Microsoft races to
plug Web security hole
By Robert
Lemos
Special to CNET News.com
May 1, 2001, 11:25 a.m. PT
http://news.cnet.com/news/0-1003-200-5784437.html?tag=prntfr
Microsoft announced a serious security hole Tuesday in its flagship Web
server software and raced to convince system administrators to patch their
Web servers before online vandals compromise their systems.
The flaw affects
Window 2000 server software running version 5.0 of Internet Information
Server (IIS). The hole is in Windows 2000's Internet printing module but
can only be exploited if IIS is activated.
"It is a serious
vulnerability," said Scott Culp, security product manager for the
software giant. "We are going to some extraordinary steps. We want to
make sure the people know about this vulnerability and apply the fix
now."
The vulnerability
affects servers with Internet printing turned on, the default setting with
the software. By sending a specially formatted string of characters, the
printing module can be made to give the remote user full access to the Web
server.
Marc Maiffret, chief
hacking officer for network protection firm eEye
Digital Security, said the vulnerability is very serious.
"There are at
least a million web servers sitting on the Internet that, within a few
minutes, you can get system level access to them," he said. The Aliso
Viejo, Calif., company discovered the flaw two weeks ago and notified
Microsoft immediately.
The flaw allows
properly written remote commands to overflow the memory for the Internet
printing service's ISAPI (Internet Service Application Programming
Interface).
Web servers using
Microsoft's IIS 4.0 software are not affected by the flaw. Companies that
have set up their Web server with the printing turned off--as outlined in
Microsoft's "IIS Security Checklist" guidelines--or used the IIS
Security Lockdown Tool don't need to worry about the vulnerability,
either.
Microsoft has taken
extraordinary steps to try to convince system administrators to patch the
software.
Microsoft posted a
patch and security
advisory on its site at 10 a.m. PDT describing the vulnerability.
In addition, the
company notified information-sharing and analysis centers, which informed
key sectors, such as the telecommunications industry and the information
technology industry, of critical security holes.
Microsoft has decided
to hold Service Pack 2--a collection of updates and big fixes--for Windows
2000 until it can integrate the patch with the update.
"The update was
in the can, and we delayed it because this fix has to go in," Culp
said.
The announcement of
the vulnerability comes at a bad time, as Chinese and American online
vandals have apparently started cooperating for a weeklong string of attacks
on government and corporate servers to protest the actions of each other's
governments.
Bill Wall, chief
security engineer for technology support firm Harris, said that online
vandals will most likely have an exploit for the new flaw in a matter of
hours.
"This will be the
next vulnerability of choice for breaking into Web servers by
hackers," he said.
|