MS security hole extravaganza

IIS, SQL, MSM, Gopher hole widens....


We've got a treat here; it seems MS has been sitting on a number of security holes which it's decided to dump on us all at once. So, what do you want to patch today?

The first, and probably the worst due to the number of systems affected, is a little gremlin in IIS 4 and 5 (Internet Information Server aka 'Inherently Insecure Server') running on NT 4 and 2K, but not XP. This is a buffer overflow vulnerability involving chunked encoding in the ISAPI extension that implements HTR, "an older, largely obsolete scripting technology," MS says. It was discovered by Riley Hassell of eEye Digital Security.

It's similar to the IIS buffer overrun in the ASP ISAPI extension, which we reported earlier. Either can be exploited to crash the machine or to run arbitrary code on it. Briefly, in both cases an attacker can make IIS miscalculate the size of the incoming data and allocate an undersized buffer, which the rest of the request then overruns; that is a textbook setup for exploitation.
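To make the "miscalculate incoming data" failure concrete, here is an added illustration of that class of bug in a chunked-transfer decoder. It is not the IIS or HTR code, not eEye's finding, and the page does not say which arithmetic IIS got wrong; the specific pattern shown (a hex chunk size accumulated without an overflow check, handed to a signed bounds check that a wrapped value walks straight through) is an assumption chosen to show the mechanism, and the buffer size and request bodies are constructed for the example.

```c
#include <ctype.h>
#include <stddef.h>
#include <string.h>

/* Assumed size of the buffer the decoder writes into; not from the page. */
#define BODY_CAP 4096

/* Value of one hex digit, or -1 if c is not a hex digit. */
static int hexval(int c)
{
    if (c >= '0' && c <= '9') return c - '0';
    c = tolower(c);
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    return -1;
}

/* The careless version: the chunk-size line is accumulated into 32 bits
 * with no overflow check and then treated as a signed length. A size line
 * of "FFFFFFFF" therefore comes back as -1. */
int naive_chunk_size(const char *line)
{
    unsigned int n = 0;
    int d;
    while ((d = hexval((unsigned char)*line)) >= 0) {
        n = n * 16u + (unsigned int)d;   /* wraps silently past 2^32 */
        line++;
    }
    return (int)n;   /* values above INT_MAX come back negative on common toolchains */
}

/* The bounds check that such a value walks through: a signed comparison
 * against the buffer capacity accepts any negative length, and the copy
 * that followed would receive that length as an enormous size_t.
 * Returns 1 if the chunk would be accepted, 0 if rejected. Nothing is
 * copied here; this only reports the decision. */
int naive_check_accepts(const char *line, int capacity)
{
    int len = naive_chunk_size(line);
    return len <= capacity;
}

/* Hardened size parse: at least one digit, no overflow, and never more
 * than 'limit' (the space actually left in the output buffer). Reads only
 * up to 'end'. Returns the size, or -1 to reject; on success *next points
 * just past the digits. */
long safe_chunk_size(const char *p, const char *end, size_t limit,
                     const char **next)
{
    size_t n = 0;
    int digits = 0, d;
    while (p < end && (d = hexval((unsigned char)*p)) >= 0) {
        /* reject before n * 16 + d could exceed limit (and so before it could wrap) */
        if ((size_t)d > limit || n > (limit - (size_t)d) / 16) return -1;
        n = n * 16 + (size_t)d;
        p++;
        digits++;
    }
    if (digits == 0) return -1;
    *next = p;
    return (long)n;
}

/* Decode a chunked body into out[out_cap]. Every chunk size is checked
 * against the input remaining and the output space remaining before any
 * byte is copied. Returns the decoded length, or -1 on malformed or
 * oversized input. Chunk extensions are skipped and trailers ignored. */
long decode_chunked(const char *in, size_t in_len, char *out, size_t out_cap)
{
    const char *p = in, *end = in + in_len;
    size_t produced = 0;

    for (;;) {
        const char *q;
        long sz = safe_chunk_size(p, end, out_cap - produced, &q);
        if (sz < 0) return -1;

        /* skip any ";ext=val" and require CRLF to terminate the size line */
        while (q + 1 < end && !(q[0] == '\r' && q[1] == '\n')) q++;
        if (q + 1 >= end) return -1;
        p = q + 2;

        if (sz == 0) return (long)produced;          /* last chunk */

        /* the chunk data plus its trailing CRLF must actually be present */
        if ((size_t)(end - p) < (size_t)sz + 2) return -1;
        memcpy(out + produced, p, (size_t)sz);
        produced += (size_t)sz;
        p += sz;
        if (p[0] != '\r' || p[1] != '\n') return -1;
        p += 2;
    }
}

/* Constructed request bodies (not captured traffic) exercising both paths. */
static const char GOOD_BODY[] = "4\r\nWiki\r\n5\r\npedia\r\n0\r\n\r\n";
static const char EVIL_BODY[] = "FFFFFFFF\r\nAAAA\r\n0\r\n\r\n";

/* Returns 1 if the well-formed body decodes to "Wikipedia". */
int example_good(void)
{
    char out[BODY_CAP];
    long n = decode_chunked(GOOD_BODY, sizeof GOOD_BODY - 1, out, sizeof out);
    return n == 9 && memcmp(out, "Wikipedia", 9) == 0;
}

/* Returns 1 if the oversized chunk size is refused before any copy happens. */
int example_evil_rejected(void)
{
    char out[BODY_CAP];
    return decode_chunked(EVIL_BODY, sizeof EVIL_BODY - 1, out, sizeof out) == -1;
}
```

The point of the pairing: `naive_check_accepts("FFFFFFFF", BODY_CAP)` says yes because -1 is less than 4096, while `safe_chunk_size` refuses the same size line on the fourth digit, before anything is allocated or copied. The hardened decoder bounds the size against the space it really has left, not against a constant.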

"Microsoft has long recommended disabling HTR functionality unless there is a business-critical reason for retaining it...Systems on which HTR is disabled would not be at risk from this vulnerability," MS says. Of course the HTR mapping is enabled by default when the server is installed, so we might find that somewhat disingenuous.

MS soft-pedals the severity in classic form, labeling this one "Moderate". But the eEye bulletin rightly points out that a target machine can be owned with a single session if the attacker knows what he's doing.

Since exploit tools already exist for the previous hole, and since this one is similar enough to make modifying and adapting them a snap, MS has decided to release a single-issue patch for it (which seems to contradict their "Moderate" threat label). A cumulative patch will be available in a few weeks' time, the company says. The MS advisory and patch are located here.



Next, we bring you a couple of vulnerabilities in SQLXML, which transfers XML data to and from SQL Server 2K and permits server access via HTTP using XML. These were discovered by Matt Moore of Westpoint Ltd.

The first is an unchecked buffer in the SQLXML ISAPI extension, which could let an attacker run arbitrary code on the target machine, meaning complete ownership of the database server. It's difficult to exploit, MS hastens to point out.

The second allows script injection via an XML tag from a user account. This might be difficult for an outsider to exploit, but an insider with knowledge of the directory structure and the user account naming conventions would have an easy time.

Again, MS bends over backwards to soft-pedal the significance. "The vulnerability is subject to a number of significant mitigating factors," the company insists, and only grudgingly admits that "under a daunting scenario, the vulnerability could provide an attacker with an avenue by which to run script on another user's system." (my emphasis)

So MS gives them both a "Moderate" label because the buffer-overrun isn't easy to exploit and hacking a user account is nearly impossible what with all the amazingly hard passwords in use these days; but we'd give it a "Critical" because anything that can stuff up a database is a bloody serious business. The MS bulletin and patches are located here.



Moving along, we find that the Remote Access Service (RAS) phonebook in NT 4.0, 2K and XP, which stores information about telephone numbers and network settings needed to dial into remote systems, contains a buffer-overrun vulnerability affecting any executable that has a GUI help feature or connects to the Internet. It was discovered by Mark Litchfield of Next Generation Security Software Ltd.

This flaw would likely appeal first to insiders, as it's necessary to log in as a privileged user, modify the phonebook with "specially malformed data" (MS' preferred euphemism for 'malicious code'), and then initiate a session to a remote machine using RAS. This is not to say that it can't be exploited by an outsider, however. In either case the result could be ownership of the local system.

NT 4.0, NT 4.0 Terminal Server Edition, Win-2K, Win-XP, and MS Routing and Remote Access Server (RRAS) on NT 4.0 Service Pack 6 and NT 4.0 Terminal Server Edition Service Pack 6 are affected.

The MS bulletin and patches are located here. Now that a patch has been developed, Litchfield has released a far more informative bulletin to the BugTraq mailing list.



Finally, we have updates to two previously-reported issues. First, the buffer-overflow vulnerability in the MSN Chat control (an ActiveX control included with MSN Messenger since version 4.5 and Exchange Instant Messenger) needs to be addressed again since we first reported it. It seems that the vulnerable control is repeatedly being downloaded onto patched clients, rendering them vulnerable again. Apparently, users had trusted the MS patch to fix their systems properly. Well it didn't; but it does now. According to MS, with the latest patch installed, you can now accept MSN's incessant invitations to download their vulnerable component, and it will no longer undo the patching.

Second, MS has re-released its warning about the Gopher hole in IE, which we reported recently. Apparently, the thing is a bit worse than MS had originally thought, and affects not only IE but Proxy Server 2.0 and Internet Security and Acceleration (ISA) Server 2K as well.

And of course MS can't resist pretending that there are monumental obstacles to exploitation. "In the case of IE, code would run in the security context of the user. As a result, any limitations on the user's ability would also restrict the actions an attacker's code could take." Right -- that's a help. Just about every PC on the planet is running with the MS equivalent of root privileges.

There still isn't a patch, but there are workarounds. For PC users, point the browser's Gopher proxy setting at an address nothing listens on, such as localhost on port 1, so that any Gopher request simply fails instead of reaching a hostile server. For server admins there are several, depending on what kit you're running. Detailed instructions for home users and pros alike are included in the new MS bulletin. ®
