Windows Security Digest - May 17, 2000. In this issue: Backpedaling Toward Security. SECURITY RISKS: Emurl 2.0 Exposes Users' Mailboxes, Office 2000 UA Control Scripting, NTMail 5.x Contains an Open Proxy, IIS Denial of Service and Code Exposure, IIS Denial of Service. SECURITY ROUNDUP: Feature: NTFS Access Control Security Enhancements, HowTo: Encrypting Files for Added Security. NEW AND IMPROVED: Message Attachment Scrubbing and Virus Protection, Increase Network Security in Small and Midsized Businesses. SECURITY TOOLKIT: Book Highlight: Cyberwars: Espionage on the Internet, Tip: Detecting Email Worms in Outlook.
**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter brought
to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/
**********************************************************
This week's issue sponsored by
UltraBac Safety Net Backup
http://www.ultrabac.com
Too Many Passwords? Free Single Sign-on White Paper.
http://www.win2000mag.com/jump.cfm?ID=29
(Below SECURITY ROUNDUP)
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
May 17, 2000 - In this issue:
1. IN FOCUS
- Backpedaling Toward Security
2. SECURITY RISKS
- Emurl 2.0 Exposes Users' Mailboxes
- Office 2000 UA Control Scripting
- NTMail 5.x Contains an Open Proxy
- IIS Denial of Service and Code Exposure
- IIS Denial of Service
3. ANNOUNCEMENTS
- New Online Research Panel
- Technet Puzzler--Contest Ends May 21!
- Join Our Team
4. SECURITY ROUNDUP
- Feature: NTFS Access Control Security Enhancements
- HowTo: Encrypting Files for Added Security
5. NEW AND IMPROVED
- Message Attachment Scrubbing and Virus Protection
- Increase Network Security in Small and Midsized Businesses
6. SECURITY TOOLKIT
- Book Highlight: Cyberwars: Espionage on the Internet
- Tip: Detecting Email Worms in Outlook
7. HOT THREADS
- Windows 2000 Magazine Online Forums
Group/User Permissions
- Win2KSecAdvice Mailing List
Fix for Backdoor in Cart32 Software
- HowTo Mailing List
MS Proxy and Domain Filtering
IPSEC VPN on Windows 2000
~~~~ SPONSOR: ULTRABAC SAFETY NET BACKUP ~~~~
Did the "I LOVE YOU" virus wreak havoc with your network? If so, this
should reinforce the importance of using a fast, reliable backup to restore
your computers. While nothing can protect you from a new virus, great
backup software can certainly eliminate lost work and productivity.
UltraBac offers multiple levels of protection against virus damage. Whether
it's standard file-by-file or our special image backup, UltraBac has both
the fastest BACKUP and RESTORE speeds of any NT backup utility--image
restores are lightning fast and can restore a 4GB disk in under 10 minutes!
Visit http://www.ultrabac.com for more info or to download the latest version
of UltraBac.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Jim Langone
(Western Advertising Sales Manager) at 800-593-8268 or jim@win2000mag.com,
OR Tanya T. TateWik (Eastern and International Advertising Sales Manager)
at 877-217-1823 or ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
1. ========== IN FOCUS ==========
Hello everyone,
During the past 2 weeks, Love Letter virus reports have saturated the news
headlines. As one popular columnist pointed out, we've probably never
before seen a virus get so much ink. The virus received so much coverage
because of its massive spread; it infected millions of computers around the
world in a short period of time.
People often like to remind others that hindsight is 20/20, and in the
case of the Love Letter virus, that goes double for Microsoft. The company
took a beating over the Love Letter virus from security aficionados because
of the default functionality available in the Microsoft Outlook mail
clients.
To make Microsoft Outlook 2000 and Outlook 98 more secure, Microsoft has
just released a beta version of an Outlook enhancement that will help
prevent malicious file attachments from reaching end users. Because so many
viruses, worms, and Trojans are aimed at Outlook, Microsoft's enhancement
attempts to filter out certain attachments and restrict programmatic access
to the Outlook address book and contacts. When a potential intruder makes a
programmatic attempt to access the address book, a dialog box warns users
of the attempt. Learn more about this enhancement at
http://officeupdate.microsoft.com/2000/articles/out2ksecarticle.htm.
The enhancement also modifies the default security zone setting within
Outlook from the Internet Zone to the Restricted Sites Zone, which helps
prevent certain objects embedded in email from taking action on the system.
But as Russ Cooper (moderator of NTBugTraq) pointed out, that particular
modification is mostly useless without changes to the default settings in
the Restricted Sites Zone itself, and those changes are not part of the
beta release of the Outlook enhancement. NTSecurity.net columnist David
LeBlanc publicly pointed out more than a year ago that if you don't turn
off all scripting in all security zones for Internet Explorer (IE) and
Outlook, you'll see instances where email-based code can still execute.
Don't overlook that fact, or you might become a victim. No one seems to
know why Microsoft has addressed this well-known issue after so much time.
In a message to NTBugTraq readers, Cooper also pointed out that the
current beta of the Outlook enhancement, which is set for release on May
22, has no provision to tighten security in Outlook Express. That fact is
shocking to users who rely on the mail client. The omission seems odd given
that Outlook Express installs by default with every copy of Windows 2000
and reportedly can't be removed from the OS. For that reason, some people
jokingly refer to Outlook Express as a virus.
In any event, Cooper and many others feel that Microsoft should not
overlook the security needs of millions of Outlook Express users. Will
Microsoft wait until some Love Letter-type virus affects millions of
Outlook Express users before it addresses that mail client?
Nonetheless, Outlook 2000 and Outlook 98 users might be pleased with the
new functionality found with the enhancement. Be sure to read the details
Microsoft provides and consider using the new enhancement to better protect
your systems.
Before I sign off this week, I'd like to point out that some people are
filtering email messages based on keywords to prevent any message that
contains the words "love letter" from getting into a user's inbox. The idea
is to block the virus before it infects more systems. Although that
approach works for the original virus strain, it won't work for the
plethora of variants that continue to float around the Internet. Not only
is word filtering a poor way to block malicious content, but it also partially
defeats the purpose of email and causes people to miss inbound mail they
would like to receive, such as this newsletter. If you're performing simple
keyword filtering to prevent virus infection, you should seriously consider
investing in an enterprise-enabled antivirus solution.
Also consider using Exchange Administrator Newsletter columnist Sue
Mosher's Outlook 2000 script that automatically converts inbound HTML
content to RTF for safe viewing. The script is a good way to filter
content. You can find the script and other helpful Outlook goodies at
http://www.slipstick.com/dev/code/zaphtml.htm. You might also want to read
Russ Cooper's article (http://ntbugtraq.ntadvice.com/outlookviews.asp)
about Outlook email. Russ outlines how the mail client responds to content
under various scenarios, which can help clear up a lot of confusion. Until
next time, have a great week.
Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net
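The keyword-filtering point in the In Focus column above, as an added example that is not part of the original newsletter: it runs a subject/body keyword filter and an attachment-type filter over four constructed messages to show which one misses a renamed variant and which one blocks a legitimate newsletter. The blocklist, keywords, subjects, and file names are assumptions made for illustration.

```python
import os
from email.message import EmailMessage

# Assumed blocklist of script-capable and executable attachment types,
# chosen for illustration; it is not the list the Outlook enhancement uses.
BLOCKED_EXTENSIONS = {".vbs", ".vbe", ".js", ".jse", ".wsf", ".wsh",
                      ".exe", ".scr", ".bat", ".pif"}
KEYWORDS = ("love letter", "iloveyou")


def build_message(subject, body, attachment=None):
    """Build a constructed sample message, optionally with one attachment."""
    msg = EmailMessage()
    msg["Subject"] = subject
    msg.set_content(body)
    if attachment:
        msg.add_attachment(b"placeholder", maintype="application",
                           subtype="octet-stream", filename=attachment)
    return msg


def keyword_filter(msg):
    """Block when the subject or plain-text body contains a keyword."""
    body = msg.get_body(preferencelist=("plain",))
    text = str(msg["Subject"] or "") + "\n" + (body.get_content() if body else "")
    return any(k in text.lower() for k in KEYWORDS)


def attachment_filter(msg):
    """Block when any attachment's final extension is on the blocklist."""
    for part in msg.iter_attachments():
        name = (part.get_filename() or "").strip().rstrip(". ").lower()
        # splitext() keeps only the last extension, so "x.txt.vbs" -> ".vbs"
        if os.path.splitext(name)[1] in BLOCKED_EXTENSIONS:
            return True
    return False


# Constructed samples: (label, message)
SAMPLES = [
    ("original strain", build_message(
        "Love letter for you", "Please open the attachment.",
        "LOVE-LETTER-FOR-YOU.TXT.vbs")),
    ("renamed variant", build_message(
        "Fwd: Joke", "Take a look at this.", "Very Funny.vbs")),
    ("security newsletter", build_message(
        "Security UPDATE, May 17, 2000",
        "Love Letter virus reports have saturated the news headlines.")),
    ("ordinary document", build_message(
        "Meeting minutes", "Minutes attached.", "minutes.doc")),
]


def compare(samples=SAMPLES):
    """Return {label: (blocked_by_keyword, blocked_by_attachment)}."""
    return {label: (keyword_filter(m), attachment_filter(m))
            for label, m in samples}


if __name__ == "__main__":
    for label, verdicts in compare().items():
        print(f"{label:22} keyword={verdicts[0]!s:5} attachment={verdicts[1]}")
```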
2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)
* EMURL 2.0 EXPOSES USERS' MAILBOXES
Emurl allows Web-based access to user mailboxes via an encoded URL. Because
of a product design flaw, a user who can properly encode a user account
number can also access any mailbox on the system without a password.
Furthermore, if identical mailboxes exist on two or more systems, an
intruder can use the same URL to access the mailbox on all those systems.
SeattleLab is aware of the problem and has released an updated version of
Emurl.
http://www.ntsecurity.net/go/load.asp?iD=/security/emurl2-1.htm
* OFFICE 2000 UA CONTROL SCRIPTING
The L0pht reported a problem with a Microsoft Office 2000 component called
the Microsoft Office UA Control, which is installed by default and is
categorized as being safe for scripting. L0pht analysis revealed the
component contains functionality to script almost any action in Office 2000
that the user could perform from the keyboard, including lowering the macro
security settings to low. Microsoft has released a patch for the problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/office2000-1.htm
* NTMAIL 5.X CONTAINS AN OPEN PROXY
Simon Talbot reported a problem in NTMail version 5.x (and possibly other
versions) where the product contains a Web configuration interface and can
serve as a proxy for Web access. By default, the Web service listens on
port 8000, and the proxy service listens on port 8080.
If NTMail is configured to turn off the proxy, the proxy will stop
listening on the default port; however, a user can point to the default Web
port (8000) and gain open access to the Internet. NTMail doesn't prohibit
use of the proxy on the Web-based configuration port.
The vendor, NTMailUSA, is aware of the problem but hasn't released a
fix. If you must restrict user access to Web sites via proxy, disable the
Web configuration service in NTMail until the vendor resolves the problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/ntmail5-1.htm
* IIS DENIAL OF SERVICE AND CODE EXPOSURE
Cerberus Information Security reported that Microsoft IIS contains two
security vulnerabilities in the Internet Server API (ISAPI) extension
(ism.dll) that provides Web-based password administration via .htr script
files. The first vulnerability is a Denial of Service (DoS) attack that can
occur when a user provides a password change request that is missing an
expected delimiter. This crashes the ISAPI extension and degrades the
overall performance of the IIS server. In the second vulnerability, a user
can read fragments of certain files by providing a malformed request that
causes the .htr processing to be applied to those files. Microsoft has
released a fix for the problems.
http://www.ntsecurity.net/go/load.asp?iD=/security/iis4-10.htm
* IIS DENIAL OF SERVICE
USSRLabs reported a problem in Microsoft IIS that can allow Denial of
Service (DoS) attacks against the server. IIS has built-in flexibility that
lets it process any arbitrary sequence of file extensions or subresource
identifiers (path_segments). By providing a URL that contains specially
malformed file extension information, a user can arbitrarily increase the
work factor associated with parsing the URL. This can consume much or all
of the CPU availability, creating a DoS attack against the machine.
Microsoft has released a fix for the problem.
http://www.ntsecurity.net/go/load.asp?iD=/security/iis4-11.htm
3. ========== ANNOUNCEMENTS ==========
* NEW ONLINE RESEARCH PANEL
Business Technology Research is offering qualified applicants a
chance to join its new research panel. Provide direct feedback
to leading technology manufacturers about products in development
and influence the concept, content, and advertising for tomorrow's
technology. Registrants will also be entered in a drawing to win a free
Palm Pilot VII. Visit
http://www.survey.com/btresearch/btrpanel.html
* TECHNET PUZZLER--CONTEST ENDS May 21!
Play the Microsoft TechNet Puzzler and use your expertise to win a trip
to the Tech-Ed 2000 Conference in Orlando and a BMW Z3 Roadster!
http://www.microsoft.com/technet/puzzler/default.asp
* JOIN OUR TEAM
The Windows 2000 Magazine group is seeking highly qualified editorial,
technical, and ad sales talent to staff its rapidly growing network of
print and electronic media resources. For more information visit
http://www.duke.com/job.cfm.
4. ========== SECURITY ROUNDUP ==========
* FEATURE: NTFS ACCESS CONTROL SECURITY ENHANCEMENTS
In Windows 2000, Microsoft redesigned how NTFS handles access control to
files and other objects. You might have noticed that Security Configuration
Manager (SCM), which Microsoft released in Windows NT 4.0 Service Pack 4
(SP4), handles access control like Win2K does. The new NTFS access control
model takes time to get used to, but it adds some important features. The
redesign changes access control in three areas. To learn what those changes
are, read Randy Franklin Smith's entire feature on our Web site.
http://www.ntsecurity.net/go/2c.asp?f=/features.asp?IDF=112&TB=f
* HOWTO: ENCRYPTING FILES FOR ADDED SECURITY
If you're running NTFS on your Windows 2000 system, you can give yourself
extra security by encrypting files. To do so, open My Computer, drill down
to the file or folder you want to encrypt, and right-click it to bring up a
menu. Select Properties and click Advanced... on the Properties dialog box.
You'll find an "Encrypt contents to secure data" check-box at the bottom of
the dialog box. Check this box and click OK. Click OK again to dismiss the
Properties dialog box. Be sure to read the rest of John D. Ruley's article
on our Web site.
http://www.ntsecurity.net/go/2c.asp?f=/howto.asp?IDF=104&TB=h
~~~~ SPONSOR: TOO MANY PASSWORDS? FREE SINGLE SIGN-ON WHITE PAPER. ~~~~
AXENT's PassGo(tm) InSync gives users one single password for universal
access and can be deployed for thousands of users in as little as four
days, across the entire enterprise. PassGo InSync is part of AXENT's
Lifecycle Security(tm) solutions for e-security.
This week and through March 10, AXENT is offering a free copy of the white
paper, "Fast Path to Single Sign-On: PassGo Solutions Simplifies Secure
Access." http://www.win2000mag.com/jump.cfm?ID=29
5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)
* MESSAGE ATTACHMENT SCRUBBING AND VIRUS PROTECTION
Sophos and United Messaging announced a licensing agreement that lets
United Messaging customers benefit from Sophos Anti-Virus (SAV) technology
through a product called Message Control. Message Control uses SAV to
improve customers' network security through virus detection and attachment
scrubbing.
For more information, contact Sophos at 888-767-4679 or
http://www.sophos.com. Or contact United Messaging at 888-993-5088 or
http://www.unitedmessaging.com.
* INCREASE NETWORK SECURITY IN SMALL AND MIDSIZED BUSINESSES
RADWARE and NetGuard will coordinate sales and marketing of security
solutions comprised of NetGuard's GuardianPRO, an NT firewall, and
RADWARE's FireProof, an intelligent, redundant high-availability solution
for managing traffic within multiple firewall systems. GuardianPRO supports
all IP protocols and services including streaming media and Voice-over-IP
(VoIP) services. For more information about NetGuard or GuardianPRO, call
972-738-6900 or go to the company's Web site at http://www.netguard.com.
6. ========== SECURITY TOOLKIT ==========
* BOOK HIGHLIGHT: CYBERWARS: ESPIONAGE ON THE INTERNET
By Jean Guisnel, Gui Masai, et al.
Online Price: $12.80
Softcover; 296 Pages
Published by Perseus Books, December 1999
ISBN 0738202606
"Cyberwars" explores a world where international terrorists plot their
attacks and are tracked by secret service organizations, drug traffickers
do business and launder money, and electronic economic espionage is the
order of the day. Examining efforts to police online communications and
content, the authors assess the implications of pervasive surveillance for
the Internet.
To order this book, go to
http://www.fatbrain.com/shop/info/0738202606?from=win2000mag
or visit the Windows 2000 Magazine Network Bookstore at
http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772.
* TIP: DETECTING EMAIL WORMS IN OUTLOOK
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)
The recent Love Letter virus infected millions of computer users. As you
know, Love Letter spread quickly by accessing the user's address book and
sending a copy of the virus to everyone listed therein.
Outlook users (and possibly users of other mail clients) might find it
useful to have a dummy user in the address book to help detect future
worms. By creating a fictitious user with a bogus email address, a user can
make Microsoft Outlook generate an onscreen error message about that bad
address any time it's used to send email, including when used by a virus or
worm. Having such a bogus email contact won't stop a virus or worm, but it
will alert you that something is accessing your address book without your
approval. You can then contact your network security personnel to
investigate.
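The decoy-contact idea above, as an added example that is not part of the original tip: it goes beyond the Outlook error dialog by scanning mail-server log lines for any sender that addressed the decoy, and reports how many distinct recipients that sender mailed around the same time. The decoy address, the log format, and the 60-second window are assumptions, and the log lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

CANARY = "aaa-decoy@canary.invalid"   # hypothetical decoy contact address
WINDOW = timedelta(seconds=60)        # assumed triage window around the hit

# Assumed log format: "<date> <time> from=<sender> to=<recipient>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) "
    r"from=<(?P<sender>[^>]+)> to=<(?P<rcpt>[^>]+)>$")

# Constructed sample log lines
SAMPLE_LOG = """\
2000-05-17 08:00:00 from=<carol@example.com> to=<grace@example.com>
2000-05-17 09:00:01 from=<alice@example.com> to=<bob@example.com>
2000-05-17 09:14:30 from=<carol@example.com> to=<aaa-decoy@canary.invalid>
2000-05-17 09:14:31 from=<carol@example.com> to=<bob@example.com>
2000-05-17 09:14:31 from=<carol@example.com> to=<dave@example.com>
2000-05-17 09:14:33 from=<carol@example.com> to=<erin@example.com>
this line is malformed and is skipped
2000-05-17 09:20:00 from=<dave@example.com> to=<alice@example.com>
"""


def parse(log_text):
    """Yield (timestamp, sender, recipient) for each well-formed line."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
            yield ts, m["sender"].lower(), m["rcpt"].lower()


def canary_alerts(log_text, canary=CANARY, window=WINDOW):
    """Return one alert per sender that mailed the decoy address."""
    by_sender = defaultdict(list)
    for ts, sender, rcpt in parse(log_text):
        by_sender[sender].append((ts, rcpt))

    alerts = []
    for sender, sent in by_sender.items():
        hits = [ts for ts, rcpt in sent if rcpt == canary.lower()]
        if not hits:
            continue
        first = min(hits)
        # Distinct recipients mailed close to the first decoy hit; a large
        # number suggests the whole address book was walked.
        burst = {rcpt for ts, rcpt in sent if abs(ts - first) <= window}
        alerts.append({"sender": sender, "first_hit": first,
                       "recipients_in_window": len(burst)})
    return sorted(alerts, key=lambda a: a["first_hit"])


if __name__ == "__main__":
    for alert in canary_alerts(SAMPLE_LOG):
        print(alert)
```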
7. ========== HOT THREADS ==========
* WINDOWS 2000 MAGAZINE ONLINE FORUMS
The following text is from a recent threaded discussion on the Windows
2000 Magazine online forums (http://www.win2000mag.com/support).
May 16, 2000, 01:04 P.M.
Group/User Permissions
I seem to be having a little problem configuring some of the Group
policies/permissions. Basically, what I need is to be able to give
permission for some people to be able to install software at their local
machine (yet logged into the network). This is mostly for the development
group we have here; other users will still have to hunt down the sys admin.
Is there a way to do this with Windows 2000? What did I miss? Thanks in
advance.
Thread continues at
http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=70&Message_ID=103338.
* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following thread is in the spotlight
this week.
Fix for Backdoor in Cart32 Software
Cart32, a popular shopping basket application, was discovered to contain a
deliberate backdoor that could allow a person with adequate knowledge to
perform actions against a remote system. The vendor, McMurtrey/Whitaker &
Associates, has released a fix.
http://www.ntsecurity.net/go/w.asp?A2=IND0005a&L=WIN2KSECADVICE&P=236
Follow this link to read all threads for May, Week 1:
http://www.ntsecurity.net/go/w.asp?A1=ind0005a&L=win2ksecadvice
* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
HowTo for Security mailing list. The following threads are in the
spotlight this week.
1. MS Proxy and Domain Filtering
I am trying to configure MS Proxy for Domain name filtering on a multihomed
server--with two internal subnets. What I need is domain name filtering
just for one of the internal subnets. Can somebody help me with this?
http://www.ntsecurity.net/go/L.asp?A2=IND0005C&L=HOWTO&P=892
2. IPSEC VPN on Windows 2000
Has anyone successfully set up a VPN connection using IPSEC on a Windows
2000 and Cisco router that uses IPSEC? I have problems when I am
configuring the router and Win2K.
http://www.ntsecurity.net/go/L.asp?A2=IND0005c&L=HOWTO&P=366
Follow this link to read all threads for May, Week 3:
http://www.ntsecurity.net/go/l.asp?A1=ind0005c&L=howto
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
========== GET UPDATED! ==========
Receive the latest information about the Windows 2000 and Windows NT
topics of your choice, including Win2K Pro, Exchange Server, thin-client,
training and certification, SQL Server, IIS administration, XML,
application service providers, and more. Subscribe to our other FREE email
newsletters at
http://www.win2000mag.com/sub.cfm?code=up00inxwnf.
SUBSCRIBE/UNSUBSCRIBE
Thank you for reading Windows 2000 Magazine Security UPDATE.
To subscribe, go to the UPDATE home page at http://www.win2000mag.com/update.
To remove yourself from the list, send a blank email to securityupdate@win2000mag.com.
If you have questions or problems with your UPDATE subscription, please contact securityupdate@win2000mag.com.
We will address your questions or problems as quickly as we can, but please allow 2 issues for resolution.
|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|
Copyright 2000, Windows 2000 Magazine