Feeds

Win2K Web Server software brown alert goes out

This time it's serious

  • alert
  • submit to reddit

Secure remote control for conventional and virtual desktops

An unchecked buffer in a Windows component could cause web server compromise, Microsoft warns today.

According to Microsoft, the flaw affects Windows 2000 only (i.e. not XP or NT). It revolves around Microsoft's flawed implementation of the World Wide Web Distributed Authoring and Versioning (WebDAV) protocol in IIS. WebDAV is a set of extensions to the Hyper Text Transfer Protocol (HTTP) which provides a standard for editing and file management between computers on the Internet.

On vulnerable Windows 2000 boxes running IIS, the vulnerability can have dire consequences.

"An attacker could exploit the vulnerability by sending a specially formed HTTP request to a machine running Internet Information Server (IIS)," Microsoft's advisory warns. "The request could cause the server to fail or to execute code of the attacker's choice. The code would run in the security context of the IIS service (which, by default, runs in the LocalSystem context)."

Microsoft describes the vulnerability as critical and has released a patch along with advice on workarounds for customers who are not immediately able to apply the fix.

The vulnerability is reminiscent of the flaw which was infamously exploited by the Code Red and Nimda worms.

Microsoft is clearly taking the problem seriously.

Stuart Okin, chief security officer of Microsoft UK, phoned us gives us a heads up on the patch - a first, in our experience. We understand he has spent the day notifying Microsoft's largest UK customers of the problem.

Security tools firm ISS has published an advisory which explains the vulnerability more clearly than the Redmond advisory. According to ISS, versions of IIS 5.0 on Windows 2000 up to and including Service Pack 3 are vulnerable to the flaw. ®

External Links

Microsoft's advisory
ISS alert

New hybrid storage solutions

More from The Register

next story
Google recommends pronounceable passwords
Super Chrome goes into battle with Mr Mxyzptlk
Infosec geniuses hack a Canon PRINTER and install DOOM
Internet of Stuff securo-cockups strike yet again
Snowden, Dotcom, throw bombs into NZ election campaign
Claim of tapped undersea cable refuted by Kiwi PM as Kim claims extradition plot
Reddit wipes clean leaked celeb nudie pics, tells users to zip it
Now we've had all THAT TRAFFIC, we 'deplore' this theft
Apple Pay is a tidy payday for Apple with 0.15% cut, sources say
Cupertino slurps 15 cents from every $100 purchase
YouTube, Amazon and Yahoo! caught in malvertising mess
Cisco says 'Kyle and Stan' attack is spreading through compromised ad networks
TorrentLocker unpicked: Crypto coding shocker defeats extortionists
Lousy XOR opens door into which victims can shove a foot
prev story

Whitepapers

Secure remote control for conventional and virtual desktops
Balancing user privacy and privileged access, in accordance with compliance frameworks and legislation. Evaluating any potential remote control choice.
Saudi Petroleum chooses Tegile storage solution
A storage solution that addresses company growth and performance for business-critical applications of caseware archive and search along with other key operational systems.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.
Providing a secure and efficient Helpdesk
A single remote control platform for user support is be key to providing an efficient helpdesk. Retain full control over the way in which screen and keystroke data is transmitted.