Microsoft patches slew of software flaws

Microsoft this week released four software patches, including three that it rates as "critical." The patches plug holes in Internet Explorer, Windows XP, Commerce Server 2000 and SQL Server.

Two of the "critical" patches aim to fix information disclosure flaws in Microsoft's IE Web browser.

The first flaw exists in IE Versions 5.01, 5.5 and 6.0. Through it, malicious Web site operators can read files on users' computers and tap information entered into the Web browser, such as usernames, passwords and credit card details, Microsoft said in a security bulletin.

The problem lies in the way IE handles scripting across domains within frames, Microsoft said. The flaw allows VBScript, Microsoft's script language, running in one domain - the domain of the attacker - to read data in a frame belonging to another domain, which could be the user's local PC or an online shop.

To be exposed to this VBScript handling flaw, a user would have to go to a Web site that is under the attacker's control or open an HTML e-mail from the attacker, Microsoft said. The patch fixes the vulnerability by instituting domain verification handling for VBScript.

The second information disclosure flaw also requires a user to visit an attacker's Web site and would allow the attacker to read files on users' systems, Microsoft said in a second security bulletin. This flaw requires patching of IE 6.0, the operating system Windows XP and database server SQL Server 2000, as these applications all contain the flawed code.

This vulnerability, dubbed the XMLHTTP bug by security experts because it appears in the XMLHTTP ActiveX control, has been waiting for a plug since it was published on Dec. 15 last year.

The ActiveX control is part of Microsoft's XML Core Services software. Flawed versions of the control ship as part of Windows XP, IE 6.0 and SQL Server 2000. They do not respect the security zone settings in IE, allowing a Web page to specify a file on a user's computer as an XML data source, and thus read the file, Microsoft said. XML Core Services software is used by other applications to parse, generate, validate and transform XML documents so that the information can be displayed, stored or manipulated, Microsoft said.

The third "critical" patch Microsoft issued is to fix a buffer overrun flaw in Commerce Server 2000, software that supports electronic commerce Web sites. The flaw was discovered as part of Microsoft's internal security code review, the company said. An attacker exploiting the flaw could gain full control over the system running the software by sending a malformed request to it, Microsoft said in its security bulletin.

The flaw lies in a software component called AuthFilter, an ISAPI filter that provides support for authentication methods on the system. This filter is installed by default, Microsoft said. All administrators using Commerce Server 2000 are urged to patch their systems.

Installing URLscan, a software tool recommended by Microsoft, will protect Commerce Server 2000 installations from being taken over by an attacker, but the server can still be caused to fail by sending it a malformed request, Microsoft noted. Earlier versions of the software, including Site Server 3.0 and Site Server 3.0 Commerce Edition, are not affected, the software maker said.

In addition to the three critical flaws, Microsoft also announced it has patched a buffer overflow vulnerability in its SQL Server database software. The bug, which Microsoft lists as "moderate" in severity, could have caused the software to fail when establishing ad-hoc data connections to remote data sources.

The flaw affects Microsoft SQL Server 7.0 running on Windows 2000. An error in the checking of names for data providers could cause a buffer overrun error when attempting to establish a connection to less-often used data sources, Microsoft said in a security bulletin dated Feb. 20. A buffer overrun could cause the SQL Server service to fail, or cause code to run in the security context of the SQL Server, thus compromising server security, Microsoft said.

The risk to corporate users is likely to be moderate, according to Microsoft, since SQL Server can be configured to run in a security context chosen by the administrator. Applying the rule of least privilege would minimize the amount of damage an attacker could cause, Microsoft said.

Thor Larholm, a Danish Internet programmer and security expert who maintains a list of security holes Microsoft has yet to patch on his Web site, said Microsoft is on the right track.

"It is nice to see that they have patched most of the holes listed on my site, but it is frightening to witness the amount of time it took and the pressure from the public that was needed," he said. "However, Microsoft's actions are a promising trend and I hope their initiative to put more focus on security will outlive the month."

Microsoft has announced it will take a break of about a month from developing new code to go back over software it has already written and check it for security flaws. The now-patched Commerce Server 2000 flaw seems to be the first result of those efforts.

"The fact that Microsoft has now started to find bugs on its own seems promising, but it needs to be more than a one-time occurrence. Microsoft needs to rethink fundamental parts of its security processes, as it is too easy for outsiders, with no access to Microsoft's closed source, to find new security holes," Larholm said.

Notwithstanding the patches, IE remains vulnerable, according to Larholm.

"Internet Explorer remains insecure. In the next month or two, we will probably have about five new vulnerabilities. I have listed three current vulnerabilities that aren't public yet, but were discovered by a software firm. Microsoft is currently investigating these holes that allow an attacker to read local files," he said.

The IDG News Service is a Network World affiliate.


Copyright, 1994-2006 Network World, Inc. All rights reserved.