Microsoft urges urgent action on Windows security hole

A vulnerability affecting every version of Windows 2000 and current Windows XP betas allows remote attackers to take control of victims' machines
Written by Matt Loney, Contributor

Systems running beta versions of Microsoft Windows XP, as well as production versions of Windows 2000 Professional, Server, Advanced Server and Datacenter Server, have a bug that allows a remote intruder to run any code on the victim machine, according to CERT, the pre-eminent reporting centre for Internet security problems.

Systems running Microsoft Windows NT 4.0 with IIS 4.0 or IIS 5.0 enabled are also affected by the vulnerability, which gives an intruder complete control over the target machine.

Microsoft said the problem is a "serious vulnerability", and said it is urging all customers to "take action immediately".

While patches are available for Windows NT 4.0 and for Windows 2000 systems, there is no patch available for the Windows XP beta. CERT is advising Windows XP users to "upgrade to a newer version of the software when it becomes available".

According to CERT, specific technical details on how to create an exploit are publicly available for this vulnerability. "System administrators should apply fixes or workarounds on affected systems as soon as possible," said the organisation in its alert this morning.

The problem, which was discovered by eEye Digital Security, stems from a remotely exploitable buffer overflow in one of the ISAPI extensions installed with most versions of IIS 4.0 and 5.0. ISAPI extensions are dynamic link libraries (DLLs) that provide extended functionality. The DLL causing the problem is called idq.dll, which provides support for administrative scripts (.ida files) and Internet Data Queries (.idq files).

According to Microsoft, an attacker who could establish a web session with a server on which idq.dll is installed "could conduct a buffer overrun attack and execute code on the web server... giving the attacker complete control of the server and allow him to take any desired action on it".

The company said that customers who cannot install the patch can protect their systems by removing the script mappings for .idq and .ida files via the Internet Services Manager in IIS. But even this can cause problems because it is possible for these mappings to be automatically reinstated if additional system components are added or removed. Because of this, Microsoft recommends that all customers using IIS install the patch, even if the script mappings have been removed.
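A recurring check for the reinstated-mapping problem described above, as an added example that is not part of the original article or of Microsoft's guidance: it scans exported script-map entries and reports any .ida/.idq mapping, or any other extension handled by idq.dll. The `extension,handler path,flags,verbs` entry layout, the function names and the sample entries are assumptions constructed for illustration.

```python
import ntpath

# Extensions and handler named in the advisory text above.
RISKY_EXTENSIONS = {".ida", ".idq"}
RISKY_HANDLER = "idq.dll"

# Constructed sample export (assumed layout: ext,handler,flags,verbs...).
SAMPLE_ENTRIES = [
    r'".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"',
    r'".ida,C:\WINNT\System32\idq.dll,0,GET,HEAD,POST"',
    r'".IDQ,C:\WINNT\System32\IDQ.DLL,0,GET,HEAD,POST"',
    r'".htw,C:\WINNT\System32\webhits.dll,0,GET,HEAD,POST"',
]


def parse_script_map(entry):
    """Split one exported entry into extension, handler path and verbs."""
    parts = [p.strip() for p in entry.strip().strip('"').split(",")]
    if len(parts) < 2 or not parts[0] or not parts[1]:
        raise ValueError(f"malformed script map entry: {entry!r}")
    return {"ext": parts[0].lower(), "handler": parts[1], "verbs": parts[3:]}


def find_idq_mappings(entries):
    """Return (extension, handler) pairs that still reach idq.dll."""
    findings = []
    for entry in entries:
        if not entry.strip():
            continue  # tolerate blank lines in the export
        m = parse_script_map(entry)
        # Windows paths are case-insensitive, so compare the lowered basename.
        handler_name = ntpath.basename(m["handler"]).lower()
        if m["ext"] in RISKY_EXTENSIONS or handler_name == RISKY_HANDLER:
            findings.append((m["ext"], m["handler"]))
    return findings


if __name__ == "__main__":
    for ext, handler in find_idq_mappings(SAMPLE_ENTRIES):
        print(f"mapping still present: {ext} -> {handler}")
```

Run against a fresh export after every component install or removal, since that is when the article says the mappings can reappear.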

The patch for Windows NT 4.0 is available here, while the patch for Windows 2000 Professional, Server, and Advanced Server can be found here. CERT said that users of Windows 2000 Datacenter Server software should contact the company that supplied the hardware for patches.
