Microsoft Patches Windows, IIS Flaws
Cybersecurity
SHARE
Facebook X Pinterest WhatsApp

Microsoft Patches Windows, IIS Flaws

Written By
Dennis Fisher
Dennis Fisher
Oct 31, 2002
2 minute read
eWeek content and product recommendations are editorially independent. We may make money when you click on links to our partners. Learn More

Microsoft Corp. on Thursday issued patches for several new vulnerabilities in various applications, including a critical flaw in the PPTP implementation in Windows 2000 and XP that could be used to crash remote servers.

There are also four new flaws in IIS (Internet Information Services) and a vulnerability in Windows 2000 that enables an intruder to mount a Trojan horse attack against other users on a given system.

Windows 2000 and XP both include native support for the PPTP (point-to-point tunneling protocol) used in some VPN (virtual private network) implementations. Both versions of Windows have a buffer overrun vulnerability in the section of code that processes the control data used to establish, maintain and terminate PPTP connections.

An attacker who sends a specially crafted set of control data to a PPTP server could crash the machine.

Of the four new vulnerabilities in IIS, the most serious affects the way that ISAPIs (Internet server application programming interfaces) are launched when an IIS 4, 5 or 5.1 server is configured to run them out of process. The hosting process can be made to attain LocalSystem privileges, which would, in turn, give the ISAPI the same privileges.

There is also a denial-of-service vulnerability in the way that IIS 5 and 5.1 allocate memory for WebDAV requests. This could enable an attacker to crash the server.

Two cross-site scripting vulnerabilities in IIS 4, 5 and 5.1 give an attacker the ability to render scripts on a users machine by enticing the user to click on a Web link. And, a vulnerability in the operation of the script source access permission in IIS 5 enables a user to upload .COM files to a virtual directory without the correct permissions.

The final vulnerability is in the Windows 2000 default permissions. To exploit this flaw, an attacker could create a program in the system root with the same name as a commonly used program and then wait for another user to log on and select that program from the Start menu. By doing so, the attackers code would execute and be able to take any actions that the user could take.
Dennis Fisher
eWeek Logo

eWeek has the latest technology news and analysis, buying guides, and product reviews for IT professionals and technology buyers. The site's focus is on innovative solutions and covering in-depth technical content. eWeek stays on the cutting edge of technology news and IT trends through interviews and expert analysis. Gain insight from top innovators and thought leaders in the fields of IT, business, enterprise software, startups, and more.

facebook
linkedin
youtube
rss
x

Company

About us Contact us Advertise with us

Categories

Latest News Resources Artificial Intelligence Video Big Data & Analytics Cloud Networking

Property of TechnologyAdvice. © 2026 TechnologyAdvice. All Rights Reserved

Advertiser Disclosure: Some of the products that appear on this site are from companies from which TechnologyAdvice receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. TechnologyAdvice does not include all companies or all types of products available in the marketplace.

Terms of Service Privacy Policy California - Do Not Sell My Information