Microsoft goes on a bug hunt

Since 16 February -- the day before it officially launched Windows 2000 -- Microsoft has issued five separate official security bulletins, with independent analysts delivering several more. To top it off, antivirus vendors last week announced the discovery of the first confirmed Windows-based Denial of Service (DoS) tool.

Perhaps the most dangerous of these issues, which was first announced by veteran bug-spotter Juan Cuartago, may present a threat to Internet Explorer (IE) and Outlook users. The problem lies in an ActiveX control called MS Active Setup, which can automatically install Microsoft-authenticated code onto a Windows-based machine. The install process can be triggered without any warning simply by visiting a Web page or viewing an email containing the code.

However, according to the Microsoft Security Response Team, this automatic installation is a feature, rather than a bug. In an email to the BugTraq mailing list, the Microsoft team states that the feature was included "in order to improve our customers' experience while downloading software from Microsoft Web sites".

Alfred Huger, vice president of engineering for SecurityFocus.com, says he believes that Active Setup presents a significant problem. "Microsoft has signed software components which have later turned out to have security holes, and they're still floating around out there. Someone could use this ActiveX bug to put one of these components on your machine, which then leaves you open to attack," explained Huger.

Cuartago has gone even further, accusing Microsoft of leaving a "back door" in Windows systems.

Currently, there is no patch or workaround for this issue, although Microsoft Security has promised to allow users to make the installation process optional in future versions of Active Setup.

Independent analyst Georgi Guninski announced a bug in Microsoft's Wordpad application that may present a further risk for IE and Outlook users. According to Guninski, a malicious HTML file accessed in a browser or email client can trick Wordpad into executing malicious code. As of yet, there is no patch for this problem.

Two of the five official Microsoft bulletins issued last past week warn of other vulnerabilities also effecting IE users. For example, the "Image Source Redirect Vulnerability" allows a Web server to steal files from an IE user's computer, provided they can be opened in a browser window. The "VM File Reading Vulnerability" has a similar impact, allowing a Web server to send out malicious Java applets that can access files on an IE user's machine. Microsoft has posted patches for both of these bugs on its security and Windows update Web sites.

Meanwhile, several security vendors also announced the first confirmed sightings of a Windows-based "Trin00" daemon last week -- one of a class of tools used in the type of DoS attacks that recently brought down CNN, Yahoo!, ZDNet and other large Web sites. These daemons allow attackers to hijack "innocent" computers and use them to flood Web sites with fake traffic. By giving attackers potential access to millions of Windows machines connected to the Internet -- particularly those with DSL or cable and modem connections -- this new software vastly increases the amount of the DoS firepower available. Moreover, the new daemon has been modified to make it much easier to distribute covertly.

A Microsoft spokeswoman noted that the DoS problem isn't specific to Windows. "Clearly, such a program can be written for any platform, although we can't say what specific platforms it has been written for. What makes the program malicious is not the technical details of the program, but rather the human factors -- how it's installed on the target machine, and what scenario it's used in," she said.

The remaining alerts have addressed relatively minor issues in the Windows 2000 installation process and various server applications. Microsoft has released patches for bugs in Systems Management Server, Site Server 3.0 and Windows Media Services 4.0 and 4.1. Reported bugs in the Windows 2000 installer and FrontPage Personal Web Server are under investigation.

SecurityFocus.com's Huger believes the sudden flood of bugs, right on the heels of the Windows 2000 launch, is a coincidence. "If anything, they [Microsoft] have gotten better; their response times have certainly improved tremendously," claims Huger.

"The Microsoft Security Response Center provides customers patches and workarounds in a timely and thorough manner," said the Microsoft spokeswoman. She emphasised the importance of public participation in the security process. "Microsoft encourages customers who have security questions or issues to send them into secure@microsoft.com, where each issue will be reviewed, evaluated and responded to."

Take me to the NEW Windows special.

What do you think? Tell the Mailroom and read what others have to say.