The patch, released by Microsoft on Wednesday, repairs two different security bugs in Microsoft Index Server, the more egregious of which allows hackers to view files stored on a target Web server. Index Server is an add-on to Windows NT 4.0 and is built into Windows 2000 (in the form of Indexing Services). Index Server provides developers with Active Scripting and query management capabilities.
The more dangerous of the two problems, dubbed the "Malformed Hit-Highlighting Argument Vulnerability" by Microsoft (Nasdaq: MSFT), was spotted by David Litchfield of Cerberus Information Security on Jan. 17 and immediately reported to Microsoft security. The bug allows attackers to view files stored on a target Web server and represents a major threat, according to Litchfield.
"Of course, ideally you make sure there's no sensitive data on your Web server, but this can be incredibly difficult," Litchfield said.
"A lot of servers have account passwords and user names on them. Even under the best of circumstances you can end up with account information and sometimes credit card numbers stored in temporary files on the server. You should clear those files out regularly, but you still end up with a 'race condition' where attackers can try to grab them before they're erased."
Microsoft: It's all serious
"It's not for us to assess the seriousness of this problem, because we take all security risks seriously," said Microsoft Security Manager Scott Culp. "The important thing now is that the patch is out, and that it fixes the problem. All of our customers should check out our security site."
However, Litchfield's investigation of the bug suggests that the majority of Windows-based servers are at risk.
He confirmed that at least six banks and three major computer manufacturers were affected by the bug.
"The problem is that Index Server is active by default, so most people don't even realize they've got it on. Even if they see an MS alert, they're probably not going to realize that it applies to them," Litchfield said.
Culp acknowledged that many users may have Index Server active without realizing it.
"Of course, from a security perspective, you shouldn't offer any services you don't use," Culp said. "We want to make sure our customers are educated about this, and that they are aware of which services they have active and how to disable what they don't need. We've also given Windows 2000 tighter defaults and made it much easier to configure."