Microsoft Patches Windows, IIS Flaws | eWeek

Microsoft Patches Windows, IIS Flaws

Écrit par
Dennis Fisher
Dennis Fisher
Oct 31, 2002
2 minute read
eWeek Le contenu et les recommandations de produits sont indépendants de la rédaction. Nous pouvons gagner de l'argent lorsque vous cliquez sur des liens vers nos partenaires. En savoir plus

Microsoft Corp. on Thursday issued patches for several new vulnerabilities in various applications, including a critical flaw in the PPTP implementation in Windows 2000 and XP that could be used to crash remote servers.

There are also four new flaws in IIS (Internet Information Services) and a vulnerability in Windows 2000 that enables an intruder to mount a Trojan horse attack against other users on a given system.

Windows 2000 and XP both include native support for the PPTP (point-to-point tunneling protocol) used in some VPN (virtual private network) implementations. Both versions of Windows have a buffer overrun vulnerability in the section of code that processes the control data used to establish, maintain and terminate PPTP connections.

An attacker who sends a specially crafted set of control data to a PPTP server could crash the machine.

Of the four new vulnerabilities in IIS, the most serious affects the way that ISAPIs (Internet server application programming interfaces) are launched when an IIS 4, 5 or 5.1 server is configured to run them out of process. The hosting process can be made to attain LocalSystem privileges, which would, in turn, give the ISAPI the same privileges.

There is also a denial-of-service vulnerability in the way that IIS 5 and 5.1 allocate memory for WebDAV requests. This could enable an attacker to crash the server.

Two cross-site scripting vulnerabilities in IIS 4, 5 and 5.1 give an attacker the ability to render scripts on a users machine by enticing the user to click on a Web link. And, a vulnerability in the operation of the script source access permission in IIS 5 enables a user to upload .COM files to a virtual directory without the correct permissions.

The final vulnerability is in the Windows 2000 default permissions. To exploit this flaw, an attacker could create a program in the system root with the same name as a commonly used program and then wait for another user to log on and select that program from the Start menu. By doing so, the attackers code would execute and be able to take any actions that the user could take.

eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

Propriété de TechnologyAdvice. © 2026 TechnologyAdvice. Tous droits réservés

Divulgation publicitaire : Certains des produits qui apparaissent sur ce site proviennent d'entreprises dont TechnologyAdvice reçoit une compensation. Cette compensation peut influencer la façon dont les produits apparaissent sur ce site, notamment l'ordre dans lequel ils apparaissent. TechnologyAdvice n'inclut pas toutes les entreprises ou tous les types de produits disponibles sur le marché.