Kevin's song of the week
news://msnews.microsoft.com/eR9tw76sEHA.1720@TK2MSFTNGP14.phx.gbl
---------------------
The Big news of the week....
SECURITY PATCHES WEEK
And I got my Shavlik patch thrill in this week
Handicappin' the Patches:
http://msmvps.com/bradley/archive/2004/10/12/15669.aspx
----------------------
Alan Billharz posts --
The Windows Small Business Server team would like to make all of our
customers aware of the recently reported ASP.NET vulnerability. The
official site for information about this issue for all Microsoft
products is located here:
http://www.microsoft.com/security/incident/aspnet.mspx.
Some web components of the Windows Small Business Server 2003 product
are ASP.NET applications, including the CompanyWeb site, Remote Web
Workplace, and Outlook Mobile Access. Our investigation into this
matter has not revealed any specific vulnerability in the SBS 2003
ASP.NET applications; however, as a purely precautionary measure, we
recommend that all of our Windows Small Business Server 2003 customers
follow the instructions on the following web site as soon as possible:
http://www.microsoft.com/downloads/details.aspx?familyid=DA77B852-DFA0-4631-AAF9-8BCC6C743026&displaylang=en
Thank you for your patience in this matter.
-Alan Billharz
SBS Program Management
* - *
Installed here... no runs, drips or errors....
--------------------------
Eric F's blog brings a heads up for an XP SP2 patch issue
http://blogs.msdn.com/efleis/archive/2004/10/15/242633.aspx
Earlier today Raymond posted on an issue that I've seen several of
myself, so I thought it wise to link to it from yet another place.
In a nutshell, you receive the error: "Explorer.EXE - Entry Point Not
Found - The procedure entry point SHCreateThreadRef could not be located
in the dynamic link library SHLWAPI.dll"
If you see this one around, Raymond did a good writeup worthy of tucking
away in your pocket for a rainy day.
--------------------------------
Windows Media Center Edition 2005 launches but it does not support being
connected to a domain
Carl in the newsgroup asks.... "Can SBS be used for the home":
http://msmvps.com/bradley/archive/2004/10/16/15982.aspx
-------------------------
Google desktop starts the desktop search engine wars
SeanDaniel.com comments - his take on the Google Desktop
http://seanda.blogspot.com/2004/10/looking-for-something.html
<I don't like that it doesn't like that I haven't updated my proxy
client on my workstation... hmmmm what do YOU care what proxy client I
have? >
Here is the Q&A Page for your reading pleasure:
http://www.desktop.google.com/support/bin/index.py?fulldump=1
Privacy Policy:
http://desktop.google.com/privacypolicy.html
Google Desktop privacy branded 'unacceptable' | The Register:
http://www.theregister.co.uk/2004/10/15/google_desktop_privacy/
------------------------
So totally off topic it's not funny.....
http://www.duranduran.com/ releases new CD - Astronaut
Okay so I had a crush on Simon as a teenager ;-) - cut me some slack
You too can download their latest song as your ringtone
Sony Music Mobile: Browse:
http://www.sonymusicmobile.com/hub/sonymusic/dispatcher/browse?s=Duran%20Duran
[it's a bit cheesy...but it IS the song]
--------------------
http://www.micropersuasion.com/2004/10/msnbc_to_add_rs.html
MSNBC adds RSS feeds
-----------------------
************************************************************
EBay laptop swindler gets 4 years in prison
What federal prosecutors called the nation's marquee
Internet fraud case concluded Tuesday with the
sentencing of eBay laptop swindler John P. Leary
to more than four years in prison. In addition to
a 50-month term to be served at Nellis Federal
Prison Camp, a federal minimum security facility
in North Las Vegas, Nev., Leary, alias Russell
Dana Smith, was ordered by U.S. District Judge
Tena Campbell to pay nearly $885,000 in restitution
to his victims.
http://www.sltrib.com/search/ci_2426531
- - - - - - - - - -
Technology hinders fraud investigations
Increasingly sophisticated technology is making
serious fraud harder to investigate, according
to the Serious Fraud Office (SFO). In an interview
with Computing, SFO Assistant Director Peter
Kiernan said new remote networked technologies
and storage-intense laptops mean investigators
have to search for more information sources and
locations when tracking down fraudsters.
http://www.vnunet.com/news/1158727
- - - - - - - - - -
Seven critical in MS October patch batch
Microsoft yesterday released 10 new security
bulletins to fix multiple components in its Windows
operating system and applications. Redmond's October
patch batch brings nine security updates (six critical,
three important) for Windows and one critical update
needed to correct a flaw in the Excel component of
Office. Two of the Windows fixes cover critical vulns
for Exchange Server 2003. In addition, there's an update
to last month's notice about a serious flaw involving
Microsoft's processing of jpeg image files, which
only affects Office XP applications for users running
Windows XP SP2.
http://www.theregister.co.uk/2004/10/13/ms_october_patch_batch/
- - - - - - - - - -
Ridge statement sows confusion on cybersecurity chief
The technology industry stands behind its call
for an assistant secretary for cybersecurity
in the Homeland Security Department, even as
confusion grows over what the department is
planning.
http://www.govexec.com/dailyfed/1004/101304tdpm1.htm
Cyber-Security to Get Higher-Profile Leader
http://www.washingtonpost.com/wp-dyn/articles/A28019-2004Oct12.html
DHS mulls shift in cyberczar's power
http://www.gcn.com/vol1_no1/daily-updates/27625-1.html
Homeland security CIO to gain funds, clout
http://www.gcn.com/vol1_no1/daily-updates/27629-1.html
Defense CIO stresses congressional dialogue
http://www.fcw.com/fcw/articles/2004/1011/web-cio-10-13-04.asp
- - - - - - - - - -
Industry warned to tackle cyber-crime
INDUSTRY must get to grips with the increasing
threat posed by hi-tech crime or face potentially
disastrous consequences, according to the director
of a leading European technology think-tank. Robert
Urry, director of the Cyber Tools On-Line Search
for Evidence (CTOSE), an EU-funded research project
headquartered in Edinburgh, told a conference in
the city yesterday that existing piecemeal defence
against computer crime was making targets out of
legitimate business.
http://business.scotsman.com/archive.cfm?id=1190552004
- - - - - - - - - -
Broadband progress raises security issues
Poor consumer awareness around broadband
security is putting the UK at risk, according
to the director of the government's National
Infrastructure Security Co-ordination Centre.
http://www.vnunet.com/news/1158726
- - - - - - - - - -
UCLA File Swappers in Quarantine
UCLA has developed a new process of identifying
and disciplining copyright infringers on peer-to-peer
networks, providing schools with another tool
to crack down on illegal file sharing. Jim Davis,
the university's associate vice chancellor of
information technology, testified last week about
the UCLA Quarantine project before the House
Subcommittee on Courts, the Internet and
Intellectual Property.
http://www.wired.com/news/digiwood/0,1412,65227,00.html
- - - - - - - - - -
Prosecutor resigns over hacked PC
A leading Dutch prosecutor resigned yesterday
after hackers entered his mail box and revealed
yet another classified letter addressed to the
public prosecutor's office. This was the second
security lapse in recent days for Joost Tonino,
a specialist prosecutor in white collar crime.
Just last week Tonino was left red faced after
it emerged he had put his old PC out with the
trash.
http://www.theregister.co.uk/2004/10/13/dutch_prosecutor_hacked/
- - - - - - - - - -
Security chief quits Microsoft
Stuart Okin, the public face of Microsoft UK's
security work, has resigned from the software
giant. In an email sent by Okin on Wednesday
afternoon and seen by ZDNet UK, he revealed he
was "moving on to pastures new" after eight years
at Microsoft. When contacted by ZDNet UK, he said
that the transition was "just a career move".
http://news.zdnet.co.uk/0,39020330,39170225,00.htm
- - - - - - - - - -
Vonage talks about 911 advancements
Vonage, an Internet phone service provider, and
emergency telecom specialist Intrado say together
they've conducted successful trials of an advanced
means of making emergency phone calls using the
Internet. Details of the work in Rhode Island,
and the two companies' future plans for it, will
be unveiled Thursday in Washington, D.C., where
Vonage will also discuss its participation in
a major industry-led forum to improve the nation's
911 system.
http://news.com.com/Vonage+talks+about+911+advancements/2100-7352_3-5408449.html
- - - - - - - - - -
Locked out--and locked up--on the Net? (series of articles)
Outages put a crimp in access at online payment
site PayPal and the Gawker celebrity-spotting
blog. Also: Microsoft's latest security warnings.
http://news.com.com/Locked+out--and+locked+up--on+the+Net/2009-1002_3-5406354.html
---------------------------------
WARNING: THE FOLLOWING SECTION INCLUDES LINKS TO PROOF OF CONCEPT WEB
PAGES - CLICK AT YOUR OWN RISK
(1) CRITICAL: Cumulative Security Update for Internet Explorer
Affected:
IE 5.01 SP3/SP4 on Windows 2000 SP3/SP4
IE 5.5 SP2 on Microsoft Windows ME
IE 6 on Windows XP/XP SP2/XP 64-Bit Edition version 2003/XP SP1 64-Bit
Edition
IE 6 on Windows 2003 including 64-Bit Edition
IE 6 SP1 on Windows 98/SE/ME/NT Server 4.0
IE 6 SP1 on Windows 2000 SP3/SP4 or XP/XP SP1
Description: Microsoft security advisory MS04-038 contains a fix for a
number of Internet Explorer vulnerabilities. Most of these flaws have
been discussed in the earlier issues of the @RISK newsletters. All the
following flaws could be exploited by a malicious webpage or an HTML
email to compromise a client system.
(a) An HTML page containing a specially crafted STYLE tag such as
"<style>;@/* ;)" can trigger a heap memory corruption in IE. The memory
corruption may be exploited to execute arbitrary code.
(b) IE redirects a script function to another function with a similar
name without checking any security context. This flaw can be exploited
to bypass IE's zone restrictions, and compromise a client system when a
user visits a malicious webpage. No action is required on the user's
part.
(c) IE does not perform sufficient security checks on specially crafted
HTML "style" sheets, which can be exploited to access a local folder on
a client system. By coupling this flaw with a drag and drop event that
moves an image (specified via image tag with its dynamic source
attribute set to an executable file), an attacker can drop a malicious
executable onto the client's system. Multiple exploits have been
publicly posted. The flaw has been exploited in the wild by the Akak
Trojan.
(d) The "window.createpopup" and the "show" methods are used to create
and display a pop-up window respectively. IE's show method
implementation contains a vulnerability that may be exploited to
compromise a client system. The problem occurs because the "show" method
can be used to move the pop-up window when the user clicks a link in a
specially crafted webpage. This emulates the "drag-and-drop" behavior
that can be used to create a malicious file on the client system. This
vulnerability is being actively exploited in the wild.
(e) IE's Active SetUp technology is designed to improve the process of
installing software updates. This technology helps speed up the
installation process by downloading only the files that are necessary.
The Install Engine ActiveX control (inseng.dll), which is part of the
Active SetUp technology, contains a buffer overflow. The flaw can be
exploited to execute arbitrary code on a client system. The discoverers
of the flaw will release the technical details in January 2005.
Status: Apply the patch referenced in the MS04-038 advisory. The patch
also fixes other information disclosure vulnerabilities.
Council Site Actions: All but one of the reporting council sites are
responding to this vulnerability. Most plan to deploy the patches on
an accelerated basis. One site said the majority of their systems have
already obtained the patches through the public Windows Update site.
There is one site that is having some challenges with deploying the
patches. They have an internal software development group that has
refused to QA the patches against their web-based applications and upper
management does not want to risk deploying a patch that may affect user
applications. Until this situation can be resolved, they will rely on
their malicious code protection strategy.
References:
Microsoft Security Advisory
http://www.microsoft.com/technet/security/bulletin/MS04-038.mspx
(a) IE Style Sheet Heap Corruption
Posting by Phuong (on July 23, 2004)
http://marc.theaimsgroup.com/?l=full-disclosure&m=109060455614702&w=2
Posting by Berend-Jan Wever (On July 28, 2004)
http://marc.theaimsgroup.com/?l=bugtraq&m=109107496214572&w=2
http://www.ecqurity.com/adv/IEstyle.html
(b) IE Similar Function Redirection
Posting by Paul (On July 11, 2004)
http://www.securityfocus.com/archive/1/368671/2004-07-05/2004-07-11/0
Posting by http-equiv
http://marc.theaimsgroup.com/?l=full-disclosure&m=108974377110305&w=2
Proof-of-Concept Exploits
Note: Clicking any of these links will launch an exploit
http://www.malware.com/pauls.html
http://freehost07.websamba.com/greyhats/similarmethodnameredir.htm
(c) Drag and Drop Vulnerability
Posting by http-equiv (On August 18, 2004)
http://archives.neohapsis.com/archives/ntbugtraq/2004-q3/0125.html
PoC Exploits
Warning: Clicking these links will launch the PoC Exploits
http://www.malware.com/wottapoop.html
http://www.mikx.de/scrollbar/
CERT Advisory
http://www.kb.cert.org/vuls/id/526089
Akak Trojan
http://www.lurhq.com/akak.html
SecurityFocus BID
http://www.securityfocus.com/bid/10973
(d) Script in Image Tag Download a.k.a Hijackclick3 vulnerability
Posting by Paul (On July 11, 2004)
http://www.securityfocus.com/archive/1/368652/2004-07-05/2004-07-11/0
Postings by http-equiv
http://www.securityfocus.com/archive/1/368666/2004-07-12/2004-07-18/0
http://archives.neohapsis.com/archives/ntbugtraq/2004-q3/0020.html
Proof-of-Concept Exploits
Note: Clicking any of these links will launch an exploit
http://www.malware.com/paul.html
http://freehost07.websamba.com/greyhats/hijackclick3.htm
CERT Advisory
http://www.kb.cert.org/vuls/id/413886
SecurityFocus BID
http://www.securityfocus.com/bid/10690
(e) Internet Explorer Install Engine Control
NGSSoftware Advisory
http://www.nextgenss.com/advisories/msinsengdll.txt
CERT Advisory
http://www.kb.cert.org/vuls/id/637760
SecurityFocus BID
http://www.securityfocus.com/bid/11366
--
http://www.sbslinks.com/really.htm
http://www.msmvps.com/bradley
https://www.ecora.com/ecora/jump/pm99.asp