A Bad Week for Security

IIS may have laid the biggest security egg over the past week, writes Security Supersite Editor Larry Seltzer, but we've got a full carton of Grade AAA security holes for you.

Its been a heck of a week for security vulnerabilities. The most attention, deservedly so, went to another buffer overflow in Microsofts IIS Web server, but there were many more.

The IIS hole was unusual in that, unlike most vulnerabilities, it appears to have been exploited before it was discovered and patched. Even worse, it was the U.S. Armys Web server that was attacked. Microsoft put out a patch in relative hurry and there are several workarounds that should block the exploit. However, they come at the expense of functionality in IIS support for WebDAV, which allows file I/O-style access to web sites. This is one of those problems for which administrators should drop everything and deal.

After reports of server crashes introduced with the patch Microsoft modified the security advisory for this problem to warn that certain specific versions of Windows 2000 were incompatible with the patch and that it would cause these systems to blue-screen. Security patches from Microsoft are usually issued before there are any real-world exploits, and Microsoft puts them through extensive testing. No such luck in this case, and they had to write and issue the patch post-haste. This is what happens when youre in a hurry.

And it didnt end there. A second, less serious problem was found in the JScript engine. This one is a more run-of-the-mill problem with important mitigating factors, and patches are available through Windows Update and other locations.

Finally, a minor denial-of-service (DOS) attack is possible through ISA Server. The service denied is actually DNS servers on the other side of the ISA server, so this is nothing too much to worry about.

Those of you using a Version 4 implementation of Kerberos, the network-authentication system developed at MIT, should immediately patch your systems. MIT announced a "CRITICAL" vulnerability early this week that could allow an attacker to fabricate a "ticket" that represents credentials on the network. The good news is that there are patches. The bad news is that the weakness is at the protocol level and that fixing it necessarily involves limitations in functionality. Yet another reason to move to Version 5 of Kerberos, which is not vulnerable. (Incidentally, Windows 2000s Active Directory implements Version 5.) The full MIT advisory may be found here.

Two more vulnerabilities (here and here) do affect Kerberos 5 and can result in crashed server components and potentially compromised data.