Microsoft Patches Windows, IIS Flaws

Critical flaw in the PPTP implementation in Windows 2000 and XP could be used to crash remote servers.

Microsoft Corp. on Thursday issued patches for several new vulnerabilities in various applications, including a critical flaw in the PPTP implementation in Windows 2000 and XP that could be used to crash remote servers.

There are also four new flaws in IIS (Internet Information Services) and a vulnerability in Windows 2000 that enables an intruder to mount a Trojan horse attack against other users on a given system.

Windows 2000 and XP both include native support for the PPTP (point-to-point tunneling protocol) used in some VPN (virtual private network) implementations. Both versions of Windows have a buffer overrun vulnerability in the section of code that processes the control data used to establish, maintain and terminate PPTP connections.

An attacker who sends a specially crafted set of control data to a PPTP server could crash the machine.

Of the four new vulnerabilities in IIS, the most serious affects the way that ISAPIs (Internet server application programming interfaces) are launched when an IIS 4, 5 or 5.1 server is configured to run them out of process. The hosting process can be made to attain LocalSystem privileges, which would, in turn, give the ISAPI the same privileges.

There is also a denial-of-service vulnerability in the way that IIS 5 and 5.1 allocate memory for WebDAV requests. This could enable an attacker to crash the server.

Two cross-site scripting vulnerabilities in IIS 4, 5 and 5.1 give an attacker the ability to render scripts on a users machine by enticing the user to click on a Web link. And, a vulnerability in the operation of the script source access permission in IIS 5 enables a user to upload .COM files to a virtual directory without the correct permissions.

The final vulnerability is in the Windows 2000 default permissions. To exploit this flaw, an attacker could create a program in the system root with the same name as a commonly used program and then wait for another user to log on and select that program from the Start menu. By doing so, the attackers code would execute and be able to take any actions that the user could take.