**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE 
**Watching the Watchers**
The weekly Windows 2000 and Windows NT security update newsletter brought 
to you by Windows 2000 Magazine and NTSecurity.net
http://www.win2000mag.com/update/ 
**********************************************************

This week's issue sponsored by
Network-1 - CyberwallPLUS - Packet Filtering Firewalls
http://www.network-1.com/products/index.htm

Sunbelt Software - STAT: NT/2000 Vulnerability Scanner
http://www.sunbelt-software.com/product.cfm?id=899
(Below SECURITY ROUNDUP) 

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
April 19, 2000 - In this issue:

1. IN FOCUS
     - Buffer Overflows: The Developer's Bane

2. SECURITY RISKS
     - Buffer Overflow Condition in Microsoft Web Component
     - Registry Permissions Could Expose Cryptographic Keys
     - Excessive Escape Characters Can Slow IIS

3. ANNOUNCEMENTS
     - Put Your Knowledge of Microsoft Products to the Test!
     - Are You One in a Million?

4. SECURITY ROUNDUP
     - News: F5 Networks Release SSL-Accelerator
     - News: Software Pirates Thrive on Auction Sites 

5. NEW AND IMPROVED
     - Simplify Access to Private Data and Applications
     - Next Generation E-Business Virus Security Solution

6. HOT RELEASES (ADVERTISEMENT)
     - Windows Security Issues?
     - VeriSign - The Internet Trust Company

7. SECURITY TOOLKIT
     - Book Highlight: Hacking Exposed: Network Security Secrets and
       Solutions
     - Tip: How to Restore Default File Permission Settings
     - Windows 2000 Security: Advances in Administrative Authority
     - Writing Secure Code: Avoid Buffer Overruns with String Safety
     - Ultimate Security Toolkit: NetRecon 3.0

8. HOT THREADS 
     - Windows 2000 Magazine Online Forums
         NTFS Permissions
     - Win2KSecAdvice Mailing List
         DVWSSR.DLL Buffer Overflow Vulnerability IIS Web Servers 
     - HowTo Mailing List
         How to Wipe Disks
         Single Sign-on

~~~~ SPONSOR: NETWORK-1 - CYBERWALLPLUS--PACKET FILTERING FIREWALLS ~~~~
CyberwallPLUS – the world’s best packet filtering firewall – provides 
network and system managers with the network access control and intrusion 
detection needed to secure today’s "electronically open" networks.  Now 
administrators can deploy a complete end-to-end network security solution, 
including Internet firewalls, LAN-based firewalls and even the World’s 
first embedded firewall for Windows NT/2000 servers. All of your 
CyberwallPLUS firewalls can be remotely administered with the Cyberwall 
Central utility. Through its fine grain access control and active intrusion 
detection, Network-1’s CyberwallPLUS firewalls prevent network attacks and 
stop hackers cold. Visit http://www.network-1.com/products/index.htm to 
learn more about CyberwallPLUS and request a free network security 
whitepaper.

1. ========== IN FOCUS ==========

Hello everyone,

For a brief moment last week, it appeared as though someone had discovered 
a genuine back door in a Microsoft Web product. As it turns out, the 
product has no back door, but it does have some interesting code and a 
nasty buffer overflow condition.
   The story broke last Thursday night when a researcher informed Microsoft 
that he thought a particular component that ships with various Web 
platforms had a back door. Apparently, someone found a suspicious string of 
words inside a file (dvwssr.dll, part of Visual InterDev 1.0), thought that 
it might represent telltale signs of a back door, and tipped off the 
researcher. The hacker investigated the code and reported his findings to 
Microsoft. The string inside the DLL clearly read, "Netscape engineers are 
weenies!" and after some investigation, the researcher learned that the 
string obscured a URL-based file request sent to the DLL in question.
   According to Microsoft, barely an hour after it received the initial bug 
report, a reporter from the Wall Street Journal called to ask for a denial 
or confirmation of the alleged back door. By Friday afternoon, Microsoft 
had openly confirmed that a bug did exist in the DLL file. In Security 
Bulletin MS00-025 (released Friday), the company said that the DLL in 
question might let a Web author access certain files of other Web sites on 
the same server, if the relevant server files had incorrect permission 
settings.
   As it turns out, the embedded phrase is not a true back door, only a key 
string used to obscure part of a URL. Someone with knowledge of the 
obscuring routine still needs specific file access permission to exploit 
the routine. No risk exists until an administrator sets file access 
permissions in a particular way. But that isn't the end of the story.
   Researchers began looking for other problems with the dvwssr.dll file 
and quickly found them. By late Friday afternoon, a message was circulating 
on various mailing lists that stated a buffer overflow condition exists in 
the dvwssr.dll file. Apparently, an attacker can launch a Denial of Service 
(DoS) attack against the server by sending the DLL a URL parameter string 
of 5000 characters. Furthermore, under certain circumstances, the buffer 
overflow can let an attacker run code on a remote system.
   After news of the overflow condition reached Microsoft, the company 
revised its original security bulletin with the new risk details. In 
addition, the company recommended that because Visual InterDev 1.0 is so 
old and probably not widely used, administrators should delete the 
dvwssr.dll file from servers to eliminate associated risks.
   The entire scenario flushed out arguments for and against two old sore 
spots in the security community: full and immediate vulnerability 
information disclosure, and the potential benefits of open source projects 
when it comes to secure coding practices. As soon as this story hit the 
news outlets Friday morning, the debates began on several public forums.
   People cried foul because they felt the initial vulnerability report was 
misleading and confusing. They used the incident to claim that full and 
immediate vulnerability disclosure is detrimental. Yet proponents said that 
without such disclosure, researchers wouldn't have found the buffer 
overflow condition in the first place. I think both sides have valid 
arguments. Sometimes a risk needs to be held in confidence for a period of 
time for a good reason; in other incidents, the best course is to release 
full risk information immediately. Both approaches depend on the 
circumstances involved, so no static rule applies across the board.
   On the open source issue, supporters believe that making source code 
available for review reduces the number of security risks in that code 
because more eyes will find more problems. But is this really true?
   Elias Levy, CTO, SecurityFocus, pointed out in a recent commentary about 
open source projects that there is no guarantee that people will review 
open source code from a security perspective. Nor is there any guarantee 
that people will report any security problems they find. Keep in mind that 
black hats review code to exploit bugs, not report them. The bottom line is 
that peer review of source code is only as valuable as the skill set and 
morals of the peer performing the review.
   The real priority with developing solid code is to educate developers 
about the finer points of secure programming so that they avoid common 
programming pitfalls, such as buffer overflows. This approach stops basic 
security problems before they originate instead of depending on peer review 
to discover them. Providing developers with better knowledge and improved 
tool sets will quickly decrease the number of security-related problems we 
encounter, which means that everyone can enjoy a safer network. Until next 
time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* BUFFER OVERFLOW CONDITION IN MICROSOFT WEB COMPONENT
Core SDI reported a buffer overflow condition in a component of Microsoft's 
Visual InterDev 1.0. The component, dvwssr.dll, provides support for Visual 
InterDev's Link View feature. Because of an unchecked buffer, an intruder 
can crash the Microsoft IIS Web service or cause arbitrary code to execute 
on the server by sending the component an abnormally long URL. The problem 
affects any IIS system that has the Windows NT 4.0 Option Kit installed, 
Windows 9x Personal Web Servers, and any system with FrontPage 98 Server 
Extensions installed.
   http://www.ntsecurity.net/go/load.asp?iD=/security/iis4-9.htm

* REGISTRY PERMISSIONS COULD EXPOSE CRYPTOGRAPHIC KEYS
Sergio Tabanelli discovered that loose permissions on a particular Registry 
key let a user compromise the cryptographic keys of other users on the same 
system. The Registry key is used to indicate an external DLL-based driver 
definition for a hardware-based encryption accelerator. The drivers have 
access to cryptographic keys stored on the system, and an intruder could 
develop a Trojan driver because the Registry key is not protected against 
manipulation by regular users. The problem affects all editions of Windows 
NT 4.0. Microsoft has issued a patch for Intel and Alpha, as well as 
Support Online article Q259496.
   http://www.ntsecurity.net/go/load.asp?iD=/security/reg1.htm

* EXCESSIVE ESCAPE CHARACTERS CAN SLOW IIS
Vanja Hrustic reported a problem with IIS where an intruder can use a 
malformed URL that contains a large number of escape characters to increase 
Web service overhead. When parsing a URL with an excessive number of escape 
character sequences, IIS consumes almost all of the available CPU cycles on 
the server. Microsoft has released a patch for IIS 4.0 and IIS 5.0 as well 
as Support Online article Q254142.
   http://www.ntsecurity.net/go/load.asp?iD=/security/iis4-8.htm

3. ========== ANNOUNCEMENTS ==========

* PUT YOUR KNOWLEDGE OF MICROSOFT PRODUCTS TO THE TEST!
Play the Microsoft TechNet Puzzler and use your expertise to win a trip 
to the Tech-Ed 2000 Conference in Orlando and a BMW Z3 Roadster!
http://www.microsoft.com/technet/puzzler/default.asp

* ARE YOU ONE IN A MILLION?
Last month, Microsoft announced that shipments of Windows 2000 have jumped 
beyond the 1-million-unit mark. If you're a recent purchaser, be sure to 
visit our Windows 2000 Experience Web site. You'll find news, articles, a 
technical forum, vendors--everything you need to migrate intelligently.
http://www.windows2000experience.com

4. ========== SECURITY ROUNDUP ==========

* NEWS: F5 NETWORKS RELEASE SSL-ACCELERATOR
F5 Networks has released a Secure Sockets Layer (SSL) accelerator feature 
for its BIG-IP product. BIG-IP is a load-balancing tool that helps maximize 
throughput and service uptime. With SSL-Accelerator, BIG-IP can help 
increase speed and manageability for secure online transactions that use 
SSL technology.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=119&TB=news

* NEWS: SOFTWARE PIRATES THRIVE ON AUCTION SITES
The Software & Information Industry Association (SIIA) recently conducted a 
survey to determine how much software sold at online auction sites was 
pirated. A review of sale items at auction sites on Amazon.com, eBay, 
Yahoo, and Excite@Home between March 31 and April 3 determined that 91 
percent of the packages were not legal to sell. The figure represents a 31 
percent increase over the previous survey conducted in August 1999.
   http://www.ntsecurity.net/go/2c.asp?f=/news.asp?IDF=120&TB=news

~~~~ SPONSOR: SUNBELT SOFTWARE--STAT: NT/2000 VULNERABILITY SCANNER ~~~~
Ever had that feeling of ACUTE PANIC that a hacker has invaded your 
network? Plug NT/2000's over 850 holes before they plug you. You _have_ to 
protect your LAN _before_ it gets attacked. STAT comes with a responsive 
web-update service and a dedicated Pro SWAT team that helps you to hunt 
down and kill Security holes. Built by anti-hackers for DOD sites. Download 
a demo copy before you become a statistic.
http://www.sunbelt-software.com/product.cfm?id=899

5. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* SIMPLIFY ACCESS TO PRIVATE DATA AND APPLICATIONS
Jela Company released OnlyYou 1.1, software that lets users on Windows NT 
and Windows 9x platforms use and protect their IDs and passwords. Press the 
OnlyYou hot key and identify yourself to extract your password from 128-bit 
encrypted storage. By eliminating the need to remember your passwords, you 
don't compromise security.
   OnlyYou 1.1 costs $23.50 for a single-user license. Network and volume 
licenses are available. For more information contact Jela Company, 
800-275-0097 or go to the Web site.
   http://www.jelaco.com/

* NEXT-GENERATION E-BUSINESS VIRUS SECURITY SOLUTION
McAfee announced McAfee ActiveVirus Defense, a next-generation e-business 
virus security solution that integrates a suite of antivirus products. 
ActiveVirus Defense delivers centralized policy management, enforcement, 
and reporting capabilities with virus analysis and fixes and faster 
updating capabilities to the McAfee product line. McAfee Active Virus 
Defense runs on Windows 2000, Windows NT, and Windows 9x. For more 
information, contact McAfee, 800-338-8754 or go to the Web site.
   http://www.mcafee.com/ 

6. ========== HOT RELEASES (ADVERTISEMENT) ==========

* WINDOWS SECURITY ISSUES? 
Internet Security Systems delivers years of Windows security experience in 
a comprehensive, easily understood service. Windows security issues that 
normally take hours or days to research and repair are easily available 
through SAVANT.
http://www.iss.net/securing_e-business/sec_management_sol/customer_life_cycle/savant.php

* VERISIGN - THE INTERNET TRUST COMPANY 
Protect your servers with 128-bit SSL encryption! Get VeriSign's FREE 
guide, "Securing Your Web Site for Business." You will learn everything you 
need to know about using SSL to encrypt your e-commerce transactions for 
serious online security. Click here!
http://www.verisign.com/cgi-bin/go.cgi?a=n016007870003000

7. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: HACKING EXPOSED: NETWORK SECURITY SECRETS AND SOLUTIONS
By Stuart McClure, Joel Scambray, et al.
Online Price: $39.99
Softcover; 484 Pages
Published by McGraw-Hill, September 1999
ISBN 0072121270

Defend your network against the sneakiest hacks and latest attacks. In 
"Hacking Exposed: Network Security Secrets and Solutions," security experts 
Stuart McClure, Joel Scambray, and George Kurtz give you the full scoop on 
some of the most highly publicized and insidious break-ins and show you how 
to implement bulletproof security on your system. The handbook covers 
security, auditing, and intrusion-detection procedures for Windows NT, 
Windows 9x, UNIX (including Linux), and Novell networks. The companion Web 
site contains custom scanning scripts and links to security tools.

For Windows 2000 Magazine Security UPDATE readers only--Receive an 
additional 10 percent off the online price by typing WIN2000MAG in the 
discount field on the Shopping Basket Checkout page. To order this book, go 
to

http://www.fatbrain.com/shop/info/0072121270?fromwin=2000mag

Or visit the Windows 2000 Magazine Network Bookstore at
http://www1.fatbrain.com/store.cl?p=win2000mag&s=97772

* TIP: HOW TO RESTORE DEFAULT FILE PERMISSION SETTINGS
(contributed by http://www.ntfaq.com)

A user wants to know how to restore the default security settings for files 
and directories. Restoring security settings is easy if you have a copy of 
the Windows NT Resource Kit. The Resource Kit contains a file called 
fixacls.exe that will reset file and directory permissions based on the 
definitions in the perms.inf file in the %SYSTEMROOT%\INF\ directory.

* WINDOWS 2000 SECURITY: ADVANCES IN ADMINISTRATIVE AUTHORITY
In his latest Web exclusive column, Randy Franklin Smith points out that 
one of the worst problems with Windows NT security turns out to be one of 
the best enhancements in Windows 2000. The enhancement involves how Win2K 
handles administrative authority. When you understand how NT handles 
administrative authority and the changes Microsoft made in Win2K, you'll 
begin to see the opportunities you have for improving security in your 
network. Be sure to read Smith's new column on our Web site.
   http://www.ntsecurity.net/go/win2ksec.asp

* WRITING SECURE CODE: AVOID BUFFER OVERRUNS WITH STRING SAFETY
In his latest column, David LeBlanc says that string handling is one of the 
most error-prone aspects of C and C++ programming. String-handling errors 
account for most of the buffer overruns that result in security problems. 
LeBlanc has lots of good advice for developers who want to avoid pitfalls 
in writing Win32-based code. Be sure to stop by and read LeBlanc's latest 
column.
   http://www.ntsecurity.net/go/seccode.asp
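
The unchecked-buffer condition described for dvwssr.dll under SECURITY RISKS and the string-safety advice in the item above come down to the same check, shown here as an added example that is not code from Microsoft, LeBlanc's column, or this newsletter. The 256-byte buffer size, the parameter names "file" and "mode", and all function names are assumptions chosen for illustration; the 5000-byte input is constructed filler.

```c
#include <stdio.h>
#include <string.h>

#define PARAM_MAX 256  /* assumed size of the handler's fixed buffer */

enum param_status { PARAM_OK = 0, PARAM_MISSING, PARAM_TOO_LONG, PARAM_BAD_ARG };

/* Unchecked pattern, for contrast only: the copy length is chosen by the
 * sender, so a long request writes past the end of dst. Never called here. */
void copy_param_unchecked(char *dst, const char *value)
{
    strcpy(dst, value);
}

/* Checked form: find "name=value" in a query string and copy value into dst
 * only if it fits, terminator included. Oversized input is rejected rather
 * than truncated, so the caller can fail the whole request. */
enum param_status copy_param_checked(const char *query, const char *name,
                                     char *dst, size_t dst_size)
{
    if (!query || !name || !dst || dst_size == 0)
        return PARAM_BAD_ARG;
    dst[0] = '\0';
    size_t name_len = strlen(name);
    for (const char *p = query; *p; ) {
        const char *amp = strchr(p, '&');
        size_t seg_len = amp ? (size_t)(amp - p) : strlen(p);
        if (seg_len > name_len && p[name_len] == '=' &&
            strncmp(p, name, name_len) == 0) {
            size_t val_len = seg_len - name_len - 1;
            if (val_len >= dst_size)      /* no room for value plus NUL */
                return PARAM_TOO_LONG;
            memcpy(dst, p + name_len + 1, val_len);
            dst[val_len] = '\0';
            return PARAM_OK;
        }
        if (!amp)
            break;
        p = amp + 1;
    }
    return PARAM_MISSING;
}

/* Constructed input: "file=" followed by n filler bytes (n <= 5000). */
enum param_status status_for_value_len(size_t n)
{
    static char query[5 + 5000 + 1];
    char dst[PARAM_MAX];
    if (n > 5000)
        return PARAM_BAD_ARG;
    memcpy(query, "file=", 5);
    memset(query + 5, 'A', n);
    query[5 + n] = '\0';
    return copy_param_checked(query, "file", dst, sizeof dst);
}

/* Returns 1 when an ordinary constructed request yields the expected value. */
int normal_request_matches(void)
{
    char dst[PARAM_MAX];
    return copy_param_checked("mode=view&file=index.htm", "file",
                              dst, sizeof dst) == PARAM_OK &&
           strcmp(dst, "index.htm") == 0;
}

int main(void)
{
    printf("normal request ok: %d\n", normal_request_matches());
    printf("255-byte value:  status=%d\n", status_for_value_len(255));
    printf("5000-byte value: status=%d\n", status_for_value_len(5000));
    return 0;
}
```

A value of PARAM_MAX - 1 bytes is the largest that fits; anything longer returns PARAM_TOO_LONG before a single byte is copied.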

* ULTIMATE SECURITY TOOLKIT: NETRECON 3.0
In his latest review, Steve Manzuik looks at NetRecon 3.0. NetRecon lets 
security administrators quickly scan their networks for a variety of 
security risks, including weak passwords and Denial of Service (DoS) 
vulnerabilities. Stop by and read the entire review today!
   http://www.ntsecurity.net/go/ultimate.asp

8. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS

The following text is from a recent threaded discussion on the Windows 
2000 Magazine online forums (http://www.win2000mag.com/support). 

April 14, 2000, 04:04 A.M. 
NTFS Permissions 
How can I add a new NTFS permission on a top-level folder and its 
subfolders/files without replacing the existing NTFS permissions 
(groups/permissions are not the same on subfolders/files).

Thread continues at
http://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=69&Message_ID=99309

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following thread is in the spotlight this 
week:

Dvwssr.dll Buffer Overflow Vulnerability in IIS Web Servers
We've been playing a little more, trying to exploit this buffer overflow, 
and because we don't have InterDev installed on our system, we copied the 
.dll to the /msadc directory. With this configuration, we have been able to 
make the code jump to our buffer. Under these circumstances, the actual 
buffer overflow will allow us to execute arbitrary code in the target 
machine.
http://www.ntsecurity.net/go/w.asp?A2=IND0004C&L=WIN2KSECADVICE&P=218

Follow this link to read all threads for April, Week 3:
   http://www.ntsecurity.net/go/w.asp?A1=ind0004b&L=win2ksecadvice

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
HowTo for Security mailing list. The following threads are in the
spotlight this week:

1. How to Wipe Disks
I work for a government agency that is about to get rid of a bunch of old 
PCs. We now have a new security policy stating that the content of the 
disks has to be wiped out before the PCs leave the agency. Does anybody 
know a good utility that could do this job?
   http://www.ntsecurity.net/go/L.asp?A2=IND0004B&L=HOWTO&P=3133

2. Single Sign-on
I have a hybrid network (Windows NT with some Novell and HP-UX), and I was 
wondering if anyone is familiar with a way (or third-party product) to 
synchronize a password change across all platforms? I'm concerned only 
about OS-level passwords and unconcerned with the application level.
   http://www.ntsecurity.net/go/L.asp?A2=IND0004B&L=HOWTO&P=4248

Follow this link to read all threads for April, Week 3:
   http://www.ntsecurity.net/go/l.asp?A1=ind0004b&L=howto

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved - Judy Drennen (products@win2000mag.com)
Copy Editor - Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

========== GET UPDATED! ==========
Receive the latest information about the Windows 2000 and Windows NT topics 
of your choice. Subscribe to these other FREE email newsletters at 
http://www.win2000mag.com/sub.cfm?code=up99inxsup.

Windows 2000 Magazine UPDATE
Windows 2000 Magazine Thin-Client UPDATE
Windows 2000 Magazine Exchange Server UPDATE
Windows 2000 Magazine Storage UPDATE
Windows 2000 Magazine Training & Certification UPDATE
Windows 2000 Pro UPDATE
Application Service Provider UPDATE
SQL Server Magazine UPDATE
SQL Server Magazine XML UPDATE
IIS Administrator UPDATE
WinInfo UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|

Copyright 2000, Windows 2000 Magazine