Information Security News mailing list archives
The Patch MS Forgot to Apply
From: William Knowles <wk () C4I ORG>
Date: Mon, 6 Nov 2000 17:19:40 -0600
http://www.wired.com/news/culture/0,1284,39984,00.html

7:00 a.m. Nov. 6, 2000 PST

Microsoft's network has been cracked again, apparently through a hole it had recently warned its customers to patch immediately.

A Dutch hacker going by the name Dimitri told IDG News Service he entered Microsoft's network last Friday and was able to upload a text file, download other files, and view the structure of Microsoft's server network.

Dimitri entered the Microsoft system through a well-known security hole, using what is commonly known as the Unicode Bug, which Microsoft refers to as the Web Server Folder Traversal Vulnerability. Microsoft released a patch for the hole in August and considered the hole dangerous enough that it specifically reminded its customers to apply the patch several weeks ago.

The vulnerability affects servers running Microsoft Internet Information Services versions 4.0 and 5.0. Microsoft notes in its tech bulletin that "the vulnerability could potentially allow a visitor to a website to take a wide range of destructive actions against it, including running programs on it." It also allows an attacker to gain access to files and folders stored on the server, which could lead to the cracker gaining high-level user login permissions that would, according to Microsoft, enable the "malicious user to add, change or delete data, run code already on the server or upload new code to the server and run it."

The patch for the hole was released on Aug. 15, and Microsoft issued a warning bulletin on Oct. 17, alerting users to apply the patch immediately.

A source inside Microsoft requesting anonymity said that if the cracker got into Microsoft's network using the company's "Houston" domain, as he claims to have done, he would not have had access to the entire server system or to any program code.
The source said that, to his knowledge, the server had been "put out to pasture," and was used simply to redirect website visitors to other sections of Microsoft's Internet-based services.

But the Microsoft source also noted that he was surprised that the Unicode Bug patch had not been applied. He said he was troubled by the fact that this hole, "which could have been so easily closed," had been left open.

"Our network is a prime target for crackers, as you can guess," he said. "Microsoft is a huge company, with thousands of desktops and many servers. We have a security team working 24 hours a day to keep people out of our systems, and I have been told that there are real attempts to enter the systems, on average, hundreds of times a week.

"That's serious attempts -- not just someone randomly knocking on the door," he said. "Given that, I'd say the security guys are doing a good job. No, they aren't perfect, but they're human and so we don't expect them to be perfect, either. And frankly, any server can be had."

RadWork, a "freelance security consultant," said that this latest Microsoft hack wouldn't have been difficult to pull off.

"I haven't spoken to this Dimitri, but I'd be surprised if he's claiming it was a big, sophisticated exploit. What does surprise me is that Microsoft left this server open behind a known hole."

RadWork explained that crackers use security bulletins "as sort of updates to tricks they can try." Once a hole is noted, they will start probing networks to see if the patch that fixes it has been applied.

"So, for MS to announce this hole, and not patch it themselves, is like issuing an open invitation for people to come on in and root around. They have to know that crackers probably pay better attention to those security bulletins than a lot of the heads of many companies' technical support departments do."
*==============================================================*
"Communications without intelligence is noise; Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com
---
To unsubscribe email LISTSERV () SecurityFocus com with a message body of "SIGNOFF ISN".
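The article names the hole only as the "Unicode Bug" (Microsoft's Web Server Folder Traversal Vulnerability, bulletin MS00-078) and does not describe its mechanism. As background not stated on the page: the affected IIS versions tested the request path for ".." escapes before decoding the URL's UTF-8, so an overlong two-byte encoding of "/" (%c0%af) or "\" (%c1%9c) was not recognised as a separator by the check but was decoded to one afterwards. RadWork's point is that anyone reading the bulletin could probe for unpatched servers; the flip side is that a defender can scan request logs for the same pattern. The following is an added example, not code from the article, Microsoft, or IIS: it models the flawed check ordering beside a corrected one and runs the corrected check over constructed sample log lines. The log lines, the function names and the `/scripts` and `/images` paths are assumptions made for the example.

```python
"""
Added example: detecting the overlong-UTF-8 ("Unicode bug") traversal
pattern in web-server request logs.  Not from the article or Microsoft.
Background assumed here, not stated on the page: IIS 4.0/5.0 checked for
".." escapes before UTF-8 decoding, so %c0%af ("/") and %c1%9c ("\") were
invisible to the check and became separators afterwards.
"""
import re
from urllib.parse import unquote_to_bytes

# Constructed sample lines in Common Log Format; not real Microsoft logs.
SAMPLE_LOG = """\
10.0.0.5 - - [03/Nov/2000:14:02:11 -0800] "GET /default.htm HTTP/1.0" 200 512
10.0.0.5 - - [03/Nov/2000:14:02:15 -0800] "GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 200 1044
10.0.0.5 - - [03/Nov/2000:14:02:20 -0800] "GET /scripts/../../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 0
10.0.0.5 - - [03/Nov/2000:14:02:31 -0800] "GET /images/..%c1%9c..%c1%9cwinnt/win.ini HTTP/1.0" 200 300
10.0.0.9 - - [03/Nov/2000:14:03:40 -0800] "GET /docs/caf%c3%a9.htm HTTP/1.0" 200 2048
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/\d\.\d"')


def escapes_webroot(path: str) -> bool:
    """Walk the path segments; True if a '..' pops above the web root.
    Both '/' and '\\' count as separators, as they do on IIS."""
    depth = 0
    for seg in re.split(r"[/\\]", path):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False


def decode_utf8_lenient(raw: bytes) -> tuple[str, bool]:
    """Decode the way the vulnerable server did: accept overlong 2-byte
    sequences (lead byte C0/C1) and map them to the ASCII character they
    encode.  Returns (text, overlong_seen).  A strict decoder rejects them."""
    out = bytearray()
    overlong = False
    i = 0
    while i < len(raw):
        b = raw[i]
        if b in (0xC0, 0xC1) and i + 1 < len(raw) and 0x80 <= raw[i + 1] <= 0xBF:
            out.append(((b & 0x1F) << 6) | (raw[i + 1] & 0x3F))  # C0 AF -> '/'
            overlong = True
            i += 2
        else:
            out.append(b)
            i += 1
    return out.decode("utf-8", errors="replace"), overlong


def vulnerable_check(target: str) -> bool:
    """Flawed ordering: percent-decode, test for traversal, and only later
    decode UTF-8.  An overlong-encoded separator is invisible to this test."""
    raw = unquote_to_bytes(target.split("?", 1)[0])
    return escapes_webroot(raw.decode("latin-1"))


def hardened_check(target: str) -> bool:
    """Corrected ordering: fully decode (percent, then UTF-8) before the
    traversal test, and treat any overlong sequence as hostile by itself."""
    raw = unquote_to_bytes(target.split("?", 1)[0])
    text, overlong = decode_utf8_lenient(raw)
    return overlong or escapes_webroot(text)


def scan_log(log_text: str) -> list[dict]:
    """One record per request line, carrying both checks' verdicts."""
    findings = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        target = m.group("target")
        findings.append({
            "target": target,
            "vulnerable_check": vulnerable_check(target),
            "hardened_check": hardened_check(target),
        })
    return findings


if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        flag = "TRAVERSAL" if f["hardened_check"] else "ok"
        missed = ""
        if f["hardened_check"] and not f["vulnerable_check"]:
            missed = "  (missed by the pre-decode check)"
        print(f"{flag:9} {f['target']}{missed}")
```

Run against the sample, the plain `../../` request is caught by both checks (the server would have rejected it, hence the 404 in the constructed line), while the two overlong-encoded requests are caught only by the hardened check; the `caf%c3%a9.htm` line shows that ordinary non-ASCII UTF-8 is not flagged. On a real IIS 4.0/5.0 host the `/scripts` virtual directory was mapped outside the web root, so a single `..` could suffice; the depth counter here is deliberately strict about overlong sequences for that reason rather than relying on the depth count alone.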