Microsoft warns of Hallowe'en security issues
By Matt Whipp
Posted on 31 Oct 2002 at 12:23
Microsoft has highlighted new security flaws in the latest Windows platforms - from NT 4.0 to Windows XP.
The most severe, rated critical, opens the possibility of denial of service attacks, via an unchecked buffer, against Windows 2000 and XP networks set up with PPTP (Point to Point Tunneling Protocol). However, PPTP does not run by default on Windows systems.
Attackers could send deliberately malformed data to a server and cause the system to fail. Client systems would also be under threat, although the attacker would have to know the IP address of the system and that it was connected at the time.
As PPTP is used to allow remote connections to networks, usually from mobile devices, by creating a private channel through the Internet, client IP addresses are likely to change frequently and sessions to be unpredictable.
A patch is available for the following systems:
Microsoft Windows 2000
Microsoft Windows XP: 32-bit
Microsoft Windows XP: 64-bit
Next up, an issue in Windows 2000, which is rated moderate. This allows attackers to take advantage of situations where the user has full access to the root folder, such as launching applications from Start/Run or logging on.
An attacker could create a program that masquerades as a familiar program or one that launches when a user logs on to the system. When a user logged on, or launched the program from Start/Run, the program would access the system with the same privileges as the user.
However, the attacker would have to log on to the system to initially plant the Trojan program - it couldn't be run on the system from outside the network.
Microsoft recommends that administrators take the default permissions for the root folder in XP and apply them to 2000. These are:
- Administrators: Full (This Folder, Subfolders and Files)
- Creator Owner: Full (Subfolders and Files)
- System: Full (This Folder, Subfolders and Files)
- Everyone: Read and Execute (This Folder Only)
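One way to check a root folder against the permissions listed above, as an added example that is not from the article or from Microsoft. It assumes PowerShell is available on the host being audited; the `$Root` parameter and the function name are illustrative, and the SIDs are the well-known identifiers for the four principals.

```powershell
# Added example: compare a root folder's ACL with the four baseline entries
# listed in the article. Assumes it is run locally on the host being audited.
param([string]$Root = "$env:SystemDrive\")

$FSR  = [System.Security.AccessControl.FileSystemRights]
$Sync = [int]$FSR::Synchronize

# Fold GENERIC_ALL into FullControl and ignore the Synchronize bit so that
# equivalent ACEs compare equal.
function Get-NormalizedRights([int]$Rights) {
    if ($Rights -band 0x10000000) { $Rights = [int]$FSR::FullControl }
    return ($Rights -bor $Sync)
}

# "This Folder, Subfolders and Files" = inherit to containers and objects.
# "Subfolders and Files" only         = the same, marked InheritOnly.
# "This Folder Only"                  = no inheritance flags.
$Both = 'ContainerInherit, ObjectInherit'
$Baseline = @(
    @{ Name='Administrators'; Sid='S-1-5-32-544'; Rights=$FSR::FullControl;    Inherit=$Both;  Propagate='None' }
    @{ Name='Creator Owner';  Sid='S-1-3-0';      Rights=$FSR::FullControl;    Inherit=$Both;  Propagate='InheritOnly' }
    @{ Name='System';         Sid='S-1-5-18';     Rights=$FSR::FullControl;    Inherit=$Both;  Propagate='None' }
    @{ Name='Everyone';       Sid='S-1-1-0';      Rights=$FSR::ReadAndExecute; Inherit='None'; Propagate='None' }
)

$expected = @{}
foreach ($e in $Baseline) {
    $key = '{0}|{1}|{2}|{3}' -f $e.Sid, (Get-NormalizedRights ([int]$e.Rights)), $e.Inherit, $e.Propagate
    $expected[$key] = $e.Name
}

# Request SIDs rather than account names so the check works on localized systems.
$rules = (Get-Acl -LiteralPath $Root).GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
$seen = @{}
foreach ($r in $rules) {
    $key = '{0}|{1}|{2}|{3}' -f $r.IdentityReference.Value, (Get-NormalizedRights ([int]$r.FileSystemRights)), $r.InheritanceFlags, $r.PropagationFlags
    if ($r.AccessControlType -eq 'Allow' -and $expected.ContainsKey($key)) {
        $seen[$key] = $true
    } else {
        # Any ACE outside the baseline, e.g. Everyone with write access to the root.
        'UNEXPECTED: {0} {1} {2} ({3}; {4})' -f $r.AccessControlType, $r.IdentityReference.Value, $r.FileSystemRights, $r.InheritanceFlags, $r.PropagationFlags
    }
}
foreach ($key in $expected.Keys) {
    if (-not $seen.ContainsKey($key)) { "MISSING: baseline entry for $($expected[$key])" }
}
```

No output means the root folder's ACL matches the four listed entries exactly; each `UNEXPECTED` line is an entry that widens or otherwise departs from that baseline.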
Finally, Microsoft has released a cumulative patch for Internet Information Services (IIS) affecting Web servers running Windows NT 4.0, 2000 and XP. It addresses vulnerabilities that attackers could use for privilege elevation, denial of service attacks and gaining access privileges to upload files, as well as a pair of cross-site scripting vulnerabilities.
The most severe of these vulnerabilities is rated as moderate.
Patches are available for download for:
