SecurityFocus Microsoft Newsletter #71

From: Marc Fossi (mfossi@securityfocus.com)
Date: 01/28/02


Date: Mon, 28 Jan 2002 12:35:58 -0700 (MST)
From: Marc Fossi <mfossi@securityfocus.com>
To: Focus-MS <focus-ms@securityfocus.com>

SecurityFocus Microsoft Newsletter #71
--------------------------------------

This issue is sponsored by: CipherTrust Inc.

-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. SecurityFocus is Hiring!
     2. Network Intrusion Detection Signatures, Part 2
     3. Software Licensing: The Hidden Threat to Information Security
     4. SecurityFocus Promotion
II. MICROSOFT VULNERABILITY SUMMARY
     1. DaanSystems NewsReactor Password Encoding Vulnerability
     2. Microsoft Windows NT Inaccurate Login Logging Vulnerability
     3. Apple MacOS Internet Explorer File Execution Vulnerability
     4. Oracle RDBMS Server Default Account Vulnerability
     5. Avirt Gateway Suite Telnet Proxy Remote SYSTEM Access...
     6. Working Resources BadBlue Enterprise Edition File Upload...
     7. Oracle SQL*Plus Unauthorized Shell Command Execution Vulnerability
     8. Oracle Database Auditing Insecure Default Configuration...
     9. Avirt Gateway Suite HTTP Proxy Remote Buffer Overflow...
     10. Avirt Gateway Suite Telnet Proxy Remote Buffer Overflow...
     11. SpoonFTP Bounce Vulnerability
     12. COWS CGI Online Worldweb Shopping Diagnose.CGI Cross-Site...
     13. Multiple Vendor NTFS File Wipe Vulnerability
     14. Working Resources BadBlue Directory Traversal Vulnerability
     15. COWS CGI Online Worldweb Shopping Information Disclosure...
     16. Working Resources BadBlue Invalid Request Denial of Service...
     17. Netopia Timbuktu Pro Denial of Service Vulnerability
     18. COWS CGI Online Worldweb Shopping Compatible.CGI Cross-Site...
     19. COWS CGI Online Worldweb Shopping Insecure File Permissions...
     20. Netscape/Mozilla Null Character Cookie Stealing Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
     1. Persistent Shares viewable between users? (Thread)
     2. How to get my encrypted files back - Copy to FAT32... (Thread)
     3. IE6 Privacy and Secure Web Site (Thread)
     4. file? - PowerReg.exe - summary (Thread)
     5. Blackhat Security Briefings 2002, New Orleans (Thread)
     6. local login rights (Thread)
     7. subinacl help (Thread)
     8. remote shutdown (Thread)
     9. Restricting bandwidth per IP address to a proxy server (Thread)
     10. Disabling Terminal Service access by default (Thread)
     11. SecurityFocus Microsoft Newsletter #70 (Thread)
     12. How to get my encrypted files back. (Thread)
     13. Registry Lockdown (Thread)
     14. Seperate User for Services (Thread)
     15. Need Registry Info (Thread)
     16. nt4 wkstation registry lockdown (Thread)
     17. Removing OS and version info from Telnet header (Thread)
     18. PGP causes IPSec to become disabled (Thread)
IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
     1. MultiSecure
     2. Norton Ghost
     3. Websense Enterprise
     4. Tripwire Manager
V. NEW TOOLS FOR MICROSOFT PLATFORMS
     1. Leviathan Auditor v1.1
     2. APassword v1.01
     3. xScan v1.3
     4. NGSSniff
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------
1. SecurityFocus is Hiring!

SecurityFocus is currently looking for a programmer/debugger for its
Threat Analysis teams. This position requires skillsets which I have
outlined below.

These positions require the staff members to be located in Calgary,
Alberta, Canada. Relocation assistance is possible from within Canada.
Skills will require verification by way of an actual practical test
before an in-person interview is secured.

Skills required:

        - Expertise with SoftICE & IDA Pro (or similar tools).
        - Expertise with x86 assembly language
        - Programming ability in C & C++, targeting both the Unix and
          Windows platforms
        - Strong report writing skills and ability to interface with
          customers.

Additional skills preferred:

        - Working knowledge of computer virus, worm, and trojan
          propagation techniques
        - Working knowledge of honeypots.

Personal Skills Required:

Any applicant must be able to work in a team environment and deal with
very tight deliverables. An outgoing pleasant personality is an absolute
requirement. No rockstars, no prima donnas.

About SecurityFocus

SecurityFocus is the leading provider of security intelligence products
and services for business. They include SIA (Security Intelligence Alert),
which alerts subscribers to security vulnerabilities, and ARIS (Attack
Registry & Intelligence Service), which predicts cyber assaults on
customer networks, based on global attack data. SecurityFocus also
licenses the world's largest and most comprehensive vulnerability
information database, hosts the most popular security community mailing
list on the Internet, Bugtraq, and publishes original security content on
its Web site.

Please send resumes if interested to Alfred Huger ah@securityfocus.com

2. Network Intrusion Detection Signatures, Part 2
by Karen Kent Frederick

This is the second in a series of articles on understanding and developing
signatures for network intrusion detection systems. In the first
installment we looked at signature basics, the functions that signatures
serve, header values, signature components, and choosing signatures. In
this article we will continue our discussion of IP protocol header values
in signatures by closely examining some signature examples. Although it
may be relatively easy to develop a signature that matches a particular
type of traffic, it will likely cause unexpected false positives and false
negatives. Signatures must be carefully developed and tested in order to
create a signature set that is highly accurate, yet is also as efficient
as possible.

http://www.securityfocus.com/infocus/1534

3. Software Licensing: The Hidden Threat to Information Security
by Richard Forno

Software licensing agreements, along with legislation such as DMCA and
UCITA may make consumers vulnerable to the whims of vendors.

http://www.securityfocus.com/columnists/55

4. **SecurityFocus Promotion: Two Week Trial of SIA**

SecurityFocus(tm), a leading provider of enterprise security threat
management systems, announces new pricing for SIA(tm), our Security
Intelligence Alert Service. We are also offering a FREE two-week trial of
SIA between January 21st and March 15th, 2002.

SIA provides the most comprehensive and customizable vulnerability and
malicious code alerts available. SIA delivers complete, up-to-the-minute,
specific, actionable information that allows enterprises to prevent
attacks before they occur.

SIA allows you to:

**Fully protect your systems with comprehensive alerts that are specific
to your infrastructure. SIA allows you to specify down to the version
level those products for which you wish to receive alerts.

**Reduce the threat of network downtime from attacks. SIA provides
everything you need to know: thorough technical description of the attack,
workarounds or available patches, signatures for updating IDSs,
mitigation/disinfection strategies, etc.

**Save hours a day by not having to look through hundreds of emails or
dozens of websites. SIA allows you to prioritize your current
vulnerabilities and eliminate the highest risks first.

To take advantage of our FREE two-week trial offer and receive real-time
configuration-specific vulnerability and malicious code alerts, please
call toll-free 1-866-577-6300 in the United States and Canada, or
+1-650-655-6300 outside North America. You may also contact us at
sales@securityfocus.com, or click here
http://www.securityfocus.com/feedback to have a sales representative
contact you.

II. BUGTRAQ SUMMARY
-------------------
1. DaanSystems NewsReactor Password Encoding Vulnerability
BugTraq ID: 3927
Remote: No
Date Published: Jan 22 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3927
Summary:

NewsReactor is a shareware program distributed by DaanSystems. It is
available for the Microsoft Windows platform.

A problem with NewsReactor could allow users to gain access to sensitive
information. The problem is in the securing of passwords.

NewsReactor is a Usenet harvesting tool. It can be used to browse Usenet
posts, and extract binaries. NewsReactor can be configured to monitor
specific news groups, and extract files ending in certain extensions.

When NewsReactor is configured, it saves news server configuration
information to the NewsReactor.ini file. The password to access a news
server is stored insecurely, using a slide-rule encoding technique. When
the password is saved to the NewsReactor.ini file, it is encoded using a
format that involves moving 64 characters up the ASCII table.

This trivial encoding scheme can allow a local user with read access to
the NewsReactor.ini file to gain access to a news server using another
user's credentials.

2. Microsoft Windows NT Inaccurate Login Logging Vulnerability
BugTraq ID: 3933
Remote: No
Date Published: Jan 21 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3933
Summary:

Recent versions of Microsoft Windows include the ability to restrict and
audit local logins. It is possible to define a security policy limiting
the number of incorrect login attempts allowed before an account is locked
out, and to log successful and failed login attempts.

It is possible, under some circumstances, to log into the local machine
while leaving a log event implying a failed login attempt. This behavior
has been reported to occur when the account in question has been locked
due to multiple failed login attempts, as defined in the security policy.
In this case, a successful login attempt may be logged as a failed attempt.

This vulnerability may result in successful break-ins going undetected.

3. Apple MacOS Internet Explorer File Execution Vulnerability
BugTraq ID: 3935
Remote: Yes
Date Published: Jan 22 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3935
Summary:

A vulnerability has been discovered in MacOS systems running Internet
Explorer 5.0 and earlier. MacOS X is not affected by this issue.

File URLs may be used by a malicious webmaster to execute programs on a
web user's local system. For example, the malicious webmaster creates a
webpage which contains a link to a file on a web user's local system using
a file URL. The exact path to the location of the file must be known by
the attacker. This includes being able to anticipate the name of a
particular user's hard drive.

This issue may be exploited to execute "Speakable Items" in MacOS 9.0 and
later. Speakable Items are a series of utilities written in AppleScript
which can perform various functions, such as restarting the computer,
changing the screen resolution, closing windows, etc.

This issue may also be exploitable through maliciously crafted
HTML-enabled e-mail.

4. Oracle RDBMS Server Default Account Vulnerability
BugTraq ID: 3899
Remote: Yes
Date Published: Jan 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3899
Summary:

Oracle RDBMS Server is a fully-featured relational database management
system. Oracle RDBMS provides a set of administrative tools for the Oracle
database. Oracle is available for the Unix, Linux, and Microsoft Windows
platforms.

In a default installation of the Oracle database, the RDBMS Server installs
a number of "demo" accounts with preset passwords. Default account
usernames resemble personal names such as "SCOTT". Remote attackers who
are aware of the default accounts may use them to gain unauthorized access
to the database.

Users of this product may not be aware of the existence of the default
accounts. An attacker gaining access to the system through one of these
accounts may also be able to access the local system with the privileges
of the oracle user and group.

5. Avirt Gateway Suite Telnet Proxy Remote SYSTEM Access Vulnerability
BugTraq ID: 3901
Remote: Yes
Date Published: Jan 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3901
Summary:

Avirt Gateway Suite is a product combining the functionality of Avirt
Gateway and Avirt Mail. It is designed as a single solution for a
collection of client machines sharing a single internet connection. It is
available for the Microsoft Windows operating system.

A vulnerability exists in the Gateway Suite. By default, a telnet proxy
server is installed and listening on port 23. It is installed as a
Windows service when possible.

Any user within the allowable IP range for the server may make a direct
telnet connection. Once connected, it is possible to browse the server
directory structure through use of the 'dir' and 'ls' commands, or to open
a command prompt with the 'dos' command. As the server runs as SYSTEM,
this could lead to a total compromise of the vulnerable server.

6. Working Resources BadBlue Enterprise Edition File Upload Vulnerability
BugTraq ID: 3917
Remote: Yes
Date Published: Jan 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3917
Summary:

Working Resources BadBlue Enterprise Edition is a webserver intended to
share various resources and is developed for Microsoft Windows
environments.

A feature built into BadBlue Enterprise Edition permits users to upload
files to the host. This is not a default configuration; the
administrator must configure the virtual directory.

If this upload feature is configured without password protection, it is
possible for remote users to upload files containing executable code. Once
the file is uploaded it may be possible for the user to call the file,
initiating the execution of the malicious file.

Successful exploitation of this vulnerability could result in a malicious
script file being placed on a host, or the installation of a backdoor or
trojan.

7. Oracle SQL*Plus Unauthorized Shell Command Execution Vulnerability
BugTraq ID: 3900
Remote: Yes
Date Published: Jan 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3900
Summary:

Oracle Server is a fully-featured relational database management system.

SQL*Plus is the primary interface for the Oracle server; it integrates
Oracle SQL and PL/SQL. SQL*Plus enables the retrieval and modification of
data and the general maintenance of the database. Oracle is available for
the Unix, Linux, and Microsoft Windows platforms.

Under the default settings, any connected SQL*Plus user may execute
arbitrary shell commands.

Oracle installs a number of "demo" accounts with preset passwords. If an
attacker gains access to a "demo" account, this issue could be exploited
remotely.

Successful exploitation of this vulnerability could lead to a compromise
of the host.

8. Oracle Database Auditing Insecure Default Configuration Vulnerability
BugTraq ID: 3902
Remote: Yes
Date Published: Jan 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3902
Summary:

Oracle is a commercial relational database product. Oracle is available
for the Unix, Linux, and Microsoft Windows platforms.

An insecurity exists in the default configuration of Oracle 8i and 9i
database products. Oracle Auditing is disabled in the default install and
must be enabled by the user of the product. Oracle Auditing provides
accounting of specific database objects, operations, users, and
privileges.

It is not advised to put a database into production without the Oracle
Auditing functionality, as it is one of the basic security features
offered by the product. The result is that malicious activity may go
undetected.

9. Avirt Gateway Suite HTTP Proxy Remote Buffer Overflow Vulnerability
BugTraq ID: 3904
Remote: Yes
Date Published: Jan 18 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3904
Summary:

Avirt Gateway Suite is a product combining the functionality of Avirt
Gateway and Avirt Mail. It is designed as a single solution for a
collection of client machines sharing a single internet connection. It is
available for the Microsoft Windows operating system.

The Gateway Suite includes an HTTP proxy which resides on port 8080 by
default. Due to incorrect bounds checking of the HTTP headers on the
proxy, it is possible to cause a buffer overflow. This can be
accomplished by creating HTTP header fields that exceed 2139 bytes. When
the proxy processes these headers, the buffer overflows, causing EIP to be
overwritten. This could be used to execute arbitrary code on the Avirt
Gateway Suite system. Since the HTTP proxy runs as a SYSTEM level
service, this code would likely be executed with that privilege level.

This vulnerability could also be used in a denial of service (DoS) attack
on the Avirt Gateway Suite.

10. Avirt Gateway Suite Telnet Proxy Remote Buffer Overflow Vulnerability
BugTraq ID: 3905
Remote: Yes
Date Published: Jan 18 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3905
Summary:

Avirt Gateway Suite is a product combining the functionality of Avirt
Gateway and Avirt Mail. It is designed as a single solution for a
collection of client machines sharing a single internet connection. It is
available for the Microsoft Windows operating system.

The Gateway Suite includes a Telnet proxy which resides on port 23 by
default. Due to incorrect bounds checking of commands issued to the
proxy, it is possible to cause a buffer overflow. This can be
accomplished by submitting a command which exceeds 2000 bytes. When the
proxy processes this command, the buffer overflows, causing EIP to be
overwritten. This could be used to execute arbitrary code on the Avirt
Gateway Suite system. Since the Telnet proxy runs as a SYSTEM level
service, this code would likely be executed with that privilege level.

This vulnerability could also be used in a denial of service (DoS) attack
on the Avirt Gateway Suite.

11. SpoonFTP Bounce Vulnerability
BugTraq ID: 3910
Remote: Yes
Date Published: Jan 20 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3910
Summary:

SpoonFTP is a shareware FTP Server for Microsoft Windows 9x/ME/NT/2000
operating systems.

SpoonFTP is prone to FTP bounce attacks.

An attacker who logs in to the FTP server may use the PORT command to
connect to an arbitrary port on a remote host, including ports below 1024.
The PORT command is normally intended to be used to create a connection to
the client machine on a high-numbered port. As a result of this
vulnerability, the attacker may use the FTP server as a proxy.
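The check a server needs to close the bounce described above, as an added
example (not SpoonFTP code or code from the advisory): the PORT argument is
parsed and refused unless it names the control connection's own address and
a port of 1024 or higher. The function names, reply texts and sample
addresses are assumptions made for illustration.

```python
import ipaddress

PRIVILEGED_PORT_LIMIT = 1024  # ports below this are refused as data targets


def parse_port_argument(argument):
    """Parse the 'h1,h2,h3,h4,p1,p2' argument of an FTP PORT command.

    Returns (IPv4Address, port); raises ValueError on malformed input.
    """
    fields = argument.strip().split(",")
    if len(fields) != 6:
        raise ValueError("expected six comma-separated fields")
    values = []
    for field in fields:
        # Accept plain ASCII decimal only: no signs, spaces, hex or
        # Unicode digits that a lenient parser might normalise.
        if not (field.isascii() and field.isdigit()) or len(field) > 3:
            raise ValueError("non-numeric field")
        value = int(field)
        if value > 255:
            raise ValueError("field out of range 0-255")
        values.append(value)
    address = ipaddress.IPv4Address(bytes(values[:4]))
    port = values[4] * 256 + values[5]
    return address, port


def check_port_command(argument, control_peer_ip):
    """Decide whether a PORT request may be honoured.

    control_peer_ip is the address the control connection came from.
    Returns (reply_code, text, target); target is (ip, port) or None.
    """
    try:
        address, port = parse_port_argument(argument)
    except ValueError as exc:
        return 501, "Syntax error in PORT argument: %s" % exc, None
    # Bounce protection 1: data connections go back to the client only.
    if address != ipaddress.IPv4Address(control_peer_ip):
        return 504, "PORT address must match the control connection", None
    # Bounce protection 2: never connect to a well-known service port.
    if port < PRIVILEGED_PORT_LIMIT:
        return 504, "PORT to a port below 1024 is refused", None
    return 200, "PORT command successful", (str(address), port)


# Constructed sample requests (documentation address ranges).
SAMPLES = [
    ("192,0,2,10,195,80", "192.0.2.10"),   # client's own host, port 50000
    ("198,51,100,7,0,25", "192.0.2.10"),   # third-party host, port 25
    ("192,0,2,10,0,22", "192.0.2.10"),     # own host but privileged port
    ("192,0,2,10,300,1", "192.0.2.10"),    # malformed field
]

if __name__ == "__main__":
    for argument, peer in SAMPLES:
        code, text, _ = check_port_command(argument, peer)
        print("PORT %-22s -> %d %s" % (argument, code, text))
```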

12. COWS CGI Online Worldweb Shopping Diagnose.CGI Cross-Site Scripting Vulnerability
BugTraq ID: 3914
Remote: Yes
Date Published: Jan 21 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3914
Summary:

COWS CGI Online Worldweb Shopping is a commercial shopping system which is
written in Perl. COWS will run on most Linux and Unix variants as well as
Microsoft Windows operating systems.

The diagnose.cgi script in COWS does not properly filter HTML tags, making
it possible to launch cross-site scripting attacks.

An attacker may exploit this situation by creating a malicious link
containing script code. When a legitimate user of the service browses the
link, the malicious script code will be executed in the user's browser in
the context of the site hosting the vulnerable software.

Such attacks may be used to steal cookie-based authentication credentials
from legitimate users.

13. Multiple Vendor NTFS File Wipe Vulnerability
BugTraq ID: 3912
Remote: No
Date Published: Jan 21 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3912
Summary:

Under some circumstances, many Windows-based file cleaning utilities do
not properly wipe data from NTFS file systems. NTFS is supported in
Windows XP/NT/2000 operating systems.

Files in NTFS consist of multiple data streams. Alternate Data Streams
(ADS) may be used to store additional data in the same way a standard data
stream does. One of the attributes of Alternate Data Streams is that the
data is hidden from the user.

Data contained in Alternate Data Streams may not be properly removed using
many Windows file-wiping utilities (such as BCWipe, Eraser, SecureClean,
East-Tec Eraser 2000, PGP). For example, if a file-wiping utility is used
to delete a normal file then the Alternate Data Stream attached to that
file will remain intact.

One possible consequence of this issue is that a user will not be able to
use the standard methods to remove potentially malicious data from their
system.

It is important to note that this vulnerability does not affect
file-wiping utilities on older Microsoft Windows operating systems that do
not provide support for the NTFS file system, such as Windows 9x/ME.

14. Working Resources BadBlue Directory Traversal Vulnerability
BugTraq ID: 3913
Remote: Yes
Date Published: Jan 21 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3913
Summary:

Working Resources BadBlue is a webserver intended to share various
resources and is developed for Microsoft Windows environments. Shared
files, specifically, are served through a library called 'ext.dll'.

Due to a flaw in BadBlue it is possible for a user to gain read access to
arbitrary directories and files.

If a request constructed with '../' sequences is submitted as a parameter
to the script used to read Microsoft Office documents, the user may break
out of the permitted path. It is then possible to view arbitrary
directories and files residing on the host.

Successful exploitation of this vulnerability could lead to the disclosure
of sensitive data and assist in further attacks against the target host.

Products based on BadBlue technology may share this vulnerability.
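The containment check whose absence produces this kind of traversal, as an
added example (not BadBlue code): the request parameter is decoded,
normalised with Windows path rules, and accepted only if the result is
still under the shared directory. The share root, function name and sample
requests are assumptions made for illustration.

```python
import ntpath                      # Windows path rules, usable on any OS
from urllib.parse import unquote

SHARE_ROOT = r"C:\shared\docs"     # hypothetical shared directory


def resolve_shared_path(requested, root=SHARE_ROOT):
    """Map a request parameter to a path under root.

    Returns the normalised absolute path, or None if the request would
    leave the shared directory or uses a form that is never legitimate.
    """
    decoded = unquote(requested)           # %2e%2e%2f becomes ../
    if not decoded or "\x00" in decoded:
        return None                        # empty or embedded NUL byte
    relative = decoded.replace("/", "\\")  # both separators work on Windows
    # Drive letters and stream names contain ':'; absolute and UNC paths
    # start with a backslash. None of these is a plain relative file name.
    if ":" in relative or relative.startswith("\\"):
        return None
    root_norm = ntpath.normpath(root)
    # normpath collapses 'dir\..' pairs, so any '..' that climbs above the
    # root shows up as a path that no longer lies under it.
    candidate = ntpath.normpath(ntpath.join(root_norm, relative))
    # Compare whole path components, case-insensitively. A plain string
    # prefix test would wrongly accept C:\shared\docs-private.
    common = ntpath.commonpath([root_norm, candidate])
    if common.lower() != root_norm.lower():
        return None
    return candidate


# Constructed sample requests.
SAMPLES = [
    "reports/q1.doc",                 # ordinary request
    "reports/../budget.xls",          # '..' that stays inside the share
    "../../windows/win.ini",          # climbs out of the share
    "%2e%2e%2f%2e%2e%2fboot.ini",     # same thing, percent-encoded
    r"..\docs-private\x.doc",         # sibling directory sharing a prefix
]

if __name__ == "__main__":
    for request in SAMPLES:
        print("%-30s -> %s" % (request, resolve_shared_path(request)))
```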

15. COWS CGI Online Worldweb Shopping Information Disclosure Vulnerability
BugTraq ID: 3915
Remote: No
Date Published: Jan 21 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3915
Summary:

COWS CGI Online Worldweb Shopping is a commercial shopping system which is
written in Perl. COWS will run on most Linux and Unix variants as well as
Microsoft Windows operating systems.

Some sensitive information is not encrypted by COWS.

For example, a file is created for each user that starts an account with
the service. The filename is the same as the login name of the user. The
contents of these files are not encrypted.

A local attacker could potentially exploit this issue to view information
about users of the shopping service (including personal information and
plaintext authentication credentials).

Furthermore, this information is stored in world-readable files, as
described in BugTraq ID 3922 "COWS CGI Online Worldweb Shopping Insecure
File Permissions Vulnerability".

16. Working Resources BadBlue Invalid Request Denial of Service Vulnerability
BugTraq ID: 3916
Remote: Yes
Date Published: Jan 17 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3916
Summary:

Working Resources BadBlue is a webserver intended to share various
resources and is developed for Microsoft Windows environments. Shared
files, specifically, are served through a library called 'ext.dll'.

An issue has been reported in BadBlue which could cause a denial of
service.

When a user submits a request for a Microsoft Office document, BadBlue
creates a process for the request.

However, if a request is made for a nonexistent file, BadBlue fails to
terminate the process. A remote user may submit multiple requests of this
type, eventually causing the host to stop responding.

A restart of the service may be required in order to regain normal
functionality.

17. Netopia Timbuktu Pro Denial of Service Vulnerability
BugTraq ID: 3918
Remote: Yes
Date Published: Jan 18 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3918
Summary:

Timbuktu is a remote administration tool. It is available for the
Microsoft Windows family of operating systems and Power PC based
Macintosh computers. It supports a variety of administrative tasks,
including full remote access to the user's desktop.

A vulnerability exists in some versions of Timbuktu. If a large number of
connections are created to the Timbuktu server, the server will no longer
accept new connections.

This has been confirmed on the Macintosh version of the Timbuktu software.
Other versions may share this vulnerability.

A restart of the software may be required to regain normal functionality.

18. COWS CGI Online Worldweb Shopping Compatible.CGI Cross-Site Scripting Vulnerability
BugTraq ID: 3921
Remote: Yes
Date Published: Jan 21 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3921
Summary:

COWS CGI Online Worldweb Shopping is a commercial shopping system which is
written in Perl. COWS will run on most Linux and Unix variants as well as
Microsoft Windows operating systems.

The compatible.cgi script in COWS does not properly filter HTML tags, making
it possible to launch cross-site scripting attacks.

An attacker may exploit this situation by creating a malicious link
containing script code. When a legitimate user of the service browses the
link, the malicious script code will be executed in the user's browser in
the context of the site hosting the vulnerable software.

Such attacks may be used to steal cookie-based authentication credentials
from legitimate users.

19. COWS CGI Online Worldweb Shopping Insecure File Permissions Vulnerability
BugTraq ID: 3922
Remote: No
Date Published: Jan 21 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3922
Summary:

COWS CGI Online Worldweb Shopping is a commercial shopping system which is
written in Perl. COWS will run on most Linux and Unix variants as well as
Microsoft Windows operating systems.

COWS creates a number of files with world-readable permissions, including
user profiles and administrative information. A local attacker could
potentially view information about users of the shopping service
(including personal information and plaintext authentication credentials).

Furthermore, BugTraq ID 3915 "COWS CGI Online Worldweb Shopping
Information Disclosure Vulnerability" details the insecure manner in which
sensitive information is stored. Not only is it possible for a local
attacker to view this information, but most of the sensitive information
stored by COWS is in plaintext.

20. Netscape/Mozilla Null Character Cookie Stealing Vulnerability
BugTraq ID: 3925
Remote: Yes
Date Published: Jan 21 2002 12:00A
Relevant URL:
http://www.securityfocus.com/bid/3925
Summary:

Mozilla is a popular, freely available, open-source web browser. It runs
on most Linux and Unix variants, as well as MacOS and Microsoft Windows
9x/ME/NT/2000/XP operating systems. Netscape is another popular
web-browser product which runs on the same platforms as Mozilla.

An issue has been discovered in Mozilla and Netscape which may allow an
attacker to steal cookie-based authentication credentials from a user of a
vulnerable web browser. The problem is in the handling of NULL (%00)
characters in URLs.

It is possible for an attacker to read cookie-based authentication
credentials that are stored on a web user's system for any domain. The
attacker simply creates a malicious link that contains the hostname of a
server under their control, followed by a NULL character, followed by the
domain the attacker wishes to steal cookies for. Browsing the malicious
link causes the web user to connect to the hostname specified in the first
part of the link. The server can then access cookies set for the domain
that was placed in the URL after the NULL byte.

This issue may only be exploited to steal cookies set for a domain, as
opposed to cookies set for a specific host in that domain. Cookies set
with the secure flag can be stolen if the attacker uses SSL.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. Persistent Shares viewable between users? (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=E748F5C5A5A8D411B14100508BDCB15CD7FC14@mail.mis.sandstream.com&threads=1

2. How to get my encrypted files back - Copy to FAT32... (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=OE23d5VcmJE9GmPpC8j00019a97@hotmail.com&threads=1

3. IE6 Privacy and Secure Web Site (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=002001c1a4fa$0813a910$0639a8c0@rjp&threads=1

4. file? - PowerReg.exe - summary (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=5.0.0.25.2.20020124164156.025b1b50@mail.avicatech.com&threads=1

5. Blackhat Security Briefings 2002, New Orleans (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=5.1.0.14.0.20020124111754.00bc0700@192.168.3.190&threads=1

6. local login rights (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=004b01c1a423$4f5bc730$0100a8c0@kick&threads=1

7. subinacl help (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=20020123155710.70716.qmail@web13901.mail.yahoo.com&threads=1

8. remote shutdown (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=432423D46AE2D511BDD100025558116D4E27@zatfs004.w9&threads=1

9. Restricting bandwidth per IP address to a proxy server (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=rh2r4uchvlu99qv58vvebg81ik1ret4t77@4ax.com&threads=1

10. Disabling Terminal Service access by default (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=JOEMLDMCOGCABLDBEJPHAEFMCFAA.bryan_allerdice@yahoo.com&threads=1

11. SecurityFocus Microsoft Newsletter #70 (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=Pine.LNX.4.43.0201220927410.23953-100000@mail&threads=1

12. How to get my encrypted files back. (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=DBC363EA37C5D311823A00508BCF2A6A09699972@seamail.ssofa.com&threads=1

13. Registry Lockdown (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=3C4C46C8.87EAFF3B@weblinkwireless.com&threads=1

14. Seperate User for Services (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=20020119162630.9636.qmail@mail.securityfocus.com&threads=1

15. Need Registry Info (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=008d01c1a093$694f5cd0$f688fea9@mcs.drexel.edu&threads=1

16. nt4 wkstation registry lockdown (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=007e01c1a091$7eb83cb0$f688fea9@mcs.drexel.edu&threads=1

17. Removing OS and version info from Telnet header (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=F177tdNTXEnSxHnYHra0002289a@hotmail.com&threads=1

18. PGP causes IPSec to become disabled (Thread)
Relevant URL:

http://www.securityfocus.com/cgi-bin/archive.pl?id=88&mid=20020118193604.7628.qmail@mail.securityfocus.com&threads=1

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. MultiSecure
by Ubizen
Platforms: Solaris, Windows NT
Relevant URL:
http://www.ubizen.com/products/index.html
Summary:

MultiSecure is security middleware, providing prime application-level
security for web transactions. It is highly scaleable: it can be used
across multiple applications and it is designed to keep up with changing
business needs. MultiSecure can be applied in e-business applications such
as Internet banking, insurance brokerage, e-trading, e-healthcare and
e-government. MultiSecure® offers you maximum protection to ensure
availability, confidentiality and data integrity of your e-business
transactions. Multiple security measures are enforced on the transactions
as defined in the central security policy. These measures include user
authentication, encryption, digital signatures, firewalls, intrusion
detection and auditing.

2. Norton Ghost
by Symantec
Platforms: Windows 95/98, Windows NT, Windows 2000, Windows XP
Relevant URL:
http://www.symantec.com/sabu/ghost/ghost_personal/
Summary:

Norton Ghost provides high-performance utilities for fast and safe system
upgrading, backup, and recovery. It writes disk images directly to many
popular CD-R/CD-RW drives, making it easy to back up your valuable data.
Now it works faster than ever and supports Windows® XP.

3. Websense Enterprise
by Websense Inc.
Platforms: Linux, Solaris, Windows NT, Windows 2000
Relevant URL:
http://www.websense.com/products/about/wse/index.cfm
Summary:

Websense is based on pass-through filtering technology, the most accurate,
reliable and scalable method of Internet filtering. Pass-through filtering
requires all requests for Web pages to pass through an Internet control
point such as a firewall, proxy server or caching device. Websense is
integrated with these control points and checks each request to
immediately determine whether it should be allowed or denied. All
responses are logged for reporting purposes.

4. Tripwire Manager
by Tripwire, Inc.
Platforms: Linux, Solaris, Windows NT, Windows 2000
Relevant URL:
http://www.tripwire.com/products/manager/index.cfml?
Summary:

Tripwire Manager is a fully functional, cross-platform management console
that allows you to easily manage all installations of Tripwire for Servers
across an enterprise network. Tripwire Manager eliminates the need to
manually monitor multiple discrete network platforms and point solutions.
Instead, you have a comprehensive view of data and network integrity
status from a single, centralized console. Tripwire Manager saves time by
pinpointing integrity violations and reduces management costs by providing
rapid access to detailed reports and actionable data.

V. NEW TOOLS FOR MICROSOFT PLATFORMS
------------------------------------
1. Leviathan Auditor v1.1
by Egemen Tas egemen@kutbil.com
Relevant URL:
http://packetstorm.decepticons.org/Win/indexdate.shtml
Platforms: Windows 2000, Windows NT, Windows XP
Summary:

The Leviathan Auditor is an enumeration and penetration testing tool which
runs on and against Microsoft machines. It dumps Users, Groups, Services,
Shares, Transport devices and MAC addresses over port 139 or 445. It
enumerates RPC portmapper entries over port 135 and also tries to exploit
MS SQL servers if one is present. With its built-in SQL Server exploit
you can execute remote commands as Local System. Source code is freely
available on demand.

2. APassword v1.01
by Information Packaging
Relevant URL:
http://www.info-pack.com/apassword/
Platforms: Windows 2000, Windows 95/98, Windows NT, Windows XP
Summary:

APassword allows you to generate random passwords either singly or in
batches. You can select from a range of character options including:
Letters, Numbers, Symbols, Case Selection and more. These passwords can
then be saved to disk in CSV or one-per-line format. At the click of a
button the password is displayed in HUGE characters to make it easy to
read out to customers or users.

3. xScan v1.3
by XFOCUS (glacier)
Relevant URL:
http://www.xfocus.org/programs.php
Platforms: Windows 2000, Windows 3.x, Windows 95/98, Windows CE, Windows
NT, Windows XP
Summary:

X-Scan is a general-purpose, multi-threaded network vulnerability scanner
that scans a specified IP address range or a stand-alone computer.
Plug-ins are supported, and separate GUI and CUI programs are provided.

4. NGSSniff
by Next Generation Security Software Ltd support@nextgenss.com
Relevant URL:
http://www.nextgenss.com/products/ngssniff.html
Platforms: Windows 2000, Windows XP
Summary:

NGSSniff is a network packet capture and analysis program. It requires
Windows 2000 or XP, and allows users to capture, save and analyse traffic
on their network. The current version of NGSSniff is a BETA test version,
and is thus provided free of charge.

VI. SPONSORSHIP INFORMATION
---------------------------
This issue is sponsored by: CipherTrust Inc.

-------------------------------------------------------------------------------