WordType Designs
Driven To Distractions©
The Sound of One Hand Clapping©


Archive Date
[ 10-06-2000 ]
Category
[ Information Technologies ]
sub-Category
[ Microsoft ]

      [Win2000 Hole a 'Major Threat'
      Six banks and three major PC makers affected by bug that lets attackers view files stored on Microsoft Index Server. Microsoft issues patch.
      David Raikow
      01/28/00

      Windows 2000 is not scheduled for release until Feb. 17, but Microsoft has already released the first security patch affecting it.

      The patch, released by Microsoft on Wednesday, repairs two security bugs in Microsoft Index Server, the more serious of which allows an attacker to read files stored on a target Web server. Index Server is an add-on to Windows NT 4.0 and is built into Windows 2000 (in the form of Indexing Services). Index Server provides developers with Active Scripting and query management capabilities.

      The more dangerous of the two problems, dubbed the "Malformed Hit-Highlighting Argument Vulnerability" by Microsoft (Nasdaq: MSFT), was spotted by David Litchfield of Cerberus Information Security on Jan. 17 and immediately reported to Microsoft security. The bug allows attackers to view files stored on a target Web server and represents a major threat, according to Litchfield.

      "Of course, ideally you make sure there's no sensitive data on your Web server, but this can be incredibly difficult," Litchfield said.

      "A lot of servers have account passwords and user names on them. Even under the best of circumstances you can end up with account information and sometimes credit card numbers stored in temporary files on the server. You should clear those files out regularly, but you still end up with a 'race condition' where attackers can try to grab them before they're erased."

      Microsoft: It's all serious
      "It's not for us to assess the seriousness of this problem, because we take all security risks seriously," said Microsoft Security Manager Scott Culp. "The important thing now is that the patch is out, and that it fixes the problem. All of our customers should check out our security site."

      However, Litchfield's investigation of the bug suggests that the majority of Windows-based servers are at risk. He confirmed that at least six banks and three major computer manufacturers were affected by the bug.

      "The problem is that Index Server is active by default, so most people don't even realize they've got it on. Even if they see an MS alert, they're probably not going to realize that it applies to them," Litchfield said. Culp acknowledged that many users may have the Index server active without realizing it.

      "Of course, from a security perspective, you shouldn't offer any services you don't use," Culp said. "We want to make sure our customers are educated about this, and that they are aware of which services they have active and how to disable what they don't need. We've also given Windows 2000 tighter defaults and made it much easier to configure."

      Second bug relatively minor
      The second of the two bugs allows an intruder to access information about the targeted network, but it is considered relatively minor. Although several specialists assert that this problem has been publicly discussed for several months, Culp stated that Microsoft only became aware of it within the past two weeks. According to Culp, both of these problems were discovered too late to be fixed in the shipping version of Windows 2000.

      "These came to our attention in mid-January, and Windows 2000 went out to OEMs and many customers Dec. 15. It's a shipping product, and we're supporting it as any other shipping product." ]
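An added detection example, not part of the archived article and not code from Microsoft, Cerberus or the author: the bug described above lets a request name a file outside the Web root, so the practical check on a server that may have Index Server active without anyone noticing is to scan the IIS W3C logs for hit-highlighting requests whose file argument climbs out of the Web root. The ".htw" extension and the "CiWebHitsFile" argument are assumptions taken from memory of Microsoft's bulletin, not from the article, and the log excerpt, addresses and paths are constructed for the example.

```python
"""Scan IIS W3C extended log lines for Index Server hit-highlighting requests
whose file argument escapes the Web root (directory traversal).

Added example; the .htw extension, the CiWebHitsFile argument, and the
sample log below are assumptions/constructed data, not taken from the article.
"""
import re
from urllib.parse import parse_qs, unquote

# Constructed IIS 4.0 W3C extended log excerpt. Addresses use documentation
# ranges; paths and requested files are hypothetical.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2000-01-27 10:12:01 192.0.2.10 GET /default.htm - 200
2000-01-27 10:12:05 192.0.2.10 GET /samples/search/qfullhit.htw CiWebHitsFile=/samples/search/qfullhit.htw&CiRestriction=none&CiHiliteType=Full 200
2000-01-27 10:13:44 198.51.100.7 GET /samples/search/qfullhit.htw CiWebHitsFile=/../../winnt/win.ini&CiRestriction=none&CiHiliteType=Full 200
2000-01-27 10:14:02 198.51.100.7 GET /samples/search/qfullhit.htw CiWebHitsFile=%252e%252e%252f%252e%252e%252fconfig%252fdb.inc&CiRestriction=none&CiHiliteType=Full 200
2000-01-27 10:15:30 192.0.2.22 GET /search/query.asp q=..+report 200
"""

HIT_HIGHLIGHT_EXT = ".htw"    # assumption: extension mapped to Index Server hit-highlighting
FILE_PARAM = "ciwebhitsfile"  # assumption: query argument naming the file to highlight


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split(":", 1)[1].split()
            continue
        if fields is None:
            continue  # data before any #Fields header cannot be interpreted
        parts = line.split()
        if len(parts) != len(fields):
            continue  # malformed line; skip rather than misalign columns
        yield dict(zip(fields, parts))


def fully_decode(value, rounds=3):
    """Undo nested percent-encoding so %252e%252e is seen as '..'."""
    for _ in range(rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value


def is_traversal(path):
    """True if the decoded path climbs with '..' or names an absolute Windows drive path."""
    norm = fully_decode(path).replace("\\", "/")
    if any(seg == ".." for seg in norm.split("/")):
        return True
    return re.match(r"^[A-Za-z]:/", norm) is not None


def scan_log(text):
    """Return findings for hit-highlighting requests whose file argument escapes the Web root."""
    findings = []
    for rec in parse_w3c(text):
        stem = rec.get("cs-uri-stem", "")
        query = rec.get("cs-uri-query", "-")
        if not stem.lower().endswith(HIT_HIGHLIGHT_EXT) or query == "-":
            continue
        # Argument names are matched case-insensitively; parse_qs decodes one layer itself.
        args = {k.lower(): v for k, v in parse_qs(query, keep_blank_values=True).items()}
        for value in args.get(FILE_PARAM, []):
            if is_traversal(value):
                findings.append({
                    "ip": rec.get("c-ip"),
                    "stem": stem,
                    "requested": fully_decode(value),
                    "status": rec.get("sc-status"),
                })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f['ip']} requested {f['requested']} via {f['stem']} (HTTP {f['status']})")
```

Run against the constructed excerpt the scanner reports only the two requests from 198.51.100.7; the legitimate highlight request and the unrelated ".." inside a search term are ignored because neither names a file outside the Web root through the highlighting endpoint. A 200 status on such a line is the thing to worry about: it means the file was served.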





Copyright and Fair Use Information: The contents of this web site are protected by international copyright laws and may not be reproduced in any form or manner whatsoever for the purpose of resale or solicitation of a donation. The essays included here may be reproduced only if: 1) they are not altered in any way; 2) reproductions are accompanied by this copyright page; and 3) they are given freely and without charge.
