ET

Microsoft admits hacking flaw in software

By Robert Uhlig, Technology Correspondent

MICROSOFT has been forced to admit that its latest software has a flaw which allows hackers to gain complete control of websites in a matter of seconds.

The flaw affects a Microsoft product called Internet Information Server, part of Windows 2000 and used by tens of thousands of the most prominent e-commerce websites, including Nasdaq.com and Barnesandnoble.com. It was discovered about two weeks ago by the Californian firm, eEye Digital Security.

Mark Maiffret, eEye's chief hacking officer, said: "It affects every installation, no matter what security patches you have installed." Scott Culp, Microsoft's security program manager, said customers running any version of the internet software would be vulnerable unless they had taken certain security steps to disable the component of the programme that has the flaw.

Mr Culp said a fix was available on Microsoft's website, and customers had been notified through subscription lists and technicians. The problem has forced Microsoft to delay the release of Service Pack II, an update to Windows 2000.

-- Anonymous, May 03, 2001

Answers

Complete report from eEye Digital Security here: Wi ndows 2000 IIS 5.0 Remote buffer overflow vulnerability (Remote SYSTEM Level Access)

Some spooky items:

The Log: Actually there is no log because this vulnerability, like most IIS buffer overflows, does not get logged. That means some of the largest Web servers on the Internet running Windows 2000 are vulnerable to this attack and when exploited, there will be no IIS log anywhere that records the attack.

The Fallout:As with our first remote SYSTEM level exploit for IIS 4.0 two years ago, the fallout from this second IIS remote overflow is also rather large. Once again it does not matter what kind of security systems you have in place, Firewalls, IDS's, etc., because all of these systems can be bypassed and your Web server CAN be broken into via this vulnerability.

You can download the Microsoft supplied patch from: You can download the Microsoft supplied patch from: http://www.microsoft.com/technet/security/bulletin/ms01- 023.asp

After all these years, after all these bugs, isn't it odd that MIcrosoft is still designing sloppy software? But hey, the stuff sells anyway, right?

-- Anonymous, May 04, 2001

Yeah, odd as in they should know better by now.

But then, I guess they don't care because, as you stated, it sells anyway.

Maybe if there was a way to sue them for damages....

But they have that covered pretty well in the agreements used for registering and using the software.

-- Anonymous, May 04, 2001