what you don't know can hurt you
Home Files News &[SERVICES_TAB]About Contact Add New

winsd.032200.txt

winsd.032200.txt
Posted Apr 13, 2000
Authored by winsd | Site win2000mag.com

Windows Security Update March 22 - In this issue: Oracle Web Listener May Run Arbitrary Commands, Microsoft Media License Manager Denial of Service, Internet Information Server Chunked Encoding Post, Security Scripting Language, Email Security Product, Book Highlight: Windows 2000 Security Little Black Book.

tags | web, denial of service, arbitrary, magazine
systems | windows
SHA-256 | 2ddfba52a1a064304c5ee29fe2023ce75365f6be3ee5723c52409bf7eaf256f7

winsd.032200.txt

Change Mirror Download



**********************************************************
WINDOWS 2000 MAGAZINE SECURITY UPDATE
**Watching the Watchers**
The weekly Windows NT and Windows 2000 security update newsletter
brought to you by Windows 2000 Magazine and NTSecurity.net
https://www.win2000mag.com/update/
**********************************************************

This week's issue sponsored by

UltraBac.com
https://www.ultrabac.com/counter/winnt003s.htm

Symantec
https://www.symantec.com/specprog/sym/11200e.html
(Below Announcements)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-
March 22, 2000 - In this issue:

1. IN FOCUS
- New Precedents About To Be Set?

2. SECURITY RISKS
- Oracle Web Listener May Run Arbitrary Commands
- Microsoft Media License Manager Denial of Service
- Internet Information Server Chunked Encoding Post

3. ANNOUNCEMENTS
- Windows 2000 Magazine Affiliate Program

4. NEW AND IMPROVED
- Security Scripting Language
- Email Security Product

5. HOT RELEASE (ADVERTISEMENT)
- VeriSign - The Internet Trust Company

6. SECURITY TOOLKIT
- Book Highlight: Windows 2000 Security Little Black Book

7. HOT THREADS
- Windows 2000 Magazine Online Forums:
PST Files as Offline Folders
- Win2KSecAdvice Mailing List:
Help for Relentless Port Scanning
Win2K's Default High Security Policy
- HowTo Mailing List:
Legal Question Regarding Security
Windows 2000 Desktop Lockdown

~~~~ SPONSOR: ULTRABAC.COM ~~~~
UltraBac backup and disaster recovery software for NT3.51/NT4/Win2000
announces the release of Version 5.5. UltraBac v5.5 offers a new Oracle
agent based on API's, enhanced Disaster Recovery features, enhanced SQL
7.0 database restore options; and a new proprietary Locked File Backup
(LFB) agent. Disaster recovery enhancements for image backups include
tape spanning with software compression, a new GUI for creating
disaster recovery boot floppies, and support for Hewlett Packard's new
One Button Disaster Recovery (OBDR) functionality that was recently
added to HP's tape drive products. For more information and to
download your FREE 45-day copy, click here:
https://www.ultrabac.com/counter/winnt003s.htm

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
Want to sponsor Windows 2000 Magazine Security UPDATE? Contact Jim
Langone (Western Advertising Sales Manager) at 800-593-8268 or
jim@win2000mag.com, OR Tanya T. TateWik (Eastern Advertising and
International Advertising Sales Manager) at 877-217-1823 or
ttatewik@win2000mag.com.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

1. ========== IN FOCUS ==========

Hello everyone,

Piracy is a big concern for a lot of development companies. The amount
of money reportedly lost each year at the hands of pirates is
staggering. Naturally, developers take the matter seriously and guard
the security of their code-based assets as fiercely as they can.
One progressive way to guard software assets is to place the code
into the public domain under some form of open-source licensing scheme.
Thus, piracy becomes a moot point, and development takes more of a
front seat to profits.
However, many firms develop code that could not feasibly be
protected under an open-source scheme. Instead, their products'
protection must rely on honesty or secrecy. Take, for example, the DVD-
based Content Scrambling System (CSS) software technology, which relies
on secrecy for protection. Developers use CSS to encrypt DVD-based
media so that only DVD players can decrypt and play that media. This
approach minimizes unauthorized duplication. But in November 1999,
someone posted a program called DeCSS that can decrypt media that is
copy protected with CSS.
The release of DeCSS has caused quite a ruckus in the computer
industry as well as in the motion picture industry. Naturally,
Hollywood wants to protect its movies from unauthorized duplication and
is going to extremes to do so. In late December 1999, the DVD Copy
Protection Association filed a lawsuit in California suing Web site
operators who had posted copies of the DeCSS program. The association
also sued Web site operators who merely posted links to sites that had
the program online for download. The courts handed down an injunction
prohibiting US sites from posting the code.
But hackers and supporters have struck back hard. Attorneys for the
defendants wanted the CSS code submitted as evidence in the case, which
would make the code a matter of public record because civil lawsuits
are public information. In addition, hackers from Australia will soon
air the source code on Australian television. Australian law does not
prohibit such action.
I think Hollywood has the right to sue the developers of DeCSS and
people who distribute the program, but I also think the developers of
DeCSS have the right to tell the world what they discovered. After all,
the developers of DeCSS weren't the people who said the CSS technology
was secure--they only proved that it wasn't.
That statement leads me to an interesting thought: What about the
people who developed and promoted CSS as a secure technology in the
first place? Aren't they to blame, too? If a company claims its
technology is secure, but it turns out that the product is not, could
the company be sued for fraud?
The case raises so many questions that it likely will set more than
one precedent for the computer industry and the Internet. I think those
precedents will include new legal views on antipiracy and reverse
engineering, which could dramatically impact the way security-related
problems are discovered and reported in the future. If you're a
developer or a company that sells security-related solutions (whether
software, hardware, or services), be sure to keep an eye on the DeCSS
case. It might change the way you do business.
Before I sign off this week, I want to inform you all that the
NTSecurity.net Web site may be offline until Friday morning. We have
encountered some unexpected difficulties while moving the site from one
data center to another. Thanks for your patience while we work to
quickly bring the site back online. Until next time, have a great week.

Sincerely,
Mark Joseph Edwards, News Editor
mark@ntsecurity.net

2. ========== SECURITY RISKS =========
(contributed by Mark Joseph Edwards, mark@ntsecurity.net)

* ORACLE WEB LISTENER MAY RUN ARBITRARY COMMANDS
Oracle Application Server ships with a component called Oracle Web
Listener. Cerebus Information Security reported a problem with the
component that could let an intruder run arbitrary commands on the
server.
https://listserv.ntsecurity.net/scripts/wa-ntsecurity.exe?A2=ind0003b&L=win2ksecadvice&F=&S=&P=4178

* MICROSOFT MEDIA LICENSE MANAGER DENIAL OF SERVICE
According to Microsoft's documentation, Windows Media License Manager
is part of a technology set that enables distribution of copyrighted
digital media. When Media Player opens a protected medium, it contacts
the media provider to receive a license key. A malformed license key
request can cause the License Manager to halt.
For details, see Microsoft Support Online article Q257200
(https://support.microsoft.com/support/kb/articles/Q257/2/00.ASP?LNG=ENG&SA=ALLKB&FR=0).

* INTERNET INFORMATION SERVER CHUNKED ENCODING POST
Internet Information Server (IIS) supports chunked encoding transfers
for PUT and POST operations; however, the server does not limit the
amount of memory that can be requested for such a transfer during a
given user session. Therefore an attacker can request large amounts of
memory from the server and cause a Denial of Service (DoS) attack for
the duration of that user's session. According to Microsoft's report,
when the attacker closes the Web browser, IIS resumes normal operation.
For more information, see Microsoft Support Online article Q252693
(https://support.microsoft.com/support/kb/articles/q252/6/93.asp?LNG=ENG&SA=ALLKB&FR=0).

3. ========== ANNOUNCEMENTS ==========

* WINDOWS 2000 MAGAZINE AFFILIATE PROGRAM
Windows 2000 Magazine, in cooperation with LinkShare, announces a new
Web affiliate program. By simply placing a text or banner link on your
Web site, you can earn up to $10 for each customer who clicks through
from your site to ours and orders a subscription to either Windows 2000
Magazine or SQL Server Magazine. For more information, visit
https://www.win2000mag.com/AboutUs/Index.cfm?Action=affiliate or
https://www.sqlmag.com/Info/affiliate.cfm.

~~~~ SPONSOR: SYMANTEC ~~~~
Norton Ghost? 6.0 is the premier tool for Windows 2000 migration, PC
deployment, cloning, and PC recovery. It dramatically reduces IT costs
by streamlining the configuration of networked workstations.
Administrators can restore a system image onto a failed PC in as little
as seven minutes, and reduce PC deployment and upgrade times by 90
percent or more. Click here to order your free trialware!
https://www.symantec.com/specprog/sym/11200e.html

4. ========== NEW AND IMPROVED ==========
(contributed by Judy Drennen, products@win2000mag.com)

* SECURITY SCRIPTING LANGUAGE
Trusted Systems Services (TSS) announces AdvancedChecker 2.0, a
security scripting language for Windows 2000 (Win2K) and Windows NT
that installs, checks, sets, and fixes network security for large and
small sites. AdvancedChecker is available as a beta. New features
include user-defined macros, functions to query the Security log and
System and Application Event logs, and the ability to compile several
source files into one object file. Contact TSS, 217-344-0996.
https://www.trustedsystems.com

* EMAIL SECURITY PRODUCT
TurnSafe Technologies announced SafeWrite, an email security product
featuring advanced encryption technology. SafeWrite is easy to use--
just type in the recipient's address and send your message. SafeWrite
lets you send secure messages without having to worry about the
receiver's software, without having to keep track of any public keys,
and without forcing the receiver to install SafeWrite or other special
viewing software. You can use your existing POP, IMAP4, Web-based, or
AOL email account. SafeWrite is compatible with most OSs, including
Windows, MacOs, Linux, OS/2, and UNIX. SafeWrite sends messages with
dissolving keys, so that after a user reads a message, it cannot be re-
opened. SafeWrite secure email service is available by subscription to
individuals for 2 years at a cost of $39.95, and includes product
updates during the subscription period. Multiuser and domain rates are
also available.
https://www.turnsafe.com

5. ========== HOT RELEASE (ADVERTISEMENT) ==========

* VERISIGN - THE INTERNET TRUST COMPANY
Protect your servers with 128-bit SSL encryption! Get a FREE guide,
"Securing Your Web Site for Business." You'll learn how to use SSL
encryption for serious online security.
https://www.verisign.com/cgi-bin/go.cgi?a=n016005190008000

6. ========== SECURITY TOOLKIT ==========

* BOOK HIGHLIGHT: WINDOWS 2000 SECURITY LITTLE BLACK BOOK
By Ian Mclean
Online Price: $19.95
Softcover; 400 pages
Published by Coriolis, February 2000
ISBN: 1576103870

"Windows 2000 Security Little Black Book" is an indispensable tool for
the security professional working in the Windows 2000 (Win2K)
environment. This book is packed with methods and tips for implementing
secure, but useable, network policies.
Whether you work in a small organization with a few hundred users or
a large multinational group working across WANs and the Internet,
you'll find the information you need presented in an accessible, user-
friendly format. Using this book, you can unlock the secrets of Win2K's
Active Directory (AD), Group Policy, security protocols, encryption,
public key security, security certificates, smart cards, IP security,
VPNs, and the security toolset.

For Windows 2000 Magazine Security UPDATE readers only--Receive an
additional 10 PERCENT off the online price by typing WIN2000MAG in the
referral field on the Shopping Basket Checkout page. To order this
book, go to https://www.fatbrain.com/shop/info/1576103870?from=SUT864.

7. ========== HOT THREADS ==========

* WINDOWS 2000 MAGAZINE ONLINE FORUMS

The following text is from a recent threaded discussion on the Windows
2000 Magazine online forums (https://www.win2000mag.com/support).

March 17, 2000, 07:09 A.M.
PST Files as Offline Folders
When selecting my network-based PST Folders as Offline Folders, I get a
synchronization error and it fails. The rest of the folders can be set
as offline. I have already shut down Outlook and checked that there are
no file locks or anything. I did successfully select them in RC2, but
since upgrading, I can't do it. Anyone know if there is a fix or is
this a "feature?"

Thread continues at
https://www.win2000mag.com/support/Forums/Application/Index.cfm?CFApp=70&Message_ID=95536

* WIN2KSECADVICE MAILING LIST
Each week we offer a quick recap of some of the highlights from the
Win2KSecAdvice mailing list. The following threads are in the spotlight
this week:

1. Help for Relentless Port Scanning
https://listserv.ntsecurity.net/scripts/wa-ntsecurity.exe?A2=ind0003c&L=win2ksecadvice&P=1614

2. Win2K's Default High Security Policy
https://listserv.ntsecurity.net/scripts/wa-ntsecurity.exe?A2=ind0003c&L=win2ksecadvice&P=861

* HOWTO MAILING LIST
Each week we offer a quick recap of some of the highlights from the
HowTo for Security mailing list. The following threads are in the
spotlight this week:

1. Legal Question Regarding Security
https://listserv.ntsecurity.net/scripts/wa-ntsecurity.exe?A2=ind0003c&L=howto&P=2783

2. Windows 2000 Desktop Lockdown
https://listserv.ntsecurity.net/scripts/wa-ntsecurity.exe?A2=ind0003c&L=howto&P=12148

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

WINDOWS 2000 MAGAZINE SECURITY UPDATE STAFF
News Editor - Mark Joseph Edwards (mje@win2000mag.com)
Ad Sales Manager (Western) - Jim Langone (jim@win2000mag.com)
Ad Sales Manager (Eastern) - Tanya T. TateWik (ttatewik@win2000mag.com)
Associate Publisher/Network - Martha Schwartz (mschwartz@win2000mag.com)
Editor - Gayle Rodcay (gayle@win2000mag.com)
New and Improved Judy Drennen (products@win2000mag.com)
Copy Editor Judy Drennen (jdrennen@win2000mag.com)

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-

Thank you for reading Windows 2000 Magazine Security UPDATE.


To subscribe, go to the UPDATE home page at
https://www.win2000mag.com/update or send an email to join-securityupdate@list.win2000mag.net.

To remove yourself from the list, send a blank email to leave-securityupdate@list.win2000mag.net.

To change your email address, send a message with the content below to securityupdate@list.win2000mag.net.
set securityupdate email="new email address"
Replace "new email address" (including quotes)
with your new email address.


If you have questions or problems with your UPDATE subscription, please contact
owner-securityupdate@list.win2000mag.net.


========== GET UPDATED! ==========
Receive the latest information on the Windows 2000 and Windows NT topics of your choice. Subscribe to these other FREE email newsletters at https://www.win200
0mag.com/sub.cfm?code=up99inxsup.

Windows 2000 Magazine UPDATE
Windows 2000 Magazine Thin-Client UPDATE
Windows 2000 Magazine Exchange Server UPDATE
Windows 2000 Magazine Enterprise Storage UPDATE
Windows 2000 Pro UPDATE
ASP Review UPDATE
SQL Server Magazine UPDATE
SQL Server Magazine XML UPDATE
IIS Administrator UPDATE
WinInfo UPDATE

|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|-+-|

Copyright 2000, Windows 2000 Magazine



Login or Register to add favorites

File Archive:

November 2024

  • Su
  • Mo
  • Tu
  • We
  • Th
  • Fr
  • Sa
  • 1
    Nov 1st
    30 Files
  • 2
    Nov 2nd
    0 Files
  • 3
    Nov 3rd
    0 Files
  • 4
    Nov 4th
    12 Files
  • 5
    Nov 5th
    44 Files
  • 6
    Nov 6th
    18 Files
  • 7
    Nov 7th
    9 Files
  • 8
    Nov 8th
    8 Files
  • 9
    Nov 9th
    3 Files
  • 10
    Nov 10th
    0 Files
  • 11
    Nov 11th
    14 Files
  • 12
    Nov 12th
    20 Files
  • 13
    Nov 13th
    63 Files
  • 14
    Nov 14th
    18 Files
  • 15
    Nov 15th
    8 Files
  • 16
    Nov 16th
    0 Files
  • 17
    Nov 17th
    0 Files
  • 18
    Nov 18th
    0 Files
  • 19
    Nov 19th
    0 Files
  • 20
    Nov 20th
    0 Files
  • 21
    Nov 21st
    0 Files
  • 22
    Nov 22nd
    0 Files
  • 23
    Nov 23rd
    0 Files
  • 24
    Nov 24th
    0 Files
  • 25
    Nov 25th
    0 Files
  • 26
    Nov 26th
    0 Files
  • 27
    Nov 27th
    0 Files
  • 28
    Nov 28th
    0 Files
  • 29
    Nov 29th
    0 Files
  • 30
    Nov 30th
    0 Files

Top Authors In Last 30 Days

File Tags

Systems

packet storm

© 2024 Packet Storm. All rights reserved.

Services
Security Services
Hosting By
Rokasec
close