Proof Win2K is still insecure by design

Did you ever believe anything else?


A day after boasting that Windows 2000 has won Common Criteria security certification, Microsoft was yesterday obliged to warn of two nasty vulnerabilities affecting, er, Windows 2000.

The timing couldn't be more embarrassing for Redmond but, let's face it, the appearance of more bugs in Win2K (or IE, WinXP etc.) is hardly much of a surprise.

First up and more seriously, a buffer overflow flaw has been unearthed involving Microsoft's implementation of Point-to-Point Tunnelling Protocol (PPTP), a Virtual Private Networking technology natively supported within Windows 2000 and Windows XP. PPTP support is an optional component in Windows NT 4.0, Windows 98, Windows 98SE, and Windows ME.

Although Microsoft reckons the vulnerability would be difficult in practice to exploit, and could only be used to make systems fall - not be taken - over, it still rates the vulnerability as critical. You can find the patch by following the link on Microsoft's advisory here.

Less seriously, at least according to Redmond, is an alert warning that "Windows 2000 Default Permissions Could Allow Trojan Horse Program".

A dramatic title indeed, but what we're talking about here is what Microsoft rates as a "moderate risk" that might only be abused by someone logged into the same workstation as an intended victim. This only really affects workstations (not servers), and the risk is from internal miscreants, not mendacious external attackers. Remote Terminal Server sessions, too, would be at little risk, because each user's environment is isolated.

That said, of particular note - given Win2K's hard won Common Criteria certification - is that Microsoft designed this problem into Win2K in the first place.

On Windows 2000, the default permissions provide the Everyone group with Full access on the system root folder. The system root is normally not in the search path; however, during logon, or when applications are invoked directly from the Windows desktop (via Start | Run), it can be.

This means an attacker might be able to mount a Trojan horse attack against other users of the same system, by creating a program in the system root with the same name as some commonly used program, then waiting for another user to subsequently log onto the system and invoke the program.

The Trojan horse program would execute with the user's own privileges, allowing it to take any action that the user could take.

Fixing the problem requires changes in administrative procedure, not a patch, which Microsoft explains in its advisory here.
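The administrative check behind that advice is whether a broad group still holds write-capable rights on the system root folder. The following PowerShell function is an added example, not code from the article or from Microsoft's advisory. It assumes a PowerShell host (so a later Windows release than Windows 2000, where the same condition would be inspected with cacls), assumes the "system root folder" is the root of the system drive (for instance C:\), and goes slightly beyond the article by also flagging the BUILTIN\Users and Authenticated Users groups, since either would give the same planting opportunity to any local user.

```powershell
# Added example (not from the article or Microsoft's advisory).
# Audits the ACL of the system drive root for the condition described above:
# a broad group (Everyone, by default on Windows 2000) holding rights that let
# it create or replace files in a folder that can end up on the search path.
# Assumes a PowerShell host; the folder checked defaults to the root of the
# system drive, which is the assumed meaning of "system root folder".

function Test-SystemRootEveryoneWrite {
    param(
        # Folder to inspect; defaults to the root of the system drive (e.g. C:\)
        [string]$Path = ($env:SystemDrive + '\'),

        # Identities considered "broad". Everyone is the group the advisory
        # names; the other two are an added generalisation (assumption).
        [string[]]$BroadIdentities = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    )

    $acl = Get-Acl -Path $Path

    # Specific rights that allow planting or replacing a file in the folder.
    $writeMask = [int]([System.Security.AccessControl.FileSystemRights]::CreateFiles -bor
                       [System.Security.AccessControl.FileSystemRights]::CreateDirectories -bor
                       [System.Security.AccessControl.FileSystemRights]::Delete)

    # Generic rights sometimes appear on inherited entries instead of the
    # specific flags above; both of these imply write access.
    $genericAll   = 0x10000000   # GENERIC_ALL
    $genericWrite = 0x40000000   # GENERIC_WRITE

    $findings = foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if ($BroadIdentities -notcontains $ace.IdentityReference.Value) { continue }

        $rights = [int]$ace.FileSystemRights
        $canWrite = (($rights -band $writeMask) -ne 0) -or
                    (($rights -band $genericAll) -ne 0) -or
                    (($rights -band $genericWrite) -ne 0)

        if ($canWrite) {
            [pscustomobject]@{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }

    # An empty result means no broad group can write to the folder.
    return $findings
}

# Usage: list any offending entries, or report that the root is clean.
$result = Test-SystemRootEveryoneWrite
if ($result) {
    $result | Format-Table -AutoSize
} else {
    Write-Output "No broad group has write-capable rights on $($env:SystemDrive)\"
}
```

Run it from an elevated prompt so Get-Acl can read the full security descriptor. Any row it returns is an entry to tighten as the advisory's administrative procedure describes; the function deliberately only reports, because changing permissions on the drive root should be done after confirming what else relies on them.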

It's all about sales - not security

So, you wonder, does this flaw (Microsoft's 64th security alert this year) invalidate its prized Common Criteria certification for Win2K?

The short answer is no, it doesn't work like that.

The longer answer is that the announcement of Win2K's Common Criteria certification doesn't mean it's any more secure than it was before it got the certificate, as we've seen. It only means that Microsoft will find it easier to flog to government departments and the like, without having to get special clearance (as we explained in more depth yesterday).

And another thing...

That's about all, but before we leave you it'd be remiss of us not to mention Microsoft's 62nd security alert this year - a cumulative patch for its famously buggy Web server software, Internet Information Server, which was also issued yesterday.

This cumulative patch covers four vulnerabilities, the most serious of which could enable applications on a server to gain system-level privileges, so it's well worth considering applying (after testing, of course).

The fix is a cumulative patch that includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 and 5.1. ®
