MS warns of 'critical' flaws

[InfoSec News <isn () c4i org>]

http://zdnet.com.com/2100-1105-844318.html

[Go to the link above for links to the fixes.  - WK]  

By Matthew Broersma 
ZDNet (UK)
February 25, 2002, 9:50 AM PT

Microsoft has released patches for two security holes in its Internet
software that could allow hackers to read files off a user's computer
or information in Web pages that they visit.

The company also patched server glitches that could let attackers
crash Web servers or take over computer networks attached to Microsoft
Web servers. Three of the four alerts were classified by Microsoft as
'critical.'

The new warnings come as Microsoft continues to strongly publicize its
efforts to make its software more secure. Microsoft is promoting its
.Net strategy for making its software as central to Internet-based
services as it is on the desktop, but many have doubts about whether
Microsoft products are secure enough to do the job.

The security glitches have been discovered in the Internet Explorer
Web browser, Microsoft's XML Core Services 2.6 and later, Microsoft
SQL Server and Microsoft Commerce Server 2000. They are repaired by
several separate new patches, which Microsoft recommends affected
users to install immediately.

XML Core Services is shipped with all copies of Windows XP, the new
version of Microsoft's dominant PC operating system.

The Internet Explorer VBScript bug

In Internet Explorer, a flaw exists in the way VBScripts--pieces of
code that can be embedded into Web pages--in one browser frame can
access the content of other browser frames. An attacker could create a
Web page or HTML e-mail that would let him either read files from the
user's local drive, or read information from pages subsequently
visited by the user. The second scenario could mean, for example, that
the attacker could read credit card numbers and passwords typed by the
user into third-party Web sites.

The attacker could only read local files that can be displayed in a
browser, such as text or HTML files, and would have to know the exact
path to the file in order to read it. However, system files in Windows
are often stored in default locations.

The vulnerability arises because of a problem with the way IE handles
security for VBScripts attempting to read data from another browser
frame that originates from a different domain. Scripts normally
shouldn't be allowed to do this, but the flaw allows them to do so.

The bug affects IE versions 5.01 SP2, 5.5 SP1, 5.5 SP2 and 6.0.

The IE patch is here, and is also available through Windows Update.


The XML Core Services bug

XML Core Services 2.6 and later--shipped with Internet Explorer 6.0,
SQL Servier 2000 and all copies of Windows XP--contains a similar bug
that could let a hacker read data from the user's computer.

The flaw occurs in an ActiveX control called XMLHTTP, which allows Web
pages in the browser to send and receive XML data via HTTP, the
standard Web transfer protocol. XML is an Internet language for
describing just about any sort of data.

XMLHTTP doesn't properly check the security settings for some types of
data requests in a Web page, allowing them, if properly disguised, to
request data from the user's hard drive.

An attacker could fashion a Web page to secretly read files from the
user's computer, but would first have to cause the user to visit the
page. The attack couldn't be carried out in an HTML e-mail. As with
the IE bug, the attacker would have to know the full path name to the
file he or she wanted to read.

The patch is available here, or through Windows Update.


Commerce Server open to attacks

The Commerce Server 2000 glitch is different, allowing attackers to
launch what's known as a Denial of Service (DoS) attack, crashing the
server, or to run the code of his choice on the server. Commerce
Server is based on Microsoft's Internet Information Services server,
but IIS itself isn't vulnerable.

The fault occurs with a default Commerce Server file called
AuthFilter, which handles some authentication procedures. An attacker
could send authentication data that overran an unchecked buffer in
AuthFilter, causing the AuthFilter process to fail or causing it to
run code of the attacker's choice. The process in question runs with
advanced privileges, which would give the attacker complete control of
the server.

In some cases the attacker could extend his control of the compromised
server onto other computers on the network, depending on the security
access given to the Commerce Server, according to Microsoft.

A patch for the bug is available here, and will be included with
Commerce Server 2000 Service Pack 3, Microsoft said.


SQL Server denial-of-service risk

Finally, SQL Server includes a similar unchecked buffer glitch that
leaves it open to DoS attacks.

SQL Server 7.0 and 2000 include an unchecked buffer in a function
designed to let the server create an "ad hoc" connection to remote
data sources. A hacker could create a buffer overflow by sending a
specially formed database query through a Web site, or by attempting
to load and execute a query.

The buffer overflow would crash the server, or give the attacker the
ability to run code with the same system privileges as the server. The
exploit wouldn't always be available, however, depending on the way
the server is configured.

The patch for SQL Server 2000 is here, and the patch for SQL Server
7.0 is here.

The security alerts were all released late last week.

 


-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.