SecurityFocus Microsoft Newsletter #69

From: Marc Fossi (mfossi@securityfocus.com)
Date: 01/15/02


Date: Tue, 15 Jan 2002 09:19:08 -0700 (MST)
From: Marc Fossi <mfossi@securityfocus.com>
To: Focus-MS <focus-ms@securityfocus.com>

SecurityFocus Microsoft Newsletter #69
--------------------------------------

LANguard Security Event Log Monitor: FREE offer!

Catch hackers red-handed with GFI's LANguard S.E.L.M.! Performs intrusion
detection through network-wide monitoring of the security event logs of
all NT/2000 servers & workstations. Enables you to respond quickly to
important security events, without spending hours examining logs. Notifies
you of critical security events in real time & more besides!

Get your FREE eval from: http://www.gfi.com/securityfocus/

-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. SecurityFocus is Hiring!
     2. Social Engineering Fundamentals, Part II: Combat Strategies
     3. An Introduction To Distributed Intrusion Detection Systems
     4. A Security Wish List for 2002
     5. Every Man a Cyber Crook
II. MICROSOFT VULNERABILITY SUMMARY
     1. BrowseFTP Client Buffer Overflow Vulnerability
     2. Michael Lamont Savant Web Server Long Request DoS Vulnerability
     3. Real Media RealPlayer Media File Buffer Overflow Vulnerability
     4. FAQManager.CGI Directory Traversal Vulnerability
     5. BEA Systems WebLogic Server DOS Device Denial of Service...
     6. ModLogAn Splitby Input Validation Vulnerability
     7. BSCW Insecure Default Installation Vulnerability
     8. Microsoft Internet Explorer JavaScript Local File Enumeration...
     9. Geeklog New User Default Admin Privileges Vulnerability
     10. Apache Win32 PHP.EXE Remote File Disclosure Vulnerability
     11. Microsoft Internet Explorer Modeless Dialog DoS Vulnerability
     12. BSCW Remote Command Execution Vulnerability
     13. AOLServer Password Protected File Arbitrary Read Access...
     14. Linksys DSL Router SNMP Trap System Arbitrary Sending...
     15. FAQManager.CGI NULL Character Arbitrary File Disclosure...
     16. Hosting Controller Unauthorized File Access and Upload...
III. MICROSOFT FOCUS LIST SUMMARY
     1. Huge security breach in standard w2k install (Thread)
     2. SQL connection string security (Thread)
     3. Think I've got trouble (Thread)
     4. [SQL connection string security] (Thread)
     5. Password Generation for NT/2K Workstation Local Admin Accounts...
     6. IE headers w patch level - new info (Thread)
     7. [RE: [SQL connection string security]] (Thread)
     8. [RE: SQL connection string security] (Thread)
     9. SSL Key Recovery Tool (Thread)
     10. New Windows 2000 Group Policy Utility (Thread)
     11. Administrivia: Links and Tools (Thread)
     12. ISAPI answer to "Microsoft IIS False Content-Length Field DoS...
     13. Securing OWA w/SSL on IIS5.0 (Thread)
     14. Graphical Alpha-numeric String use to defeat automated-script...
     15. Implications of international SSL key in IE/IIS 5? (Thread)
     16. patch creates new hole? (Thread)
     17. FW: Removing login data from MSIE (Thread)
     18. IE 5.0, 5.5 6.0 https SSL certificate attack - Serious (Thread)
     19. Removing login data from MSIE (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
     1. NetScreen-Global Security Management Software
     2. SiteMinder 4.6
     3. PestPatrol
V. NEW TOOLS FOR MICROSOFT PLATFORMS
     1. Attacker v3.0
     2. Demarc PureSecure v1.05
     3. Securepoint Firewall and VPN Server SB v2.05
     4. NBTEnum - NetBIOS Enumeration Utility v1.0
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------
1. SecurityFocus is Hiring!

SecurityFocus is currently looking for a programmer/debugger for its
Threat Analysis teams. This position requires skillsets which I have
outlined below.

These positions require the staff members to be located in Calgary,
Alberta, Canada. Relocation assistance is possible from within Canada.
Skills will require verification by the way of an actual practical test
before an in-person interview is secured.

Skills required:

        - Expertise with SoftICE & IDA Pro (or similar tools).
        - Expertise with x86 assembly language
        - Programming ability in C & C++, targeting both the Unix and
          Windows platforms
        - Strong report writing skills and ability to interface with
          customers.

Additional skills preferred:

        - Working knowledge of computer viruses, worms, and trojans
          propagation techniques
        - Working knowledge of honeypots.

Personal Skills Required:

Any applicant must be able to work in a team environment and deal with
very tight deliverables. An outgoing pleasant personality is an absolute
requirement. No rockstars, no prima donnas.

About SecurityFocus

SecurityFocus is the leading provider of security intelligence products
and services for business. They include SIA (Security Intelligence Alert),
which alerts subscribers to security vulnerabilities, and ARIS (Attack
Registry & Intelligence Service), which predicts cyber assaults on
customer networks, based on global attack data. SecurityFocus also
licenses the world's largest and most comprehensive vulnerability
information database, hosts the most popular security community mailing
list on the Internet, Bugtraq, and publishes original security content on
its Web site.

Please send resumes if interested to Alfred Huger ah@securityfocus.com

2. Social Engineering Fundamentals, Part II: Combat Strategies
by Sarah Granger

This is the second part of a two-part series devoted to social
engineering. In Part One, we defined social engineering as a hacker's
clever manipulation of the natural human tendency to trust, with the goal
of obtaining information that will allow him/her to gain unauthorized
access to a valued system and the information that resides on that system.
This article will examine some ways that individuals and organizations can
protect themselves against potentially costly social engineering attacks.
I refer to these practices as combat strategies.

http://www.securityfocus.com/infocus/1533

3. An Introduction To Distributed Intrusion Detection Systems
by Nathan Einwechter, Senior Research Scientist Fate Research Labs

A distributed IDS (dIDS) consists of multiple Intrusion Detection Systems
(IDS) over a large network, all of which communicate with each other, or
with a central server that facilitates advanced network monitoring,
incident analysis, and instant attack data. By having these co-operative
agents distributed across a network, incident analysts, network
operations, and security personnel are able to get a broader view of what
is occurring on their network as a whole.

http://www.securityfocus.com/infocus/1532

4. A Security Wish List for 2002
by Jon Lasser

An end to buffer overflows, and a beginning to serious user education ...
These are a few of my favorite things

http://www.securityfocus.com/columnists/52

5. Every Man a Cyber Crook
By Mark Rasch

Federal anti-hacking law permits cybercrime victims to sue their
attackers. So why is it that software companies, webmasters and computer
makers are the ones being hauled into court?

http://www.securityfocus.com/columnists/51

II. BUGTRAQ SUMMARY
-------------------
1. BrowseFTP Client Buffer Overflow Vulnerability
BugTraq ID: 3781
Remote: Yes
Date Published: Jan 04 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3781
Summary:

BrowseFTP is an ftp client that runs on various Microsoft Windows
operating systems.

An issue has been reported which could allow for a malicious ftp host to
execute arbitrary code on a BrowseFTP client user.

This is achievable when a BrowseFTP user connects to an ftp host, if the
FTP server '220' response is of excessive length. The stack-based
overflow condition can allow for malicious administrators to execute
arbitrary code on (and gain control of) client hosts. It is also possible
to crash the client.

2. Michael Lamont Savant Web Server Long Request DoS Vulnerability
BugTraq ID: 3788
Remote: Yes
Date Published: Jan 05 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3788
Summary:

Michael Lamont Savant web server is an open source web server designed for
Microsoft Windows environments.

A vulnerability exists in Savant web server which could cause the server
to stop responding.

Attacks can be launched if a request is submitted containing an unusual
number of arbitrary characters. Savant web server will stop responding; a
restart of the server may be required in order to regain normal
functionality.

This issue may be the result of an unchecked buffer. If this is the case,
there is a possibility that arbitrary code may be executed on the
vulnerable target. However, this has not yet been confirmed.

3. Real Media RealPlayer Media File Buffer Overflow Vulnerability
BugTraq ID: 3809
Remote: Yes
Date Published: Jan 05 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3809
Summary:

RealPlayer is a software package distributed and maintained by Real Media.
RealPlayer performs tasks such as playing multimedia encoded in Real Media
formats via the Internet. It is available for Microsoft Windows, Unix,
and Linux.

A problem with the handling of the file format may make it possible to
remotely crash RealPlayer. The problem could also potentially result in
code execution.

RealPlayer can handle media both in streaming format, or in regular files
formatted for RealPlayer. It interprets these files using Real's
proprietary protocol.

Upon receiving a file with a malformed header, it is possible to crash the
RealPlayer client. A file that specifies a content length greater than
the actual size creates a circumstance where RealPlayer reacts
unpredictably and becomes unstable. This usually results in the crashing
of RealPlayer. This problem may also make it possible to execute
arbitrary code.

4. FAQManager.CGI Directory Traversal Vulnerability
BugTraq ID: 3812
Remote: Yes
Date Published: Jan 07 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3812
Summary:

FAQManager.cgi is a Perl script for maintaining a FAQ (Frequently Asked
Questions) via a web interface. It will run on most Unix/Linux and
Microsoft Windows platforms.

A vulnerability exists in the FAQManager.cgi script which has the
potential to disclose sensitive information to remote attackers.

FAQManager does not properly filter certain types of input from incoming
web requests. It is possible to make a specially crafted web request
containing '../' sequences to break out of wwwroot and display arbitrary
web-readable files. Contents of arbitrary web-readable files that are
disclosed in this manner may contain sensitive information which can
facilitate further attacks on the host by the attacker.

5. BEA Systems WebLogic Server DOS Device Denial of Service Vulnerability
BugTraq ID: 3816
Remote: Yes
Date Published: Jan 08 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3816
Summary:

BEA Systems WebLogic Server is an enterprise level web and wireless
application server for Microsoft Windows and most Unix and Linux vendors.

An issue has been reported which could enable a remote user to crash a
WebLogic host.

By design, requests sent to a WebLogic Server are placed in a queue while
waiting to be performed. The requests are then assigned to a thread that
carries out the task on it. When a request is made for a .jsp resource,
WebLogic invokes an external compiler to handle the request.

Submitting a request for a DOS device appended with a .jsp extension (e.g.
aux.jsp) will lead the server to carry out the request as though it were a
legitimate .jsp request. The external compiler is invoked; however, due to
the handling of DOS devices, the working thread never stops. Therefore, if
numerous requests composed in the described manner are submitted, the
server could stop responding.
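
A request filter for the condition described above, as an added example
that is not part of the original advisory or of WebLogic: it rejects any
URL path segment that Windows would resolve to a DOS device before the
request reaches a handler. The function names and the sample request lines
are constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Names Windows resolves to devices instead of files, in any directory
# and with any extension appended.
RESERVED = (
    {"CON", "PRN", "AUX", "NUL"}
    | {f"COM{n}" for n in range(1, 10)}
    | {f"LPT{n}" for n in range(1, 10)}
)


def reserved_segment(target):
    """Return the first path segment that names a DOS device, else None."""
    # Decode percent-escapes once, so an encoded name is seen in clear.
    path = unquote(urlsplit(target).path).replace("\\", "/")
    for segment in path.split("/"):
        # Only the part before the first '.' or ':' decides the match,
        # and trailing spaces are ignored: "aux.jsp" is still AUX.
        stem = re.split(r"[.:]", segment, maxsplit=1)[0].rstrip(" ").upper()
        if stem in RESERVED:
            return segment
    return None


def screen_requests(request_lines):
    """Map each flagged request line to the offending path segment."""
    flagged = {}
    for line in request_lines:
        parts = line.split(" ")
        if len(parts) < 2:
            continue  # not an HTTP request line
        hit = reserved_segment(parts[1])
        if hit is not None:
            flagged[line] = hit
    return flagged


# Constructed request lines for illustration, not captured traffic.
SAMPLE_REQUESTS = [
    "GET /index.jsp HTTP/1.0",
    "GET /shop/aux.jsp HTTP/1.0",
    "GET /shop/auxiliary.jsp HTTP/1.0",
    "GET /docs/%4e%55%4c.jsp?x=1 HTTP/1.0",
    "GET /reports/com1.summary.jsp HTTP/1.0",
    "GET /console/list.jsp HTTP/1.0",
]

if __name__ == "__main__":
    for line, segment in screen_requests(SAMPLE_REQUESTS).items():
        print(f"reject {segment!r}: {line}")
```

Names that merely begin with a device name, such as auxiliary.jsp or
console, pass the check; only an exact match on the stem is rejected.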

6. ModLogAn Splitby Input Validation Vulnerability
BugTraq ID: 3821
Remote: No
Date Published: Jan 04 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3821
Summary:

ModLogAn is a freely available, open-source log file analyzer. It can
process log files from a number of different services including webservers
(Apache, MS IIS, Netscape), FTP servers (wu-ftpd, proftpd, etc.) and mail
servers (sendmail, qmail), and a variety of other sources. ModLogAn can be
run on many Unix and Linux variants, as well as Microsoft Windows NT/2000
systems.

An issue in ModLogAn has been reported which may make it possible for a
local attacker to use symlink attacks to overwrite root-owned files. This
vulnerability is in the splitby option of the processor_web plugin, and
should only affect systems which have this feature enabled.

The splitby function enables a user to split logfiles into separate
reports per each virtual host. When the splitby option parses entries in
log files, it does not adequately validate the input.

When attempting to parse a log entry that has a hostname that starts with
dot-dot slash (../) sequences, it is possible that the ModLogAn output may
end up in an unexpected directory of the attacker's choosing. Vulnerable
versions of ModLogAn run as root. A malicious local user may capitalize on
this opportunity to use symlink attacks to overwrite root-owned files.
This may enable the local attacker to destroy critical data, cause a
denial of services, or possibly escalate privileges.

It should be noted that exploitation of this issue may depend on external
vulnerabilities in server products, for example BugTraq ID 3596
"Apache Split-Logfile File Append Vulnerability", as an attacker must have
a way to append malicious data to the log files that ModLogAn parses. The
type of log files ModLogAn parses would not normally be alterable by
unprivileged users.

7. BSCW Insecure Default Installation Vulnerability
BugTraq ID: 3777
Remote: Yes
Date Published: Jan 03 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3777
Summary:

BSCW (Basic Support for Cooperative Work) is a web-based groupware
application, allowing users to share a workspace via a web interface. It
runs on Microsoft Windows NT/2000 systems, as well as a number of Unix
variants.

BSCW is normally intended to be run as a service that is
available to a select group of users. It provides an interface for
managing workspaces and determining which users may access any given
workspace.

However, a vulnerability has been discovered in the default installation
of BSCW that may allow untrusted users to access the service. The default
configuration of BSCW enables users to self-register. In some cases, this
may be desired. However, in cases where it is not desired this may create
a false sense of security and allow untrusted users onto the service.

This may provide a window of opportunity for an untrusted, malicious user
to access the service to exploit known issues. One example of an existing
issue that may be exploited as a result of untrusted users being able to
self-register is BugTraq ID 3776 "BSCW Remote Command Execution
Vulnerability".

8. Microsoft Internet Explorer JavaScript Local File Enumeration Vulnerability
BugTraq ID: 3779
Remote: Yes
Date Published: Jan 03 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3779
Summary:

Microsoft Internet Explorer is prone to a vulnerability which may disclose
sensitive information to a malicious webmaster.

A problem exists in the way that Internet Explorer deals with JavaScript
onError event handlers.

As a result, it is possible to use JavaScript to search a web user's local
system for a particular file. The path to the file must be known and the
file must not consist of legal, valid script code.

When script code includes a file outside of the document it is embedded in
and the file does not exist or contains invalid data (any that is not
script code), the onError event handler code will run if it is enabled.
This code for the handler can determine whether the file to be included on
the client filesystem exists or not. This can be used to verify the
presence of specific files on client hosts by creating webpages that
include files from the local host using 'file://'.

For example, the following line of script code attempts to access a file
called "testfile.bat" on the web user's local system:

<script language="javascript" src="file://c:\testfile.bat"></script>

The script that runs when the onError event occurs can determine if the
file exists or not.

This vulnerability may be used by attackers to aid in more intelligent
attacks, for example: attackers may be able to construct webpages that
attempt to enumerate files on client hosts associated with other
vulnerable programs.

9. Geeklog New User Default Admin Privileges Vulnerability
BugTraq ID: 3783
Remote: Yes
Date Published: Jan 04 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3783
Summary:

Geeklog is freely available, open-source weblog software. It allows users
to create a virtual community area, complete with user administration,
story posting, etc. It is written in PHP and will run on most Unix and
Linux variants, as well as Microsoft Windows NT/2000. Geeklog is backended
by MySQL.

A vulnerability has been discovered in Geeklog version 1.3 that may allow
the unprivileged, regular user to sign onto the service to gain admin
rights.

Geeklog 1.3 implements a Unix-style privilege model, allowing
administration of users based on what group the user belongs to.

Due to an oversight in the design of Geeklog, the first new user to create
an account with the service is a member of the GroupAdmin/UserAdmin
Groups. This is because the fresh installation includes one
group_assignments record with a user ID of 13. Normally the last default
admin-privileged account would have a user ID of 12. The impact is that
the first regular user is able to administrate both users and groups.

10. Apache Win32 PHP.EXE Remote File Disclosure Vulnerability
BugTraq ID: 3786
Remote: Yes
Date Published: Jan 04 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3786
Summary:

A vulnerability exists in the suggested default configuration for the
Apache PHP.EXE binary on Microsoft Windows platforms. This issue has the
potential to disclose the contents of arbitrary files to remote attackers.

The ScriptAlias line of the following configuration in the httpd.conf
Apache configuration file is known to be the source of this issue:

ScriptAlias /php/ "c:/php/"
AddType application/x-httpd-php .php
Action application/x-httpd-php "/php/php.exe"

As a result, it is possible for an attacker to append a filepath to the
end of a web request for php.exe. Files targeted in this manner will be
served to the attacker.

It is also possible to run executables in the PHP directory via successful
exploitation of this vulnerability.

11. Microsoft Internet Explorer Modeless Dialog DoS Vulnerability
BugTraq ID: 3789
Remote: Yes
Date Published: Jan 06 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3789
Summary:

A modeless dialog method is a dialog box which continues to display even
when a user switches to other applications.

An issue has been reported in Microsoft Internet Explorer, which could
enable a malicious web host to cause a visiting user's system to consume
all available system resources.

This is achieved when including the showModelessDialog() function within
an HTML document. If the value passed to this function is the file the
function is included in, an endless loop will be initiated.

This reportedly causes 100% CPU usage even after the iexplore.exe
process has been ended. A reboot may be required in order to gain normal
functionality.

12. BSCW Remote Command Execution Vulnerability
BugTraq ID: 3776
Remote: Yes
Date Published: Jan 03 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3776
Summary:

BSCW (Basic Support for Cooperative Work) is a web-based groupware
application, allowing users to share a workspace via a web interface. It
runs on Microsoft Windows NT/2000 systems, as well as a number of Linux
and Unix variants.

BSCW provides functionality for calling external programs to perform
conversions from one file format to another file format, such as from GIF
to JPEG.

However, a vulnerability exists in the way that BSCW parses the requests
that are passed to the external programs, making it possible for a
malicious user to execute arbitrary commands. Specifically, BSCW does not
adequately filter shell metacharacters such as '&', ';', and '^'. A user
may potentially exploit this issue to make a malicious file conversion
request containing shell metacharacters and arbitrary commands.

Commands will be executed with the privileges of the user running BSCW and
may allow the attacker to gain local, interactive access to the host
running the vulnerable software.
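
The safe way to call an external converter, as an added example that is
not BSCW's own code: the arguments go to the program as a list, so no
shell re-parses a filename containing ';' or '&'. The converter table,
the gif2jpeg name and the sample filename are hypothetical, and the
Python interpreter stands in for a real converter binary.

```python
import shlex
import subprocess
import sys

# Stand-in for a real converter binary: echoes each argument on its own line.
ECHO_ARGS = [sys.executable, "-c", "import sys; print('\\n'.join(sys.argv[1:]))"]

# Hypothetical converter table keyed by (source format, target format).
CONVERTERS = {("gif", "jpeg"): ECHO_ARGS}


def legacy_command_line(src, dst):
    """The risky pattern: one string that a shell will later re-parse."""
    return "gif2jpeg " + src + " " + dst


def shell_view(command_line):
    """Tokenise a command line the way a POSIX shell would split it."""
    lexer = shlex.shlex(command_line, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return list(lexer)


def build_argv(src_fmt, dst_fmt, src, dst):
    """Build an argument vector; formats come from an allowlist."""
    try:
        prefix = CONVERTERS[(src_fmt, dst_fmt)]
    except KeyError:
        raise ValueError(f"no converter for {src_fmt!r} -> {dst_fmt!r}") from None
    for name in (src, dst):
        # A leading '-' would be read as an option by many programs.
        if not name or name.startswith("-") or "\x00" in name:
            raise ValueError(f"unacceptable file name: {name!r}")
    return [*prefix, src, dst]


def run_converter(argv):
    """Execute without a shell and return the converter's output lines."""
    done = subprocess.run(
        argv, capture_output=True, text=True, check=True, timeout=30
    )
    return done.stdout.splitlines()


# Constructed file name carrying the metacharacters named in the advisory.
HOSTILE_NAME = "logo.gif;echo INJECTED&^"

if __name__ == "__main__":
    print("shell would see:", shell_view(legacy_command_line(HOSTILE_NAME, "out.jpg")))
    argv = build_argv("gif", "jpeg", HOSTILE_NAME, "out.jpg")
    print("converter receives:", run_converter(argv))
```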

13. AOLServer Password Protected File Arbitrary Read Access Vulnerability
BugTraq ID: 3791
Remote: Yes
Date Published: Jan 06 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3791
Summary:

AOLServer is the open source, freely available HTTP server maintained in
cooperation between AOL and the open source developer community. It
offers features such as TCL interpretation, and dynamic content handling.

A problem has been discovered in AOLServer that could allow remote users
to gain access to protected information. The problem affects AOLServer on
the Microsoft Windows 2000 platform.

AOLServer offers an access control infrastructure on files placed on web
servers. A user may protect a file from download by password protecting
it via the HTTPD.

AOLServer does not sufficiently handle access control requests. If a
remote user knows the path directly to a password protected file hosted on
the AOLServer, the user may access the file directly via the full path,
circumventing authentication. This makes it possible for remote users to
gain arbitrary access to sensitive files.

This problem can allow a remote user to gain arbitrary access to sensitive
information, and could lead to the user gaining access to other
password-protected infrastructure such as web boards hosted on the server.

14. Linksys DSL Router SNMP Trap System Arbitrary Sending Vulnerability
BugTraq ID: 3795
Remote: Yes
Date Published: Jan 06 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3795
Summary:

Linksys DSL routers are high-speed internet access solutions distributed
by the Linksys Group. Linksys DSL routers offer features such as
high-speed internet access, switching built into some routers, and
Voice-over-IP.

A problem with Linksys routers could make it possible for a remote user to
gain sensitive information from a Linksys router, or potentially create a
denial of service. The problem affects Linksys routers which may work
with either Microsoft or Unix and Linux systems.

Linksys routers enable SNMP by default. SNMP can be used to gain
information about traffic and hosts managed by the router. This issue is
compounded by the fact that Linksys routers include a default community
string of "public."

Linksys routers have a design issue that will route SNMP Trap information
to any address. When a Linksys router receives a query from a system, the
router alters its own configuration to make the querying system the SNMP
Trap system. This can yield sensitive information about network traffic
being handled by the router. Since SNMP uses UDP as its method of
transport, this could also lead to a number of vulnerable routers being
used to create a distributed denial of service attack.

This problem makes it possible for remote users to gain access to
sensitive network information, or potentially launch a distributed denial
of service attack.

15. FAQManager.CGI NULL Character Arbitrary File Disclosure Vulnerability
BugTraq ID: 3810
Remote: Yes
Date Published: Jan 07 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3810
Summary:

FAQManager.cgi is a Perl script for maintaining a FAQ (Frequently Asked
Questions) file via a web interface. It will run on most Unix/Linux and
Microsoft Windows platforms.

A vulnerability exists in the FAQManager.cgi script which has the
potential to disclose sensitive information to remote attackers.

FAQManager does not properly filter certain types of input from incoming
web requests. As a result, it is possible to append a NULL character (%00)
to the end of a web request for an existing web-readable file. Contents of
the file will be displayed to the attacker making such a malicious
request.

16. Hosting Controller Unauthorized File Access and Upload Vulnerability
BugTraq ID: 3811
Remote: Yes
Date Published: Jan 07 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3811
Summary:

Hosting Controller is an application which centralizes all hosting tasks
to one interface. Hosting Controller gives every user the required control
they need to manage the appropriate web site relevant to them. Hosting
Controller runs on Microsoft Windows systems.

Reportedly, an issue exists in Hosting Controller which could enable a
user to read, delete and upload arbitrary files to the host.

Due to a flaw in filemanager.asp a user could exploit this issue by
attempting to connect to an existing account and specifying '../'
character sequences.
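
A path check covering the '../' issues in FAQManager.cgi (BID 3812) and
Hosting Controller (BID 3811) and the NULL character issue in
FAQManager.cgi (BID 3810), as an added example that is not code from
either product: the requested name is decoded once, rejected if it
contains a NUL byte, and served only if its resolved location is still
inside the document root. The directory layout and sample requests are
constructed, and the example assumes a POSIX filesystem.

```python
import os
import tempfile
from urllib.parse import unquote


class RejectedPath(ValueError):
    """Raised when a requested path must not be served."""


def resolve_under_root(root, requested):
    """Return the real path for `requested`, or raise RejectedPath."""
    decoded = unquote(requested)  # decode percent-escapes exactly once
    if "\x00" in decoded:
        # A NUL ends the string for the C library but not for the script,
        # so the two layers would disagree about which file is meant.
        raise RejectedPath("NUL byte in path")
    decoded = decoded.replace("\\", "/").lstrip("/")
    root_real = os.path.realpath(root)
    # realpath collapses '..' and follows symlinks before the comparison.
    candidate = os.path.realpath(os.path.join(root_real, decoded))
    if os.path.commonpath([root_real, candidate]) != root_real:
        raise RejectedPath("escapes document root")
    return candidate


# Constructed requests for illustration.
SAMPLES = [
    "faq/general.txt",
    "../secret.txt",
    "faq/..%2f..%2fsecret.txt",
    "faq/general.txt%00.html",
    "faq/link.txt",
    "..\\..\\boot.ini",
]


def check_samples():
    """Run SAMPLES against a throwaway document root; return the verdicts."""
    with tempfile.TemporaryDirectory() as base:
        root = os.path.join(base, "wwwroot")
        os.makedirs(os.path.join(root, "faq"))
        with open(os.path.join(root, "faq", "general.txt"), "w") as fh:
            fh.write("Q: ...\nA: ...\n")
        secret = os.path.join(base, "secret.txt")
        with open(secret, "w") as fh:
            fh.write("outside the document root\n")
        # A symlink inside the root that points outside it.
        os.symlink(secret, os.path.join(root, "faq", "link.txt"))

        verdicts = {}
        for request in SAMPLES:
            try:
                resolve_under_root(root, request)
                verdicts[request] = "served"
            except RejectedPath as exc:
                verdicts[request] = str(exc)
        return verdicts


if __name__ == "__main__":
    for request, verdict in check_samples().items():
        print(f"{request!r:32} {verdict}")
```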

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Huge security breach in standard w2k install (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=NEEAINCFLMDKOGNIMDIECEAACEAA.kc@proff-art.dk&threads=1

2. SQL connection string security (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=002f01c19a16$17047290$e7cfb6c8@acme&threads=1

3. Think I've got trouble (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=000001c199ea$31b55950$0300000a@elsevier.co.uk&threads=1

4. [SQL connection string security] (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=FA8E4D4EC3CCBC4BAF1ABB6A42D5BE0A024452@satanica.attrition.tld&threads=1

5. Password Generation for NT/2K Workstation Local Admin Accounts (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=28A024706B20D4119651009027E7003D0517230E@EMAIL1&threads=1

6. IE headers w patch level - new info (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=A80A2A90157C1344BF3DC19A1B2BB2130E841F@hades.persephonesystems.com&threads=1

7. [RE: [SQL connection string security]] (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=20020110221457.23126.qmail@cpdvg202.cms.usa.net&threads=1

8. [RE: SQL connection string security] (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=20020110205642.28357.qmail@cpdvg202.cms.usa.net&threads=1

9. SSL Key Recovery Tool (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=PBECJIHIEGDLNFICLDMACEMGDDAA.floyd@neospire.net&threads=1

10. New Windows 2000 Group Policy Utility (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=20020108221212.25477.qmail@mail.securityfocus.com&threads=1

11. Administrivia: Links and Tools (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=Pine.LNX.4.430201081608080.6979-100000@mail&threads=1

12. ISAPI answer to "Microsoft IIS False Content-Length Field DoS Vulnerability" ? (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=629A2F2C52CDC248B9135FD519A682DE392681@wd21exch004&threads=1

13. Securing OWA w/SSL on IIS5.0 (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=20020108182243.87544.qmail@web14606.mail.yahoo.com&threads=1

14. Graphical Alpha-numeric String use to defeat automated-script attack on manual HTTP validation requests (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=A9F857A45F1DD511AB010002B321B505013F1A28@dns1.hbinc.com&threads=1

15. Implications of international SSL key in IE/IIS 5? (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=7F78FC5A30A3D21195F90090272ABD0D06AB7361@TIMC-NTS-S01&threads=1

16. patch creates new hole? (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=NFEFLALDPOIFPKKBBCDNMEPBCBAA.bill.mote@mem.com&threads=1

17. FW: Removing login data from MSIE (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=000401c1954e$9670b100$fdfea8c0@dellydoo&threads=1

18. IE 5.0, 5.5 6.0 https SSL certificate attack - Serious (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=41ED4EB3C166D511BAC3009027DE9EBB05CDE716@cin098.info53.com&threads=1

19. Removing login data from MSIE (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=91F39CDB3876C14AA94081B220162CD20CF20B@EXMBPR04.na.mmfg.net&threads=1

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. NetScreen-Global Security Management Software
by NetScreen Technologies
Platforms: Solaris, Windows NT, Windows 2000
Relevant URL:
http://www.netscreen.com/products/nsglobal.html
Summary:

The NetScreen-Global PRO line of security management systems consists of
two products NetScreen-Global PRO and NetScreen-Global PRO Express.
NetScreen-Global PRO is best suited to large enterprise or service
provider deployments of up to ten thousand devices while NetScreen-Global
PRO Express can support up to one hundred NetScreen devices.
NetScreen-Global PRO is a bundle of two components, Policy Manager, a
central policy configuration system pre-installed on a rack-mountable
server, and Report Manager, software for highly scalable monitoring and
reporting. Sharing virtually all of the same policy management and
administration features, NetScreen Global PRO Express is delivered with
Policy Manager and Realtime Monitor, a subset of Report Manager, on a
pre-configured server. Whether it's a deployment of twenty-five devices to
connect remote sites to a central office or a multi-thousand device
rollout by a service provider across multiple customers, NetScreen has a
management solution to match your specific needs.

2. NetScreen-Remote
by NetScreen Technologies
Platforms: Windows 95/98, Windows NT, Windows 2000
Relevant URL:
http://www.netscreen.com/products/nsremote.html
Summary:

The NetScreen-Remote VPN client provides the critical ability for
client-initiated Virtual Private Network (VPN) communication.
NetScreen-Remote is ideal for "road warriors" needing to access
mission-critical networks across an untrusted or public network as well as
end-users within an enterprise environment that require a secure
end-user-to-host connection. NetScreen-Remote, based on SafeNet's
industry-leading VPN client software, runs on an end-user's computer and
facilitates secure remote access to networks, devices, or other hosts.
Security is achieved by using the IPSec protocol and Layer 2 Tunneling
Protocol (L2TP), with Certificates as an additional option. In order to
form a secure communications channel, this software must be used in
conjunction with an IPSec gateway, such as NetScreen's line of integrated
security systems and appliances, or another host running IPSec compatible
software, including other computers running NetScreen-Remote.
NetScreen-Remote encrypted communications can be initiated in any IP
network environment, be it an Ethernet LAN or dial-up modem connection.

3. PestPatrol
by PestPatrol, Inc
Platforms: Windows 95/98, Windows NT, Windows 2000, Windows XP
Relevant URL:
http://www.safersite.com/pestpatrol/pestpatrol.asp
Summary:

PestPatrol detects and removes non-viral malicious code - trojans, remote
administration tools, spyware, hacker tools - that can be as damaging to
your business as a serious virus attack. PestPatrol complements
anti-virus, firewall, and IDS solutions, integrating seamlessly into
existing security infrastructures. Whether the threat comes from outside
or inside your organization, PestPatrol should be part of your security
toolkit.

V. NEW TOOLS FOR MICROSOFT PLATFORMS
----------------------------------------
1. Attacker v3.0
by robinkeir@foundstone.com
Relevant URL:
http://www.foundstone.com/rdlabs/tools.html
Platforms: UNIX, Windows 2000, Windows 95/98, Windows NT
Summary:

A TCP/UDP port listener. You provide a list of ports to listen on and the
program will notify you when a connection or data arrives at the port(s).
Can minimize to the system tray and play an audible alert. This program is
intended to act as a guard dog to notify you of attempted probes to your
computer via the Internet.

2. Demarc PureSecure v1.05
by DEMARC ORG
Relevant URL:
http://www.demarc.com/
Platforms: BSDI, FreeBSD, HP-UX, Linux, NetBSD, OpenBSD, Perl (any system
supporting perl), UNIX, Windows 2000, Windows NT, Windows XP
Summary:

Instead of having one program perform file integrity checks, another
program monitoring the connectivity and health of your network, and yet
another monitoring your network for intrusion detection attempts, Demarc
PureSecure combines all these services into one powerful client/server
program. Not only can you monitor the status of the different machines in
your network, but you can also respond to changes in your network all from
one centralized location.

Security is already a full time job in any network, and the burden of
monitoring the reports from multiple programs across dozens of servers can
result in information overload. The human mind can only process so much
data at any given time before it simply becomes too much to analyze.
Demarc PureSecure centralizes the reporting and analysis for the entire
network which allows you to more easily weed out the important data from
the superfluous background noise, thereby targeting your efforts where
they really belong.

3. Securepoint Firewall and VPN Server SB v2.05
by Lutz Hausmann, lutz.hausmann@linkx.de
Relevant URL:
http://www.securepoint.cc/download.htm
Platforms: Linux, Windows 2000, Windows 95/98, Windows NT
Summary:

The Securepoint Firewall Server is a high-performance, commercial-grade
application designed to offer full protection for network assets.
Securepoint is a complete software system with an operating system based
on a secure Linux. You can use the firewall on a standard PC with two or
three network cards, and it is easy to install and administer.

4. NBTEnum - NetBIOS Enumeration Utility v1.0
by NTSleuth NTSleuth@email.com
Relevant URL:
http://ntsleuth.0catch.com/
Platforms: Windows 2000, Windows NT
Summary:

Features include class C subnet scan and RestrictAnonymous bypass.

VI. SPONSORSHIP INFORMATION
---------------------------
LANguard Security Event Log Monitor: FREE offer!

Catch hackers red-handed with GFI's LANguard S.E.L.M.! Performs intrusion
detection through network-wide monitoring of the security event logs of
all NT/2000 servers & workstations. Enables you to respond quickly to
important security events, without spending hours examining logs. Notifies
you of critical security events in real time & more besides!

Get your FREE eval from: http://www.gfi.com/securityfocus/

-------------------------------------------------------------------------------


