MS security hole extravaganza

IIS, SQL, MSM, Gopher hole widens....

We've got a treat here; it seems MS has been sitting on a number of security holes which it's decided to dump on us all at once. So, what do you want to patch today?

The first, and probably the worst due to the number of systems affected, is a little gremlin in IIS 4 and 5 (Internet Information Server aka 'Inherently Insecure Server') running on NT 4 and 2K, but not XP. This is a buffer overflow vulnerability involving chunked encoding in the ISAPI extension that implements HTR, "an older, largely obsolete scripting technology," MS says. It was discovered by Riley Hassell of eEye Digital Security.

It's similar to the IIS buffer overrun issue with the ASP (Active Server Page) ISAPI filter, which we reported earlier. This can be exploited to crash the machine or run arbitrary code on it. Briefly, in both cases an attacker can cause IIS to miscalculate incoming data and allocate undersized buffers which can easily be exploited.

"Microsoft has long recommended disabling HTR functionality unless there is a business-critical reason for retaining it...Systems on which HTR is disabled would not be at risk from this vulnerability," MS says. Of course the service is running by default when the system is installed, so we might find that somewhat disingenuous.

MS soft-pedals the severity in classic form, labeling this one "Moderate". But the eEye bulletin rightly points out that a target machine can be owned with a single session if the attacker knows what he's doing.

Since exploit tools already exist for the previous hole, and since this one is similar enough to make modifying and adapting them a snap, MS has decided to release a single-issue patch for it (which seems to contradict their "Moderate" threat label). A cumulative patch will be available in a few weeks' time, the company says. The MS advisory and patch are located here.

Next, we bring you a couple of vulnerabilities in SQLXML, which transfers XML data to and from SQL Server 2K and permits server access via HTTP using XML. These were discovered by Matt Moore of

Westpoint Ltd.

The first is an ISAPI extension which contains an unchecked buffer, which in turn can enable an attacker to run arbitrary code on the target machine. This could mean complete ownership of the database server. It's difficult to exploit, MS hastens to point out.

The second allows script injection via an XML tag from a user account. This might be difficult for an outsider to exploit, but an insider with knowledge of the directory structure and the user account naming conventions would have an easy time.

Again, MS bends over backwards to soft-pedal the significance. "The vulnerability is subject to a number of significant mitigating factors," the company insists, and only grudgingly admits that "under a daunting scenario, the vulnerability could provide an attacker with an avenue by which to run script on another user's system." (my emphasis)

So MS gives them both a "Moderate" label because the buffer-overrun isn't easy to exploit and hacking a user account is nearly impossible what with all the amazingly hard passwords in use these days; but we'd give it a "Critical" because anything that can stuff up a database is a bloody serious business. The MS bulletin and patches are located here.

Moving along, we find that the Remote Access Service (RAS) phonebook in NT 4.0, 2K and XP, which stores information about telephone numbers and network settings needed to dial into remote systems, contains a buffer-overrun vulnerability affecting any executable that has a GUI help feature or connects to the Internet. It was discovered by Mark Litchfield of

Next Generation Security Software Ltd.

This flaw would likely appeal first to insiders, as it's necessary to log in as a privileged user, modify the phonebook with "specially malformed data" (MS' preferred euphemism for 'malicious code'), and then initiate a session to a remote machine using RAS. This is not to say that it can't be exploited by an outsider, however. In either case the result could be ownership of the local system.

NT 4.0, NT 4.0 Terminal Server Edition, Win-2K, Win-XP, and MS Routing and Remote Access Server (RRAS) on NT 4.0 Service Pack 6 and NT 4.0 Terminal Server Edition Service Pack 6 are affected.

The MS bulletin and patches are located here. Now that a patch has been developed, Litchfield has released a far more informative bulletin to the BugTraq mailing list.

Finally, we have updates to two previously-reported issues. First, the buffer-overflow vulnerability in the MSN Chat control (an AcriveX control included with MSN Messenger since version 4.5 and Exchange Instant Messenger) needs to be addressed again since we

first reported

it. It seems that the vulnerable control is repeatedly being downloaded onto patched clients, rendering them vulnerable again. Apparently, users had trusted the MS patch to fix their systems properly. Well it didn't; but it does now. According to MS, with

the latest patch

installed, you can now accept MSN's incessant invitations to download their vulnerable component, and it will no longer undo the patching.

Second, MS has re-released its warning about the Gopher hole in IE, which we reported recently. Apparently, the thing is a bit worse than MS had originally thought, and affects not only IE but Proxy Server 2.0 and Internet Security and Acceleration (ISA) Server 2K as well.

And of course MS can't resist pretending that there are monumental obstacles to exploitation. "In the case of IE, code would run in the security context of the user. As a result, any limitations on the user's ability would also restrict the actions an attacker's code could take." Right -- that's a help. Just about every PC on the planet is running with the MS equivalent of root privileges.

There still isn't a patch, but there are workarounds. For PC users, just use a Gopher proxy like localhost with a port like 1 to disable access. For server admins there are several, depending on what kit you're running. Detailed instructions for home users and pros alike are included in the new MS bulletin. ®

Similar topics


Send us news

Other stories you might like