News
Security Roundup
- By Scott Bekker
- 02/02/2001
In late December, Microsoft Corp. posted a patch on its Web site that eliminates a security vulnerability affecting Windows 2000 domain controllers.
Windows 2000 provides several special operating modes that can be chosen at boot time to allow the administrator to troubleshoot and restore a machine with a damaged configuration. One mode, Directory Service Restore Mode, is designed to allow Active Directory to be repaired and restored on a domain controller. A password is required in order to operate the system in this mode. However, if the “Configure Your Server” tool was used when the machine was originally promoted to domain controller, that password would be blank. This could enable a hacker to log onto the machine in Directory Service Restore Mode. Once logged on, the hacker could alter system components or install false ones that would execute when a genuine administrator later logged onto the machine.
Windows 2000 Server and Windows 2000 Advanced Server were affected.
A vulnerability in Microsoft PowerPoint was patched when it was discovered that a hacker could insert specially chosen data into a PowerPoint file and use the file to overrun a buffer. This would either cause PowerPoint to fail or, more seriously, allow the hacker to cause his own code to run on the user’s machine, granting control of the machine to the hacker.
A similar vulnerability was discovered in Windows NT mutexes, synchronization objects that govern access to resources. One mutex was discovered to have inappropriately loose permissions, which could enable an attacker to run code on a local machine to monopolize the mutex and prevent other processes from using the resource that mutex controlled. This would have the effect of blocking the machine from using the network.
Microsoft also released a patch to eliminate an IIS vulnerability. The vulnerability would have allowed an attacker to request a file in a way that would cause it to be processed by the .HTR ISAPI extension. The result would be that fragments of server-side files such as .ASP files could potentially be sent to the attacker. Microsoft recommended disabling the .HTR functionality or downloading a patch.
Earlier this week, Microsoft released a tool and patch that allow customers to diagnose and eliminate the effects of anomalies in the packaging of hotfixes for English-language versions of Windows 2000. Some of the anomalies could cause the removal of some hotfixes, including security patches, from a Windows 2000 system.
Microsoft also released a patch that eliminates a vulnerability affecting Windows 2000 terminal servers. The vulnerability could allow an attacker to send a series of packets to a terminal server and cause it to fail.
Windows 2000 was determined by the National Computer Security Center (NCSC) of the National Security Agency (NSA) to be a Controlled Access Protection Profile (CAPP)-compliant system. CAPP-conforming products support access controls that are capable of enforcing access limitations on individual users and data objects. CAPP-conforming products also provide an audit capability that records the security-relevant events occurring within the system. The CAPP was written so that a distributed operating system could be evaluated for compliance against it. More information on the CAPP is available at www.radium.ncsc.mil/tpep/library/protection_profiles/CAPP-1.d.pdf.
The National Infrastructure Protection Center (NIPC) advised of a high-risk Lotus Domino vulnerability. A directory traversal vulnerability exists which could allow a remote hacker to gain access to system files, passwords, and other sensitive material. No workaround or patch is currently available. The NIPC also reports on a Windows NT/2000 Server and Advanced Server domain controller vulnerability, in which a hacker could gain administrator privileges. A patch was released on Microsoft’s site.
Finally, in December Microsoft defined a “security vulnerability.”
“A security vulnerability is a flaw in a product that makes it infeasible – even when using the product properly – to prevent an attacker from usurping privileges on the user’s system, regulating its operation, compromising data on it, or assuming ungranted trust,” says the Microsoft site.
For more on the definition, see www.microsoft.com/technet/security/vulnrbl.asp.
– Isaac Slepner
About the Author
Scott Bekker is editor in chief of Redmond Channel Partner magazine.