Sunbelt W2Knews™ Electronic Newsletter
The secret of those "who always seem to know" - Over 500,000 Readers!
Wed, Nov 10, 1999
25 NEW VULNERABILITIES
------------------------SPONSOR-------------------------------
Do you need to ensure the availability, connectivity, and 
performance of your Windows NT-based servers and applications 
like Exchange, SQL Server and IIS? Do you need to monitor and 
report on service level agreements, server performance and 
Exchange email traffic? Find out why companies like Microsoft, 
NASDAQ and Southern Company chose AppManager to get a grip 
on centrally monitoring their Windows NT environments. For 
more about AppManager and to request your *FREE* AppManager 
Eval kit visit: http://www.netiq.com/go.asp?ID=31 
---------------------------------------------------------------

This NTools E-NewsFlash contains:

1) 25 NEW VULNERABILITIES SOLVED BY STAT
2) ACTIVE DIRECTORY: YOUR 5 MINUTE 'HAT' (*)
3) WINDOWS 2000 IMPLEMENTATION PLANS GRAPHED

(*) A 'hat' is training or a job, as in 'I'm wearing many hats'.
----------------------------------------------------------------

Hi NT-ers,

Here are 3 short items that are, respectively, important,
interesting and cleared up with graphs! Oh yeah, and a
little book news. Windows NT Power Toolkit was chosen this
week as Windows NT Magazine's 'Pick Of The Week' and they
have a deal with fatbrain that sells it with a discount. And
believe it or not, the second print run is also sold out and
it already goes into its third print run. I'm amazed!
OK, here goes with the items for today:


1) 25 NEW VULNERABILITIES SOLVED BY STAT

Many thousands of you have now downloaded STAT and bought the
product. This item is for everyone who already owns STAT, but
also for everyone interested in NT security. They keep on
finding these holes in NT and related products like Internet
Explorer. If there is one security-related product you basically
cannot afford NOT to run, it's STAT. If you own STAT, go here,
download the new update with the following 25 vulnerabilities,
and go scan your domains!! http://www.statonline.com/

This is the content of the new Update with 25 vulnerabilities:

648 - IE 5.0 - Download Behavior Vulnerability - Internet 
Explorer 5 has a feature in Dynamic HTML (DHTML) called 
"Download Behavior" that allows web pages to download files 
for use in client-side script (Visual Basic or JavaScript). 
Client-side script cannot access files but a server-side 
redirect could allow a web site to read files on the computer 
of a user who visited it. For more information, see Microsoft 
Knowledge Base Article Q242542 and Microsoft Security Bulletin 
MS99-040

649 - Office ODBC Driver Vulnerability - It is possible that 
a malicious coder could create an Office document that exploits 
a security vulnerability in the ODBC driver to delete files 
and perform other malicious acts. This could be done by opening 
a document attached to an email message or linked from a Web 
site. For more information, see Microsoft Security bulletin 
MS99-030.

650 - RogueX Detected - RogueX is a network portscanner that 
can be used for information gathering.

651 - Registry Unrestricted Explorer - This registry key needs 
to be protected from possible Trojan Horses.

652 - Registry Unrestricted - User Shell Folders - This registry 
key needs to be protected from possible Trojan Horses. A user 
can manipulate this key to become a member of the 
Administrators group.

653 - RAS Logging Not Enabled - Remote Access Service (RAS) 
logging is not enabled by default. If you are in a highly secure 
environment, RAS logging should be enabled. RAS should write 
to the DEVICE.LOG file in the \%SystemRoot%\system32\ras folder.

654 - PPP Logging Not Enabled - Point to Point Protocol (PPP) 
logging is not enabled by default. If you are in a highly 
secure environment, PPP logging should be enabled. PPP should 
write to the PPP.LOG file in the 
\%SystemRoot%\system32\ras folder.

655 - RasMan Image Path Altered - The RasMan Image Path should 
point to rasman.exe in the registry. If this registry entry 
has been altered, a malicious user may be trying to obtain full 
access to the RasMan service. A malicious service could be run 
with System privileges, gaining administrative privileges.

656 - Winhlpadd.exe Detected - Winhlpadd.exe is a program that 
exploits a buffer overrun in winhlp32.exe. A buffer overrun in 
winhlp32.exe occurs when it attempts to read a *.cnt contents 
file with a long heading string. The program creates a trojanized 
wordpad.cnt file and an add.bat file that attempts to create a 
user account and add it to the Administrators group.

657 - Registry Unrestricted AppID - The default configuration 
permissions of the HKEY_CLASSES_ROOT\AppID allows a user to 
make modifications that could lead to increased privileges, 
including Administrative rights.

658 - IE 5.0 - IFRAME ExecCommand Vulnerability - Internet 
Explorer normally restricts the Document.ExecCommand method 
to prevent it from taking inappropriate action on a user's 
computer. This restriction is not present if the method is 
invoked on an IFRAME. This could allow someone to read files 
on the computer of a visiting user. For more information, 
see Microsoft Knowledge Base Article Q243638 and Microsoft 
Security Bulletin MS99-042.

659 - AOL Instant Messenger - Older versions of AOL Instant 
Messenger (AIM) contain a buffer overflow that can be exploited 
through a "man-in-the-middle" attack. A malicious user may 
be able to run arbitrary software on the system, including 
installing a Trojan Horse in order to control the system.

660 - MSN Messenger Service - Older versions of Microsoft 
MSN Messenger Service can reveal the user's password if 
the password is saved.

661 - Registry Unrestricted RasMan - The RasMan registry key 
could enable a user to execute arbitrary code if he/she has 
Write access. An unprivileged user could change the location 
and name of the executable code for the Remote Access 
Connection Manager (RASMAN.EXE). Arbitrary code could 
substitute for the legitimate RasMan service, which runs 
in a System context. For more information, see Microsoft 
Security Bulletin MS99-041 and Knowledge Base Article Q242294.

662 - Data Factory Security Features Disabled - Disabling 
the Data Factory HandlerInfo setting may expose the host to 
the Microsoft Data Access Components Remote Data Services 
(MDAC RDS) exploit. RDS allows remote access via the Internet 
to database objects through Internet Information Server (IIS). 
If the Data Factory security features are disabled, one could 
obtain unauthorized access to files on the IIS server. A 
malicious user could also use MDAC to tunnel ODBC requests 
through the server, thereby obtaining access to it.

663 - Registry Unrestricted HandlerInfo - Any user can modify 
the HandlerInfo registry value, including disabling the 
security features that protect a server from having ODBC 
requests tunneled through it, thus gaining access to a 
non-public server.

664 - Excel 97 Macro Interpreter Disabled - When you open a 
workbook in Microsoft Excel 97, a macro from a non-trusted 
source (such as a Lotus 1-2-3 or Quattro Pro macro) may be run 
automatically. When such a macro is imported, Excel 97 
runs it without asking for the user's permission. These 
macros could be used to delete files. The Excel 97 Macro 
Interpreter should be enabled. For more information, see 
Microsoft Knowledge Base Article Q241900.

665 - Excel 97 Symbolic Link Vulnerability - Excel Symbolic 
Link (SYLK) files can contain macros. If such a file were 
opened, the macro would run without asking for the user's 
permission. These macros could take any action on the 
computer that the user could take, including deleting files. 
For more information, see Microsoft Security Bulletin MS99-044 
and Knowledge Base Article Q241902.

666 - Excel 2000 Symbolic Link Vulnerability - Excel Symbolic 
Link (SYLK) files can contain macros. If such a file were 
opened, the macro would run without asking for the user's 
permission. These macros could take any action on the computer 
that the user could take, including deleting files. For more 
information, see Microsoft Security Bulletin MS99-044 and 
Knowledge Base Article Q241901.

667 - RASMAN Security Descriptor Vulnerability - The security 
descriptor that secures the Remote Access Connection Manager 
(RASMAN), contains an inappropriate Access Control Entry (ACE) 
in its Discretionary Access Control List (DACL). The vulnerability 
could enable a user to execute arbitrary code in a highly-
privileged security context. For more information, see Microsoft 
Security Bulletin MS99-041 and Knowledge Base Article Q242294.

668 - Registry Unrestricted Engines - The 
HKLM\SOFTWARE\Microsoft\Jet\3.5\Engines registry key contains 
values such as SandboxMode that could allow remote access to 
database engines if altered.

669 - Virtual Machine Verifier Vulnerability - There is a 
security vulnerability in the Microsoft virtual machine (VM) 
that could allow a Java applet to take unauthorized actions 
on the computer of a web site visitor. A malicious Java applet 
could run and take virtually any action on the computer that 
the user would be capable of taking. For more information see 
Microsoft Security Bulletin MS99-045 and Knowledge Base Article 
Q244283.

670 - TCP/IP Initial Sequence Numbers - The Initial Sequence 
Numbers (ISN) used in TCP/IP sessions should be as random as 
possible to prevent IP address spoofing and session hijacking. 
For more information see Microsoft Security Bulletin MS99-046 
and Knowledge Base Article Q243835.

671 - Netscape Browser - Latest Not Installed - Earlier versions 
of Netscape browsers had many security vulnerabilities and buffer 
overrun problems.

672 - Files Have No Restrictions - SP2 - Installation of Service 
Pack 2 (SP2) replaces the file permissions with only the 'Everyone'
(Full Control) Access Control List (ACL) applied. Files prior to 
SP2 that had tighter restrictions no longer have any restrictions 
on them on NTFS partitions. The SP2 Setup API did not retain the 
attributes or security of the files.
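Several of the checks above (651, 652, 657, 661, 663, 668) come down to one question: does a registry key's DACL let an ordinary user write to it? Below is an added example (not STAT's code or part of the original newsletter) that answers that question from a key's security descriptor in SDDL string form; the sample descriptors are constructed for the example, not taken from a real system.

```python
"""Flag registry-key DACLs that grant write access to low-privilege principals."""
import re

# SDDL aliases for principals that should never hold write rights on a
# sensitive key (list constructed for this example).
LOW_PRIV_SIDS = {"WD": "Everyone", "BU": "Users", "AU": "Authenticated Users",
                 "IU": "Interactive", "AN": "Anonymous"}
# Two-letter SDDL rights that carry write/modify semantics on a registry key.
WRITE_RIGHTS = {"KA", "KW", "GA", "GW", "WD", "WO", "SD", "WP", "CC", "DC"}
# Bits of a numeric access mask with write/modify semantics:
# KEY_SET_VALUE, KEY_CREATE_SUB_KEY, DELETE, WRITE_DAC, WRITE_OWNER,
# GENERIC_ALL, GENERIC_WRITE.
WRITE_MASK = (0x0002 | 0x0004 | 0x10000 | 0x40000 | 0x80000
              | 0x10000000 | 0x40000000)

ACE_RE = re.compile(r"\(([^)]*)\)")


def rights_grant_write(rights: str) -> bool:
    """True if a rights field (two-letter codes or hex mask) includes a write bit."""
    if rights.lower().startswith("0x"):
        return int(rights, 16) & WRITE_MASK != 0
    codes = {rights[i:i + 2] for i in range(0, len(rights), 2)}
    return bool(codes & WRITE_RIGHTS)


def weak_aces(sddl: str) -> list[tuple[str, str]]:
    """Return (principal, rights) for every allow ACE that lets a low-privilege
    principal modify the key. Deny ACEs are skipped: they only restrict.
    Assumes a well-formed SDDL string (O:...G:...D:...S:...)."""
    dacl = sddl.split("D:", 1)[1] if "D:" in sddl else ""
    dacl = dacl.split("S:", 1)[0]  # stop at the SACL section, if present
    findings = []
    for ace in ACE_RE.findall(dacl):
        fields = ace.split(";")
        if len(fields) != 6:
            continue  # ignore malformed or conditional ACEs
        ace_type, _flags, rights, _obj, _inh, sid = fields
        if ace_type == "A" and sid in LOW_PRIV_SIDS and rights_grant_write(rights):
            findings.append((LOW_PRIV_SIDS[sid], rights))
    return findings


# Constructed sample descriptors for an AppID-style key (not from a real host):
WEAK_KEY = "O:BAG:SYD:(A;CI;KA;;;WD)"  # Everyone: Full Control -> finding
HARDENED_KEY = "O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;BU)"

if __name__ == "__main__":
    for name, sd in (("weak", WEAK_KEY), ("hardened", HARDENED_KEY)):
        print(name, weak_aces(sd))
```

On a live NT host the SDDL string would come from the key's security descriptor (for example via ConvertSecurityDescriptorToStringSecurityDescriptor); the checker itself is pure string parsing and runs anywhere.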
---------------------------------------

2) ACTIVE DIRECTORY: YOUR 5 MINUTE 'HAT'

Microsoft has a very useful little training session on their
website that gets you a good conceptual overview of what AD 
really is and how it can be used. Warmly recommended. Check out:
http://www.microsoft.com/directaccess/feature/99/1108.asp
---------------------------------------

3) WINDOWS 2000 IMPLEMENTATION PLANS GRAPHED

Last weekend we gave you the raw data about Windows 2000 
implementation, and Laura Didio of the Giga Group will go into
more detail with her analysis. But here are the figures graphed,
and much clearer, as we recalculated the percentages the way
they should be.

Here is how your colleagues think about Windows 2000: 

http://www.sunbelt-software.com/win2k/
---------------------------------------

And that is all for this NewsFlash.

Warm regards,

Stu Sjouwerman

(email me with feedback: [email protected])