SecurityFocus Microsoft Newsletter #91

From: Marc Fossi (mfossi@securityfocus.com)
Date: 06/18/02


From: "Marc Fossi" <mfossi@securityfocus.com>
To: "Focus-MS" <focus-ms@securityfocus.com>
Date: Tue, 18 Jun 2002 13:53:43 -0600


This Issue Sponsored By: Kyberpass

Is your company's Microsoft Outlook e-mail exposed as a note sent on a
postcard? Do you really know who's reading your sensitive corporate
communications? Download our free white paper to learn how the new
Kyberpass Secure E-Mail TrustPlatform makes Outlook an e-mail platform you
can trust! For more information and to read reviews by SC Magazine and
Network Computing visit:
http://www.kyberpass.com/products/secure_email.html or call us now at
800-845-1140.

-------------------------------------------------------------------------------

I. FRONT AND CENTER
     1. Developing an Effective Incident Cost Analysis Mechanism
     2. Assessing Security Risk, Part One: What is Risk Assessment?
     3. The Commoner's Virus
     4. Black Hat Briefings & Training
II. MICROSOFT VULNERABILITY SUMMARY
     1. Multiple Bugzilla Security Vulnerabilities
     2. Geeklog pid CGI Variable SQL Injection Vulnerability
     3. Geeklog Multiple Cross Site Scripting Vulnerabilities
     4. Datalex Bookit! Consumer Plaintext Authentication Credentials...
     5. Geeklog Calendar Event Form Script Injection Vulnerability
     6. Apache Tomcat JSP Engine Denial of Service Vulnerability
     7. Seanox DevWex File Disclosure Vulnerability
     8. Microsoft Internet Explorer FTP Web View Cross Site Scripting...
     9. CGIScript.net csNews Double URL Encoding Unauthorized...
     10. Microsoft ASP.NET StateServer Cookie Handling Buffer Overflow...
     11. CGIScript.net csNews Header File Type Restriction Bypass...
     12. Internet Security Systems BlackICE Agent Failure To Reactivate...
     13. Splatt Forum Image Tag HTML Injection Vulnerability
     14. PHPReactor Global.INC.PHP Cross Site Scripting Vulnerability
     15. MyHelpDesk HTML Injection Vulnerability
     16. MyHelpDesk Cross-Site Scripting Vulnerability
     17. MyHelpDesk SQL Injection Vulnerability
     18. W-Agora Remote File Include Vulnerability
     19. Seanox DevWex Buffer Overflow Vulnerability
     20. CGIScript.net CSNews Sensitive File Disclosure Vulnerability
     21. Macromedia JRun JSP Engine Denial Of Service Vulnerability
III. MICROSOFT FOCUS LIST SUMMARY
     1. CA certificates on W2k (Thread)
     2. O-u-t O-f O-f-f-i-c-e Replies (Thread)
     3. Out Of Office Replies (Thread)
     4. Changing Terminal Server port in TSAC ActiveX Web Control (Thread)
     5. ISA best practice (Thread)
     6. Help me and my ISA server (Thread)
     7. Help me and my ISA server => ISA best practice (Thread)
     8. Windows Reverification (Thread)
     9. SecurityFocus Microsoft Newsletter #90 (Thread)
     10. MS Exchange Server 5.5/ NT User Name Harvesting ? (Thread)
     11. How to determine when a patch was applied ? (Thread)
IV. MICROSOFT PRODUCTS
     1. DumpEvt V1.7.3
     2. Enterprise Security Manager
     3. Firewall Control
V. MICROSOFT TOOLS
     1. CHX-I Packet Filter v1.1
     2. EventwatchNT v2.3
     3. FourEyes v1.0
     4. Sudoscript v2.0.0b2 (dev)
VI. SPONSORSHIP INFORMATION

I. FRONT AND CENTER
-------------------
1. Developing an Effective Incident Cost Analysis Mechanism
By David A. Dittrich

One of the challenges facing security and accounting personnel is to calculate the real costs of security incidents. In this article, SecurityFocus contributor Dave Dittrich discusses the Incident Cost Analysis Modeling Project (I-CAMP), an attempt to develop a workable model for estimating the costs of computer security incidents.

http://online.securityfocus.com/infocus/1592

2. Assessing Internet Security Risk, Part One: What is Risk Assessment?
by Charl Van der Walt

The Internet, like the Wild West of old, is an uncharted new world, full of fresh and exciting opportunities. However, like the Wild West, the Internet is also fraught with new threats and obstacles; dangers the average businessman and home user hasn't even begun to understand. But I don’t have to tell you this. You’ve heard that exact speech at just about every single security conference or seminar you’ve ever attended, usually accompanied by a veritable array of slides and graphs demonstrating exactly how serious the threat is and how many millions of dollars your company stands to lose. The “death toll” statistics are then almost always followed by a sales pitch for some or other product that’s supposed to make it all go away. Yeah right.

http://online.securityfocus.com/infocus/1591

3. The Commoner's Virus
By George Smith

Despite its virulence, the Klez worm is ignored by the newspapers and dismissed by the digerati. Could the demographics of its victims be a factor?

http://online.securityfocus.com/columnists/87

4. Black Hat Briefings & Training

Attend Black Hat Briefings & Training, July 29 - August 1, Las Vegas, the world's premier technical security event! 8 tracks, 12 training sessions, Richard Clarke keynote, 500 delegates from 30 nations, with a near cult following of both CSOs and "underground" security experts. See for yourself what the buzz is all about.

Please visit www.blackhat.com for more information.

II. BUGTRAQ SUMMARY
-------------------
1. Multiple Bugzilla Security Vulnerabilities
BugTraq ID: 4964
Remote: Yes
Date Published: Jun 08 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4964
Summary:

Bugzilla is a freely available, open source bug tracking software package. It is available for Linux, Unix, and Microsoft Operating Systems.

Several problems have been discovered in Bugzilla that may allow remote users to gain information through information leakage, or unauthorized access to Bugzilla.

The queryhelp.cgi script distributed with Bugzilla could allow remote users to gain access to information about products that are set as confidential in the Bugzilla database.

An attacker may be able to hijack user sessions provided the attacker has reverse resolution authority for an IP address, and is able to steal a user's authentication cookie.

When a directory does not exist, Mozilla will attempt to create it. However, by default, the directory is usually created with world-writeable permissions.

It is possible for any user with permissions to edit any other user's details to delete any other user of the board through the edituser.cgi script.

The Real Names field does not filter HTML. An attacker may be able to input malicious HTML in the field, resulting in a cross-site scripting attack.

When performing a mass change, the groupset of all bugs is set to the groupset of the first bug in the mass change sequence.

Bugzilla did not handle encoding from some browsers, which could lead to unintended consequences, such as setting private or confidential information to a publicly displayed mode.

The syncing of the shadow database was done insecurely. Under some circumstances, this could output sensitive data to a user of Bugzilla at random.

2. Geeklog pid CGI Variable SQL Injection Vulnerability
BugTraq ID: 4968
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4968
Summary:

Geeklog is freely available, open-source weblog software. It is written in PHP and will run on most Unix and Linux variants, as well as Microsoft Windows NT/2000. Geeklog is backended by MySQL. Geeklog version 1.3.5 and prior are subject to SQL injection attacks.

Geeklog does not properly validate externally-supplied input when including arbitrary characters and additional SQL statements in the 'pid' variable of some CGI requests. As a result, attackers may be able to modify SQL queries performed by the application.

This issue has been reported in the comment.php script, and the following URL has been supplied as an example:

/comment.php?mode=display&sid=foo&pid=PROBLEM_HERE&title=ALPER_Research_Labs

It should be noted that if the 'Magic Quotes' PHP feature is enabled, it may be difficult for attackers to obtain user information from SQL tables. This feature may, however, not be sufficient to remove all possibilities of exploitation.

Exploitation of this vulnerability may result in data corruption, disclosure of sensitive information and intrusion into the database server.

3. Geeklog Multiple Cross Site Scripting Vulnerabilities
BugTraq ID: 4969
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4969
Summary:

Geeklog is freely available, open-source weblog software. It is written in PHP and will run on most Unix and Linux variants, as well as Microsoft Windows NT/2000. Geeklog is backended by MySQL.

Geeklog does not filter script code from URL parameters, making it prone to cross-site scripting attacks. Attacker-supplied script code may be included in a malicious link to the 'index.php' or 'comment.php' script. The attacker-supplied script code will be executed in the browser of a web user who visits this link, in the security context of the host running Geeklog. Such a link might be included in a HTML e-mail or on a malicious webpage.

This may enable a remote attacker to steal cookie-based authentication credentials from legitimate users of a host running Geeklog.

This issue has been reported to exist in Geeklog 1.3.5; earlier versions may also be susceptible to this issue.

4. Datalex Bookit! Consumer Plaintext Authentication Credentials Vulnerability
BugTraq ID: 4972
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4972
Summary:

Datalex Bookit! Consumer is web-based software for providing travel booking services. It will run on most Unix and Linux variants in addition to Microsoft Windows operating systems.

Datalex Bookit! Consumer may be configured to remember authentication credentials. If a user chooses to have their authentication credentials 'remembered', then the credentials will be stored in a cookie. However, these credentials are stored in plaintext. This becomes an issue if the authentication credentials ever become exposed to an attacker.

It should be also noted that in some cases form data is posted using the GET method. As a result, sensitive information (including plaintext authentication credentials) is sent in CGI parameters.

A number of situations exist where an attacker may be able to gain access to the plaintext credentials. For example, the authentication credentials may be cached on a proxy server. Also, this may be exploited by an attacker in an appropriate position to sniff network traffic between a user's web client and the server running the software. Lastly, cookie-based authentication credentials may potentially be exposed via cross-site scripting or HTML injection attacks.

5. Geeklog Calendar Event Form Script Injection Vulnerability
BugTraq ID: 4974
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4974
Summary:

Geeklog is freely available, open-source weblog software. It is written in PHP and will run on most Unix and Linux variants, as well as Microsoft Windows NT/2000. Geeklog is backended by MySQL.

Geeklog does not sufficiently sanitize script code from form fields, making it prone to script injection attacks.

Attacker-supplied script code included in the Link field of a new Calendar Event submission form may potentially end up in webpages generated by Geeklog and will execute in the browser of a user who views such pages, in the security context of the website.

It should be noted that new Calendar Event submissions are sent to the web site administrator for approval.

This issue may potentially be exploited to hijack web content or steal cookie-based authentication credentials from legitimate users.

6. Apache Tomcat JSP Engine Denial of Service Vulnerability
BugTraq ID: 4995
Remote: Yes
Date Published: Jun 12 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4995
Summary:

Apache Tomcat is a freely available, open source servlet container that is used to display and interpret Java Servlet and JavaServer Pages (JSP) technologies. Apache Tomcat is available for Unix and Linux variants as well as the Microsoft Windows operating environments.

A vulnerability has been reported in Apache Tomcat for Windows that results in a denial of service condition. The vulnerability occurs when Tomcat encounters a malicious JSP page.

The following snippet of code is reported to crash the Tomcat JSP engine:

new WPrinterJob().pageSetup(null,null);

An attacker may exploit this vulnerability by creating a malicious page on vulnerable systems and by requesting the page from the server. This would cause the Tomcat JSP engine to attempt to interpret the page and subsequently crash, leading to the denial of service condition.

7. Seanox DevWex File Disclosure Vulnerability
BugTraq ID: 4978
Remote: Yes
Date Published: Jun 08 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4978
Summary:

Seanox DevWex is a webserver. It is available as a stand-alone Microsoft Windows binary or as a Java application.

The Seanox DevWex Windows binary version is prone to an issue which may cause arbitrary web-readable files to be disclosed to remote attackers. This problem occurs because DevWex does not sufficiently filter '..\' sequences from web requests. As a result, attackers may break out of the webroot directory by making a malicious request containing '..\' sequences. Files targeted by the attacker may be disclosed in this manner.

8. Microsoft Internet Explorer FTP Web View Cross Site Scripting Vulnerability
BugTraq ID: 4954
Remote: Yes
Date Published: Jun 06 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4954
Summary:

A cross site scripting issue has been reported with some versions of Microsoft Internet Explorer for Windows. Under some configurations, data included within a FTP URL will be rendered as displayed content, allowing the execution of arbitrary JavaScript code within the Local Computer context.

Internet Explorer includes the ability to navigate FTP sites. If the option 'Enable folder view for FTP sites' is set, FTP sites will be displayed in a manner similar to the file system Explorer. This option is enabled by default.

Recent versions of Windows support the 'Enable Web content in folders' option. In part, this option causes some information about the folder or file currently being viewed to be displayed within the Explorer window. This option is also enabled by default. In the event that a folder is being viewed through FTP, the FTP server name is included in this information.

If both of these options are set, the FTP server name is not sanitized. A malicious link may define a server name which includes HTML content, including script code.

When displayed, this script code will execute within the Local Computer context. By default, this context has significant access rights to the computer. Exploitation of this vulnerability could, indirectly, lead to the execution of arbitrary code on the system as the current user.

This vulnerability has been confirmed to exist under Windows 2000. Other versions of Windows may share this vulnerability. This has not, however, been confirmed.

9. CGIScript.net csNews Double URL Encoding Unauthorized Administrative Access Vulnerability
BugTraq ID: 4993
Remote: Yes
Date Published: Jun 11 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4993
Summary:

csNews is a script for managing news items on a website. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

csNews may be configured through a web interface. Different users may be defined with varying levels of access. Users with "public" access may modify page content, while admin users are able to configure the script.

Reportedly, users with public access may view and modify some configuration pages normally restricted to admin level users. This may be accomplished by double URL encoding metacharacters in the database name provided as a CGI parameter.

Users will be able to view and modify options on the 'Advanced Settings' page, as well as view 'Admin Options'.

This may be exploited by submitting URLs with database names such as default%2edb.

10. Microsoft ASP.NET StateServer Cookie Handling Buffer Overflow Vulnerability
BugTraq ID: 4958
Remote: Yes
Date Published: Jun 06 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4958
Summary:

Microsoft's ASP.NET is a collection of technologies. ASP.NET supports a range of common HTTP tasks, including the ability to maintain session state through the usage of client cookies. This may be accomplished through the use of ASP.NET's StateServer mode, in which state information is stored in a separate server process.

A vulnerability exists in the processing of cookie data by this state server. A malicious remote user could create a cookie with a large amount of data. When this data is processed, a memory buffer will overflow, corrupting adjacent data.

Exploitation of this vulnerability may cause the server process to crash, leading to a denial of service. Additionally, it may be possible to corrupt memory such as stack frame data, and in turn force the server process to execute arbitrary code. This possibility has not, however, been confirmed.

By default, the StateServer process runs as a non-privileged user. This may reduce the consequences of exploitation.

11. CGIScript.net csNews Header File Type Restriction Bypass Vulnerability
BugTraq ID: 4994
Remote: Yes
Date Published: Jun 11 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4994
Summary:

csNews is a script for managing news items on a website. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

It is possible for an administrator to define a header and footer displayed by csNews. Normally this is restricted to txt, html and htm files. However, it is possible for a malicious administrator to bypass this restriction and specify an arbitrary file type.

Reportedly, this may be done simply by submitting a manually constructed HTTP request with the new configuration information.

Exploitation of this vulnerability allows an attacker to display any system file as a header or footer. An attacker may, for example, specify a CGI script file which includes authentication information.

The ability to exploit this vulnerability may only require "public" access to csNews if used in conjunction with issues discussed in BID 4993.

12. Internet Security Systems BlackICE Agent Failure To Reactivate After Suspending Vulnerability
BugTraq ID: 4950
Remote: Yes
Date Published: Jun 06 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4950
Summary:

BlackICE Agent is a home/small office firewall software solution. It is developed for use with Microsoft Windows operating systems. It has been reported that in version 3.1 EAL of BlackICE, the Agent may fail to fully reactivate after a system resumes operation from a suspend state.

It is alleged that the packet filtering component does not resume operation. Consequently, communications passing through the firewall are not subject to the rules and restrictions that comprise the host security policy.

Though the packet filtering engine is not operating, it will appear to the user that the Agent is functioning normally. This will leave the protected host exposed without user knowledge. Attackers may then exploit vulnerable services that are believed to be protected.

13. Splatt Forum Image Tag HTML Injection Vulnerability
BugTraq ID: 4953
Remote: Yes
Date Published: Jun 06 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4953
Summary:

Splatt forum is web forum software. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

Splatt Forum does not filter HTML from image tags. This may allow an attacker to inject arbitrary script code in forum messages. Injected script code will be executed in the browser of an arbitrary web user who views the malicious forum message, in the context of the website running Splatt Forum.

This can be achieved by entering script or HTML between [img] and [/img] tags in a forum message.

This may potentially be exploited to hijack web content or steal cookie-based authentication credentials from legitimate users.

It may be possible to inject JavaScript and HTML in other parts of forum messages, however this has not been confirmed.

14. PHPReactor Global.INC.PHP Cross Site Scripting Vulnerability
BugTraq ID: 4952
Remote: Yes
Date Published: Jun 06 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4952
Summary:

php(Reactor) is an integrated system of web applications designed for easy website maintenance. It will run on most Linux and Unix variants, in addition to Microsoft Windows operating systems.

It is reported that php(Reactor) is vulnerable to cross site scripting attacks.

The vulnerability is present in the 'global.inc.php' script. php(Reactor) does not properly sanitize the client-supplied value of the 'go' parameter prior to output.

Attackers may exploit this vulnerability by constructing a link to one of these scripts containing malicious HTML code. If the link is sent to a php(Reactor) user and clicked on, the attacker-supplied HTML code will run in the context of the user's php(Reactor) session. The HTML code may obtain cookie values or perform unauthorized actions as the victim user.

15. MyHelpDesk HTML Injection Vulnerability
BugTraq ID: 4967
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4967
Summary:

MyHelpDesk is a web-based helpdesk system written in PHP. It is freely available and will run on most Unix and Linux variants as well as Microsoft Windows operating systems.

A vulnerability has been reported for MyHelpDesk (version 20020509 and earlier) that will allow attackers to inject malicious HTML code.

MyHelpDesk does not properly sanitize HTML tags from form fields. Attackers may pass arbitrary HTML code through the unsanitized form fields. The attacker-supplied HTML code will end up being displayed in MyHelpDesk webpages and will be executed by the web client of users who visit such pages, in the security context of the site running the vulnerable software.

The 'Title', 'Description' and 'Update' fields are not properly sanitized for malicious HTML input. Additionally, an opportunity for HTML injection exists when a new ticket is created or edited.

This may potentially be exploited to hijack web content or steal cookie-based authentication credentials from legitimate users.

16. MyHelpDesk Cross-Site Scripting Vulnerability
BugTraq ID: 4970
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4970
Summary:

MyHelpDesk is a web-based helpdesk system written in PHP. It is freely available and will run on most Unix and Linux variants as well as Microsoft Windows operating systems.

It is reported that MyHelpDesk (version 20020509 and earlier) is vulnerable to cross site scripting attacks.

The vulnerability is present in the 'index.php' script. MyHelpDesk does not properly sanitize HTML from the 'id' CGI parameter prior to output.

Attackers may exploit this vulnerability by constructing a link to a vulnerable script, passing malicious HTML code as a value for unsanitized CGI parameters. If the link is sent to a MyHelpDesk user and clicked on, the attacker-supplied HTML code will run in the context of the site running the vulnerable software.

This issue may be exploited to steal cookie-based authentication credentials from legitimate users of MyHelpDesk.

17. MyHelpDesk SQL Injection Vulnerability
BugTraq ID: 4971
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4971
Summary:

MyHelpDesk is a web-based helpdesk system written in PHP. It is freely available and will run on most Unix and Linux variants as well as Microsoft Windows operating systems. MyHelpDesk is back-ended by a MySQL database.

It is reported that MyHelpDesk (version 20020509 and earlier) is vulnerable to an SQL injection attack.

A SQL injection vulnerability has been reported within the index.php script. Data supplied by the remote user, via CGI parameters, is used directly as part of SQL statements. As input sanitization is not properly performed, it is possible to modify the logic of a SQL query.

Cleverly executed SQL injection attacks may potentially allow a malicious party to view or modify sensitive information. Additionally, an attacker might potentially use this issue to exploit any existing vulnerabilities in the underlying database.

18. W-Agora Remote File Include Vulnerability
BugTraq ID: 4977
Remote: Yes
Date Published: Jun 10 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4977
Summary:

W-Agora is a web publishing and forum software. It is implemented in PHP and will run on most Linux and Unix variants, in addition to Microsoft Windows operating systems.

W-Agora is prone to an issue which may allow an attacker to include arbitrary files located on a remote server. In particular, the 'inc_dir' variable found in a number of W-Agora scripts defines the path to the configuration file. It is possible, under some configurations, for an attacker to specify an arbitrary value for the location of the configuration file which points to a file on a remote server.

If the included file is a PHP script, this may allow for execution of arbitrary attacker-supplied code.

Successful exploitation depends partly on the configuration of PHP on the host running the vulnerable software. If 'allow_url_fopen' is set to 'off' then exploitation of this issue may be limited.

19. Seanox DevWex Buffer Overflow Vulnerability
BugTraq ID: 4979
Remote: Yes
Date Published: Jun 08 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4979
Summary:

Seanox DevWex is a webserver. It is available as a stand-alone Microsoft Windows binary or as a Java application.

The Seanox DevWex Windows binary version is prone to a buffer overflow condition. This condition is due to insufficient bounds checking on the length of a HTTP GET request. Excessively long requests (258383+ characters) will trigger the condition.

This may be potentially exploited to execute arbitrary attacker-supplied instructions with the privileges of the webserver process (normally SYSTEM). Additionally, remote attackers may exploit this to cause the server to crash.

20. CGIScript.net CSNews Sensitive File Disclosure Vulnerability
BugTraq ID: 4991
Remote: Yes
Date Published: Jun 11 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4991
Summary:

csNews is a script for managing news items on a website. It will run on most Unix and Linux variants, as well as Microsoft Windows operating systems.

A number of sensitive csNews files may be accessed by unauthorized users. Database files may be accessed in this manner, potentially exposing database authentication credentials and other sensitive information.

Metacharacters in requests for database files must be double URL encoded. For example:

default%2edb
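
An added example, not code from csNews, DevWex or any other product listed here: a defensive path check for the two input problems described in items 7, 9 and 20 ('..\' sequences and double URL encoding). It decodes to a fixed point, rejects nested encoding, normalises separators and only then applies policy. The function names, the blocked-suffix list and the sample requests are assumptions constructed for illustration.

```python
from urllib.parse import unquote

MAX_ROUNDS = 4                               # assumption: deeper nesting is never legitimate
BLOCKED_SUFFIXES = (".db", ".inc", ".cfg")   # constructed policy, not any product's list


class RejectedPath(ValueError):
    """Raised when a request path must not be served."""


def fully_decode(raw):
    """Percent-decode until the string stops changing; return (text, layers)."""
    current = raw
    for layers in range(MAX_ROUNDS + 1):
        decoded = unquote(current)
        if decoded == current:
            return current, layers
        current = decoded
    raise RejectedPath("too many encoding layers")


def canonical_path(raw_path):
    """Return the path in the form the filesystem will see, or raise."""
    decoded, layers = fully_decode(raw_path)
    if layers > 1:
        # One layer is ordinary URL encoding. A second layer only serves to
        # carry a character past a check that runs between the two decodes.
        raise RejectedPath("nested percent-encoding")
    if "\x00" in decoded:
        raise RejectedPath("NUL byte")
    # Windows accepts both separators, so '..\' is treated exactly like '../'.
    segments = [s for s in decoded.replace("\\", "/").split("/")
                if s not in ("", ".")]
    if ".." in segments:
        raise RejectedPath("parent-directory segment")
    clean = "/" + "/".join(segments)
    if clean.lower().endswith(BLOCKED_SUFFIXES):
        raise RejectedPath("blocked file type")
    return clean


def naive_filter(raw_path):
    """Flawed pattern for comparison: check the raw string, decode afterwards."""
    if "../" in raw_path or raw_path.lower().endswith(BLOCKED_SUFFIXES):
        return None
    return unquote(unquote(raw_path))        # what later layers end up opening


def verdict(raw_path):
    """Human-readable decision for one request path."""
    try:
        return "allow " + canonical_path(raw_path)
    except RejectedPath as exc:
        return "reject (%s)" % exc


# Constructed sample requests, not taken from any real log.
SAMPLES = [
    "/news/index.html",
    "/news/my%20file.html",
    "/cgi-bin/default%2edb",
    "/cgi-bin/default%252edb",
    "/..\\..\\secret.txt",
    "/%2e%2e%5csecret.txt",
]

if __name__ == "__main__":
    for path in SAMPLES:
        print("%-26s naive=%-24r strict=%s"
              % (path, naive_filter(path), verdict(path)))
```

The naive filter passes every encoded or backslash-based sample because it inspects a form of the path that is never the one opened; the strict check makes its decision on the final form only.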

21. Macromedia JRun JSP Engine Denial Of Service Vulnerability
BugTraq ID: 4997
Remote: Yes
Date Published: Jun 12 2002 12:00A
Relevant URL: http://www.securityfocus.com/bid/4997
Summary:

Macromedia JRun is a J2EE (Java 2 Platform Enterprise Edition) application server for use with IIS (Internet Information Server) 4/5 on the Microsoft Windows operating systems.

A vulnerability has been reported in Macromedia JRun for Windows that results in a denial of service condition. The vulnerability occurs when JRun encounters a malicious JSP page.

The following snippet of code is reported to crash the JRun JSP engine:

new WPrinterJob().pageSetup(null,null);

An attacker may exploit this vulnerability by creating a malicious page on vulnerable systems and by requesting the page from the server. This would cause the JRun JSP engine to attempt to interpret the page and subsequently crash, leading to the denial of service condition.

III. MICROSOFT FOCUS LIST SUMMARY
---------------------------------
1. CA certificates on W2k (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/65590D572241D311AB160090278618A0D4D610@EIG_MAIL

2. O-u-t O-f O-f-f-i-c-e Replies (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/5.1.0.14.2.20020613082115.031cfdf0@mail.hammerofgod.com

3. Out Of Office Replies (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/A6AE363BC0FA8248A7B3A30445A45A0207D7DCA1@BigExchange.ccbn.com

4. Changing Terminal Server port in TSAC ActiveX Web Control (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/5.1.0.14.2.20020612205423.03193008@mail.hammerofgod.com

5. ISA best practice (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/FNEAJEJCKPBMALIBCHNHIENECCAA.kit@smallfoxx.com

6. Help me and my ISA server (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/9D884881F5E1F24FB845967851720FC302C8DECA@red-msg-12.redmond.corp.microsoft.com

7. Help me and my ISA server => ISA best practice (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/C8D4A7339214BF43B80473E27549EABB1BB64F@LRSSP6.lrsinc.org

8. Windows Reverification (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/02ff01c210e8$27e06670$32c8c80a@innocuous.vapor

9. SecurityFocus Microsoft Newsletter #90 (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/Pine.LNX.4.43.0206101619210.26905-100000@mail.securityfocus.com

10. MS Exchange Server 5.5/ NT User Name Harvesting ? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/20020610194818.67669.qmail@web20514.mail.yahoo.com

11. How to determine when a patch was applied ? (Thread)
Relevant URL:

http://online.securityfocus.com/archive/88/7771AA69152BD61197E700B0D0D1B725868161@exchange106.comp.pge.com

IV. NEW PRODUCTS FOR MICROSOFT PLATFORMS
----------------------------------------
1. DumpEvt V1.7.3
by Somarsoft
Platforms: Windows NT
Relevant URL: http://www.somarsoft.com/
Summary:

Windows NT program to dump the event log, in a format suitable for importing into a database. Used as basis for eventlog management system, for long-term tracking of security violations, etc. Similar to DUMPEL utility in NT resource kit, but fixes various defects of that utility that make the output unsuitable for importing into databases. Fully functional and free of charge.

2. Enterprise Security Manager
by Symantec
Platforms: AIX, HP-UX, IRIX, Netware, Solaris, SunOS, True64 UNIX, UNIX, VMS, Windows 95/98, Windows NT
Relevant URL: http://enterprisesecurity.symantec.com/products/products.cfm?ProductID=45&PID=9006109
Summary:

With Symantec Enterprise Security Manager 5.1 you can define security policy on line in a database, and automatically measure how secure you are across the network. In addition, you can control security by drilling down to the details surrounding problems and automatically correcting them with the click of a button.

3. Firewall Control
by Lightspeed Systems
Platforms: Windows 2000, Windows NT
Relevant URL: http://www.lightspeedsystems.com/firewall_control.asp
Summary:

- Advanced stateful-inspection firewall
- Virtual Private Network (VPN)
- Network Address Translation
- Protection against denial-of-service attacks
- Access control for network resources
- Traffic logging and stats

V. MICROSOFT TOOLS
------------------
1. CHX-I Packet Filter v1.1
by IDRCI Inc.
Relevant URL: http://www.idrci.net/idrci_products.htm
Platforms: Windows 2000, Windows XP
Summary:

Designed to complement the CHX-I application firewall engine at the network level, the CHX-I Packet Filter can be used on Windows 2000/XP servers or workstations as a first level of defense. Its great graphical user interface and management flexibility allow for rapid filter creation and deployment.

2. EventwatchNT v2.3
by Ingmar Koecher contact@netikus.net
Relevant URL: http://www.netikus.net/software/eventwatchnt/EventwatchNT_Readme.htm
Platforms: Windows 2000, Windows NT, Windows XP
Summary:

EventwatchNT is an eventlog monitoring tool. It runs as a Windows NT / Windows 2000 / Windows XP service and waits for new events in the eventlog(s). If an event occurs (configurable) it will be sent to the recipient(s) via SMTP email. EventwatchNT can also receive messages from remote unix syslog daemons. EventwatchNT will not miss events that occurred during a system boot and will try to resend messages when the network or the SMTP server is unavailable.

3. FourEyes v1.0
by TPIS
Relevant URL: http://www.tpis.com.au/products/fe/
Platforms: Windows 2000, Windows NT, Windows XP
Summary:

FourEyes allows network administrators to enforce a four-eyes policy on Windows NT, 2000 and XP by requiring two users to authenticate during a local logon. FourEyes uses the existing software and hardware for authentication, so it will work with passwords, smart cards, tokens or biometrics.

4. Sudoscript v2.0.0b2 (dev)
by hbo
Relevant URL: http://www.egbok.com/sudoscript/
Platforms: FreeBSD, Linux, NetBSD, OpenBSD, POSIX, Solaris, SunOS
Summary:

Sudoscript is a pair of Perl scripts (sudoscriptd/sudoshell) that provide an audited root shell using sudo.

VI. SPONSORSHIP INFORMATION
---------------------------

This Issue Sponsored By: Kyberpass

Is your company's Microsoft Outlook e-mail exposed as a note sent on a postcard? Do you really know who's reading your sensitive corporate communications? Download our free white paper to learn how the new Kyberpass Secure E-Mail TrustPlatform makes Outlook an e-mail platform you can trust! For more information and to read reviews by SC Magazine and Network Computing visit: http://www.kyberpass.com/products/secure_email.html or call us now at 800-845-1140.

-------------------------------------------------------------------------------