MS security hole extravaganza

IIS, SQL, MSM, Gopher hole widens....

We've got a treat here; it seems MS has been sitting on a number of security holes which it's decided to dump on us all at once. So, what do you want to patch today?

The first, and probably the worst given the number of systems affected, is a little gremlin in IIS 4 and 5 (Internet Information Server, aka 'Inherently Insecure Server') running on NT 4 and 2K, but not XP. It's a buffer overflow in the way the ISAPI extension that implements HTR, "an older, largely obsolete scripting technology," MS says, handles chunked transfer encoding. It was discovered by Riley Hassell of eEye Digital Security.

It's similar to the IIS buffer overrun in the ASP (Active Server Page) ISAPI filter, which we reported earlier, and like that one it can be exploited to crash the machine or run arbitrary code on it. Briefly, in both cases an attacker controls the chunk sizes declared in the request, and can use them to make IIS miscalculate how much data is coming in and allocate an undersized buffer, which is then overrun by the data that follows.
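To make the "miscalculate incoming data" point concrete, here is an added illustration of that bug class in C. It is not Microsoft's HTR or ASP code (the bulletins do not detail those internals); it is a minimal HTTP/1.1 chunked-body decoder in two variants. The naive variant keeps a running total in 32-bit unsigned arithmetic and checks `total + size <= cap`, so a chunk-size line of `FFFFFFF8` wraps the sum back under the limit; the hardened variant checks `size <= cap - total`, which cannot wrap. The buffer size BODY_CAP, the constructed attacker payload and the deliberately oversized backing array (so the demonstration itself never corrupts memory) are all assumptions made for the example.

```c
/*
 * Added illustration, not the IIS/HTR code: a minimal HTTP/1.1 chunked-body
 * decoder whose length check either wraps (naive) or cannot wrap (hardened).
 */
#include <inttypes.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define BODY_CAP 64u   /* assumed logical size of the server's body buffer */
#define BACKING  512u  /* oversized backing store so the demo never writes out of bounds */

/* Parse "<hex>\r\n" at *p (at most 8 hex digits). On success store the size,
 * advance *p past the CRLF and return 1; otherwise return 0. */
static int parse_chunk_size(const char **p, const char *end, uint32_t *size) {
    uint32_t v = 0;
    int ndigits = 0;
    while (*p < end && ndigits < 8) {
        char c = **p;
        int d;
        if (c >= '0' && c <= '9') d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else break;
        v = (v << 4) | (uint32_t)d;
        (*p)++;
        ndigits++;
    }
    if (ndigits == 0 || end - *p < 2 || (*p)[0] != '\r' || (*p)[1] != '\n')
        return 0;
    *p += 2;
    *size = v;
    return 1;
}

/* Decode a chunked body into out[], whose logical capacity is cap bytes.
 * *written always reflects how many bytes were copied into out[].
 * Returns 0 on a complete body, -1 if the body was rejected or truncated.
 * hardened == 0 reproduces the wrap-prone check; hardened == 1 is the fix. */
static int decode_chunked(const char *in, size_t inlen, char *out, uint32_t cap,
                          int hardened, uint32_t *written) {
    const char *p = in, *end = in + inlen;
    uint32_t total = 0;
    *written = 0;
    for (;;) {
        uint32_t size;
        size_t avail, n;
        if (!parse_chunk_size(&p, end, &size)) return -1;
        if (size == 0) return 0;                       /* last-chunk marker */
        if (hardened) {
            if (size > cap - total) return -1;         /* total <= cap always holds, so no wrap */
        } else {
            if ((uint32_t)(total + size) > cap) return -1;  /* BUG: sum wraps modulo 2^32 */
        }
        /* Copy whatever has actually arrived, as a streaming server would. */
        avail = (size_t)(end - p);
        n = size < avail ? size : avail;
        memcpy(out + total, p, n);                     /* naive variant: may run past cap */
        total += (uint32_t)n;
        *written = total;
        p += n;
        if (n < size) return -1;                       /* truncated body */
        if (end - p < 2 || p[0] != '\r' || p[1] != '\n') return -1;
        p += 2;
    }
}

/* Constructed attacker body: one honest 10-byte chunk, then a chunk-size line of
 * FFFFFFF8 followed by 100 bytes of filler. Returns the payload length. */
static size_t build_wrap_payload(char *buf, size_t bufsz) {
    const char *head = "a\r\n0123456789\r\nFFFFFFF8\r\n";
    size_t hl = strlen(head);
    if (bufsz < hl + 100) return 0;
    memcpy(buf, head, hl);
    memset(buf + hl, 'A', 100);
    return hl + 100;
}

/* Decode the constructed payload with one variant; returns bytes written to out[]. */
static uint32_t demo_written(int hardened) {
    char payload[256];
    char out[BACKING];
    uint32_t written = 0;
    size_t len = build_wrap_payload(payload, sizeof payload);
    memset(out, 0, sizeof out);
    decode_chunked(payload, len, out, BODY_CAP, hardened, &written);
    return written;
}

/* Sanity check: a well-formed body still decodes under the hardened rule. */
static int demo_benign(void) {
    const char body[] = "5\r\nhello\r\n0\r\n\r\n";
    char out[BACKING];
    uint32_t written = 0;
    memset(out, 0, sizeof out);
    if (decode_chunked(body, sizeof body - 1, out, BODY_CAP, 1, &written) != 0) return 0;
    return written == 5 && memcmp(out, "hello", 5) == 0;
}

int main(void) {
    printf("naive decoder wrote %" PRIu32 " bytes into a %u-byte buffer\n", demo_written(0), BODY_CAP);
    printf("hardened decoder wrote %" PRIu32 " bytes, then rejected the wrapped chunk\n", demo_written(1));
    return 0;
}
```

The naive check passes because 10 + 0xFFFFFFF8 wraps to 2, so the 100 bytes that follow land well past the 64-byte limit; the hardened check compares the chunk against the space that is actually left and rejects it before anything is copied.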

"Microsoft has long recommended disabling HTR functionality unless there is a business-critical reason for retaining it...Systems on which HTR is disabled would not be at risk from this vulnerability," MS says. Of course the service is running by default when the system is installed, so we might find that somewhat disingenuous.

MS soft-pedals the severity in classic form, labeling this one "Moderate". But the eEye bulletin rightly points out that a target machine can be owned with a single session if the attacker knows what he's doing.

Since exploit tools already exist for the previous hole, and since this one is similar enough to make modifying and adapting them a snap, MS has decided to release a single-issue patch for it (which seems to contradict their "Moderate" threat label). A cumulative patch will be available in a few weeks' time, the company says. The MS advisory and patch are located here.



Next, we bring you a couple of vulnerabilities in SQLXML, which transfers XML data to and from SQL Server 2K and permits server access via HTTP using XML. These were discovered by Matt Moore of Westpoint Ltd.

The first is an unchecked buffer in the SQLXML ISAPI extension, which could enable an attacker to run arbitrary code on the target machine, and that could mean complete ownership of the database server. It's difficult to exploit, MS hastens to point out.

The second allows script injection via an XML tag from a user account. This might be difficult for an outsider to exploit, but an insider with knowledge of the directory structure and the user account naming conventions would have an easy time.

Again, MS bends over backwards to soft-pedal the significance. "The vulnerability is subject to a number of significant mitigating factors," the company insists, and only grudgingly admits that "under a daunting scenario, the vulnerability could provide an attacker with an avenue by which to run script on another user's system." (my emphasis)

So MS gives them both a "Moderate" label because the buffer-overrun isn't easy to exploit and hacking a user account is nearly impossible what with all the amazingly hard passwords in use these days; but we'd give it a "Critical" because anything that can stuff up a database is a bloody serious business. The MS bulletin and patches are located here.



Moving along, we find that the Remote Access Service (RAS) phonebook in NT 4.0, 2K and XP, which stores information about telephone numbers and network settings needed to dial into remote systems, contains a buffer-overrun vulnerability affecting any executable that has a GUI help feature or connects to the Internet. It was discovered by Mark Litchfield of Next Generation Security Software Ltd.

This flaw would likely appeal first to insiders, as it's necessary to log in as a privileged user, modify the phonebook with "specially malformed data" (MS' preferred euphemism for 'malicious code'), and then initiate a session to a remote machine using RAS. This is not to say that it can't be exploited by an outsider, however. In either case the result could be ownership of the local system.

NT 4.0, NT 4.0 Terminal Server Edition, Win-2K, Win-XP, and MS Routing and Remote Access Server (RRAS) on NT 4.0 Service Pack 6 and NT 4.0 Terminal Server Edition Service Pack 6 are affected.

The MS bulletin and patches are located here. Now that a patch has been developed, Litchfield has released a far more informative bulletin to the BugTraq mailing list.



Finally, we have updates to two previously-reported issues. First, the buffer-overflow vulnerability in the MSN Chat control (an ActiveX control included with MSN Messenger since version 4.5 and Exchange Instant Messenger) needs to be addressed again since we first reported it. It seems that the vulnerable control is repeatedly being downloaded onto patched clients, rendering them vulnerable again. Apparently, users had trusted the MS patch to fix their systems properly. Well it didn't; but it does now. According to MS, with the latest patch installed, you can now accept MSN's incessant invitations to download their vulnerable component, and it will no longer undo the patching.

Second, MS has re-released its warning about the Gopher hole in IE, which we reported recently. Apparently, the thing is a bit worse than MS had originally thought, and affects not only IE but Proxy Server 2.0 and Internet Security and Acceleration (ISA) Server 2K as well.

And of course MS can't resist pretending that there are monumental obstacles to exploitation. "In the case of IE, code would run in the security context of the user. As a result, any limitations on the user's ability would also restrict the actions an attacker's code could take." Right -- that's a help. Just about every PC on the planet is running with the MS equivalent of root privileges.

There still isn't a patch, but there are workarounds. For PC users, the trick is to point IE's Gopher proxy setting at localhost on a port nothing listens on (port 1, say), so that any Gopher request goes nowhere and access is effectively disabled. For server admins there are several, depending on what kit you're running. Detailed instructions for home users and pros alike are included in the new MS bulletin. ®
