Information Security News mailing list archives

The Patch MS Forgot to Apply


From: William Knowles <wk () C4I ORG>
Date: Mon, 6 Nov 2000 17:19:40 -0600

http://www.wired.com/news/culture/0,1284,39984,00.html

7:00 a.m. Nov. 6, 2000 PST

Microsoft's network has been cracked again, apparently through a hole
it had recently warned its customers to patch immediately.

A Dutch hacker going by the name Dimitri told IDG news service he
entered Microsoft's network last Friday and was able to upload a text
file, download other files, and view the structure of Microsoft's
server network.

Dimitri entered the Microsoft system through a well-known security
hole by using what is commonly known as the Unicode Bug, which
Microsoft refers to as the Web Server Folder Traversal Vulnerability.

Microsoft released a patch for the hole in August and considered the
hole dangerous enough that it specifically reminded its customers to
apply the patch several weeks ago.

The exploit affects servers running Microsoft Internet Information
Services versions 4.0 and 5.0. Microsoft notes in its tech bulletin
that "the vulnerability could potentially allow a visitor to a website
to take a wide range of destructive actions against it, including
running programs on it."

It also allows an attacker to gain access to files and folders stored
on the server, which could lead to the cracker gaining high-level user
login permissions that would, according to Microsoft, enable the
"malicious user to add, change or delete data, run code already on the
server or upload new code to the server and run it."
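As an added defensive illustration (not part of the article or of Microsoft's bulletin), the check below canonicalizes request paths the way the affected IIS versions did, including the overlong two-byte UTF-8 forms that the "Unicode Bug" relied on, and flags any request whose canonical path climbs above the web root. The log format and every log line are constructed for the example; `escapes_root`, `canonical_path` and `flag_traversals` are names chosen here.

```python
from urllib.parse import unquote_to_bytes

# Constructed sample log lines (date time client method path status); not real traffic.
SAMPLE_LOG = """\
2000-11-03 10:01:12 10.0.0.5 GET /default.asp 200
2000-11-03 10:01:40 10.0.0.7 GET /scripts/..%2f..%2fprivate/notes.txt 200
2000-11-03 10:02:03 10.0.0.7 GET /scripts/..%c0%af..%c0%afprivate/notes.txt 200
2000-11-03 10:02:30 10.0.0.9 GET /docs/../index.html 200
"""

def lenient_utf8_decode(data: bytes) -> str:
    """Decode bytes the way the vulnerable server did: accept overlong 2-byte
    sequences (lead byte 0xC0/0xC1) that a strict decoder would reject.
    A detector built on bytes.decode('utf-8') would raise here and miss the hit."""
    out, i = [], 0
    while i < len(data):
        b = data[i]
        if b in (0xC0, 0xC1) and i + 1 < len(data) and 0x80 <= data[i + 1] <= 0xBF:
            out.append(chr(((b & 0x1F) << 6) | (data[i + 1] & 0x3F)))  # e.g. C0 AF -> '/'
            i += 2
        else:
            out.append(chr(b) if b < 0x80 else "\ufffd")  # other bytes are irrelevant here
            i += 1
    return "".join(out)

def canonical_path(raw: str) -> str:
    """Percent-decode, decode leniently, and treat backslash as a separator."""
    return lenient_utf8_decode(unquote_to_bytes(raw)).replace("\\", "/")

def escapes_root(raw: str) -> bool:
    """True if walking the canonical path ever goes above the web root.
    Tracking depth (rather than normalizing the path) keeps '/docs/../index.html' benign."""
    depth = 0
    for seg in canonical_path(raw).split("/"):
        if seg == "..":
            depth -= 1
            if depth < 0:
                return True
        elif seg not in ("", "."):
            depth += 1
    return False

def flag_traversals(log_text: str) -> list[str]:
    """Return 'client path -> canonical' for each request that escapes the root."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) >= 6 and escapes_root(parts[4]):
            hits.append(f"{parts[2]} {parts[4]} -> {canonical_path(parts[4])}")
    return hits

if __name__ == "__main__":
    for hit in flag_traversals(SAMPLE_LOG):
        print(hit)
```

Both encoded forms in the sample resolve to the same canonical path, which is the property a log review or IDS rule should key on rather than any single byte pattern.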

The patch for the hole was released on Aug. 15, and Microsoft issued a
warning bulletin on Oct. 17, alerting users to apply the patch
immediately.

A source inside Microsoft requesting anonymity said that if the
cracker got into Microsoft's network using the company's "Houston"
domain as he claims to have done, he would not have had access to the
entire server system or to any program code.

The source said that, to his knowledge, the server had been "put out
to pasture," and was used simply to redirect website visitors to other
sections of Microsoft's Internet-based services.

But the Microsoft source also noted that he was surprised that the
Unicode Bug patch had not been applied. He said he was troubled by the
fact that this hole, "which could have been so easily closed" had been
left open.

"Our network is a prime target for crackers, as you can guess," he
said. "Microsoft is a huge company, with thousands of desktops and
many servers. We have a security team working 24 hours a day to keep
people out of our systems, and I have been told that there are real
attempts to enter the systems, on average, hundreds of times a week.

"That's serious attempts -- not just someone randomly knocking on the
door," he said. "Given that, I'd say the security guys are doing a
good job. No, they aren't perfect, but they're human and so we don't
expect them to be perfect, either. And frankly, any server can be
had."

RadWork, a "freelance security consultant," said that this latest
Microsoft hack wouldn't have been difficult to pull off.

"I haven't spoken to this Dimitri, but I'd be surprised if he's
claiming it was a big, sophisticated exploit. What does surprise me is
that Microsoft left this server open behind a known hole."

RadWork explained that crackers use security bulletins "as sort of
updates to tricks they can try." Once a hole is noted, they will start
probing networks to see if the patch that fixes it has been applied.

"So, for MS to announce this hole, and not patch it themselves, is
like issuing an open invitation for people to come on in and root
around. They have to know that crackers probably pay better attention
to those security bulletins than a lot of the heads of many companies'
technical support departments do."


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*
