Microsoft issues fixes for Win 2000 security holes

By Douglas F. Gray
IDG News Service, 01/31/2000

Microsoft Corp. managed to beat itself to the punch last week, issuing the first patches to fix security holes in the much delayed Windows 2000 operating system-several weeks before its official release date.

Two security bugs were detected in Microsoft Index Server, search engine software found in both Windows NT and Windows 2000. The first could allow a malicious user to view, but not change, add or delete, files from a Web server, while the second could reveal the physical location of Web directories on the server, according to a security bulletin issued by Microsoft last week. The bulletin also said that the two glitches were unrelated except for the fact that they both were found in the Index Server.

Windows 2000, Microsoft's new operating system for corporate users, is scheduled to be officially released on Feb. 17. Index Server is a tool designed to allow users to perform full-text, online searches via a Web browser. It was designed to search Word, PowerPoint and Excel documents as well as standard HTML (hypertext markup language) documents, according to information from Microsoft's Web site.

The first bug, or the Malformed Hit-Highlighting Argument "vulnerability," as Microsoft calls it, allows users to request information beyond their security access via a specific type of malformed request.

"It's highly possible that someone could take advantage of the vulnerability," said David Litchfield [CQ], security analyst at U.K.-based Cerberus Information Security Ltd., who originally spotted the bug. "But it depends on what the ultimate end of the attacker is," he noted. "If he's trying to look for sensitive files on the Web server. . . or view the source of active server pages, he can do that."

Microsoft's patch, which he has installed on his system, does eliminate the problem, Litchfield said.

More information regarding both security bugs, including the patches, can be found here.

Microsoft, in Redmond, Washington, can be reached at 425-882-8080, or on the Web at www.microsoft.com/. Cerberus Information Security, in Surrey, U.K., is at 44 181 661 7405, or at www.cerberus-infosec.co.uk/.