Proof Win2K is still insecure by design

Did you ever believe anything else?


A day after boasting that Windows 2000 has won Common Criteria security certification, Microsoft was yesterday obliged to warn of two nasty vulnerabilities affecting, er, Windows 2000.

The timing couldn't be more embarrassing for Redmond but, let's face it, the appearance of more bugs in Win2K (or IE, WinXP etc.) is hardly much of a surprise.

First up and more seriously, a buffer overflow flaw has been unearthed involving Microsoft's implementation of Point-to-Point Tunnelling Protocol (PPTP), a Virtual Private Networking technology natively supported within Windows 2000 and Windows XP. PPTP support is an optional component in Windows NT 4.0, Windows 98, Windows 98SE, and Windows ME.

Although Microsoft reckons the vulnerability would be difficult to exploit in practice, and could only be used to make systems fall over rather than be taken over, it still rates the flaw as critical. You can find the patch by following the link on Microsoft's advisory here.

Less seriously, at least according to Redmond, is an alert warning that "Windows 2000 Default Permissions Could Allow Trojan Horse Program".

A dramatic title indeed, but what we're talking about here is what Microsoft rates as a "moderate risk" that could only be abused by someone able to log on interactively to the same machine as an intended victim. This only really affects workstations (not servers), and the risk is from internal miscreants, not malicious external attackers. Remote Terminal Server sessions would be at little risk too, because each user's environment is isolated.

That said, of particular note - given Win2K's hard won Common Criteria certification - is that Microsoft designed this problem into Win2K in the first place.

On Windows 2000, the default permissions give the Everyone group Full Control on the system root folder, meaning the root of the system drive (typically C:\), not the %SystemRoot% Windows directory. The system root is normally not in the search path; however, during logon, or when applications are invoked directly from the Windows desktop (via Start | Run), it can be.

This means an attacker might be able to mount a Trojan horse attack against other users of the same system, by creating a program in the system root with the same name as some commonly used program, then waiting for another user to log on to the system and invoke the program by name.

The Trojan horse program would execute with the user's own privileges, allowing it to take any action that the user could take.

Fixing the problem requires a change in administrative procedure (tightening the permissions on the system drive root so that ordinary users can no longer create files there), not a patch, which Microsoft explains in its advisory here.
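As an added example (not code from the article or from Microsoft's advisory), the following PowerShell script covers both halves of the issue described above: it walks the directories a launch-by-name would consult, flags any that let Everyone, Users or Authenticated Users create files, and, with a switch, rewrites the ACL on the system drive root. The lookup order modelled here (current directory first, then each %PATH% entry) is the cmd.exe/CreateProcess rule and is an assumption for the Start | Run case; the assumption that the current directory at logon is the system drive root follows the advisory's description. The replacement ACL (Administrators and SYSTEM full control, Users read and execute) is a conservative choice of this example, not Microsoft's exact recommended list; the script name and parameter names are hypothetical.

```powershell
# Added example, not part of the original article or Microsoft's advisory.
# Audits the search order a trojan-planter would exploit and, optionally,
# tightens the ACL on the root of the system drive.
param(
    # Assumption: at logon the current directory is the system drive root.
    [string]$CurrentDirectory = "$env:SystemDrive\",
    # Actually rewrite the ACL on the system drive root (run elevated).
    [switch]$FixSystemRoot
)

# Principals broad enough that "any local user" is covered by them.
$broadPrincipals = @(
    'Everyone',
    'BUILTIN\Users',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE'
)

# CreateFiles (the same bit as WriteData) on a directory is all that is
# needed to plant a program there; FullControl and Modify both include it.
$createFiles = [int][System.Security.AccessControl.FileSystemRights]::CreateFiles
$inheritOnly = [int][System.Security.AccessControl.PropagationFlags]::InheritOnly

function Get-BroadCreateFilesAce {
    param([string]$Path)
    $acl = Get-Acl -LiteralPath $Path -ErrorAction Stop
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($broadPrincipals -notcontains $ace.IdentityReference.Value) { continue }
        # An inherit-only ACE applies to children, not to this folder itself,
        # so it does not let anyone create files directly here.
        if (([int]$ace.PropagationFlags -band $inheritOnly) -ne 0) { continue }
        if (([int]$ace.FileSystemRights -band $createFiles) -ne 0) { return $ace }
    }
    return $null
}

# Lookup order modelled: current directory, then %PATH% left to right.
$searchOrder = @($CurrentDirectory) + @($env:Path -split ';' | Where-Object { $_ -ne '' })

$findings = @(foreach ($dir in $searchOrder) {
    if (-not (Test-Path -LiteralPath $dir -PathType Container)) { continue }
    $ace = Get-BroadCreateFilesAce -Path $dir
    if ($ace) {
        [pscustomobject]@{
            Directory = $dir
            Principal = $ace.IdentityReference.Value
            Rights    = $ace.FileSystemRights
        }
    }
})

if ($findings.Count -eq 0) {
    Write-Host "No search-order directory grants file creation to a broad principal."
} else {
    Write-Host "Directories where any local user could plant a same-named program:"
    $findings | Format-Table -AutoSize
}

if ($FixSystemRoot) {
    $root = "$env:SystemDrive\"
    $acl = Get-Acl -LiteralPath $root
    # Drop every broad-principal ACE that grants file creation at the root...
    foreach ($ace in @($acl.Access)) {
        if ($ace.AccessControlType -eq 'Allow' -and
            $broadPrincipals -contains $ace.IdentityReference.Value -and
            (([int]$ace.FileSystemRights -band $createFiles) -ne 0)) {
            [void]$acl.RemoveAccessRule($ace)
        }
    }
    # ...and put back a conservative set (this example's choice, not the
    # advisory's exact list): admins and SYSTEM full control, users read/execute.
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $rules = @(
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Administrators', 'FullControl', $inherit, 'None', 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule('NT AUTHORITY\SYSTEM',    'FullControl', $inherit, 'None', 'Allow'),
        New-Object System.Security.AccessControl.FileSystemAccessRule('BUILTIN\Users',          'ReadAndExecute', $inherit, 'None', 'Allow')
    )
    foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
    Set-Acl -LiteralPath $root -AclObject $acl
    Write-Host "Rewrote ACL on $root"
}
```

Run the audit first without the switch (for example `.\Find-WritableSearchDirs.ps1`, a hypothetical file name); it needs no special rights beyond reading ACLs. Only run `-FixSystemRoot` from an elevated session and on a test machine first, because applications that expect to drop files in the drive root will stop being able to, and because Set-Acl on a drive root also rewrites what child objects inherit.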

It's all about sales - not security

So, you wonder, does this flaw (Microsoft's 64th security alert this year) invalidate its prized Common Criteria certification for Win2K?

The short answer is no, it doesn't work like that.

The longer answer is that the announcement of Win2K's Common Criteria certification doesn't mean it's any more secure than it was before it got the certificate, as we've seen. It only means that Microsoft will find it easier to flog to government departments and the like, without having to get special clearance (as we explained in more depth yesterday).

And another thing...

That's about all, but before we leave you it'd be remiss of us not to mention Microsoft's 62nd security alert this year: a cumulative patch for its famously buggy Web server software, Internet Information Server, which was also issued yesterday.

This cumulative patch covers four vulnerabilities, the most serious of which could enable applications running on a server to gain system-level privileges, so it's well worth applying (after testing, of course).

The fix is a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 and 5.1. ®
