Firm exposes WinNT security hole

Nearly every Windows NT-based Web server on the Internet is vulnerable to a newly discovered security hole that lets a malicious hacker take over the server -- and, in some cases, the network to which it is attached, says a network security company.

According to the eEye Digital Security Team, which develops network security software, it discovered the bug on June 6 when its Retina network security scanning software -- which automatically employs techniques commonly used to break into computer systems -- succeeded in crashing an NT server. The engineers quickly realised that the bug could be exploited not only to crash the NT machine but also to take it over completely.

According to eEye CEO Firas Bushnaq, the company supplied detailed information about the bug to Microsoft on June 8. However, a week later, said Bushnaq, the software giant had still not published a fix and stopped responding to e-mail correspondence about the bug.

Believing that Microsoft "was not giving the problem the attention it deserved," eEye released not only a description of the hole but two working demonstration programs that allow anyone to break into an NT server running IIS 4.0. The break-in code appears to work on any server from which a Web page can be retrieved, even if a firewall is present.

eEye explained its decision to disclose the bug, and to publish a program that lets anyone readily exploit it, in a brief note on its Web site. "We are a full-disclosure security team," they wrote. "If our team starts hiding the facts, we'll be no better than a software vendor that rushes insecure products to market."

Microsoft, however, took exception to this philosophy. "Responsible security companies do not provide tools that can be used to attack innocent people," said Microsoft security manager Scott Culp. Bushnaq, for his part, noted that a moderately skilled hacker, armed with the knowledge that the bug existed, could easily craft a program to exploit it in less than two hours.

At 6 p.m. PT on Tuesday, June 15, Microsoft published instructions describing how system administrators could implement a temporary workaround for the problem. Unfortunately, one side effect of the workaround is that users who upload pages to the NT Web server cannot employ a Web-based mechanism to change their expiring passwords, and thus may be left without access.

Microsoft's Culp says that a more permanent patch that does not have this problem is in the works. Users can subscribe to a mailing list that distributes bulletins about security problems, and remedies for them, by following the instructions on the company's Web site.

This security glitch is one of many that have plagued Windows NT and IIS. Microsoft advises customers that a long list of steps, posted at its site, should be taken whenever an NT/IIS machine is placed on the Net as a Web server. These steps include disabling many NT features, such as POSIX compatibility, and in some cases reformatting the machine's hard drives.