Information Security News mailing list archives

Patch issued for Windows NT flaw


From: InfoSec News <isn () c4i org>
Date: Thu, 24 Apr 2003 20:46:27 -0500 (CDT)

http://news.com.com/2100-1002-998238.html

By Robert Lemos 
Staff Writer, CNET News.com
April 24, 2003

Microsoft on Thursday released an update for Windows NT that fixes the
critical vulnerability that allowed an intruder to sneak onto a
military server running Windows 2000.

The software giant issued the patch for Windows 2000 less than a week
after learning of the problem, but then carried out its standard
analysis to check whether the rest of its operating systems were
vulnerable. The advisory and software patch for Windows NT are the
result of that five-week process, said Stephen Toulouse, program
manager for Microsoft's security response center.

"The reason we really didn't have an NT fix is because we had to ship
the bulletin faster than we normally do," Toulouse said. "We turned
around the critical Windows 2000 fix in five or six days. Once we got
the Windows 2000 fix out, we resumed our process."

The flaw could allow an attacker to gain total control of an
Internet-accessible computer running unpatched versions of the Windows
2000 and NT operating systems, according to the revised advisory
posted to Microsoft's site.

The original flaw allowed an online attacker to take control of a
military server last March by using the World Wide Web Distributed
Authoring and Versioning (WebDAV) component of Microsoft's flagship Web
server software, Internet Information Services (IIS) 5.0.

The vulnerability took the software giant's security group by surprise
because a security researcher wasn't the source of information about
the problem. Normally, a researcher or hacker who finds a
vulnerability will announce the details publicly or to the software's
creator. Instead, the attack on the military server was Microsoft's
first notice that the flaw existed.

In a paper published a week after Microsoft released the patch, David
Litchfield, a security researcher at U.K.-based Next Generation
Security Software, stated that the flaw could be exploited through other
operating system components, not just WebDAV.

"The problem is much wider in scope than machines running IIS,"  
Litchfield wrote in the paper.

Both Next Generation Security Software and Microsoft recommend that
all Windows 2000 and NT users apply the patch. Windows XP and Windows
Server 2003 are not affected by the flaw.
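The article identifies the WebDAV component of IIS 5.0 as the path used against the military server, and ends with the recommendation to patch every Windows 2000 and NT machine. A first step in prioritizing that work is finding which Web servers actually advertise WebDAV. The script below is an added example, not code from the article, Microsoft or NGSSoftware: it sends an HTTP OPTIONS request and inspects the DAV, Allow and Public response headers, which IIS 5.0 returns when WebDAV is enabled. The two sample responses are constructed for the example, modelled on the header set IIS 5.0 sent, and are not captures from any real host.

```python
"""Detect whether an HTTP server advertises WebDAV (added example).

Not from the CNET article, Microsoft or NGSSoftware. Sends an OPTIONS
request and reads the DAV / Allow / Public headers that IIS 5.0 emits
when WebDAV is enabled. Sample responses below are constructed.
"""
from __future__ import annotations

import socket

# Methods defined by RFC 2518, the WebDAV spec current in 2003.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}


def build_options_request(host: str, path: str = "/") -> bytes:
    """Minimal HTTP/1.1 OPTIONS request for the given host and path."""
    return (
        f"OPTIONS {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Connection: close\r\n"
        "\r\n"
    ).encode("ascii")


def parse_headers(raw: bytes) -> tuple[int, dict[str, list[str]]]:
    """Return (status_code, headers); names lower-cased, repeats kept."""
    head, _, _body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status_line = lines[0].split(" ", 2)
    if len(status_line) < 2 or not status_line[0].startswith("HTTP/"):
        raise ValueError(f"not an HTTP response: {lines[0]!r}")
    status = int(status_line[1])
    headers: dict[str, list[str]] = {}
    for line in lines[1:]:
        if ":" not in line:
            continue  # tolerate a malformed line rather than abort the check
        name, _, value = line.partition(":")
        headers.setdefault(name.strip().lower(), []).append(value.strip())
    return status, headers


def assess_webdav(raw: bytes) -> dict:
    """Summarize WebDAV exposure from a raw OPTIONS response."""
    status, headers = parse_headers(raw)
    # DAV: "1, 2" lists the compliance classes the server claims.
    dav = [v.strip() for vals in headers.get("dav", [])
           for v in vals.split(",") if v.strip()]
    # IIS 5.0 lists methods under both Allow and the older Public header.
    allowed = {m.strip().upper()
               for vals in headers.get("allow", []) + headers.get("public", [])
               for m in vals.split(",") if m.strip()}
    dav_methods = sorted(allowed & WEBDAV_METHODS)
    return {
        "status": status,
        "server": headers.get("server", [""])[0],
        "dav_classes": dav,
        "webdav_methods": dav_methods,
        "webdav_advertised": bool(dav or dav_methods),
    }


def probe(host: str, port: int = 80, timeout: float = 5.0) -> dict:
    """Live check against a host you are authorized to test."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(build_options_request(host))
        buf = b""
        while b"\r\n\r\n" not in buf:
            data = s.recv(4096)
            if not data:
                break
            buf += data
    return assess_webdav(buf)


# Constructed sample modelled on an IIS 5.0 response with WebDAV enabled.
SAMPLE_WEBDAV_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"MS-Author-Via: DAV\r\n"
    b"DASL: <DAV:sql>\r\n"
    b"DAV: 1, 2\r\n"
    b"Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
    b"MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, "
    b"MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

# Constructed sample of a server that does not advertise WebDAV.
SAMPLE_PLAIN_RESPONSE = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.0\r\n"
    b"Allow: OPTIONS, TRACE, GET, HEAD, POST\r\n"
    b"Content-Length: 0\r\n"
    b"\r\n"
)

if __name__ == "__main__":
    import sys
    if len(sys.argv) > 1:
        print(probe(sys.argv[1]))
    else:
        print(assess_webdav(SAMPLE_WEBDAV_RESPONSE))
        print(assess_webdav(SAMPLE_PLAIN_RESPONSE))
```

Run it with no arguments to see the parser on the two constructed samples, or with a hostname to probe a server you are authorized to test. A negative result only means the server is not advertising WebDAV over HTTP; as Litchfield's paper notes, the flaw is reachable through other components, so hosts with WebDAV disabled still need the patch, and this check is for ordering the work, not for deciding who can skip it.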




-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.
