Close
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
Read Down
Sign in
Close
Welcome!Log into your account
Forgot your password?
Read Down
Password recovery
Recover your password
Close
Search
Menu
Search
  • Latest News
  • Big Data and Analytics
  • Cloud
  • Networking
  • Cybersecurity
  • Applications
  • IT Management
  • Storage
  • Sponsored
  • Mobile
  • Small Business
  • Development
  • Database
  • Servers
  • Android
  • Apple
  • Innovation
  • Blogs
  • PC Hardware
  • Reviews
  • Search Engines
  • Virtualization
More
    Home Cybersecurity
    • Cybersecurity

    Microsoft Mends More Security Flaws

    By
    Dennis Fisher
    -
    June 13, 2002
    Share
    Facebook
    Twitter
    Linkedin

      Microsoft Corp. on Wednesday released patches for vulnerabilities in three separate products, including a new buffer overrun flaw in IIS that enables an attacker to run arbitrary code on a target machine.

      The vulnerability is in HTR, an old scripting language that is rarely used anymore. IIS 4.0 and 5.0 both include support for HTR for reasons of backward compatibility. The flaw is in the Chunked Encoding data transfer mechanism, and by sending a specially crafted session to the vulnerable server, an attacker could overwrite a section of the heap memory.

      An attacker can then manipulate portions of the overwritten memory to move foreign data into memory addresses that the attacker supplies, which would alter the flow of execution into the attackers own payload, according to a bulletin on the flaw released by eEye Digital Security Inc., which discovered the problem.

      This vulnerability is quite similar to another problem found with HTR earlier this year. There are attack tools available for the previous flaw, Microsoft said, which makes the new vulnerability all the more dangerous.

      “While many may believe that the risk for these types of vulnerabilities is fairly low due to the fact that addressing is dynamic and brute force techniques would need to be used in an attack…this premise is false as successful exploitation can be made with one attempt across .dll versions,” eEye said in its advisory.

      The patch is available online.

      Microsoft also issued a patch for a buffer overrun vulnerability in the Remote Access Service phonebook, which is used for dial-up connections and is included in NT 4.0, NT 4.0 Terminal Server Edition, Windows 2000 and Windows XP, as well as the Routing and Remote Access Server, all of which are vulnerable.

      An attacker could use the flaw to log on to an affected server, modify a phonebook entry with specially malformed code and then establish a connection using this entry. The attackers code would then be executed on the vulnerable system. Alternately, the flaw could be used to cause a system failure.

      There are also two new vulnerabilities in SQL Server 2000s SQLXML service. There is an unchecked buffer in an ISAPI extension that could enable an attacker to run code on the IIS server, as well as vulnerability in a function that specifies an XML tag. This second flaw could allow an attacker to run scripts on the vulnerable machine with escalated privileges, Microsoft said.

      The patch for these flaws is also available online.

      Related Stories:

      • Microsoft Warns of 10 IIS Flaws
      • Microsoft Updates MSN Chat Control Patch
      • Trusting in Microsoft
      • On the Mend?
      • More Security Coverage
      Dennis Fisher

      MOST POPULAR ARTICLES

      Android

      Samsung Galaxy XCover Pro: Durability for Tough...

      Chris Preimesberger - December 5, 2020 0
      Have you ever dropped your phone, winced and felt the pain as it hit the sidewalk? Either the screen splintered like a windshield being...
      Read more
      Cloud

      Why Data Security Will Face Even Harsher...

      Chris Preimesberger - December 1, 2020 0
      Who would know more about details of the hacking process than an actual former career hacker? And who wants to understand all they can...
      Read more
      Cybersecurity

      How Veritas Is Shining a Light Into...

      eWEEK EDITORS - September 25, 2020 0
      Protecting data has always been one of the most important tasks in all of IT, yet as more companies become data companies at the...
      Read more
      Big Data and Analytics

      How NVIDIA A100 Station Brings Data Center...

      Zeus Kerravala - November 18, 2020 0
      There’s little debate that graphics processor unit manufacturer NVIDIA is the de facto standard when it comes to providing silicon to power machine learning...
      Read more
      Apple

      Why iPhone 12 Pro Makes Sense for...

      Wayne Rash - November 26, 2020 0
      If you’ve been watching the Apple commercials for the past three weeks, you already know what the company thinks will happen if you buy...
      Read more

      eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site’s focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

      Facebook
      Linkedin
      RSS
      Twitter
      Youtube

      Advertisers

      Advertise with TechnologyAdvice on eWeek and our other IT-focused platforms.

      Advertise with Us

      Menu

      • About eWeek
      • Subscribe to our Newsletter
      • Latest News

      Our Brands

      • Privacy Policy
      • Terms
      • About
      • Contact
      • Advertise
      • Sitemap
      • California – Do Not Sell My Information

      Property of TechnologyAdvice.
      © 2021 TechnologyAdvice. All Rights Reserved

      Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

      ×