Microsoft races to fix security hole

A hole in Internet Information Server 5.0, described as serious, could give system level access to a hacker
Written by ZDNet Staff, Contributor

Microsoft has announced a serious security hole in its flagship Web server software, and on Tuesday was racing to convince system administrators to patch their Web servers before online vandals compromise their systems.

The flaw affects Windows 2000 server software running version 5.0 of Internet Information Server (IIS). The hole is in Windows 2000's Internet printing module but can only be exploited if IIS is activated.

"It is a serious vulnerability," said Scott Culp, security product manager for the software giant. "We are going to some extraordinary steps. We want to make sure the people know about this vulnerability and apply the fix now."

The vulnerability affects servers with Internet printing turned on, which is the software's default setting. By sending a specially formatted string of characters, a remote user can make the printing module grant full access to the Web server.

Marc Maiffret, chief hacking officer for network protection firm eEye Digital Security, said the vulnerability is very serious.

"There are at least a million web servers sitting on the Internet that, within a few minutes, you can get system level access to them," he said. The Californian company discovered the flaw two weeks ago and notified Microsoft immediately.

The flaw allows suitably crafted remote commands to overflow memory used by the Internet printing service's ISAPI (Internet Server Application Programming Interface) component.

Web servers using Microsoft's IIS 4.0 software are not affected by the flaw. Companies that have set up their Web server with the printing turned off -- as outlined in Microsoft's "IIS Security Checklist" guidelines -- or used the IIS Security Lockdown Tool don't need to worry about the vulnerability, either.

Microsoft has taken extraordinary steps to try to convince system administrators to patch the software.

Microsoft posted a patch and security advisory on its site yesterday describing the vulnerability.

In addition, the company notified information-sharing and analysis centers, which informed key sectors, such as the telecommunications industry and the information technology industry, of critical security holes.

Microsoft has decided to hold Service Pack 2 -- a collection of updates and bug fixes -- for Windows 2000 until it can integrate the patch with the update.

"The update was in the can, and we delayed it because this fix has to go in," Culp said.

The announcement of the vulnerability comes at a bad time, as Chinese and American online vandals have apparently started cooperating for a weeklong string of attacks on government and corporate servers to protest the actions of each other's governments.

Bill Wall, chief security engineer for technology support firm Harris, said that online vandals will most likely have an exploit for the new flaw in a matter of hours.

"This will be the next vulnerability of choice for breaking into Web servers by hackers," he said.
