[ISN] Windows & .NET Magazine Security UPDATE--New Worms Target Unpatched Web Servers--May 5, 2004

InfoSec News isn at c4i.org
Thu May 6 06:08:36 EDT 2004


==== This Issue Sponsored By ====

Ecora Software

Exchange & Outlook Administrator


1. In Focus: New Worms Target Unpatched Web Servers

2. Security News and Features
   - Recent Security Vulnerabilities
   - News: Problems with Microsoft's Patch MS04-011
   - News: Need ISC Bind DNS Support?
   - News: Network Associates to Consolidate and Change Name
   - News: Microsoft Presents Antispyware Strategy

3. Instant Poll

4. Security Toolkit
   - FAQ
   - Featured Thread

5. New and Improved
   - All-in-One ADSL Modem, Firewall Router, and Switch


==== 1. In Focus: New Worms Target Unpatched Web Servers ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

Last week, I wrote about the most recent security patches from
Microsoft as well as new exploits that take advantage of related
problems. I also mentioned that if you haven't loaded the Microsoft
Security Bulletin MS04-011 (Security Update for Microsoft Windows)
patch, then your systems are sitting ducks. As it turns out, duck
hunting season just opened.

Several worms are now spreading and taking advantage of problems that
can be remedied by the MS04-011 patch. According to the SANS
Institute's Internet Storm Center, variants of the Gaobot worm target
systems that don't have the MS04-011 patch. In addition, at least
three variants of the Sasser worm target the same vulnerabilities.

Of course, all the companies that provide preventive measures,
including makers of antivirus software and Intrusion Detection
Systems, are updating their tools to provide protection. Some have
also provided removal tools in case your systems have become infected
by the Sasser worm variants. If your systems have become infected and
you need quick help removing worms, check with your antivirus vendor
to determine whether it's released Sasser removal tools.

Microsoft has released a bulletin regarding the Sasser worm as well as
a tool that helps with worm removal. You can find it at the first URL
below. If you need help with worm removal, remember that Microsoft
provides free support for security matters. United States and Canadian
residents can reach the company toll free at 866-727-2338, or anyone
can go to the second URL below and click the "Send us an online
request for support" link.

If you've loaded the patch already and have experienced problems or if
you're considering loading the patch soon, be aware that known
problems with the patch might affect your network environment. For
more information, see the first News item below.


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these discoveries

News: Problems with Microsoft's Patch MS04-011
   The Microsoft article "Your computer stops responding, you cannot
log on to Windows, or your CPU usage for the System process approaches
100 percent after you install the security update that is described in
Microsoft Security Bulletin MS04-011,"
http://support.microsoft.com/?kbid=841382 , released on April 28,
discusses problems that have been discovered in the recently released
Microsoft Security Bulletin MS04-011 (Security Update for Microsoft
Windows). According to the article, problems can arise on Windows 2000
OSs if any of three drivers (ipsecw2k.sys, imcide.sys, or dlttape.sys)
are loaded. People might experience lockups at boot time, the
inability to log on, or 100 percent CPU utilization.

News: Need ISC Bind DNS Support?
   Nonprofit company Internet Software Consortium (ISC), makers of ISC
Bind DNS software, have announced the availability of support
contracts. You can choose 24 x 7 support, 12 x 7 support (from 8 A.M.
to 8 P.M., Eastern Standard Time--EST), or 9 x 5 support (from 9 A.M.
to 6 P.M., EST, Monday through Friday).

News: Network Associates to Consolidate and Change Name
   Network Associates announced that the company will sell its Sniffer
product line, focus exclusively on security solutions, and change its
name to McAfee. Silver Lake Partners and Texas Pacific Group will buy
the Sniffer technology for $275 million.

News: Microsoft Presents Antispyware Strategy
   Deceptive software, also known as spyware, now accounts for more
than 50 percent of the Windows failures reported to Microsoft and is
becoming an important industry concern. Microsoft's partners report
that spyware is the number-one support problem and is costing the
industry millions of dollars a year in support costs. Microsoft and
other companies detailed to the US Federal Trade Commission (FTC) the
steps they're taking to reduce the threat and problems spyware causes.


==== Announcements ====
   (from Windows & .NET Magazine and its partners)

The Conference on Securing and Auditing Windows Technologies, July
   New for 2004, The Conference on Securing and Auditing Windows
Technologies will be held July 20-21, 2004, at the Fairmont Copley
Plaza in Boston, MA. In vendor-neutral sessions on today's hottest
topics, you'll get practical strategies for mitigating risk and
safeguarding your systems. For more information, call 508-879-7999 or
go to:

Register Today for Microsoft Tech Ed 2004
   Don't miss Tech Ed 2004 -- May 23-28, 2004 in San Diego, CA -- the
definitive Microsoft conference for building, deploying, securing and
managing connected solutions. You'll find 11 conference tracks and
over 400 sessions. Get answers to your technical questions, meet
industry experts, evaluate new products, and take advantage of
extensive networking opportunities. Register today.

Small Servers for Small Businesses Web Seminar
   Today a small business can be as agile as a large business by
understanding which technology can be leveraged to create a
centralized server environment. In this free Web seminar, you'll learn
the perils of peer-to-peer file sharing, backup and recovery,
migration from desktop to servers, and Small Business Server basics.
Register now!


==== 3. Instant Poll ====

Results of Previous Poll
   The voting has closed in the Windows & .NET Magazine Network
Security Web page nonscientific Instant Poll for the question, "As a
security administrator, what's your most important task?" Here are the
results from the 77 votes.
   - 43% Security monitoring and auditing
   - 13% Policy management and enforcement
   - 23% Patch management
   - 19% End-user education
   - 1% Other
(Deviations from 100 percent are due to rounding.)

New Instant Poll
   The next Instant Poll question is, "Has your company become
infected by the Sasser or Gaobot worm?" Go to the Security Web page
and submit your vote for
   - Yes
   - No
   - I'm not sure

==== 4. Security Toolkit ====

FAQ: Password-Change Web Page
   by John Savill, http://www.winnetmag.com/windowsnt20002003faq

Q: How can I create a Web page at which users can change their

A: You can write an Active Server Pages (ASP) script that creates a
password-change Web page. ASP gives you complete access to Microsoft
Active Directory Service Interfaces (ADSI), which lets you perform a
variety of functions, such as changing passwords or creating accounts.
When you write such a script, you must consider factors such as the
user account under which the script will run and the permissions you
want to use when the script runs. To see a script and further
explanation, go to this FAQ on our Web site.

Featured Thread: Group Membership Issue (findgrp error 234)
   (Three messages in this thread)
   A reader writes that he has a problem with the membership of user
accounts in global groups. One symptom is that some applications are
not aware of local or domain administrator rights and those
applications don't allow installation or configuration. When the
reader executes the findgrp command (from the Microsoft Windows 2000
Resource Kit) he receives error 234, "finding global groups: Unknown
Error: 234." However, the local groups are listed correctly.

The reader is using Windows XP Professional Service Pack 1 (SP1) and
all patches in a Windows 2000 Server Active Directory (AD)
environment. As far as he can determine, only XP systems have this
problem. He thinks a particular patch might be causing the behavior
and would like advice. Lend a hand or read the responses:


==== Events Central ====
   (A complete Web and live events directory brought to you by Windows
& .NET Magazine: http://www.winnetmag.com/events )

Popular Web Seminar--The Spam Problem Solved: Hensel Phelps
Construction Company Case Study
   Find out how Hensel Phelps Construction, a multibillion-dollar
national contractor, has implemented a multilayered antispam solution
to increase user productivity and decrease the burden on IT staff
resources, infrastructure, and budget. Sign up now for this free Web


==== 5. New and Improved ====
   by Jason Bovberg, products at winnetmag.com

All-in-One ADSL Modem, Firewall Router, and Switch
   TRENDware International announced TEW-435BRM and TW100-BRM504,
all-in-one ADSL modem, firewall router, and four-port switch packages
for the small office/home office (SOHO) environment. TW100-BRM504 is
designed for wired networks, whereas TEW-435BRM supports both wired
and 802.11g wireless networks. Advanced security features include
Stateful Packet Inspection (SPI) and a Rules-Based Firewall. You can
control users' Internet access by URL, time, and MAC address, and you
can use the product's logs and reports to monitor intrusion attempts
and traffic. For more information, contact TRENDware International at
310-891-1100 or on the Web.

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a Windows & .NET Magazine T-shirt if we write about the
product in a future Windows & .NET Magazine What's Hot column. Send
your product suggestions with information about how the product has
helped you to whatshot at winnetmag.com.


==== Contact Us ====

About the newsletter -- letters at winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products at winnetmag.com
About your subscription -- securityupdate at winnetmag.com
About sponsoring Security UPDATE -- emedia_opps at winnetmag.com


==== Contact Our Sponsors ====

Primary Sponsor:
   Ecora Software -- http://www.ecora.com -- 1-877-92-ECORA


This email newsletter is brought to you by Windows & .NET Magazine,
the leading publication for IT professionals deploying Windows and
related technologies. Subscribe today.

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.
