SecurityFocus Microsoft Newsletter #53
From: Marc Fossi (mfossi@securityfocus.com)Date: 09/24/01
- Previous message: Kinsey, Robert: "RE: Quick Norton AV question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Date: Mon, 24 Sep 2001 13:13:37 -0600 (MDT) From: Marc Fossi <mfossi@securityfocus.com> To: Focus-MS <focus-ms@securityfocus.com> Subject: SecurityFocus Microsoft Newsletter #53 Message-ID: <Pine.GSO.4.30.0109241313080.19643-100000@mail>
SecurityFocus Microsoft Newsletter #53
--------------------------------------
This newsletter is sponsored by: Founstone
ULTIMATE HACKING: HANDS ON - NT/2000 SECURITY
If you're running a Windows network, then this is the intensive 3-day
course with everything a hacker knows...that you'll need to know!
Foundstone wrote the book on Windows security, literally, with our newest
publication "Hacking Exposed: Windows 2000." Our hands-on class, based on
the book and real world consultant experience, provides a dynamic
environment to learn this security knowledge. As a Specialist in
Microsoft's Security Services Partner Program, Foundstone knows hacking,
security and Microsoft. Register now for the class in Irvine, California,
December 11-13.
Please visit us at:
http://www.foundstone.com/NT/
-------------------------------------------------------------------------------
I. FRONT AND CENTER
1. What September 11th May Mean to Netizens
2. Recipe for trouble
II. MICROSOFT VULNERABILITY SUMMARY
1. Microsoft Windows NT RPC Endpoint Mapper Denial of Service...
2. Microsoft IIS UTF Directory Traversal and Remote Command...
3. Microsoft Index Server 2.0 File Information and Path Disclosure...
4. Microsoft Outlook Express 6 Plain Text Message Script Execution...
III. MICROSOFT FOCUS LIST SUMMARY
1. New worm? 'readme.eml' (Thread)
2. W2K Security Templates (Thread)
3. Front Page Extensions Security Issues (Thread)
4. Move those files! cmd.exe tftp.exe etc ... (Thread)
5. fport for Win ME or 98 (Thread)
6. FW: W2K Security Templates (Thread)
7. URLSCAN (Thread)
8. [GFISEC] Nimda worm analysis (Thread)
9. Sophos Disinfect Utility (Thread)
10. Batch Files which Check for Nimda Infection (Thread)
11. Unknown Telnet server (Thread)
12. Windows Update (Thread)
13. Nimda and patched machines (Thread)
14. Detailed Nimda Analysis Report (Thread)
15. Outloook Security Setting (Thread)
16. Nimda Poison Pill (Thread)
17. Mutex (Thread)
18. URLScan... Hooray! [pause] Where's the source code? (Thread)
19. Re[2]: Unknown Telnet server (Thread)
20. BOOK: Hacking Exposed Windows 2000: Network Security Secrets...
21. W32/Nimda and Outlook Web Access (Thread)
22. W32/Nimda.a@mm (Thread)
23. New Worm Named W32/Minda.a@mm (Thread)
24. Infected EXE files? (Thread)
25. Nimda Worm Alert (fwd) (Thread)
26. test for browser vulnerability (Thread)
27. Nimda worm (Thread)
28. Syslog Viewer/Reporter (Thread)
29. New problem (Thread)
30. New Worm: Massive Scans for cmd.exe/root.exe (fwd) (Thread)
31. New IIS Worm (Thread)
32. Administrivia: New Worm (Thread)
33. Virus/Worm Alert (Code Red Derived) - Concept Virus v.5...
34. Frontpage Server Extension on Production server. (Thread)
35. SecurityFocus Microsoft Newsletter #52 (Thread)
36. Incident Response Course for NT/2K (Thread)
37. HFNetChk 3.2 beta is now available (Thread)
38. IIS5 does not reload pages passed through ISAPI filters...
39. MS URL SCAN (Thread)
40. Yet another OE worm (fwd) (Thread)
41. NT4+IIS4 = spam problem? (Thread)
IV.NEW PRODUCTS FOR MICROSOFT PLATFORMS
1. RiverWorks Enterprise VPN
2. BioLogon Windows 95
3. GemSAFE Enterprise
4. NetFortress Remote
5. Ethenticator MS 3000
V. NEW TOOLS FOR MICROSOFT PLATFORMS
1. IIS Worms Detector
2. Code Blue Removal Utility
3. CodeBlue v3
4. IP Restrictions Scanner (IRS)
VI. SPONSORSHIP INFORMATION
I. FRONT AND CENTER
-------------------
1. What September 11th May Mean to Netizens
by Richard Forno
Legislators must resist the urge to infringe on civil liberties in the
name of security.
http://www.securityfocus.com/columnists/25
2. Recipe for trouble
By Tim Mullen
If you were to lay out all of Microsoft's software products upon a single
table, you would have a veritable smorgasbord of shrink-wrapped packages
of all sizes, shapes, and colors spread about like a king's banquet.
Whether you prefer server products, Internet tools, programming languages,
graphics and photo manipulation, productivity and management suites, or
simply entertainment and games, Microsoft has an entrée for every cuisine.
http://www.securityfocus.com/columnists/24
II. BUGTRAQ SUMMARY
-------------------
1. Microsoft Windows NT RPC Endpoint Mapper Denial of Service Vulnerability
BugTraq ID: 3313
Remote: Yes
Date Published: 2001-09-10
Relevant URL:
http://www.securityfocus.com/bid/3313
Summary:
Remote Procedure Call (RPC) services are typically used by distributed
applications such as SQL server and Exchange server. RPC services are
assigned TCP and UDP ports dynamically. The RPC Endpoint Mapper service
provides a mapping between RPC services and their currently assigned
ports. Therefore, when a client requires access to a service using RPC,
it must first request a port mapping from the RPC Endpoint Mapper, then it
communicates directly with the service.
When the RPC Endpoint Mapper, which typically resides on port 135, is sent
a particular type of malformed data, it can cause the service to fail.
This will cause all client attempts to communicate with RPC services on
the target host to fail, resulting in a denial of services.
The service can be restored to normal operation after a reboot of the
server.
2. Microsoft IIS UTF Directory Traversal and Remote Command Execution Vulnerability
BugTraq ID: 3348
Remote: Yes
Date Published: 2001-09-19
Relevant URL:
http://www.securityfocus.com/bid/3348
Summary:
Microsoft Internet Information Server is vulnerable to a UTF directory
traversal, which could allow an attacker to execute commands remotely on
the target server.
Normally, IIS blocks attempts to access directories outside of the webroot
in HTTP requests. If 'directory traversal' character sequences that try
to do this are found in an HTTP request, IIS blocks the request.
However, if special UTF encoding is used, this filtering is bypassed,
allowing an attacker to traverse outside of the webroot and execute
commands on the system.
Remote web clients may access any known file in the context of the
IUSR_machinename account. The IUSR_machinename account is a member of the
Everyone and Users groups by default, therefore, any file on the same
logical drive as any web-accessible file that is accessible to these
groups can be deleted, modified, or executed.
It is believed exploitation of this vulnerability requires the presence of
an executable 'scripts'-type virtual folder. Removal of these folders
could mitigate this vulnerability. This has not been verified by
Microsoft.
It is important to note that remote command execution vulnerabilities
similar to this were used by the Code Red, Code Blue, and Nimda worms.
It should be expected that a worm will exploit this vulnerability to
propagate itself.
Additional technical details are forthcoming.
3. Microsoft Index Server 2.0 File Information and Path Disclosure Vulnerability
BugTraq ID: 3339
Remote: Yes
Date Published: 2001-09-14
Relevant URL:
http://www.securityfocus.com/bid/3339
Summary:
The sqlqhit.asp sample file is used for performing web-based SQL queries.
Malicious users could send specifically crafted HTTP request to an
Internet Information Services server running Index Server to reveal path
information, file attributes, and possibly some lines of the file
contents.
The sqlqhit.asp file is located in the \inetpub\iissamples\ISSamples\
folder and is installed by default.
4. Microsoft Outlook Express 6 Plain Text Message Script Execution Vulnerability
BugTraq ID: 3334
Remote: Yes
Date Published: 2001-09-12
Relevant URL:
http://www.securityfocus.com/bid/3334
Summary:
In order for scripting components in an email message to execute, the
email message must be have a content-type of text/html set in it's header.
The content-type field in the header is used by email clients and gateway
filtering software to determine how to handle the message. Many
administrators use gateway software to filter mail of content-type
text/html so that messages containing potentially malicious scripts are
not delivered.
A vulnerability exists in Outlook Express 6 which may lead to code
embedded in an email message of content-type 'text/plain' to be executed.
The script code must be contained within the first 57 characters on the
first line of the message. Any additional characters on either line will
cause the message to be parsed in plain text. It is not known why this
behaviour is present.
Only the <script> tag appears to function in this manner.
It is important to note that Outlook Express 6 does not allow any
scripting to be executed by default. This security feature must be turned
off in order to exploit this vulnerability.
IV. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. New worm? 'readme.eml' (Thread)
Relevant URL:
2. W2K Security Templates (Thread)
Relevant URL:
3. Front Page Extensions Security Issues (Thread)
Relevant URL:
4. Move those files! cmd.exe tftp.exe etc ... (Thread)
Relevant URL:
5. fport for Win ME or 98 (Thread)
Relevant URL:
6. FW: W2K Security Templates (Thread)
Relevant URL:
7. URLSCAN (Thread)
Relevant URL:
8. [GFISEC] Nimda worm analysis (Thread)
Relevant URL:
9. Sophos Disinfect Utility (Thread)
Relevant URL:
10. Batch Files which Check for Nimda Infection (Thread)
Relevant URL:
11. Unknown Telnet server (Thread)
Relevant URL:
7305859f@ha.osd.mil">http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-09-21%26thread%3d006b01c141f0$e82cef60$7305859f@ha.osd.mil
12. Windows Update (Thread)
Relevant URL:
13. Nimda and patched machines (Thread)
Relevant URL:
14. Detailed Nimda Analysis Report (Thread)
Relevant URL:
15. Outloook Security Setting (Thread)
Relevant URL:
16. Nimda Poison Pill (Thread)
Relevant URL:
af05a8c0@anchorsign.com">http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-09-21%26thread%3d07ab01c1417d$5ee4e0a0$af05a8c0@anchorsign.com
17. Mutex (Thread)
Relevant URL:
af05a8c0@anchorsign.com">http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-09-21%26thread%3d075301c14163$9ba7d5c0$af05a8c0@anchorsign.com
18. URLScan... Hooray! [pause] Where's the source code? (Thread)
Relevant URL:
19. Re[2]: Unknown Telnet server (Thread)
Relevant URL:
20. BOOK: Hacking Exposed Windows 2000: Network Security Secrets & Solutions (Thread)
Relevant URL:
1000a8c0@internal.gelgit.com">http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-09-21%26thread%3d000a01c14067$5cd55ae0$1000a8c0@internal.gelgit.com
21. W32/Nimda and Outlook Web Access (Thread)
Relevant URL:
22. W32/Nimda.a@mm (Thread)
Relevant URL:
23. New Worm Named W32/Minda.a@mm (Thread)
Relevant URL:
d35e0f0a@strategy.com">http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-09-21%26thread%3d000601c1408b$f80f7940$d35e0f0a@strategy.com
24. Infected EXE files? (Thread)
Relevant URL:
25. Nimda Worm Alert (fwd) (Thread)
Relevant URL:
26. test for browser vulnerability (Thread)
Relevant URL:
27. Nimda worm (Thread)
Relevant URL:
0200a8c0@comprecorp.com">http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-09-21%26thread%3d225b01c1408e$988fa910$0200a8c0@comprecorp.com
28. Syslog Viewer/Reporter (Thread)
Relevant URL:
af05a8c0@anchorsign.com">http://www.securityfocus.com/frames/index.html?content=%2ftemplates%2farchive.pike%3flist%3d88%26date%3d2001-09-21%26thread%3d005201c14089$4ed120b0$af05a8c0@anchorsign.com
29. New problem (Thread)
Relevant URL:
30. New Worm: Massive Scans for cmd.exe/root.exe (fwd) (Thread)
Relevant URL:
31. New IIS Worm (Thread)
Relevant URL:
32. Administrivia: New Worm (Thread)
Relevant URL:
33. Virus/Worm Alert (Code Red Derived) - Concept Virus v.5 (Thread)
Relevant URL:
34. Frontpage Server Extension on Production server. (Thread)
Relevant URL:
35. SecurityFocus Microsoft Newsletter #52 (Thread)
Relevant URL:
36. Incident Response Course for NT/2K (Thread)
Relevant URL:
37. HFNetChk 3.2 beta is now available (Thread)
Relevant URL:
38. IIS5 does not reload pages passed through ISAPI fil ters (Thread)
Relevant URL:
39. MS URL SCAN (Thread)
Relevant URL:
40. Yet another OE worm (fwd) (Thread)
Relevant URL:
41. NT4+IIS4 = spam problem? (Thread)
Relevant URL:
IV.NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. RiverWorks Enterprise VPN
by Indus River Networks
Platforms: Windows 95/98 and Windows NT
Relevant URL:
http://www1.securityfocus.com/templates/product.html?id=1150
Summary:
RiverWorks Enterprise VPN is an enterprise-class Virtual Private
Networking solution that provides secure network access to remote users,
branch offices and trading partners. RiverWorks EVPN is the only solution
that delivers the scalability, manageability and simplicity required by
corporations worldwide to rapidly deploy large-scale remote access
networks to thousand of users.
2.BioLogon Windows 95
by Identicator Technologies
Platforms: Windows 95/98
Relevant URL:
http://www1.securityfocus.com/templates/product.html?id=413
Summary:
The ability to provide a secure user authentication access control is
available for Windows 95 with BioLogon[tm] Win 95 version. With many of
the similar features as BioLogon[tm] NT4.0 the Win95 version provides you
true user authentication again with the ease of use function.
3.GemSAFE Enterprise
by Gemplus Corporation
Platforms: Windows 2000, Windows 95/98 and Windows NT
Relevant URL:
http://www1.securityfocus.com/templates/product.html?id=1386
Summary:
GemSAFE is the Gemplus family of solutions that addresses the computing
security needs of individuals, enterprises and integrators by taking
advantage of the inherent benefits of smart cards.
4. NetFortress Remote
by Fortress Technologies
Platforms: Windows 2000, Windows 95/98 and Windows NT
Relevant URL:
http://www1.securityfocus.com/templates/product.html?id=1048
Summary:
The NetFortress Remote safely and easily extends your secure business
network to remote workers and telecommuters in a simplified, cost
effective and secure manner. The NetFortress Remote works with the
NetFortress Classic and M-Series to build secure tunnels through the
Internet so sensitive information can be transmitted with complete
confidentiality. The NetFortress Remote can also operate in a corporate
environment to secure internal data communications on a LAN or WAN.
Whether the NetFortress Remote is used for internal or remote access, this
client transparently encrypts and authenticates all pertinent data to
protect against eavesdropping and data tampering.
5. Ethenticator MS 3000
by Ethentica
Platforms: Windows NT
Relevant URL:
http://www1.securityfocus.com/templates/product.html?id=1385
Summary:
The Ethenticator's unique ability to grant access to networks and
protected websites without having to remember or type passwords makes it a
lifesaver while you're on the road with a thousand other things on your
mind. Its secure access features put your mind at ease, too, with reliable
protection from unauthorized use and data theft. The Ethenticator MS 3000
also eliminates the need to remember passwords and lets you instantly
access any web site on the Internet that requires your password, any
application or other text-based information secured by a password or user
name / password combination on your mobile computer.
V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. IIS Worms Detector
by Felipe Moniz
Relevant URL:
http://www.securityfocus.com/tools/2224
Platforms: Windows 2000 and Windows 95/98
Summary:
IIS Worms Detector scans for Code Red, Code Blue and Nimda Worm locally.
2. Code Blue Removal Utility
by Felipe Moniz, Security Specialist
Relevant URL:
http://www.securityfocus.com/tools/2223
Platforms: Windows 2000
Summary:
Code Blue Detection and Removal Utility for IIS 5.
3. CodeBlue v3
by Michael <mystic@tenebrous.com>
Relevant URL:
http://www.securityfocus.com/tools/2220
Platforms: UNIX, Windows 2000, Windows 95/98 and Windows NT
Summary:
CodeBlue is an attempt to increase the awareness of hosts that are
infected with malicious worms by scanning Apache log files and emailing
the infected hosts with details of their infection and how to obtain help
removing the worm. Currently, CodeBlue scans Apache logs for Code Red,
Code Red 2, and Nimda.
4. IP Restrictions Scanner (IRS)
by mao
Relevant URL:
http://www.securityfocus.com/tools/2219
Platforms: Windows 2000
Summary:
Many servers and network devices like routers and switches provides
features like ACLs, IP Filters, Firewall rules and so on to give access to
their Services only to particular IP addresses (usually Administrator's
workstations). The main purpose of this program is to find out IP
restrictions that have been set for a particular service on a host. It
combines "ARP Poisoning" and "Half-Scan" techniques and tries totally
spoofed TCP connections to the selected port of the target. IRS does not
scan for opened ports but for valid IP source addresses allowed to
connect.
VI. SPONSORSHIP INFORMATION
---------------------------
This newsletter is sponsored by: Founstone
ULTIMATE HACKING: HANDS ON - NT/2000 SECURITY
If you're running a Windows network, then this is the intensive 3-day
course with everything a hacker knows...that you'll need to know!
Foundstone wrote the book on Windows security, literally, with our newest
publication "Hacking Exposed: Windows 2000." Our hands-on class, based on
the book and real world consultant experience, provides a dynamic
environment to learn this security knowledge. As a Specialist in
Microsoft's Security Services Partner Program, Foundstone knows hacking,
security and Microsoft. Register now for the class in Irvine, California,
December 11-13.
Please visit us at:
http://www.foundstone.com/NT/
-------------------------------------------------------------------------------
- Previous message: Kinsey, Robert: "RE: Quick Norton AV question"
- Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]
Relevant Pages
|
|
