

* FEATURE: THE PHILOSOPHY OF SECURITY - UNIX VS. NT
Simson L. Garfinkel writes a compelling article for ZDTV that looks at some of the fundamental differences between the security approaches in Windows NT and UNIX. Garfinkel points out several shortcomings that Microsoft developers could have taken efforts to eliminate and also points out that UNIX isn't perfect either.
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=137&TB=f

* REVIEW: 3COM'S NEW 3CR990 ENCRYPTING NIC
In his review for Planet IT, Edward J. Correia examines 3Com's new 3CR990-TX 10/100 Fast Ethernet NIC. The new network adapter sports Data Encryption Standard (DES) and 3DES encryption and offloads processing from the system with its built-in encryption hardware engine.
http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=112&TB=howto

~~~~ SPONSOR: NETWORK-1 SECURITY SOLUTIONS - EMBEDDED NT FIREWALLS ~~~~
CyberwallPLUS-SV is the first embedded firewall for NT servers. It secures valuable servers with network access controls and intrusion prevention. Visit to register for a free trip to SANS Security '99 in San Francisco.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

5. ========== NEW AND IMPROVED ==========
(contributed by Carolyn Mascarenas, products@winntmag.com)

* VIRUS PROTECTION FOR FILE SERVERS
Trend Micro announced ServerProtect 5.0, virus protection software for file servers. You can organize a series of antivirus management operations into one task. You can centrally and remotely manage multiple Windows NT and Novell NetWare servers and domains simultaneously from one Windows-based management console. You can configure ServerProtect to automatically download scan engines, pattern files, and program files to ensure you are updated with all the latest technology needed to fight the newest viruses. Pricing is on a per seat/volume basis and starts at $600 for 25 users. Contact Trend Micro, 408-867-6404.
http://www.antivirus.com

6. ========== HOT RELEASE (ADVERTISEMENT) ==========

* KFORCE.COM
Afraid of getting lost on another job board? Real results by real people at kforce.com. Resumes read by 2,300 Career Specialists, Confidential Searching, and a Career Development Coach! Click on ***kforce.com*** where opportunity has a new address.
http://ad.doubleclick.net/clk;629716;3578931;w?http://www.kforce.com

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: WINDOWS NT MAGAZINE ADMINISTRATOR'S SURVIVAL GUIDE: SYSTEM MANAGEMENT AND SECURITY
By John Enck
Online Price: $31.95
Softcover; 359 pages
Published by Duke Press, June 1998

Windows NT Magazine brings you Windows NT Magazine Administrator's Survival Guide: System Management and Security--the first book in the Survival Guide series. John Enck has assembled the best articles and authors to share their vast experience with mission-critical system management and security issues. The articles have been updated, and Enck has added new introductory material to set the context for readers.
Busy NT users will find the hands-on, problem-solving approach they have come to rely on in the magazine invaluable in this rich, user-friendly resource.

For Windows NT Magazine Security UPDATE readers only--receive an additional 10 PERCENT off the online price by typing WINNTMAG in the referral field on the Shopping Basket Checkout page. To order this book, go to
http://www.fatbrain.com/shop/info/188241988X?from=SUT864

* SECURITY SHAREWARE: NIGHTVISION
(contributed by Jonathan Chau, jjc@winntmag.com)
For administrators, there's nothing worse than when the network goes down overnight. NightVision, a new network monitoring utility, acts as the eyes behind your head. NightVision can monitor both Windows and UNIX machines over a TCP or UDP connection, and you can seamlessly integrate the program into any network. The product works by periodically checking whether the connected systems are still up and responsive. If NightVision detects an error, it can email or page the specified administrator to alert them to the problem.
http://www.jriver.com/products/night-vision.html

* TIP: CONTROLLING NETBIOS ACCESS
(contributed by Mark Joseph Edwards, http://www.ntsecurity.net)
About once each month, someone asks me how to block access to NetBIOS from the Internet without using a firewall. You can accomplish this task in at least two different ways, and both are fairly simple to implement.

The first method uses Windows NT's built-in TCP/IP security, in which an administrator defines which ports to block. By examining the TCP/IP properties under the Network applet in the Control Panel, you'll find the security settings. The dialog box is located on the IP Address tab under the Enabled Security section. Keep in mind that when you block ports using this feature, the ports remain blocked until you re-adjust the settings. To block NetBIOS, deny incoming access to TCP ports 135, 137, and 138, as well as UDP port 139.
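Whichever way you shut NetBIOS off, check the result on the host itself rather than trusting the dialog box. The following script is an added example, not part of the newsletter or of Windows NT: it parses the output of `netstat -an` in the Windows format (the sample below is constructed, not a real capture) and reports every socket still bound to one of the ports the tip names. The check reports both TCP listeners and UDP sockets on each port, so it does not depend on which protocol a given NetBIOS service uses.

```python
import re
from typing import List, Tuple

# Ports the tip tells the reader to block; a bound socket on any of them,
# TCP or UDP, means NetBIOS-related services are still reachable.
NETBIOS_PORTS = {135, 137, 138, 139}

# Constructed sample of Windows `netstat -an` output (not a real capture).
# 192.0.2.0/24 is a documentation range; the 139 ESTABLISHED line shows
# an existing session, which is not the same as an open listener.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:139         192.0.2.77:1045        ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
  UDP    0.0.0.0:161            *:*
"""

# proto, local address, local port, foreign address, optional state column
_LINE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def netbios_listeners(netstat_text: str) -> List[Tuple[str, str, int]]:
    """Return (proto, local_ip, port) for each socket that still accepts
    traffic on a NetBIOS-related port.

    TCP sockets count only in the LISTENING state; UDP sockets have no
    state column in netstat output and are reported whenever bound.
    """
    found: List[Tuple[str, str, int]] = []
    for line in netstat_text.splitlines():
        m = _LINE.match(line)
        if not m:
            continue  # header, blank line, or a line in another format
        proto, local_ip, port_str, _foreign, state = m.groups()
        port = int(port_str)
        if port not in NETBIOS_PORTS:
            continue
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing session, not a listener
        found.append((proto, local_ip, port))
    return found


def netbios_exposed(netstat_text: str) -> bool:
    """True if any NetBIOS-related listener remains after the block."""
    return bool(netbios_listeners(netstat_text))


if __name__ == "__main__":
    for proto, ip, port in netbios_listeners(SAMPLE_NETSTAT):
        print(f"still open: {proto} {ip}:{port}")
```

Run it against the real output with `netstat -an > ports.txt` on the NT host and feed the file to `netbios_listeners`; an empty result is what you want to see before exposing the machine.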
Another way to achieve the same result is to stop the Server service. The Server service is necessary for NetBIOS functionality, and when that service is not running, NetBIOS is not available. The Server service is not required to run an Internet Information Server (IIS) Web server or many other servers you might expose to the Internet. The only limitation in stopping the Server service is that you can no longer access that machine's resources using NetBIOS-based tools such as NT Explorer or User Manager. To use such tools, you simply start the Server service for the required time period, then stop the service when you're done managing the server over NetBIOS.

Even though both methods block NetBIOS access to a given NT system, these methods are not replacements for an adequate network border protection system such as a firewall.

* HOWTO: BACKING UP AND RESTORING WIN2K SYSTEM STATE
Windows 2000 (Win2K) contains several crucial system components that are essential to successful operation. You should ensure that you properly back up these components and that you can successfully restore them if things go wrong. In his Web Exclusive for Windows NT Magazine Online, Zubair Ahmad discusses system state backup and recovery tips and techniques for Win2K.
http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=112&TB=howto

8. ========== HOT THREADS ==========

* WINDOWS NT MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows NT Magazine online forums (http://www.winntmag.com/support).

November 18, 1999, 10:21 A.M.
Default Admin Share
How do I stop the default Admin share on a Windows NT Workstation permanently?
Thread continues at
http://winntmag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=78648

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the Win2KsecAdvice mailing list. The following threads are in the spotlight this week:

1. Event Logs of Failed Logons
http://www.ntsecurity.net/go/page_listserv.asp?A2=IND9911C&L=WIN2KSECADVICE&P=2241

2. Windows Update Carries a Bug
http://www.ntsecurity.net/go/page_listserv.asp?A2=IND9911C&L=WIN2KSECADVICE&P=1043

Follow this link to read all threads for November Week 3:
http://www.ntsecurity.net/go/loadit.asp?id=page_listserv.asp?s=win2ksec

* HOWTO MAILING LIST
Each week, we offer a quick recap of highlights from the "HowTo for Security" mailing list. The following threads are in the spotlight this week:

1. Removing Hidden Shares
http://www.ntsecurity.net/go/loadit.asp?/go/page_listserv.asp?A2=IND9911C&L=HOWTO&D=0&P=8802

2. MS Access Security
http://www.ntsecurity.net/go/loadit.asp?/go/page_listserv.asp?A2=IND9911C&L=HOWTO&D=0&P=9968

Follow this link to read all threads for November Week 3:
http://www.ntsecurity.net/go/loadit.asp?id=page_listserv.asp?s=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS NT MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@winntmag.com)
Ad Sales Manager (Western and International) - Vicki Peterson (vpeterson@winntmag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@winntmag.com)
Editor - Gayle Rodcay (gayle@winntmag.com)
New and Improved - Carolyn Mascarenas (products@winntmag.com)
Security Shareware - Jonathan Chau (jjc@winntmag.com)
Editor-at-Large - Jane Morrill (jane@winntmag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows NT Magazine Security UPDATE.

To subscribe, go to http://www.winntmag.com/update or send email to listserv@listserv.ntsecurity.net with the words "subscribe securityupdate anonymous" in the body of the message without the quotes.

To unsubscribe, send email to listserv@listserv.ntsecurity.net with the words "unsubscribe securityupdate" in the body of the message without the quotes.

========== GET UPDATED! ==========
Receive the latest information on the NT topics of your choice.
Subscribe to these other FREE email newsletters at
http://www.winntmag.com/sub.cfm?code=up99inxsup.

Windows NT Magazine UPDATE
Windows NT Magazine Thin-Client UPDATE
Windows NT Exchange Server UPDATE
Windows 2000 Pro UPDATE
SQL Server Magazine UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Copyright 1999, Windows NT Magazine