Ultimate Windows Security Newsletter:
Issue #12, 2/14/06
In this issue:
- New eBook on the Windows Security Log!
- Randy's Independent Insights on This Month's bulletins
- Randy's take on EventTracker v5
- Subscribe, Unsubscribe and Usage Information
This Month’s Security Updates from Microsoft
Although there are 7 security updates this month, organizations running XP SP2, Office 2003 and Windows Server 2003 SP1 can skip most of them. On Windows Server 2003 SP1 only the TCP/IP denial of service fix, MS06-007, clearly applies (MS06-008 applies too if the Web Client service has been enabled), assuming administrators refrain from dangerous interactive activities on servers such as browsing the web and reading email. XP SP2 workstations need at least MS06-005 and MS06-007, and MS06-008 unless the Web Client service is stopped or ports 139 and 445 are blocked. If you are using some other web browser than IE, be sure to check MS06-006. If you still have Office 2000 deployed, MS06-010 will be important to you, as will MS06-009 if you have Office 2003 Proofing Tools or East Asian language versions of Windows or Office on your network.
New eBook on the Windows Security Log!
I am very excited to announce the publication of my new 100+ page eBook, The Windows Server 2003 Security Log Revealed. Almost a year ago I made the Security Log Encyclopedia available as a free Internet-based resource for researching Windows security log events. While the encyclopedia provides important information on an event-by-event basis, there's much more to effective monitoring, analysis and reporting of the security log.
The book provides in-depth explanation of all 9 security log categories and shows you how to interpret events in relation to each other. The book contains screen prints and diagrams on nearly every page to help you relate the information to the real world and maximize comprehension.
You will learn:
- Interpret Kerberos and NTLM authentication events
- Track file access, including permission changes
- Monitor program execution
- Detect and report changes in administrator authority
- Centrally monitor logons
- Track changes in system policy, including group policy objects and OUs
- Audit file system activity such as changes to critical files
- Learn which events are worth monitoring and which are just "noise"
- Understand the security log and all its arcane codes and event IDs
You can find much more information about the book at http://www.ultimatewindowssecurity.com/ebook including the Table of Contents. You can even read the introduction and the 2nd chapter (Audit Policies and Event Viewer). As a subscriber to this newsletter you can save over 33% when you purchase the book in the next 7 days. Just use coupon code NL323 when you order online at http://www.ultimatewindowssecurity.com/ecom.
MS06-004 - Cumulative Security Update for Internet Explorer (910620)
This is another critical Windows Metafile (WMF) vulnerability, but it only affects systems running Internet Explorer 5.x. The only *supported* vulnerable configuration is Windows 2000 SP4 running IE 5.01; earlier Windows 2000 service packs are past the end of their support life cycle. You are not vulnerable if you are already running IE 6 SP1 on Windows 2000. For most organizations this is a workstation vulnerability that allows arbitrary code execution through malformed WMF image files. Organizations running Windows 2000 Professional should install this update or upgrade to IE 6 SP1. Details of the vulnerability are public.
MS06-005 - Vulnerability in Windows Media Player Could Allow Remote Code Execution (911565)
This critical remote code execution vulnerability is primarily a workstation issue affecting Windows Media Player on Windows 2000 SP4, XP SP1, XP SP2 and Windows Server 2003 without SP1. It would most likely be exploited through end-user activities such as playing media in Windows Media Player, browsing the web, reading email or editing Office documents with embedded Windows Media content. No exploit code was public and MS has no reports of attacks. MS offers a number of workarounds that appear to have minimal functionality impact; they could be scripted and deployed through group policy or SMS.
Randy's take on EventTracker v5
Earlier this month I visited Prism Microsystems' Columbia headquarters and met with Prism's designers to provide feedback on upcoming enhancements to EventTracker, a log management solution.
I've always been impressed with EventTracker since I initially reviewed it several years ago. One of my key requirements for a security log management solution is rich functionality for dealing with the Description portion of security events, since so much of the important information in security events resides there. EventTracker takes the unique approach of allowing you to use regular expressions for defining rules for filtering noise, triggering alerts or selecting records for reports. Regular expressions are a powerful and flexible method for processing text information. If you are intimidated by the cryptic codes used in regular expressions, you'll like the enhancements coming to EventTracker.
In the coming months you'll see more information from me on selecting the right security log management solution for your needs as well as getting the most out of it. Stay tuned.
MS06-006 - Vulnerability in Windows Media Player Plug-in with Non-Microsoft Internet Browsers Could Allow Remote Code Execution (911564)
Unless you are using a non-IE browser such as Firefox, you can ignore this update. This important remote code execution vulnerability is another mostly-workstation issue, but it only affects the Windows Media Player plug-in used by “alternative” web browsers. The published workaround (deployable through group policy) has minimal functionality impact, affecting only sites that play multimedia content using EMBED rather than OBJECT elements.
MS06-007 - Vulnerability in TCP/IP Could Allow Denial of Service (913446)
This is a privately reported denial of service vulnerability affecting XP SP1, XP SP2 and all versions of Windows Server 2003. Servers exposed to IGMP traffic from the Internet should receive this patch to prevent denial of service attacks in which the system “stops responding”. IGMP is the protocol that manages multicast group membership; the published workarounds may allow you to defer loading the update, but I advise you to first verify that your server does not depend on IGMP (and thus multicast) functionality. This update requires a restart.
Benefits of The Windows Server 2003 Security Log Revealed
- Finally get real ROI from your security log management solution
- Comply with SOX, HIPAA, GLBA (et al) monitoring and reporting requirements
- Establish audit trails for change control
- Detect suspicious behavior and intrusion attempts
- Enforce accountability over administrators
- Conduct better investigations and forensic analysis
Use coupon code NL323 at http://www.ultimatewindowssecurity.com/ecom to save $10 off the cost of the book.
MS06-008 - Vulnerability in Web Client Service Could Allow Remote Code Execution (911927)
This interesting vulnerability allows a remote attacker to connect to the Web Client service on a target system via TCP port 139 or 445 and execute arbitrary code with full system authority. What makes it surprising is that it is an incoming-connection attack against a client service. Doubly surprising is that while the Web Client implements WebDAV, the attack vector is TCP port 139 or 445 rather than the ports 80 or 443 normally associated with WebDAV. Windows Server 2003 is only vulnerable if the Web Client service is started; it is disabled by default. XP is vulnerable if the Web Client service is started (on XP it is by default) and incoming connections to port 139 or 445 are allowed. Many organizations that keep Web Client disabled on Windows Server 2003 and use Windows Firewall on XP to block ports 139 and 445 will choose to forgo this update; verify both conditions on the actual hosts before doing so.
MS06-009 - Vulnerability in the Korean Input Method Editor Could Allow Elevation of Privilege (901190)
This vulnerability only affects systems with Office 2003 Proofing Tools, Korean language versions of Windows and Office 2003, or any other East Asian language version with the Korean IME enabled. This privilege escalation vulnerability requires an interactive or Remote Desktop logon, so the attacker must already be able to log on to the system. Most organizations will forgo this update.
For centralized event management
Prism Microsystems' EventTracker software provides centralized event consolidation, correlation, reporting and monitoring for Windows, UNIX and SNMP systems from a single console. EventTracker helps meet audit compliance and enhances security. It provides unattended enterprise-wide event log management allowing you to consolidate event logs across platforms, correlate event occurrences, and perform in-depth event log analysis and reporting for tens of millions of events a day.
MS06-010 - Vulnerability in PowerPoint 2000 Could Allow Information Disclosure (889167)
This vulnerability only affects PowerPoint 2000 and only allows an attacker to read objects in the Temporary Internet Files folder. The published workarounds configure Windows to open web-based PowerPoint presentations in a new PowerPoint window instead of inside Internet Explorer. Most organizations will forgo this update.
Until next month, happy patching! Don't forget about the coupon code for saving $10 on The Windows Server 2003 Security Log Revealed. The coupon code expires in 7 days.
Regards,
Randy Franklin Smith
CISA, SSCP, Microsoft Security MVP
CEO, Monterey Technology Group, Inc.
Subscribe, Unsubscribe and Usage Information
- subscribe to this newsletter
- unsubscribe from this newsletter
- usage information
If you've received this message as a forward from a friend, or are reading it online in the archives, you can sign up for your own newsletter subscription.
Also, if you want to unsubscribe, you can do that too (but we'll be sad to see you go). See below for unsubscribe information.
You can use this information as you see fit, but if you're going to copy any portion, please FORWARD THE ENTIRE email.
While Monterey Technology Group, Inc. tries to ensure that all information is technically accurate, we make no warranty with regard to the information within. Please use at your own risk.
Thanks for reading!
List address: MonthlySecurityTip@ultimatewindowssecurity.com
Subscribe: MonthlySecurityTip-subscribe@ultimatewindowssecurity.com
Unsubscribe: MonthlySecurityTip-unsubscribe@ultimatewindowssecurity.com