A Bad Week for Security

By Larry Seltzer  |  Posted 2003-03-20 Email Print this article Print

IIS may have laid the biggest security egg over the past week, writes Security Supersite Editor Larry Seltzer, but we've got a full carton of Grade AAA security holes for you.

Its been a heck of a week for security vulnerabilities. The most attention, deservedly so, went to another buffer overflow in Microsofts IIS Web server, but there were many more. The IIS hole was unusual in that, unlike most vulnerabilities, it appears to have been exploited before it was discovered and patched. Even worse, it was the U.S. Armys Web server that was attacked. Microsoft put out a patch in relative hurry and there are several workarounds that should block the exploit. However, they come at the expense of functionality in IIS support for WebDAV, which allows file I/O-style access to web sites. This is one of those problems for which administrators should drop everything and deal.
After reports of server crashes introduced with the patch Microsoft modified the security advisory for this problem to warn that certain specific versions of Windows 2000 were incompatible with the patch and that it would cause these systems to blue-screen. Security patches from Microsoft are usually issued before there are any real-world exploits, and Microsoft puts them through extensive testing. No such luck in this case, and they had to write and issue the patch post-haste. This is what happens when youre in a hurry.
And it didnt end there. A second, less serious problem was found in the JScript engine. This one is a more run-of-the-mill problem with important mitigating factors, and patches are available through Windows Update and other locations. Finally, a minor denial-of-service (DOS) attack is possible through ISA Server. The service denied is actually DNS servers on the other side of the ISA server, so this is nothing too much to worry about. Those of you using a Version 4 implementation of Kerberos, the network-authentication system developed at MIT, should immediately patch your systems. MIT announced a "CRITICAL" vulnerability early this week that could allow an attacker to fabricate a "ticket" that represents credentials on the network. The good news is that there are patches. The bad news is that the weakness is at the protocol level and that fixing it necessarily involves limitations in functionality. Yet another reason to move to Version 5 of Kerberos, which is not vulnerable. (Incidentally, Windows 2000s Active Directory implements Version 5.) The full MIT advisory may be found here.
Two more vulnerabilities (here and here) do affect Kerberos 5 and can result in crashed server components and potentially compromised data.

Larry Seltzer has been writing software for and English about computers ever since—,much to his own amazement—,he graduated from the University of Pennsylvania in 1983.

He was one of the authors of NPL and NPL-R, fourth-generation languages for microcomputers by the now-defunct DeskTop Software Corporation. (Larry is sad to find absolutely no hits on any of these +products on Google.) His work at Desktop Software included programming the UCSD p-System, a virtual machine-based operating system with portable binaries that pre-dated Java by more than 10 years.

For several years, he wrote corporate software for Mathematica Policy Research (they're still in business!) and Chase Econometrics (not so lucky) before being forcibly thrown into the consulting market. He bummed around the Philadelphia consulting and contract-programming scenes for a year or two before taking a job at NSTL (National Software Testing Labs) developing product tests and managing contract testing for the computer industry, governments and publication.

In 1991 Larry moved to Massachusetts to become Technical Director of PC Week Labs (now eWeek Labs). He moved within Ziff Davis to New York in 1994 to run testing at Windows Sources. In 1995, he became Technical Director for Internet product testing at PC Magazine and stayed there till 1998.

Since then, he has been writing for numerous other publications, including Fortune Small Business, Windows 2000 Magazine (now Windows and .NET Magazine), ZDNet and Sam Whitmore's Media Survey.

Submit a Comment

Loading Comments...

Manage your Newsletters: Login   Register My Newsletters

Rocket Fuel