Proof Win2K is still insecure by design

Did you ever believe anything else?


A day after boasting that Windows 2000 has won Common Criteria security certification, Microsoft was yesterday obliged to warn of two nasty vulnerabilities affecting, er, Windows 2000.

The timing couldn't be more embarrassing for Redmond but, let's face it, the appearance of more bugs in Win2K (or IE, WinXP etc.) is hardly much of a surprise.

First up and more seriously, a buffer overflow flaw has been unearthed involving Microsoft's implementation of Point-to-Point Tunnelling Protocol (PPTP), a Virtual Private Networking technology natively supported within Windows 2000 and Windows XP. PPTP support is an optional component in Windows NT 4.0, Windows 98, Windows 98SE, and Windows ME.

Although Microsoft reckons the vulnerability would be difficult in practice to exploit, and could only be used to make systems fall - not be taken - over, it still rates the vulnerability as critical. You can find the patch by following the link on Microsoft's advisory here.

Less seriously, at least according to Redmond, is an alert warning that "Windows 2000 Default Permissions Could Allow Trojan Horse Program".

A dramatic title indeed but what we're talking about here is what Microsoft rates as a "moderate risk" that might only be abused by someone logged into the same workstation as an intended victim. This only really affects workstations (not servers) and the risk is from internal miscreants, not mendacious external attackers. Remote Terminal server sessions too would be at little risk, because each user's environment is isolated.

That said, of particular note - given Win2K's hard won Common Criteria certification - is that Microsoft designed this problem into Win2K in the first place.

On Windows 2000, the default permissions give the Everyone group Full Control on the system root folder. The system root is normally not in the search path; however, during logon, or when applications are invoked directly from the Windows desktop (via Start | Run), it can be.

This means an attacker might be able to mount a Trojan horse attack against other users of the same system, by creating a program in the system root with the same name as some commonly used program, then waiting for another user to subsequently log onto the system and invoke the program.

The Trojan horse program would execute with the user's own privileges, allowing it to take any action that the user could take.

Fixing the problem requires changes in administrative procedure, not a patch, which Microsoft explains in its advisory here.
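A defender's check for the default described above, as an added example that is not from the article or from Microsoft's advisory. It assumes the "system root folder" is the root of the system drive (typically C:\) and that the group names are those of an English-language install; it reports and changes nothing.

```powershell
# Added example: audit the system drive root for an ACE that lets Everyone (or another
# broad group) plant files there, and list executables already sitting in that folder,
# since a Trojan horse of the kind the article describes would have to live there.
# Assumption: the "system root folder" is the root of the system drive, e.g. C:\.

$Root = "$env:SystemDrive\"      # e.g. C:\ (assumption: system drive root)
$BroadGroups = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users',
                 'NT AUTHORITY\INTERACTIVE')
# Rights that let a principal create or replace a file in the folder (Full Control includes all of them).
$PlantMask = [System.Security.AccessControl.FileSystemRights]'CreateFiles, Delete, ChangePermissions, TakeOwnership'
$GenericAllOrWrite = 0x10000000 -bor 0x40000000   # GENERIC_ALL | GENERIC_WRITE bits on unmapped ACEs

function Get-RiskyRootAces {
    param([string]$Path = $Root)
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadGroups -notcontains $ace.IdentityReference.Value) { continue }
        $rights = [int]$ace.FileSystemRights
        if (($rights -band [int]$PlantMask) -or ($rights -band $GenericAllOrWrite)) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Get-RootExecutables {
    param([string]$Path = $Root)
    $exts = '.exe', '.com', '.bat', '.cmd', '.pif', '.scr'
    Get-ChildItem -LiteralPath $Path -File -Force -ErrorAction SilentlyContinue |
        Where-Object { $exts -contains $_.Extension.ToLower() } |
        Select-Object FullName, Length, LastWriteTime
}

$risky = @(Get-RiskyRootAces)
if ($risky.Count -eq 0) {
    Write-Output "No broad-group create/replace ACE found on $Root"
} else {
    Write-Output "Broad groups that can plant files in ${Root}:"
    $risky | Format-Table -AutoSize
}
Write-Output "Executables present directly in ${Root}:"
Get-RootExecutables | Format-Table -AutoSize
```

Any ACE reported should be compared against the permissions Microsoft's advisory recommends before it is tightened; on localised installs the group names in $BroadGroups need translating.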

It's all about sales - not security

So, you wonder, does this flaw (Microsoft's 64th security alert this year) invalidate its prized Common Criteria certification for Win2K?

The short answer is no, it doesn't work like that.

The longer answer is that the announcement of Win2K's Common Criteria certification doesn't mean it's any more secure than it was before it got the certificate. As we've seen, it only means that Microsoft will find it easier to flog to government departments and the like, without having to get special clearance (as we explained in more depth yesterday).

And another thing...

That's about all, but before we leave you it'd be remiss of us not to mention Microsoft's 62nd security alert this year - a cumulative patch for its famously buggy Web server software, Internet Information Server, which was also issued yesterday.

This cumulative patch covers four vulnerabilities, the most serious of which could enable applications on a server to gain system-level privileges, so it's well worth considering applying (after testing, of course).

The fix is a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 and 5.1. ®
