Microsoft issues first patches of the year

By Matt Whipp

Posted on 23 Jan 2003 at 12:04

Microsoft has warned customers of a critical flaw in Domain Controller servers running Windows NT 4.0 and 2000.

The flaw resides in an unchecked buffer in the Locator service, which maps names to resources on the network.

A successful exploit of the hole could cause the system to fail or enable an attacker to run code on the system.

Windows operating systems from NT 4.0 to XP are affected, if the Locator service has been activated (only the Domain Controllers have the service switched on by default).

Microsoft also says that a properly configured firewall would block requests to the Locator service from the Internet.

Patches are available at the Windows Update Web site.

Also announced yesterday is a flaw in Content Management Server 2001 that would allow an attacker to spoof a Web page and monitor a user's activities on it - the most obvious example would be to dupe a user into entering personal and financial information on the page. The attacker could also gain access to the legitimate sit's cookies.

Microsoft rates the flaw as 'Important' - a new rating introduced by the company last year to give an incremental step between moderate and critical. Again, a patch is available at the Web site.

Finally, a 'moderate' flaw exists in Outlook 2002 systems using V1 Exchange Server Security certificates for encryption, where mail may not be properly encrypted and sent in plain text - even though the user believed it had been successfully encrypted. Patch available at the Microsoft Update Web site.