Feeds

Critical Win2K flaw yields multiple attack vectors

Get patching

  • alert
  • submit to reddit

Providing a secure and efficient Helpdesk

Last week's very serious Windows 2000 vulnerability is far from limited to exploitation through IIS alone.

This flaw, the root cause of which is a buffer overflow vulnerability in a core Microsoft Windows DLL (ntdll.dll), could allow attackers to gain complete control of a vulnerable system and execute arbitrary code.

As we said in our article about a minor glitch with the patch last week, ISS WebDAV (World Wide Web Distributed Authoring and Versioning) is one of many Windows components which uses the problematic ntdll.dll component. So Microsoft's patch needs to be applied to all potentially vulnerable Windows 2000 boxes.

Microsoft's advice on the problem has been revised to take into account potential conflicts with hot fixes which gave rise to the minor glitch. This is just as well because the problem gets worse the closer you look at it.

David Litchfield, of NGSSoftware, the security firm which rose to prominence on the back of discovery of the vulnerability exploited by the Slammer worm, has dissected the myriad risks arising from the flaw. You can read his paper (PDF) here.

Along with malformed WebDAV requests to Microsoft's IIS 5 Web Server (which ships with Win2K) other attack vectors including Java-based Web servers and non-WebDAV related issues in IIS exist, NGSSoftware notes. And that's just the tip of a dangerous iceberg.

"Security researchers at NGSSoftware have already discovered several new attack vectors and believe that there will be many that come to light over the next few weeks," Litchfield writes.

"There are too many ways for an attacker to access the vulnerability. Likely areas will be non-MS Web and FTP servers, IMAP servers, anti-virus solutions and other MS Windows Services."

In light of this, NGSSoftware strongly advises that every Windows 2000 workstation and server needs to be patched - and patched soon - regardless of whether it is running IIS or not. ®

Related Stories

Win2K Web Server software brown alert goes out
Minor glitch in Win2K patch
Open and closed security are roughly equivalent
The MS 'friendly' security alert service - just say D'Oh

Choosing a cloud hosting partner with confidence

More from The Register

next story
SMASH the Bash bug! Apple and Red Hat scramble for patch batches
'Applying multiple security updates is extremely difficult'
Apple's new iPhone 6 vulnerable to last year's TouchID fingerprint hack
But unsophisticated thieves need not attempt this trick
Hackers thrash Bash Shellshock bug: World races to cover hole
Update your gear now to avoid early attacks hitting the web
Oracle SHELLSHOCKER - data titan lists unpatchables
Database kingpin lists 32 products that can't be patched (yet) as GNU fixes second vuln
Who.is does the Harlem Shake
Blame it on LOLing XSS terroristas
Researchers tell black hats: 'YOU'RE SOOO PREDICTABLE'
Want to register that domain? We're way ahead of you.
Stunned by Shellshock Bash bug? Patch all you can – or be punished
UK data watchdog rolls up its sleeves, polishes truncheon
Ello? ello? ello?: Facebook challenger in DDoS KNOCKOUT
Gets back up again after half an hour though
prev story

Whitepapers

A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Storage capacity and performance optimization at Mizuno USA
Mizuno USA turn to Tegile storage technology to solve both their SAN and backup issues.
High Performance for All
While HPC is not new, it has traditionally been seen as a specialist area – is it now geared up to meet more mainstream requirements?
Beginner's guide to SSL certificates
De-mystify the technology involved and give you the information you need to make the best decision when considering your online security options.
Security for virtualized datacentres
Legacy security solutions are inefficient due to the architectural differences between physical and virtual environments.