Security UPDATE, September 10, 2003

Security UPDATE, September 10, 2003

Windows & .NET Magazine Security UPDATE--September 10, 2003

===============

==== This Issue Sponsored By ==== TNT Software http://www.tntsoftware.com/winsec091003 Ecora Software https://www.ecora.com/ecora/jump/se1.asp

==========

1. In Focus: A Suite Spot for Better Office Security? 2. Security Risks - Information Disclosure Vulnerability in Microsoft NetBIOS - Automatic Macro Execution Vulnerability in Microsoft Word - Arbitrary Code Execution Vulnerability in Microsoft WordPerfect Converter - Arbitrary Code Execution Vulnerability in Microsoft VBA - Arbitrary Code Execution Vulnerability in Microsoft Access Snapshot Viewer 3. Announcements - Find Your Next Job at Our IT Career Center - Attend Black Hat Briefings & Training Federal! 4. Security Roundup - Feature: Windows Server 2003: Secure By Default - Feature: Is True Recovery Always Possible? 5. Security Toolkit - Virus Center - FAQ: How Do I Restrict Access to Some or All of the Control Panel Applets on NT Systems? 6. Event - New--Mobile & Wireless Road Show! 7. New and Improved - Stop Suspicious Downloads - Ease Sign-On Pain - Tell Us About a Hot Product and Get a T-Shirt! 8. Hot Thread - Windows & .NET Magazine Online Forums - Featured Thread: Can't Log On 9. Contact Us See this section for a list of ways to contact us.

==========

==== Sponsor: TNT Software ==== FREE Download: Automate Event Log Monitoring Automate event log monitoring, provide real-time intrusion detection, and satisfy mandated auditing requirements all with TNT Software's ELM Log Manager. Preferred by small businesses because of its ease of use and Fortune 500 companies because of its reliability, ELM 3.1 is the affordable solution with the scalability to consolidate MILLIONs of events and Syslog messages a day, display them in custom views, launch critical alerts, and schedule reports. Download your FREE 30 day fully functional evaluation software NOW and start experiencing the benefits of automated log monitoring. http://www.tntsoftware.com/winsec091003

==========

==== 1. In Focus: A Suite Spot for Better Office Security? ==== by Mark Joseph Edwards, News Editor, [email protected] I think all of you know that Microsoft Office is a powerful suite of tools that offers tremendous productivity in any environment. If you haven't heard about the latest security patches for Microsoft Office, which affect Office 2000 through Office 2003, be sure to read about them in this edition of Security UPDATE. The problems are related to Microsoft Word macros, conversion of Corel WordPerfect files, Visual Basic for Applications (VBA), and the Microsoft Access Snapshot viewer. You should definitely consider loading the associated patches because the problems could present unwanted security risks in your environment if left unpatched. In addition to other means, you can check for new Office updates, whether related to security or otherwise, at the Microsoft Web sites listed below. http://www.officeupdate.com/downloads/default.aspx http://www.microsoft.com/office/ork/2003/admin/xp/default.htm Office is the default suite of choice for many companies whose systems run on Windows platforms. You probably also know about alternatives to Office, but have you heard about the OpenOffice.org alternative? OpenOffice.org is an open-source suite of tools similar to Office. As you might expect of an office productivity suite, OpenOffice.org includes a word processor (Writer), a spreadsheet (Calc), a multimedia presentation creator (Impress), a graphics illustration platform (Draw), and database tools. http://www.openoffice.org http://www.openoffice.org/product To learn about the notable differences between OpenOffice.org and Office, study the literature at the associated Web site and download and test a copy on your network. One major difference is that OpenOffice.org uses Java and JavaScript instead of Visual Basic (VB), which could be a security benefit in your environment--because malicious VB scripts embedded in documents won't work against your systems. Another major difference is cross-platform support: OpenOffice.org runs on Windows, Linux variants, Sun Microsystems' Sun Solaris, and Mac OS X. For mixed platform environments, that's quite an attraction. And, of course, a huge difference is in the cost of licensing: OpenOffice.org has no licensing fee. As open source, it's free. You can read about the associated licensing at the URL below. But keep in mind, free doesn't mean poor quality. OpenOffice.org is definitely a quality product. http://www.openoffice.org/license.html When I first heard about OpenOffice.org, I was skeptical. I've used Microsoft Office components for years, and I wondered whether I'd lose any functionality or find OpenOffice.org documents to be incompatible in some way. For example, I create or read a lot of text documents, spreadsheets, and presentation files that Microsoft Office users must be able to open, so compatibility was a cause for concern. My concerns were unwarranted. I downloaded OpenOffice.org (in .iso file format), created an installation CD-ROM by using the .iso file, and "test drove" OpenOffice.org for several months. The ease of use is considerable--it took very little time for me to adjust to the platform. So far, I've encountered only one document with which I had noticeable formatting problems with the onscreen display. (I'm not sure what caused the problem, but the onscreen layout wasn't quite right.) I suspect the Word document I was viewing had been created with a very old version of Word; however, I could be wrong. But other than that, I've found no compatibility concerns to speak of. Aside from the idea that intruders don't target OpenOffice.org platforms nearly as frequently as Microsoft Office, other security considerations could make the software either beneficial or detrimental. On September 25 at the VB2003 conference in Toronto, Sami Rautiainen of F-Secure will give a presentation about OpenOffice.org security (Virus Bulletin hosts the session). Rautiainen will discuss the OpenOffice.org security model, its environment, restrictions for executable content, the native macro language, and XML file format OpenOffice.org uses. In his presentation, he'll discuss whether "OpenOffice developers [have] taken into account the pitfalls shown by the history of the Microsoft Office or is OpenOffice the next victim of the abuse of macro viruses?" You can learn more about the conference, its tracks, and Rautiainen's presentation at the URLs below. https://www.virusbtn.com/conference/vb2003/index.xml https://www.virusbtn.com/conference/vb2003/abstracts/srautiainen03.xml OpenOffice.org might be a good alternative to Microsoft Office for your environment. Because so many intruders target Microsoft software, using an alternative might reduce your risks, so consider taking a closer look at this alternative office suite. If you've used OpenOffice.org and have comments to share, please send me an email messages with your observations and opinion. Correction: Last week's commentary, "Service Pack Maintenance with Scripts," referred to a second script as part of the service pack rollout process. However, the single script discussed performs multiple functions.

==========

==== Sponsor: Ecora Software ==== Perform patch audits in minutes with Ecora Patch Manager How confident are you that all critical security patches are deployed and up-to-date on every single system in your infrastructure? Need some help figuring it all out before the next big worm attack? Try a free copy of Ecora Patch Manager. Designed for IT professionals short on time, Patch Manager completely automates and simplifies the entire patch management cycle in just minutes. See for yourself how automation can save time, reduce costs, and keep your IT infrastructure stable and secure. Download a free, fully-functional trial of Ecora Patch Manager now! https://www.ecora.com/ecora/jump/se1.asp

==========

==== 2. Security Risks ==== contributed by Ken Pfeil, [email protected] Information-Disclosure Vulnerability in Microsoft NetBIOS Mike Price of Foundstone Labs discovered a vulnerability in Microsoft NetBIOS that can result in information disclosure. This vulnerability stems from a flaw in the NetBIOS Name Service (NBNS). An attacker can exploit this vulnerability by sending a NetBIOS over TCP/IP (NetBT) Name Service query to the target system, then examining the response to see whether it includes random data from that system's memory. Microsoft has released Security Bulletin MS03-034 (Flaw in NetBIOS Could Lead to Information Disclosure) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=40089 Automatic Macro Execution Vulnerability in Microsoft Word Jim Bassett of Practitioners Publishing discovered that a vulnerability in Microsoft Word can result in the automatic execution of a macro. As a result of this vulnerability, an attacker can craft a malicious document that bypasses the macro security model. When a user opens the document, a malicious embedded macro will execute automatically, regardless of the level at which you've set macro security. The malicious macro can take actions that the user has permissions to carry out, such as adding, changing, or deleting data or files; communicating with a Web site; and formatting the hard disk. Microsoft has released Security Bulletin MS03-035 (Flaw in Microsoft Word Could Enable Macros to Run Automatically) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=40090 Arbitrary Code Execution Vulnerability in Microsoft WordPerfect Converter eEye Digital Security discovered a vulnerability in Microsoft WordPerfect Converter that can result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from a flaw in the way Microsoft's WordPerfect converter handles Corel WordPerfect documents. Because the converter doesn't correctly validate certain parameters when it opens a WordPerfect document, an unchecked buffer occurs. An attacker can therefore craft a malicious WordPerfect document to allow code of his or her choice to execute if an application that used the WordPerfect converter opened the document. Microsoft has released Security Bulletin MS03-036 (Buffer Overrun in WordPerfect Converter Could Allow Code Execution) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=40091 Arbitrary Code Execution Vulnerability in Microsoft VBA eEye Digital Security discovered that a vulnerability in Visual Basic for Applications (VBA) can result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from a flaw in the way Microsoft checks document properties passed to it when the host application opens a document. The resulting buffer overrun can let an attacker execute code of his or her choice under the logged-on user's security context. Microsoft has released Security Bulletin MS03-037 (Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=40092 Arbitrary Code Execution Vulnerability in Microsoft Access Snapshot Viewer Oliver Lavery discovered that a Microsoft Access vulnerability can result in the execution of arbitrary code on the vulnerable system. Because the Snapshot Viewer doesn't correctly validate parameters, a buffer overrun can let an attacker execute code of his or her choice under the logged-on user's security context. Microsoft has released Security Bulletin MS03-038 (Unchecked buffer in Microsoft Access Snapshot Viewer Could Allow Code Execution) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=40093 ==== Sponsor: Virus Update from Panda Software ==== Check for the latest anti-virus information and tools, including weekly virus reports, virus forecasts, and virus prevention tips, at Panda Software's Center for Virus Control. http://www.secadministrator.com/Panda/Index.cfm Viruses routinely infect "fully protected" networks. Is total protection possible? Find answers in the free guide HOW TO KEEP YOUR COMPANY 100% VIRUS FREE from Panda Software. Learn how viruses enter networks, what they do, and the most effective weapons to combat them. Protect your network effectively and permanently - download today! http://www.pandasecurity.com/virusfree2

==========

==== 3. Announcements ==== (from Windows & .NET Magazine and its partners) Find Your Next Job at Our IT Career Center Check out our new online career center in which you can browse current job openings, post your resume, and create automated notifications to notify you when a job is posted that meets your specifications. It's effective, it's private, and there's no charge. Visit today! http://windows.itcareerpath.com Attend Black Hat Briefings & Training Federal! Running September 29-30, 2003 (Training) and October 1-2, 2003 (Briefings) in Tysons Corner, VA, this is the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! Includes 6 tracks, 12 training sessions, top speakers, and sponsors. Lots of Windows stuff. Register today! http://www.blackhat.com ==== 4. Security Roundup ==== Feature: Windows Server 2003: Secure By Default Microsoft has made security the focal point of its Windows Server 2003 publicity, especially the publicity that targets IT professionals. Windows 2003 marketing materials tout Bill Gates's challenge to Microsoft employees in January 2002 to develop a Trustworthy Computing initiative, and product managers and developers from the Windows 2003 security team are taking center stage to convince IT audiences that Microsoft has radically changed the security philosophy of its Windows OSs. Joe Rudich discusses 10 default changes every administrator should know about. http://www.secadministrator.com/articles/index.cfm?articleid=39808 Feature: Is True Recovery Always Possible? Despite what some advertisements lead you to believe, when a disaster strikes, you need more than just a large insurance policy to get things back to "business as usual." And in some cases, you simply can't bring a business back to where it was before the disaster. Kalen Delaney discusses this situation further in her article on our Web site. http://www.secadministrator.com/articles/index.cfm?articleid=39648 ==== Hot Release ==== Thawte Get Thawte's New Step-by-Step SSL Guide for MSIIS In this guide you will find out how to test, purchase, install and use a Thawte Digital Certificate on your MSIIS web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. Get your copy of this new guide now: http://ad.doubleclick.net/clk;6078274;8369298;e ==== 5. Security Toolkit ==== Virus Center Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda FAQ: How Do I Restrict Access to Some or All of the Control Panel Applets on NT Systems? contributed by Jan De Clercq, [email protected] The Windows NT System Policy Editor (SPE) contains two Control Panel-related settings that appear in the properties of user and group system-policy objects. The first setting--Restrict display--lets you restrict user access to the tabs of the Control Panel Display applet. The other setting--Remove folders from Settings on Start menu--lets you hide the Control Panel folder from a user's Start menu. Selecting this check box also hides the Printers folder on the Start menu. If you want to restrict access to specific Control Panel applets, you can change the access control entries (ACEs) on the corresponding Control Panel extension file. All such files reside in the %systemroot%system32 folder and have a .cpl extension. To get a clear overview of these files, sort the content of the system32 folder by file type, then locate the files of type Control Panel extension. To change the ACEs, right-click the .cpl file and select Properties. Select the Security tab and adjust the permissions as needed. Make sure that the System account keeps Full Control access. To automate this process, you can run cacls.exe from a logon or .bat script. For an overview of which .cpl file corresponds to which Control Panel applet, see the Microsoft article "HOWTO: Start a Control Panel Applet in Windows 95 or Later." http://support.microsoft.com/? kbid=135068 ==== 6. Event ==== New--Mobile & Wireless Road Show! Learn more about the wireless and mobility solutions that are available today! Register now for this free event! http://www.winnetmag.com/roadshows/wireless ==== 7. New and Improved ==== by Sue Cooper, [email protected] Stop Suspicious Downloads GFI Software released GFI DownloadSecurity for ISA Server 6, which provides content security for file downloads. Its new Trojan horse and executable scanner analyzes what an executable does--and quarantines those that perform suspicious activities. If an attempted file download triggers a rule you set according to file type or user, the file download is quarantined for approval. GFI DownloadSecurity includes multiple antivirus engines, networkwide blocking of Java applets and ActiveX controls, and seamless integration with Microsoft Internet Security and Acceleration (ISA) Server 2000. New features include support for Windows Server 2003, a decompression engine, and downloading of updates through HTTP. Prices start at $295 for 25 users. You can find more information and a trial version at http://www.gfi.com/dsec. http://www.gfi.com Ease Sign-On Pain Passlogix announced v-GO Single Sign-On (SSO) 4.0, a client-based security application that enables SSO by taking any form of authentication and seamlessly connecting to any mainframe, Windows, Web, or homegrown application. Even if computers are connected to a network, users need only one password to connect to all their applications. v-GO SSO 4.0 offers Federal Information Processing Standard (FIPS) 140-2-compliant, on-the-fly encryption and constant resource protection to meet stringent security regulations for vertical applications. Its directorycentric architecture and wizard-based administrative console let you quickly set up thousands of users. Contact Passlogix at 866-727-7564, 212-825-9100, or [email protected]. http://www.passlogix.com Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]. ==== 8. Hot Thread ==== Windows & .NET Magazine Online Forums http://www.winnetmag.com/forums Featured Thread: Can't Log On (Two messages in this thread) A user has two Windows 2000 Advanced Server domain controllers (DCs) on his network. When he tries to log on to one of them (even with the Network Administrator account), he receives the message "The Local policy of this system does not permit you to log on interactively." He doesn't know what causes this condition. He has moved the server to a new organizational unit (OU) and created a group policy to permit everyone local logons, but he still can't log on locally to the particular DC. Does anyone have a solution? Lend a hand or read the responses: http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=62788 ==== Sponsored Links ==== Aelita Software Free message-level Exchange recovery web seminar October 9th http://ad.doubleclick.net/clk;6098474;8214395;v?http://www.aelita.com/090103updatelink CrossTec Free Download - NEW NetOp 7.6 - faster, more secure, remote support http://ad.doubleclick.net/clk;5930423;8214395;j?http://www.crossteccorp.com/tryit/w2k.html MailFrontier Eliminate spam once and for all. MailFrontier Anti-Spam Gateway. http://ad.doubleclick.net/clk;6080289;8214395;q?http://altfarm.mediaplex.com/ad/ck/2848-15512-3892-1

=========

==== 9. Contact Us ==== About the newsletter -- [email protected] About technical questions -- http://www.winnetmag.com/forums About product news -- [email protected] About your subscription -- [email protected] About sponsoring Security UPDATE -- [email protected]

==========

This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing Windows and related technologies. Subscribe today. http://www.secadministrator.com/sub.cfm?code=saei25xxup Thank you! __________________________________________________________ Copyright 2003, Penton Media, Inc. Security UPDATE, September 10, 2003 Windows & .NET Magazine Security UPDATE--September 10, 2003

==========

==== This Issue Sponsored By ==== TNT Software http://www.tntsoftware.com/winsec091003 Ecora Software https://www.ecora.com/ecora/jump/se1.asp

==========

1. In Focus: A Suite Spot for Better Office Security? 2. Security Risks - Information Disclosure Vulnerability in Microsoft NetBIOS - Automatic Macro Execution Vulnerability in Microsoft Word - Arbitrary Code Execution Vulnerability in Microsoft WordPerfect Converter - Arbitrary Code Execution Vulnerability in Microsoft VBA - Arbitrary Code Execution Vulnerability in Microsoft Access Snapshot Viewer 3. Announcements - Find Your Next Job at Our IT Career Center - Attend Black Hat Briefings & Training Federal! 4. Security Roundup - Feature: Windows Server 2003: Secure By Default - Feature: Is True Recovery Always Possible? 5. Security Toolkit - Virus Center - FAQ: How Do I Restrict Access to Some or All of the Control Panel Applets on NT Systems? 6. Event - New--Mobile & Wireless Road Show! 7. New and Improved - Stop Suspicious Downloads - Ease Sign-On Pain - Tell Us About a Hot Product and Get a T-Shirt! 8. Hot Thread - Windows & .NET Magazine Online Forums - Featured Thread: Can't Log On 9. Contact Us See this section for a list of ways to contact us.

==========

==== Sponsor: TNT Software ==== FREE Download: Automate Event Log Monitoring Automate event log monitoring, provide real-time intrusion detection, and satisfy mandated auditing requirements all with TNT Software's ELM Log Manager. Preferred by small businesses because of its ease of use and Fortune 500 companies because of its reliability, ELM 3.1 is the affordable solution with the scalability to consolidate MILLIONs of events and Syslog messages a day, display them in custom views, launch critical alerts, and schedule reports. Download your FREE 30 day fully functional evaluation software NOW and start experiencing the benefits of automated log monitoring. http://www.tntsoftware.com/winsec091003

==========

==== 1. In Focus: A Suite Spot for Better Office Security? ==== by Mark Joseph Edwards, News Editor, [email protected] I think all of you know that Microsoft Office is a powerful suite of tools that offers tremendous productivity in any environment. If you haven't heard about the latest security patches for Microsoft Office, which affect Office 2000 through Office 2003, be sure to read about them in this edition of Security UPDATE. The problems are related to Microsoft Word macros, conversion of Corel WordPerfect files, Visual Basic for Applications (VBA), and the Microsoft Access Snapshot viewer. You should definitely consider loading the associated patches because the problems could present unwanted security risks in your environment if left unpatched. In addition to other means, you can check for new Office updates, whether related to security or otherwise, at the Microsoft Web sites listed below. http://www.officeupdate.com/downloads/default.aspx http://www.microsoft.com/office/ork/2003/admin/xp/default.htm Office is the default suite of choice for many companies whose systems run on Windows platforms. You probably also know about alternatives to Office, but have you heard about the OpenOffice.org alternative? OpenOffice.org is an open-source suite of tools similar to Office. As you might expect of an office productivity suite, OpenOffice.org includes a word processor (Writer), a spreadsheet (Calc), a multimedia presentation creator (Impress), a graphics illustration platform (Draw), and database tools. http://www.openoffice.org http://www.openoffice.org/product To learn about the notable differences between OpenOffice.org and Office, study the literature at the associated Web site and download and test a copy on your network. One major difference is that OpenOffice.org uses Java and JavaScript instead of Visual Basic (VB), which could be a security benefit in your environment--because malicious VB scripts embedded in documents won't work against your systems. Another major difference is cross-platform support: OpenOffice.org runs on Windows, Linux variants, Sun Microsystems' Sun Solaris, and Mac OS X. For mixed platform environments, that's quite an attraction. And, of course, a huge difference is in the cost of licensing: OpenOffice.org has no licensing fee. As open source, it's free. You can read about the associated licensing at the URL below. But keep in mind, free doesn't mean poor quality. OpenOffice.org is definitely a quality product. http://www.openoffice.org/license.html When I first heard about OpenOffice.org, I was skeptical. I've used Microsoft Office components for years, and I wondered whether I'd lose any functionality or find OpenOffice.org documents to be incompatible in some way. For example, I create or read a lot of text documents, spreadsheets, and presentation files that Microsoft Office users must be able to open, so compatibility was a cause for concern. My concerns were unwarranted. I downloaded OpenOffice.org (in .iso file format), created an installation CD-ROM by using the .iso file, and "test drove" OpenOffice.org for several months. The ease of use is considerable--it took very little time for me to adjust to the platform. So far, I've encountered only one document with which I had noticeable formatting problems with the onscreen display. (I'm not sure what caused the problem, but the onscreen layout wasn't quite right.) I suspect the Word document I was viewing had been created with a very old version of Word; however, I could be wrong. But other than that, I've found no compatibility concerns to speak of. Aside from the idea that intruders don't target OpenOffice.org platforms nearly as frequently as Microsoft Office, other security considerations could make the software either beneficial or detrimental. On September 25 at the VB2003 conference in Toronto, Sami Rautiainen of F-Secure will give a presentation about OpenOffice.org security (Virus Bulletin hosts the session). Rautiainen will discuss the OpenOffice.org security model, its environment, restrictions for executable content, the native macro language, and XML file format OpenOffice.org uses. In his presentation, he'll discuss whether "OpenOffice developers [have] taken into account the pitfalls shown by the history of the Microsoft Office or is OpenOffice the next victim of the abuse of macro viruses?" You can learn more about the conference, its tracks, and Rautiainen's presentation at the URLs below. https://www.virusbtn.com/conference/vb2003/index.xml https://www.virusbtn.com/conference/vb2003/abstracts/srautiainen03.xml OpenOffice.org might be a good alternative to Microsoft Office for your environment. Because so many intruders target Microsoft software, using an alternative might reduce your risks, so consider taking a closer look at this alternative office suite. If you've used OpenOffice.org and have comments to share, please send me an email messages with your observations and opinion. Correction: Last week's commentary, "Service Pack Maintenance with Scripts," referred to a second script as part of the service pack rollout process. However, the single script discussed performs multiple functions.

==========

==== Sponsor: Ecora Software ==== Perform patch audits in minutes with Ecora Patch Manager How confident are you that all critical security patches are deployed and up-to-date on every single system in your infrastructure? Need some help figuring it all out before the next big worm attack? Try a free copy of Ecora Patch Manager. Designed for IT professionals short on time, Patch Manager completely automates and simplifies the entire patch management cycle in just minutes. See for yourself how automation can save time, reduce costs, and keep your IT infrastructure stable and secure. Download a free, fully-functional trial of Ecora Patch Manager now! https://www.ecora.com/ecora/jump/se1.asp

==========

==== 2. Security Risks ==== contributed by Ken Pfeil, [email protected] Information-Disclosure Vulnerability in Microsoft NetBIOS Mike Price of Foundstone Labs discovered a vulnerability in Microsoft NetBIOS that can result in information disclosure. This vulnerability stems from a flaw in the NetBIOS Name Service (NBNS). An attacker can exploit this vulnerability by sending a NetBIOS over TCP/IP (NetBT) Name Service query to the target system, then examining the response to see whether it includes random data from that system's memory. Microsoft has released Security Bulletin MS03-034 (Flaw in NetBIOS Could Lead to Information Disclosure) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=40089 Automatic Macro Execution Vulnerability in Microsoft Word Jim Bassett of Practitioners Publishing discovered that a vulnerability in Microsoft Word can result in the automatic execution of a macro. As a result of this vulnerability, an attacker can craft a malicious document that bypasses the macro security model. When a user opens the document, a malicious embedded macro will execute automatically, regardless of the level at which you've set macro security. The malicious macro can take actions that the user has permissions to carry out, such as adding, changing, or deleting data or files; communicating with a Web site; and formatting the hard disk. Microsoft has released Security Bulletin MS03-035 (Flaw in Microsoft Word Could Enable Macros to Run Automatically) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=40090 Arbitrary Code Execution Vulnerability in Microsoft WordPerfect Converter eEye Digital Security discovered a vulnerability in Microsoft WordPerfect Converter that can result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from a flaw in the way Microsoft's WordPerfect converter handles Corel WordPerfect documents. Because the converter doesn't correctly validate certain parameters when it opens a WordPerfect document, an unchecked buffer occurs. An attacker can therefore craft a malicious WordPerfect document to allow code of his or her choice to execute if an application that used the WordPerfect converter opened the document. Microsoft has released Security Bulletin MS03-036 (Buffer Overrun in WordPerfect Converter Could Allow Code Execution) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=40091 Arbitrary Code Execution Vulnerability in Microsoft VBA eEye Digital Security discovered that a vulnerability in Visual Basic for Applications (VBA) can result in the execution of arbitrary code on the vulnerable system. This vulnerability stems from a flaw in the way Microsoft checks document properties passed to it when the host application opens a document. The resulting buffer overrun can let an attacker execute code of his or her choice under the logged-on user's security context. Microsoft has released Security Bulletin MS03-037 (Flaw in Visual Basic for Applications Could Allow Arbitrary Code Execution) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=40092 Arbitrary Code Execution Vulnerability in Microsoft Access Snapshot Viewer Oliver Lavery discovered that a Microsoft Access vulnerability can result in the execution of arbitrary code on the vulnerable system. Because the Snapshot Viewer doesn't correctly validate parameters, a buffer overrun can let an attacker execute code of his or her choice under the logged-on user's security context. Microsoft has released Security Bulletin MS03-038 (Unchecked buffer in Microsoft Access Snapshot Viewer Could Allow Code Execution) to address this vulnerability and recommends that affected users apply the appropriate patch mentioned in the bulletin. http://www.secadministrator.com/articles/index.cfm?articleid=40093 ==== Sponsor: Virus Update from Panda Software ==== Check for the latest anti-virus information and tools, including weekly virus reports, virus forecasts, and virus prevention tips, at Panda Software's Center for Virus Control. http://www.secadministrator.com/Panda/Index.cfm Viruses routinely infect "fully protected" networks. Is total protection possible? Find answers in the free guide HOW TO KEEP YOUR COMPANY 100% VIRUS FREE from Panda Software. Learn how viruses enter networks, what they do, and the most effective weapons to combat them. Protect your network effectively and permanently - download today! http://www.pandasecurity.com/virusfree2

==========

==== 3. Announcements ==== (from Windows & .NET Magazine and its partners) Find Your Next Job at Our IT Career Center Check out our new online career center in which you can browse current job openings, post your resume, and create automated notifications to notify you when a job is posted that meets your specifications. It's effective, it's private, and there's no charge. Visit today! http://windows.itcareerpath.com Attend Black Hat Briefings & Training Federal! Running September 29-30, 2003 (Training) and October 1-2, 2003 (Briefings) in Tysons Corner, VA, this is the world's premier technical IT security event. Modeled after the famous Black Hat event in Las Vegas! Includes 6 tracks, 12 training sessions, top speakers, and sponsors. Lots of Windows stuff. Register today! http://www.blackhat.com ==== 4. Security Roundup ==== Feature: Windows Server 2003: Secure By Default Microsoft has made security the focal point of its Windows Server 2003 publicity, especially the publicity that targets IT professionals. Windows 2003 marketing materials tout Bill Gates's challenge to Microsoft employees in January 2002 to develop a Trustworthy Computing initiative, and product managers and developers from the Windows 2003 security team are taking center stage to convince IT audiences that Microsoft has radically changed the security philosophy of its Windows OSs. Joe Rudich discusses 10 default changes every administrator should know about. http://www.secadministrator.com/articles/index.cfm?articleid=39808 Feature: Is True Recovery Always Possible? Despite what some advertisements lead you to believe, when a disaster strikes, you need more than just a large insurance policy to get things back to "business as usual." And in some cases, you simply can't bring a business back to where it was before the disaster. Kalen Delaney discusses this situation further in her article on our Web site. http://www.secadministrator.com/articles/index.cfm?articleid=39648 ==== Hot Release ==== Thawte Get Thawte's New Step-by-Step SSL Guide for MSIIS In this guide you will find out how to test, purchase, install and use a Thawte Digital Certificate on your MSIIS web server. Throughout, best practices for set-up are highlighted to help you ensure efficient ongoing management of your encryption keys and digital certificates. Get your copy of this new guide now: http://ad.doubleclick.net/clk;6078274;8369298;e ==== 5. Security Toolkit ==== Virus Center Panda Software and the Windows & .NET Magazine Network have teamed to bring you the Center for Virus Control. Visit the site often to remain informed about the latest threats to your system security. http://www.secadministrator.com/panda FAQ: How Do I Restrict Access to Some or All of the Control Panel Applets on NT Systems? contributed by Jan De Clercq, [email protected] The Windows NT System Policy Editor (SPE) contains two Control Panel-related settings that appear in the properties of user and group system-policy objects. The first setting--Restrict display--lets you restrict user access to the tabs of the Control Panel Display applet. The other setting--Remove folders from Settings on Start menu--lets you hide the Control Panel folder from a user's Start menu. Selecting this check box also hides the Printers folder on the Start menu. If you want to restrict access to specific Control Panel applets, you can change the access control entries (ACEs) on the corresponding Control Panel extension file. All such files reside in the %systemroot%system32 folder and have a .cpl extension. To get a clear overview of these files, sort the content of the system32 folder by file type, then locate the files of type Control Panel extension. To change the ACEs, right-click the .cpl file and select Properties. Select the Security tab and adjust the permissions as needed. Make sure that the System account keeps Full Control access. To automate this process, you can run cacls.exe from a logon or .bat script. For an overview of which .cpl file corresponds to which Control Panel applet, see the Microsoft article "HOWTO: Start a Control Panel Applet in Windows 95 or Later." http://support.microsoft.com/? kbid=135068 ==== 6. Event ==== New--Mobile & Wireless Road Show! Learn more about the wireless and mobility solutions that are available today! Register now for this free event! http://www.winnetmag.com/roadshows/wireless ==== 7. New and Improved ==== by Sue Cooper, [email protected] Stop Suspicious Downloads GFI Software released GFI DownloadSecurity for ISA Server 6, which provides content security for file downloads. Its new Trojan horse and executable scanner analyzes what an executable does--and quarantines those that perform suspicious activities. If an attempted file download triggers a rule you set according to file type or user, the file download is quarantined for approval. GFI DownloadSecurity includes multiple antivirus engines, networkwide blocking of Java applets and ActiveX controls, and seamless integration with Microsoft Internet Security and Acceleration (ISA) Server 2000. New features include support for Windows Server 2003, a decompression engine, and downloading of updates through HTTP. Prices start at $295 for 25 users. You can find more information and a trial version at http://www.gfi.com/dsec. http://www.gfi.com Ease Sign-On Pain Passlogix announced v-GO Single Sign-On (SSO) 4.0, a client-based security application that enables SSO by taking any form of authentication and seamlessly connecting to any mainframe, Windows, Web, or homegrown application. Even if computers are connected to a network, users need only one password to connect to all their applications. v-GO SSO 4.0 offers Federal Information Processing Standard (FIPS) 140-2-compliant, on-the-fly encryption and constant resource protection to meet stringent security regulations for vertical applications. Its directorycentric architecture and wizard-based administrative console let you quickly set up thousands of users. Contact Passlogix at 866-727-7564, 212-825-9100, or [email protected]. http://www.passlogix.com Tell Us About a Hot Product and Get a T-Shirt! Have you used a product that changed your IT experience by saving you time or easing your daily burden? Tell us about the product, and we'll send you a Windows & .NET Magazine T-shirt if we write about the product in a future Windows & .NET Magazine What's Hot column. Send your product suggestions with information about how the product has helped you to [email protected]. ==== 8. Hot Thread ==== Windows & .NET Magazine Online Forums http://www.winnetmag.com/forums Featured Thread: Can't Log On (Two messages in this thread) A user has two Windows 2000 Advanced Server domain controllers (DCs) on his network. When he tries to log on to one of them (even with the Network Administrator account), he receives the message "The Local policy of this system does not permit you to log on interactively." He doesn't know what causes this condition. He has moved the server to a new organizational unit (OU) and created a group policy to permit everyone local logons, but he still can't log on locally to the particular DC. Does anyone have a solution? Lend a hand or read the responses: http://www.winnetmag.com/forums/rd.cfm?cid=42&tid=62788 ==== Sponsored Links ==== Aelita Software Free message-level Exchange recovery web seminar October 9th http://ad.doubleclick.net/clk;6098474;8214395;v?http://www.aelita.com/090103updatelink CrossTec Free Download - NEW NetOp 7.6 - faster, more secure, remote support http://ad.doubleclick.net/clk;5930423;8214395;j?http://www.crossteccorp.com/tryit/w2k.html MailFrontier Eliminate spam once and for all. MailFrontier Anti-Spam Gateway. http://ad.doubleclick.net/clk;6080289;8214395;q?http://altfarm.mediaplex.com/ad/ck/2848-15512-3892-1

=========

==== 9. Contact Us ==== About the newsletter -- [email protected] About technical questions -- http://www.winnetmag.com/forums About product news -- [email protected] About your subscription -- [email protected] About sponsoring Security UPDATE -- [email protected]

=============== This email newsletter is brought to you by Security Administrator, the print newsletter with independent, impartial advice for IT administrators securing Windows and related technologies. Subscribe today. http://www.secadministrator.com/sub.cfm?code=saei25xxup

Thank you! __________________________________________________________ Copyright 2003, Penton Media, Inc.