MS security hole extravaganza

IIS, SQL, MSM, Gopher hole widens....


We've got a treat here; it seems MS has been sitting on a number of security holes which it's decided to dump on us all at once. So, what do you want to patch today?

The first, and probably the worst due to the number of systems affected, is a little gremlin in IIS 4 and 5 (Internet Information Server aka 'Inherently Insecure Server') running on NT 4 and 2K, but not XP. This is a buffer overflow vulnerability involving chunked encoding in the ISAPI extension that implements HTR, "an older, largely obsolete scripting technology," MS says. It was discovered by Riley Hassell of eEye Digital Security.

It's similar to the IIS buffer overrun issue with the ASP (Active Server Page) ISAPI filter, which we reported earlier. This can be exploited to crash the machine or run arbitrary code on it. Briefly, in both cases an attacker can cause IIS to miscalculate incoming data and allocate undersized buffers which can easily be exploited.
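The failure pattern the paragraph describes, as an added illustration in C that is not IIS code and not taken from the eEye or Microsoft bulletins: a chunk size read from the request is used as-is to size a buffer, so a large declared length wraps the allocation arithmetic to a small number while the copy still trusts the large value. The constants, function names and the "hardened" parser beside it are assumptions made for the example.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Added example only. Models the bug class described in the article, not
 * the actual HTR/ASP ISAPI code. Constants are assumed for illustration. */
#define HEADER_OVERHEAD 16u            /* assumed per-chunk bookkeeping bytes */
#define MAX_CHUNK       (64u * 1024u)  /* assumed policy cap on one chunk */

/* Naive sizing: 32-bit arithmetic on an attacker-chosen length wraps,
 * so a huge declared size yields a tiny allocation. The later copy,
 * which still uses declared_len, would then run past the buffer. */
uint32_t naive_alloc_size(uint32_t declared_len) {
    return declared_len + HEADER_OVERHEAD; /* wraps when declared_len > UINT32_MAX - 16 */
}

/* Hardened parse of a chunk-size line ("1a\r\n", "200;ext=1\r\n"):
 * rejects non-hex input, an empty size, accumulator overflow, sizes over
 * the policy cap, and sizes larger than the bytes the request actually
 * carries. Returns 0 on success and stores the size in *out; -1 otherwise. */
int parse_chunk_size(const char *line, size_t available, size_t *out) {
    if (line == NULL || out == NULL) return -1;
    uint64_t v = 0;
    size_t n = 0;
    for (; line[n] != '\0' && line[n] != '\r' && line[n] != ';'; n++) {
        char c = line[n];
        int d;
        if (c >= '0' && c <= '9')      d = c - '0';
        else if (c >= 'a' && c <= 'f') d = c - 'a' + 10;
        else if (c >= 'A' && c <= 'F') d = c - 'A' + 10;
        else return -1;                       /* not a hex digit */
        if (v > (UINT64_MAX >> 4)) return -1; /* next shift would overflow */
        v = (v << 4) | (uint64_t)d;
    }
    if (n == 0)         return -1;            /* empty size field */
    if (v > MAX_CHUNK)  return -1;            /* exceeds policy maximum */
    if (v > available)  return -1;            /* claims more than the body holds */
    *out = (size_t)v;
    return 0;
}

/* Allocation size computed only after validation, with an explicit
 * overflow check instead of silent wraparound. */
int safe_alloc_size(size_t chunk_len, size_t *out) {
    if (chunk_len > SIZE_MAX - HEADER_OVERHEAD) return -1;
    *out = chunk_len + HEADER_OVERHEAD;
    return 0;
}

/* Convenience wrapper: validated chunk size as a long, or -1 if rejected. */
long checked_size(const char *line, size_t available) {
    size_t sz;
    if (parse_chunk_size(line, available, &sz) != 0) return -1;
    return (long)sz;
}

int main(void) {
    /* Constructed inputs: a benign chunk line and a hostile one. */
    printf("naive size for 0xFFFFFFF0 -> %u (wrapped)\n", naive_alloc_size(0xFFFFFFF0u));
    printf("checked '1a'       -> %ld\n", checked_size("1a\r\n", 100));
    printf("checked 'FFFFFFFF' -> %ld\n", checked_size("FFFFFFFF\r\n", 100));
    return 0;
}
```

The point a reviewer would take from this is the order of operations: validate the untrusted length against both a policy cap and the bytes actually present, then compute the allocation with an overflow check, and only then copy. The naive version does the arithmetic first and never looks back.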

"Microsoft has long recommended disabling HTR functionality unless there is a business-critical reason for retaining it...Systems on which HTR is disabled would not be at risk from this vulnerability," MS says. Of course the service is running by default when the system is installed, so we might find that somewhat disingenuous.

MS soft-pedals the severity in classic form, labeling this one "Moderate". But the eEye bulletin rightly points out that a target machine can be owned with a single session if the attacker knows what he's doing.

Since exploit tools already exist for the previous hole, and since this one is similar enough to make modifying and adapting them a snap, MS has decided to release a single-issue patch for it (which seems to contradict their "Moderate" threat label). A cumulative patch will be available in a few weeks' time, the company says. The MS advisory and patch are located here.

Next, we bring you a couple of vulnerabilities in SQLXML, which transfers XML data to and from SQL Server 2K and permits server access via HTTP using XML. These were discovered by Matt Moore of Westpoint Ltd.

The first is an ISAPI extension which contains an unchecked buffer, which in turn can enable an attacker to run arbitrary code on the target machine. This could mean complete ownership of the database server. It's difficult to exploit, MS hastens to point out.

The second allows script injection via an XML tag from a user account. This might be difficult for an outsider to exploit, but an insider with knowledge of the directory structure and the user account naming conventions would have an easy time.

Again, MS bends over backwards to soft-pedal the significance. "The vulnerability is subject to a number of significant mitigating factors," the company insists, and only grudgingly admits that "under a daunting scenario, the vulnerability could provide an attacker with an avenue by which to run script on another user's system." (my emphasis)

So MS gives them both a "Moderate" label because the buffer-overrun isn't easy to exploit and hacking a user account is nearly impossible what with all the amazingly hard passwords in use these days; but we'd give it a "Critical" because anything that can stuff up a database is a bloody serious business. The MS bulletin and patches are located here.

Moving along, we find that the Remote Access Service (RAS) phonebook in NT 4.0, 2K and XP, which stores information about telephone numbers and network settings needed to dial into remote systems, contains a buffer-overrun vulnerability affecting any executable that has a GUI help feature or connects to the Internet. It was discovered by Mark Litchfield of Next Generation Security Software Ltd.

This flaw would likely appeal first to insiders, as it's necessary to log in as a privileged user, modify the phonebook with "specially malformed data" (MS' preferred euphemism for 'malicious code'), and then initiate a session to a remote machine using RAS. This is not to say that it can't be exploited by an outsider, however. In either case the result could be ownership of the local system.

NT 4.0, NT 4.0 Terminal Server Edition, Win-2K, Win-XP, and MS Routing and Remote Access Server (RRAS) on NT 4.0 Service Pack 6 and NT 4.0 Terminal Server Edition Service Pack 6 are affected.

The MS bulletin and patches are located here. Now that a patch has been developed, Litchfield has released a far more informative bulletin to the BugTraq mailing list.

Finally, we have updates to two previously-reported issues. First, the buffer-overflow vulnerability in the MSN Chat control (an ActiveX control included with MSN Messenger since version 4.5 and Exchange Instant Messenger) needs to be addressed again since we first reported it. It seems that the vulnerable control is repeatedly being downloaded onto patched clients, rendering them vulnerable again. Apparently, users had trusted the MS patch to fix their systems properly. Well it didn't; but it does now. According to MS, with the latest patch installed, you can now accept MSN's incessant invitations to download their vulnerable component, and it will no longer undo the patching.

Second, MS has re-released its warning about the Gopher hole in IE, which we reported recently. Apparently, the thing is a bit worse than MS had originally thought, and affects not only IE but Proxy Server 2.0 and Internet Security and Acceleration (ISA) Server 2K as well.

And of course MS can't resist pretending that there are monumental obstacles to exploitation. "In the case of IE, code would run in the security context of the user. As a result, any limitations on the user's ability would also restrict the actions an attacker's code could take." Right -- that's a help. Just about every PC on the planet is running with the MS equivalent of root privileges.

There still isn't a patch, but there are workarounds. For PC users, just use a Gopher proxy like localhost with a port like 1 to disable access. For server admins there are several, depending on what kit you're running. Detailed instructions for home users and pros alike are included in the new MS bulletin. ®
