Security Roundup -- Redmondmag.com

Security Roundup

By Scott Bekker
02/02/2001

In late December, Microsoft Corp. posted a patch on its Web site that eliminates a security vulnerability affecting Windows 2000 domain controllers.

Windows 2000 provides several special operating modes that can be chosen at boot time to allow the administrator to troubleshoot and restore a machine with a damaged configuration. One mode, Directory Service Restore Mode, is designed to allow the Active Directory to be repaired and restored on a domain controller. A password is required in order to operate the system in this mode. However, if the “Configure Your Server” tool were used when the machine was originally promoted to domain controller, that password would be blank. This could enable a hacker to log onto the machine in Directory Service Restore Mode. Once logged on the hacker could alter system components or install false ones that would execute when a genuine administrator later logged onto the machine.

Windows 2000 Server and 2000 Advanced Server were affected.

A vulnerability in Microsoft PowerPoint was patched when it was discovered that a hacker could insert specially chosen data into a PowerPoint file and use the file to overrun the buffer. This would either cause PowerPoint to fail, or, more seriously, allow the hacker to cause his own code to run on the user’s machine, granting control of the machine to the hacker.

A similar vulnerability was discovered in Windows NT mutexes, synchronization objects that govern access to resources. One mutex was discovered to have inappropriately loose permissions, which could enable an attacker to run code on a local machine to monopolize the mutex and prevent other processes from using the resource that mutex controlled. This would have the effect of blocking the machine from using the network.

Microsoft also released a patch to eliminate an IIS vulnerability. The vulnerability would have allowed an attacker to request a file in a way that would cause it to be processed by the .HTR ISAPI extension. The result would be that fragments of server-side files such as .ASP files could potentially be sent to the attacker. Microsoft recommended disabling the .HTR functionality or downloading a patch.

Earlier this week, Microsoft released a tool and patch that allow customers to diagnose and eliminate the effects of anomalies in the packaging of hotfixes for English-language versions of Windows 2000. Some of the anomalies could cause the removal of some hotfixes, including security patches, from a Windows 2000 system.

Microsoft also released a patch that eliminates a vulnerability affecting Windows 2000 terminal servers. The vulnerability could allow an attacker to send a series of packets to a terminal server and cause it to fail.

Windows 2000 was determined by the National Computer Security Center (NCSC) of the National Security Agency (NSA) to be a Controlled Access Protection Profile (CAPP)-compliant system. CAPP-conforming products support access controls that are capable of enforcing access limitations on individual users and data objects. CAPP-conforming products also provide an audit capability that records the security-relevant events occurring within the system. The CAPP was written to allow a distributed operating system to be evaluated for compliance with the CAPP. More information on the CAPP is available at www.radium.ncsc.mil/tpep/library/protection_profiles/CAPP-1.d.pdf.

The National Infrastructure Protection Center (NIPC) advised of a high-risk Lotus Domino vulnerability. A directory traversal vulnerability exists which could allow a remote hacker to gain access to systems files, passwords, and other sensitive material. No workaround or patch is currently available. The NIPC also reports on a Windows NT/2000 Server and Advanced Server domain controller vulnerability, in which a hacker could gain administrator privileges. A patch was released on Microsoft’s site.

Finally, in December Microsoft defined a “security vulnerability.”

“A security vulnerability is a flaw in a product that makes it infeasible – even when using the product properly – to prevent an attacker from usurping privileges on the user’s system, regulating its operation, compromising data on it, or assuming ungranted trust,” says the Microsoft site. For more on the definition, see www.microsoft.com/technet/security/vulnrbl.asp. – Isaac Slepner

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

Microsoft Graph 'Activity Logs' Feature Goes Live

Microsoft announced the general availability of the "activity logs" capability in Microsoft Graph, giving administrators more options to track user activity and identify patterns of potential misuse.
Fallout from Microsoft's 'Midnight Blizzard' Saga Hits Feds

When the Russian attack group Midnight Blizzard successfully breached Microsoft corporate e-mail accounts late last year, it apparently managed to steal U.S. government agency e-mails, too.
PowerShell Script Used in Phishing Attack May Be AI-Generated

A PowerShell script being used in a novel malware campaign may have been created by AI, according to security researchers at Proofpoint.
Using Microsoft Office to Build a Network Diagram, Part 1

Keeping documentation is a great way to ease your future hardware refresh and have what you need for insurance purposes.
Microsoft Claims Breakthrough in Quantum Computing Reliability

A new paper details Microsoft's recent progress in quantum computing -- specifically, its development of a system that is both significantly less prone to errors and better at correcting them.