[ISN] Security UPDATE--Security Researchers Vulnerable to Buffer Underflow Attack?--January 5, 2005

InfoSec News isn at c4i.org
Fri Jan 7 07:40:47 EST 2005


This email newsletter comes to you free and is supported by the
following advertisers, which offer products and services in which you
might be interested. Please take a moment to visit these advertisers'
Web sites and show your support for Security UPDATE.

The Key to Stopping Email Attacks: Sender ID Can't Do It

Exchange & Outlook Administrator


1. In Focus: Security Researchers Vulnerable to Buffer Underflow

2. Security News and Features
   - Recent Security Vulnerabilities
   - Exploits on the Loose Against Unpatched Bugs in Windows
   - Netcraft Joins the Anti-Phishing Brigades

3. Security Matters Blog
   - Update Your Netcat Software for Windows

4. Security Toolkit
   - FAQ
   - Security Forum Featured Thread

5. New and Improved
   - Remotely Change Network Passwords


==== Sponsor: Postini ====

The Key to Stopping Email Attacks: Sender ID Can't Do It
   "Going nowhere fast," is how the media described recent efforts to
develop an industry-wide email sender authentication standard. Even if
some form of Sender ID is eventually adopted, spammers and hackers may
be able to exploit the registration of IP addresses with Sender ID to
improve their delivery of junk email. Effective real time IP address
analysis and filtering is necessary — not sender authentication. This
white paper explains why enterprises do not need to rely on Sender ID
and discusses better, proven email intrusion prevention solutions that
already work today to stop spam, viruses and email attacks. Get
answers now!


==== 1. In Focus: Security Researchers Vulnerable to Buffer Underflow
Attack? ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity / net

It's inevitable: Someone posts proof-of-concept code, and almost
immediately someone goes to work developing a malicious exploit. Do
these exploiters have nothing better to do, nothing better to think

Anyway, as you probably know by this time, a series of new Windows
vulnerabilities was recently published in the usual places. And now at
least one exploit, the Phel worm, is on the loose. The worm installs
code on penetrated systems to open back doors and make those systems
part of a Distributed Denial of Service (DDoS) network. The worm
infects systems by using inroads through Microsoft Internet Explorer
(IE), often without the user's knowledge.

On the surface, these vulnerabilities and exploits might seem to come
from opposing forces: On one side are "researchers" who release
proof-of-concept code for their discoveries. On the other side are
people who turn the proven concept into something malicious for their
own nefarious purposes.

The side that puzzles me is the alleged "researchers." Are they
suffering some sort of mental buffer underflow attack (i.e., not
clearly thinking things through)? They're very adept at finding
security vulnerabilities, yet some of them fail to recognize one of
the most obvious security problems of all--their own premature public
revelations of explicit details of security weaknesses. It's possible
that some researchers do see the problem and they simply don't care,
which could mean that those particular researchers and the malicious
coders are, for all intents and purposes, cohorts playing a dastardly

Other researchers make a half-hearted effort to contact a vendor. In
one relatively recent case of vulnerability reporting, a researcher
claimed that he tried to contact a vendor but couldn't, so he thought
it reasonable to release his detailed findings to the public. I happen
to use the product in question, so I decided to try to contact the
vendor myself. After about 60 seconds of clicking around on the vendor
Web site, I found several contacts and emailed them the researcher's
findings. Within 24 hours, the vendor emailed me back a solution. I
then forwarded the vendor-provided solution to the researcher, who
didn't bother to publish it! In this case, a so-called "researcher"
could scour code for vulnerabilities, yet couldn't find any contact
info for the vendor! Obviously, such researchers aren't really
researchers at all. They too play a dastardly game.

On another note, last week I wrote about an incident that involved
Microsoft's release of a critical update for Windows Firewall that
improves the way in which the firewall handles local subnet
restrictions. The update wasn't part of Microsoft's monthly security
bulletins. If you missed last week's newsletter, then you can read
about the reasons why this happened in the December 29, 2004 Security
UPDATE commentary (first URL below) and in the related news story
"Critical Update for Windows Firewall Flies Under the Radar" (second
URL below).

A reader wrote in response to the commentary that, "The [Microsoft
Baseline Security Analyzer (MBSA)] for use with SMS 2003 doesn't
report the firewall update patch." The reader did add that, in his
situation, the lack isn't an issue because he doesn't rely on local
subnet restrictions for defining firewall exceptions. Nevertheless,
the reader does point out another aspect of notifying users about
critical updates that needs better attention from Microsoft.

We posted an Instant Poll question last week that asks, "Do you think
Microsoft should improve its security alerting process?" The possible
answers are "Yes, it should send alerts about all security updates"
and "No, the process works fine for me the way it is." So far, we
haven't had a huge flood of people answer the question, but most of
those who have answered have said "Yes." If you haven't taken 30
seconds to visit our Web site and answer the question, please do--the
poll results will undoubtedly be read by Microsoft and could make a
difference in how the company handles its security update alerting
process in the future.

That said, I hope you all had pleasant holidays. Best wishes to all of
you for the new year, and until next time, have a great week!


==== Sponsor: Exchange & Outlook Administrator ====

Try a Sample Issue of Exchange & Outlook Administrator!
   If you haven't seen Exchange & Outlook Administrator, you're
missing out on key information that will go a long way towards
preventing serious messaging problems and downtime. Request a sample
issue today, and discover tools you won't find anywhere else to help
you migrate, optimize, administer, backup, recover, and secure
Exchange and Outlook. Order now!


==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these discoveries

Exploits on the Loose Against Unpatched Bugs in Windows
   Researchers have posted proof-of-concept code that can take
advantage of vulnerabilities in Windows platforms. The concept code
works against vulnerabilities in the Windows Help subsystem and in
code used to load desktop icons and the Windows Help subsystem.

Netcraft Joins the Anti-Phishing Brigades
   Netcraft, a company known for its statistical analysis of a vast
number of Web sites, has joined those groups who attempt to prevent
phishing scams by releasing a new toolbar for Microsoft Internet
Explorer (IE). The toolbar performs checks on URLs and enforces
behavior changes in the Web browser.


==== Announcements ====
   (from Windows IT Pro and its partners)

Are You a Hacker Target?
   You are if you have an Internet connection faster than 384Kbps. In
this free on-demand Web seminar, Alan Sugano will examine two attacks
(an SMTP Auth Attack and a SQL Attack) that let spammers get into the
network and relay spam. Find out how to keep the hackers out of your
network and what to do if your mail server is blacklisted as an open
relay. Register now!

Get David Chernicoff's Essential Guide to Blade Servers
   The cost of setting up new servers, provisioning them, and managing
their operation is a significant one, and reducing those costs results
in quicker ROI and more easily justifiable initial expenses. Find out
why blade server technology is an attractive methodology for
addressing these concerns and implementing improvements in your server

Is Your Messaging Infrastructure Ready for Tomorrow's Risks?
   In this free Web seminar on February 17, 2005, Randy Franklin Smith
reveals the new security threats as SPIM, spyware, phishing, and
malware evolve and become tools for industrial espionage. You'll learn
which kinds of attacks companies are reporting in increased numbers
and the commonly held misconceptions about Microsoft security patches.
Find out what threats deserve your attention. Register now!

New eBook! Keeping Your Business Safe from Attack: Passwords and
   Master password and permissions basics with our latest free eBook
and discover how to prevent most vulnerabilities and exploits with
Microsoft's new tools. Firewalls, antivirus software, Intrusion
Detection Systems (IDS), and Intrusion Prevention Systems (IPS) can
all fail, but a strong permissions and authentication defense is
priceless. Get the first chapter now!


==== 3. Security Matters Blog ====
   by Mark Joseph Edwards, http://www.windowsitpro.com/securitymatters

Check out these recent entries in the Security Matters blog:

Update Your Netcat Software for Windows
   An unchecked buffer in the popular Netcat tool for Windows could
allow remote code execution. The vulnerability, discovered by Hat
Squad, can be exploited when using the netcat -e option.

==== 4. Security Toolkit ====

FAQ: How can I quickly search for shared folders that are published in
Active Directory (AD)?
   by John Savill, http://www.windowsitpro.com/windowsnt20002003faq

Find the answer at

Security Forum Featured Thread: Fending Off DDoS Attacks
   A forum participant writes that he helps run a major Internet-based
retail operation and wonders if he can make any advance preparations
to mitigate or alleviate the threat of Distributed Denial of Service
(DDoS) attacks. Join the discussion at:


==== Events Central ====
   (A complete Web and live events directory brought to you by Windows
IT Pro at http://www.windowsitpro.com/events )

True High-Availability for Microsoft Exchange Web Seminar--February 3
   Discover solutions that minimize the likelihood of downtime in your
Exchange implementation and help to ensure continuous Exchange
application availability. In this free Web seminar, learn how you can
ensure high-availability through the use of tools that analyze and
proactively monitor the health of your entire Exchange environment.
Register now!


==== 5. New and Improved ====
   by Renee Munshi, products at windowsitpro.com

Remotely Change Network Passwords
   Keroon Software offers Reset Local Password Pro 3.0, a Windows
program that lets administrators change local passwords on one or more
computers from a remote location. New features in this version include
improved IP enumeration, the ability to change passwords on systems
running Windows NT 4.0 without the need for Active Directory (AD)
Client Extensions to be loaded, and a No Enumeration option that lets
you turn off autopopulation of your list of computers. Reset Local
Password Pro runs under Windows XP, Windows 2000, and Windows NT 4.0.
It requires 10MB of RAM and 10MB of free hard disk space. Reset Local
Password Pro costs $99.99, and a 14-day trial version is available.
For more information, go to

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a T-shirt if we write about the product in a future
Windows IT Pro What's Hot column. Send your product suggestions with
information about how the product has helped you to
whatshot at windowsitpro.com.

Editor's note: Share Your Security Discoveries and Get $100
   Share your security-related discoveries, comments, or problems and
solutions in the Security Administrator print newsletter's Reader to
Reader column. Email your contributions (500 words or less) to
r2rsecadmin at windowsitpro.com. If we print your submission, you'll get
$100. We edit submissions for style, grammar, and length.


==== Sponsored Links ====

Data Protection from NSI and Microsoft
   Instant recovery and data protection solutions for Exchange and SQL


==== Contact Us ====

About the newsletter -- letters at windowsitpro.com
About technical questions -- http://www.windowsitpro.com/forums
About product news -- products at windowsitpro.com
About your subscription -- windowsitproupdate at windowsitpro.com
About sponsoring Security UPDATE -- emedia_opps at windowsitpro.com


This email newsletter is brought to you by Security Administrator, the
leading publication for IT professionals securing the Windows
enterprise from external intruders and controlling access for internal

View the Windows IT Pro privacy policy at

Windows IT Pro, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.

More information about the ISN mailing list