Proof Win2K is still insecure by design

Did you ever believe anything else?

A day after boasting that Windows 2000 has won Common Criteria security certification, Microsoft was yesterday obliged to warn of two nasty vulnerabilities affecting, er, Windows 2000.

The timing couldn't be more embarrassing for Redmond but, let's face it, the appearance of more bugs in Win2K (or IE, WinXP etc.) is hardly much of a surprise.

First up and more seriously, a buffer overflow flaw has been unearthed involving Microsoft's implementation of Point-to-Point Tunnelling Protocol (PPTP), a Virtual Private Networking technology natively supported within Windows 2000 and Windows XP. PPTP support is an optional component in Windows NT 4.0, Windows 98, Windows 98SE, and Windows ME.

Although Microsoft reckons the vulnerability would be difficult in practice to exploit, and could only be used to make systems fall - not be taken - over, it still rates the vulnerability as critical. You can find the patch by following the link on Microsoft's advisory here.

Less seriously, at least according to Redmond, is an alert warning that "Windows 2000 Default Permissions Could Allow Trojan Horse Program".

A dramatic title indeed but what we're talking about here is what Microsoft rates as a "moderate risk" that might only be abused by someone logged into the same workstation as an intended victim. This only really affects workstations (not servers) and the risk is from internal miscreants, not mendacious external attackers. Remote Terminal server sessions too would be at little risk, because each user's environment is isolated.

That said, of particular note - given Win2K's hard won Common Criteria certification - is that Microsoft designed this problem into Win2K in the first place.

On Windows 2000, the default permissions provide the Everyone group with Full access on the system root folder. The system root is normally not in the search path; however, during logon, or when applications are invoked directly from the Windows desktop (via Start | Run), it can be.

This means an attacker might be able to mount a Trojan horse attack against other users of the same system, by creating a program in the system root with the same name as some commonly used program, then waiting for another user to subsequently log onto the system and invoke the program.

The Trojan horse program would execute with the user's own privileges, allowing it to take any action that the user could take.

Fixing the problem requires changes in administrative procedure, not a patch, which Microsoft explains in its advisory here.
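As an added illustration of the check an administrator would want here (example code, not from the article or from Microsoft's advisory), the script below lists every Allow ACE that grants the Everyone group (well-known SID S-1-1-0) rights sufficient to create or replace a file in a folder. It goes slightly beyond the article by inspecting not only the system root but every directory on the current search path, since the problem described is a world-writable folder from which a user's program lookup may be satisfied. The function name and the right mask are the author's own choices.

```powershell
# Added example (not the article's or Microsoft's code): report Allow ACEs that
# give Everyone (S-1-1-0) the ability to plant or modify files in a folder.
function Get-EveryoneWriteAccess {
    param([string[]]$Paths)

    # Any of these rights is enough to create, replace or rename a file, or to
    # widen the ACL later; FullControl is what the Windows 2000 default grants.
    $writeMask = [System.Security.AccessControl.FileSystemRights]'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, WriteAttributes, WriteExtendedAttributes, ChangePermissions, TakeOwnership, FullControl'

    $folders = $Paths |
        Where-Object { $_ -and (Test-Path -LiteralPath $_ -PathType Container) } |
        Select-Object -Unique

    foreach ($path in $folders) {
        $acl = Get-Acl -LiteralPath $path
        foreach ($rule in $acl.Access) {
            if ($rule.AccessControlType -ne 'Allow') { continue }
            # Resolve the trustee to a SID so a localised name for Everyone still matches.
            try {
                $sid = $rule.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            } catch {
                continue   # unresolvable account; not Everyone
            }
            if ($sid.Value -ne 'S-1-1-0') { continue }
            if (($rule.FileSystemRights -band $writeMask) -eq 0) { continue }
            [PSCustomObject]@{
                Path      = $path
                Identity  = $rule.IdentityReference.Value
                Rights    = $rule.FileSystemRights
                Inherited = $rule.IsInherited
            }
        }
    }
}

# Check the system root (C:\WINNT on a default Windows 2000 install) plus
# every directory on the search path of the current session.
$targets  = @($env:SystemRoot) + ($env:Path -split ';')
$findings = Get-EveryoneWriteAccess -Paths $targets
if ($findings) {
    $findings | Format-Table -AutoSize
} else {
    'No Allow ACE grants Everyone write rights on the checked folders.'
}
```

A finding on the system root itself with Inherited set to False is the default the advisory describes; the remediation is the permission change Microsoft sets out there, applied after testing.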

It's all about sales - not security

So, you wonder, does this flaw (Microsoft's 64th security alert this year) invalidate its prized Common Criteria certification for Win2K?

The short answer is no, it doesn't work like that.

The longer answer is that the announcement of Win2K's Common Criteria certification doesn't mean it's any more secure than it was before it got the certificate; as we've seen, it only means that Microsoft will find it easier to flog to government departments and the like, without having to get special clearance (as we explained in more depth yesterday).

And another thing...

That's about all but before we leave you it'd be remiss of us not to mention Microsoft's 62nd security alert this year - a cumulative patch for its famously buggy Web server software, Internet Information Server, which was also issued yesterday.

This cumulative patch covers four vulnerabilities, the most serious of which could enable applications on a server to gain system-level privileges, so it's well worth considering applying (after testing, of course).

The fix is a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 and 5.1. ®
