[ISN] MS warns of 'critical' flaws

From: InfoSec News (isnat_private)
Date: Mon Feb 25 2002 - 23:14:44 PST

  • Next message: InfoSec News: "[ISN] Hackers accessed more than 100,000 systems at home and abroad"

    http://zdnet.com.com/2100-1105-844318.html
    
    [Go to the link above for links to the fixes.  - WK]  
    
    By Matthew Broersma 
    ZDNet (UK)
    February 25, 2002, 9:50 AM PT
    
    Microsoft has released patches for two security holes in its Internet
    software that could allow hackers to read files off a user's computer
    or information in Web pages that they visit.
    
    The company also patched server glitches that could let attackers
    crash Web servers or take over computer networks attached to Microsoft
    Web servers. Three of the four alerts were classified by Microsoft as
    'critical.'
    
    The new warnings come as Microsoft continues to strongly publicize its
    efforts to make its software more secure. Microsoft is promoting its
    .Net strategy for making its software as central to Internet-based
    services as it is on the desktop, but many have doubts about whether
    Microsoft products are secure enough to do the job.
    
    The security glitches have been discovered in the Internet Explorer
    Web browser, Microsoft's XML Core Services 2.6 and later, Microsoft
    SQL Server and Microsoft Commerce Server 2000. They are repaired by
    several separate new patches, which Microsoft recommends affected
    users to install immediately.
    
    XML Core Services is shipped with all copies of Windows XP, the new
    version of Microsoft's dominant PC operating system.
    
    The Internet Explorer VBScript bug
    
    In Internet Explorer, a flaw exists in the way VBScripts--pieces of
    code that can be embedded into Web pages--in one browser frame can
    access the content of other browser frames. An attacker could create a
    Web page or HTML e-mail that would let him either read files from the
    user's local drive, or read information from pages subsequently
    visited by the user. The second scenario could mean, for example, that
    the attacker could read credit card numbers and passwords typed by the
    user into third-party Web sites.
    
    The attacker could only read local files that can be displayed in a
    browser, such as text or HTML files, and would have to know the exact
    path to the file in order to read it. However, system files in Windows
    are often stored in default locations.
    
    The vulnerability arises because of a problem with the way IE handles
    security for VBScripts attempting to read data from another browser
    frame that originates from a different domain. Scripts normally
    shouldn't be allowed to do this, but the flaw allows them to do so.
    
    The bug affects IE versions 5.01 SP2, 5.5 SP1, 5.5 SP2 and 6.0.
    
    The IE patch is here, and is also available through Windows Update.
    
    
    The XML Core Services bug
    
    XML Core Services 2.6 and later--shipped with Internet Explorer 6.0,
    SQL Servier 2000 and all copies of Windows XP--contains a similar bug
    that could let a hacker read data from the user's computer.
    
    The flaw occurs in an ActiveX control called XMLHTTP, which allows Web
    pages in the browser to send and receive XML data via HTTP, the
    standard Web transfer protocol. XML is an Internet language for
    describing just about any sort of data.
    
    XMLHTTP doesn't properly check the security settings for some types of
    data requests in a Web page, allowing them, if properly disguised, to
    request data from the user's hard drive.
    
    An attacker could fashion a Web page to secretly read files from the
    user's computer, but would first have to cause the user to visit the
    page. The attack couldn't be carried out in an HTML e-mail. As with
    the IE bug, the attacker would have to know the full path name to the
    file he or she wanted to read.
    
    The patch is available here, or through Windows Update.
    
    
    Commerce Server open to attacks
    
    The Commerce Server 2000 glitch is different, allowing attackers to
    launch what's known as a Denial of Service (DoS) attack, crashing the
    server, or to run the code of his choice on the server. Commerce
    Server is based on Microsoft's Internet Information Services server,
    but IIS itself isn't vulnerable.
    
    The fault occurs with a default Commerce Server file called
    AuthFilter, which handles some authentication procedures. An attacker
    could send authentication data that overran an unchecked buffer in
    AuthFilter, causing the AuthFilter process to fail or causing it to
    run code of the attacker's choice. The process in question runs with
    advanced privileges, which would give the attacker complete control of
    the server.
    
    In some cases the attacker could extend his control of the compromised
    server onto other computers on the network, depending on the security
    access given to the Commerce Server, according to Microsoft.
    
    A patch for the bug is available here, and will be included with
    Commerce Server 2000 Service Pack 3, Microsoft said.
    
    
    SQL Server denial-of-service risk
    
    Finally, SQL Server includes a similar unchecked buffer glitch that
    leaves it open to DoS attacks.
    
    SQL Server 7.0 and 2000 include an unchecked buffer in a function
    designed to let the server create an "ad hoc" connection to remote
    data sources. A hacker could create a buffer overflow by sending a
    specially formed database query through a Web site, or by attempting
    to load and execute a query.
    
    The buffer overflow would crash the server, or give the attacker the
    ability to run code with the same system privileges as the server. The
    exploit wouldn't always be available, however, depending on the way
    the server is configured.
    
    The patch for SQL Server 2000 is here, and the patch for SQL Server
    7.0 is here.
    
    The security alerts were all released late last week.
    
     
    
    
    -
    ISN is currently hosted by Attrition.org
    
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.
    



    This archive was generated by hypermail 2b30 : Tue Feb 26 2002 - 03:37:28 PST