Microsoft Repairs Major Security Flaw

greenspun.com : LUSENET : Grassroots Information Coordination Center (GICC) : One Thread
Canoe

Wednesday, May 2, 2001

Microsoft repairs major security flaw

SEATTLE (AP) -- Microsoft Corp. has released a patch to repair a security flaw that could allow a hacker to gain complete control, in a matter of seconds, of a Web site running its flagship server software.

The hole in Windows 2000 Server's Internet Information Server was discovered about two weeks ago in the software's Internet printing component by eEye Digital Security Inc. of Aliso Viejo, Calif.

"The thing that's different about this flaw compared to some other flaws is that it basically affects every installation, no matter what security patches you have installed," said Mark Maiffret, eEye's chief hacking officer.

Microsoft security program manager Scott Culp said customers running any version of the Internet server software would be vulnerable to an attack unless they had disabled the flawed Internet printing component.

"It is certainly a serious vulnerability," Culp said.

A repair is available on the company Web site, and customers have been notified through subscription lists and by Microsoft technicians, Culp said.

The problem is serious enough to delay the release of Windows 2000 Service Pack II, a Windows 2000 operating system update that was almost ready to ship but must now be reworked to allow a fix for the flaw.

Culp said Microsoft does not know when this product would be released, or how much the delay will cost.

Richard Reiner, head of security operations for FSC Internet Corp. in Toronto, said the flaw is especially nasty because most firewall programs will not protect against this type of attack.

He said the biggest concern now is that the flaw has been made public but not all companies using the software may know of it.

"It's going to be a long window of vulnerability," he said.

On April 16, Microsoft offered a fix for its first major Internet security software, a product called Internet Security and Acceleration, which was released with a defect that could allow a so-called denial of service attack.

That problem had been discovered two weeks previously by FSC Internet Corp. after 15 minutes of routine testing.

-- Rachel Gibson (rgibson@hotmail.com), May 02, 2001

Moderation questions? read the FAQ