[ISN] Security UPDATE-- Disabling the ADODB.Stream Object--July 7, 2004

InfoSec News isn at c4i.org
Thu Jul 8 05:36:44 EDT 2004


==== This Issue Sponsored By ====

Free Security White Paper from Postini
   http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0BJha0AC

Security Administrator
   http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0BFMs0Ax

====================

1. In Focus: Disabling the ADODB.Stream Object

2. Security News and Features
   - Recent Security Vulnerabilities
   - News: Firewall Permissions Code for XP SP2
   - Feature: On the Net, Awareness = Safety
   - Feature: Performing Forensic Analyses, Part 2

3. Security Toolkit
   - FAQ
   - Featured Thread

4. New and Improved
   - New Security Administration Book
   - Intrusion Scanner Eliminates Trojan Horses

====================

==== Sponsor: Free Security White Paper from Postini ====
   How to Preemptively Eliminate the Top 5 Email Security Threats
   Are worries about spam and virus attacks to your enterprise email
system keeping you up at night? See why spam and viruses are only the
"tip of the iceberg" when it comes to email security threats. Learn
how you can eliminate the top 5 security threats to your email system,
including the silent killer -- directory harvest attacks. The good
news is there's an easy and effective way to arm your organization
against all threats, even the latest spam and email attacks. Find out
how to completely and preemptively protect against major threats
including spam, viruses, directory harvest attacks (DHA),
denial-of-service (DoS) attacks, as well as internal policy
violations. Download this free white paper today!
   http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0BJha0AC

====================

==== 1. In Focus: Disabling the ADODB.Stream Object ====
   by Mark Joseph Edwards, News Editor, mark at ntsecurity dot net

Last week, I wrote about two ways to quickly and easily work around
problems with Microsoft ADO databases (ADODB). One solution is a
registry script from eEye Digital Security and the other is PivX
Solutions' Qwik-Fix. As far as I know, both of these solutions can
disable parts of ADODB. If you missed last week's newsletter, you can
read about the solutions at
   http://www.winnetmag.com/article/articleid/43131/43131.html

The combined attack method that I wrote about last week involves the
use of the ADODB.Stream object, which Microsoft says is essentially a
memory-based file. Now Microsoft has released an official fix to
disable ADODB.Stream for Windows Server 2003, Windows XP, and Windows
2000. You can download the "Critical Update for Microsoft Data Access
Components - Disable ADODB.Stream object from Internet Explorer" fix
at:
http://www.microsoft.com/downloads/details.aspx?familyid=4d056748-c538-46f6-b7c8-2fbfd0d237e3&displaylang=en

According to the related Microsoft article "How to disable the
ADODB.Stream object from Internet Explorer," the fix makes changes to
the registry that prevent the ADODB.Stream object from accessing the
local disk drives via Microsoft Internet Explorer (IE). However, other
applications that use the object can still access the disk if
necessary.
   http://support.microsoft.com/?kbid=870669

In addition to installing the Microsoft fix, which I think most
security professionals would recommend, you might want to consider
other configuration changes to your IE installations. Another
Microsoft article, "How to strengthen the security settings for the
Local Machine zone in Internet Explorer," describes how to disable
ActiveX controls and Java applets, prompt the user before running
scripts, prompt the user before accessing a database in another zone,
control how zone security is applied (e.g., per user or the same
settings for all users, whether users can change those settings), and
use Group Policy to control IE security zone settings. Be aware that
you might experience unwanted effects (as noted in the article) when
you make some of the recommended changes.
   http://support.microsoft.com/?kbid=833633

Two other articles--"How to Stop an ActiveX Control from Running in
Internet Explorer" and "How to Remove an ActiveX Control in
Windows"--describe how to prevent IE from using particular ActiveX
controls and how to remove ActiveX controls if you need to do that for
whatever reason. By using some or all of the recommended IE security
settings, you can significantly increase browser security.
   http://support.microsoft.com/?kbid=240797
   http://support.microsoft.com/?kbid=154850

Microsoft said that in the coming weeks it will release a series of
security updates for IE that will provide additional protection;
however, the company hasn't said what those updates might actually
entail. The company also said that it's working on a "comprehensive
update for all supported versions of Internet Explorer [which] will be
released once it has been thoroughly tested and found to be effective
across a wide variety of supported versions and configurations of
Internet Explorer."

The company also said that the upcoming XP Service Pack 2 (SP2) will
better protect users against attacks and unwanted content, including
downloads. So in addition to the already-mentioned fixes and
configuration changes, more help is on the way.

====================

==== Sponsor: Security Administrator ====
   Try a Sample Issue of Security Administrator!
   Security Administrator is the monthly newsletter from Windows &
.NET Magazine that shows you how to protect your network from external
intruders and control access for internal users. Sign up now to get a
1-month trial issue--you'll feel more secure just knowing you did.
Click here!
   http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0BFMs0Ax

====================

==== 2. Security News and Features ====

Recent Security Vulnerabilities
   If you subscribe to this newsletter, you also receive Security
Alerts, which inform you about recently discovered security
vulnerabilities. You can also find information about these discoveries
at
   http://www.winnetmag.com/departments/departmentid/752/752.html

News: Firewall Permissions Code for XP SP2
   Mitch Denny has written some sample code that lets developers more
easily interact with the new firewall design that's part of Windows XP
Service Pack 2 (SP2). Denny says that his code, FirewallPermission,
"is a custom permission and associated declarative security attribute
which uses the Windows Firewall COM interfaces to check whether a
program has inbound access on a port enabled."
   http://www.winnetmag.com/article/articleid/43096/43096.html

Feature: On the Net, Awareness = Safety
   Given "phishing" (email messages that appear to be from reputable
companies and that ask customers to confirm personal information such
as credit card and bank account numbers), Web-site redirection, and
outright browser hijack attempts, reading email and browsing the Web
is fraught with dangers that passive protections such as firewalls
can't really stop. David Chernicoff explains ways to help your users
protect themselves.
   http://www.winnetmag.com/article/articleid/43067/43067.html

Feature: Performing Forensic Analyses, Part 2
   In "Performing Forensic Analyses, Part 1,"
http://www.winnetmag.com/article/articleid/42445/42445.html , Matt
Lesko shows how to create a bootable CD-ROM that contains the Penguin
Sleuth Kit and how to use that CD-ROM to create a digital copy, or
image, of a compromised hard disk. In this second article, Lesko looks
at how to perform a forensic analysis on that image by using the
Penguin Sleuth Kit on your CD-ROM.
   http://www.winnetmag.com/article/articleid/42810/42810.html

====================

==== Announcements ====
   (from Windows & .NET Magazine and its partners)

Online Resource for SQL Server DBAs and Developers
   Visit the SQL Server Magazine Web site and experience a helpful
resource offering the easy-to-find SQL Server solutions, news,
guidance, and how-to information you're looking for. Reference lists
of active forums, hot topic discussions, keyword searches, free Web
seminars, FAQs, and much more. The site also features Web-exclusive
columns by Itzik Ben-Gan. Check it out:
   http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0KQO0AQ

New Free Web Seminar--Securing Your Windows and Exchange Environments
   Everyone has a network-configured firewall and an up-to-date
antivirus scanner, yet malware attacks still happen. In this free Web
seminar, Roger Grimes and Steve Bryant will address Windows Server
2003 and Exchange Server 2003 security challenges and help secure your
systems the right way. Register now!
   http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0BJgs0AT

Did You Miss the Live Microsoft Security Strategies Roadshow?
   Microsoft has teamed with Avanade and Network Associates to bring
you the on-demand Webcast from the Microsoft Security Strategies
Roadshow tour. Join industry guru Mark Minasi and learn more about
tips to secure your Windows Server 2003 and Windows 2000 network, plus
more! Register now.
   http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0BELe0Ah

====================

==== Hot Release ====

SSL123 - New from thawte
   The full 128-bit capable digital certificate issued within minutes
for US$159.00. Free reissues and experienced 24/5 multi-lingual
support included for the life of the certificate. Click here to read
more:
   http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0BJhb0AD

====================

==== 3. Security Toolkit ====

FAQ: How Can I Start the Microsoft Management Console (MMC) Active
Directory Users and Computers Snap-In so That It Points to a Specific
Domain Controller (DC)?
   by John Savill, http://www.winnetmag.com/windowsnt20002003faq

A. When you start the Active Directory Users and Computers snap-in, it
tries to connect to the nearest DC in the current domain. To connect
to a specific DC, run the command:

   dsa.msc /server=<server's IP address or name>

You can also use this command syntax to create a shortcut to a
specific DC on your desktop or on the Start menu.

Featured Thread: Removing a Backdoor IRC Bot
   (Two messages in this thread)
   Mike writes that one of his systems is infected with a Trojan horse
program and he can't remove the Trojan horse's msrll.exe file from the
infected system's %systemroot%\system32\mfm folder. He can delete the
jtram.comf file from the folder, but the file is recreated soon after
he deletes it. Norton AntiVirus corporate edition found the msrll.exe
file but couldn't quarantine or remove it. Mike also tried removing
the msr11.exe file by booting to Safe Mode but wasn't successful. He
wonders if anyone can help him remove the Trojan horse.
http://www.winnetmag.com/forums/messageview.cfm?catid=42&threadid=123027

====================

==== Events Central ====
   (A complete Web and live events directory brought to you by Windows
& .NET Magazine: http://www.winnetmag.com/events )

Free Roadshow in Your City Soon--HP Wireless & Mobility Roadshow 2004
   In this free Roadshow, you'll discover trends in the wireless and
mobility industry and come away with a better understanding of
wireless and mobility solutions. And, talk first hand about your
wireless projects with leaders in the industry. See proven wireless
and mobile solutions in action. Register now!
   http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0BJgt0AU

====================

==== 5. New and Improved ====
   by Jason Bovberg, products at winnetmag.com

New Security Administration Book
   Syngress Publishing published "Check Point Next Generation with
Application Intelligence Security Administration" by Chris Tobkin and
Daniel Kligerman. The 600-page book covers Check Point Software
Technologies' Check Point Next Generation product, from simple
firewall setup to advanced VPN and firewall scenarios. The book also
serves as a study tool for the Check Point Certified Security
Administrator (CCSA) exam. This third volume in Syngress's series
about Check Point products costs $59.95. For more information, contact
Syngress on the Web.
   http://www.syngress.com

Intrusion Scanner Eliminates Trojan Horses
   ATShield released Anti-Trojan Shield 1.2, a virus/intrusion scanner
that identifies and eliminates Trojan horses running in memory, as
well as infected system files and registry entries. Anti-Trojan
Shield's resident monitor checks your PC each time you start up and
each time you launch a program. It also checks all new files
downloaded from Microsoft Internet Explorer (IE) 5.0 and 6.0,
Microsoft Outlook Express, and ICQ, ensuring that no malicious code
enters your computer. The software's reports and log files keep track
of all the activities the program performs. Anti-Trojan Shield 1.2
runs on Windows 2003/XP/2000/Me/9x and costs $29.95. For more
information, contact ATShield on the Web.
   http://www.atshield.com

Tell Us About a Hot Product and Get a T-Shirt!
   Have you used a product that changed your IT experience by saving
you time or easing your daily burden? Tell us about the product, and
we'll send you a Windows & .NET Magazine T-shirt if we write about the
product in a future Windows & .NET Magazine What's Hot column. Send
your product suggestions with information about how the product has
helped you to whatshot at winnetmag.com.

====================

==== Sponsored Links ====

Argent
   Comparison Paper: The Argent Guardian Easily Beats Out MOM
   http://list.winnetmag.com/cgi-bin3/DM/y/ega50CJgSH0CBw0BDWV0Ac

====================

==== Contact Us ====

About the newsletter -- letters at winnetmag.com
About technical questions -- http://www.winnetmag.com/forums
About product news -- products at winnetmag.com
About your subscription -- securityupdate at winnetmag.com
About sponsoring Security UPDATE -- emedia_opps at winnetmag.com

====================

==== Contact Our Sponsors ====

Primary Sponsor:
   Postini -- http://www.postini.com -- 1-888-584-3150

Hot Release Sponsor:
   thawte -- http://www.thawte.com -- 1-650-426-7400

====================

This email newsletter is brought to you by Windows & .NET Magazine,
the leading publication for IT professionals deploying Windows and
related technologies. Subscribe today.
   http://www.winnetmag.com/sub.cfm?code=wswi201x1z

You received this email message because you asked to receive
additional information about products and services from the Windows &
.NET Magazine Network. To unsubscribe, send an email message to
mailto:Security-UPDATE_Unsub at list.winnetmag.com. Thank you!

View the Windows & .NET Magazine privacy policy at
http://www.winnetmag.com/AboutUs/Index.cfm?action=privacy

Windows & .NET Magazine, a division of Penton Media, Inc.
221 East 29th Street, Loveland, CO 80538
Attention: Customer Service Department

Copyright 2004, Penton Media, Inc. All rights reserved.





More information about the ISN mailing list