Proof Win2K is still insecure by design

Did you ever believe anything else?

A day after boasting that Windows 2000 has won Common Criteria security certification, Microsoft was yesterday obliged to warn of two nasty vulnerabilities affecting, er, Windows 2000.

The timing couldn't be more embarrassing for Redmond but, let's face it, the appearance of more bugs in Win2K (or IE, WinXP etc.) is hardly much of a surprise.

First up and more seriously, a buffer overflow flaw has been unearthed involving Microsoft's implementation of Point-to-Point Tunnelling Protocol (PPTP), a Virtual Private Networking technology natively supported within Windows 2000 and Windows XP. PPTP support is an optional component in Windows NT 4.0, Windows 98, Windows 98SE, and Windows ME.

Although Microsoft reckons the vulnerability would be difficult to exploit in practice, and could only be used to make systems fall over rather than be taken over (a denial of service, not remote code execution), it still rates the vulnerability as critical. You can find the patch by following the link on Microsoft's advisory here.

Less seriously, at least according to Redmond, is an alert warning that "Windows 2000 Default Permissions Could Allow Trojan Horse Program".

A dramatic title indeed, but what we're talking about here is what Microsoft rates as a "moderate risk" that could only be abused by someone who can log on to the same workstation as an intended victim. This only really affects workstations (not servers), and the risk is from internal miscreants, not external attackers. Terminal Server sessions would also be at little risk, because each user's environment is isolated.

That said, of particular note - given Win2K's hard won Common Criteria certification - is that Microsoft designed this problem into Win2K in the first place.

On Windows 2000, the default permissions give the Everyone group Full Control on the system root folder, that is, the root of the system drive (typically C:\). The system root is normally not in the search path. However, during logon, or when applications are invoked directly from the Windows desktop (via Start | Run), it can be the current directory, and Windows searches the current directory for an executable before it searches the system directories.

This means an attacker might be able to mount a Trojan horse attack against other users of the same system, by creating a program in the system root with the same name as some commonly used program, then waiting for another user to subsequently log onto the system and invoke the program.

The Trojan horse program would execute with the user's own privileges, allowing it to take any action that the user could take.

Fixing the problem requires changes in administrative procedure, not a patch, which Microsoft explains in its advisory here.
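The administrative fix amounts to tightening the ACL on the root of the system drive so that ordinary users can no longer drop an executable there. The following batch script is an added example, not code from the article or from Microsoft's advisory; it assumes the system drive is C:, uses the cacls.exe that ships with Windows 2000, and the restricted permission set it applies (Administrators and SYSTEM keep Full Control, Users get Read) is chosen here for illustration rather than copied from Microsoft's procedure.

```batch
@echo off
REM Added example, not from the article or the advisory.
REM Assumes: system drive is C:, cacls.exe from Windows 2000, run from an
REM administrative command prompt. The chosen permissions are illustrative.

REM 1. Inspect the current ACL on the root of the system drive. On a default
REM    Windows 2000 workstation the vulnerable entry looks like:
REM        C:\ Everyone:(OI)(CI)F
REM    (OI)(CI) mean the entry is inherited by new files and folders; F = Full Control.
cacls C:\

REM 2. Remove the Everyone entry from the root directory only. /E edits the ACL
REM    instead of replacing it; no /T, so subfolders keep their own ACLs.
cacls C:\ /E /R Everyone

REM 3. Grant an illustrative restricted set: administrators and the system keep
REM    Full Control, ordinary users get Read so they can still list and run what
REM    is already in the root but cannot create a file there.
cacls C:\ /E /G Administrators:F
cacls C:\ /E /G SYSTEM:F
cacls C:\ /E /G Users:R

REM 4. Verify: the Everyone line should be gone from the listing.
cacls C:\

REM 5. Check the fix from a non-administrative account (constructed test): this
REM    attempt to plant a look-alike binary in the root should now fail with
REM    "Access is denied".
REM    copy %WINDIR%\notepad.exe C:\notepad.exe
```

Run the listing in step 4 before and after on a test machine first: the root of the system drive is where some setup and logon scripts expect to write, so confirm that nothing running as an ordinary user depended on the old Everyone entry before rolling the change out.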

It's all about sales - not security

So, you wonder, does this flaw (Microsoft's 64th security alert this year) invalidate its prized Common Criteria certification for Win2K?

The short answer is no, it doesn't work like that.

The longer answer is that the announcement of Win2K's Common Criteria certification doesn't mean it's any more secure than it was before it got the certificate, as we've seen. It only means that Microsoft will find it easier to flog Win2K to government departments and the like, without the buyers having to get special clearance (as we explained in more depth yesterday).

And another thing...
That's about all but before we leave you it'd be remiss of us not to mention Microsoft's 62nd security alert this year - a cumulative patch for its famously buggy Web server software, Internet Information Server, which was also issued yesterday.

This cumulative patch covers four vulnerabilities, the most serious of which could enable applications on a server to gain system-level privileges, so it's well worth considering applying (after testing, of course).

The fix is a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 and 5.1. ®
