Microsoft fixes four flaws, one critical

Microsoft has issued three security bulletins offering patches for four recently discovered security vulnerabilities in its...

Microsoft has issued three security bulletins offering patches for four recently discovered security vulnerabilities in its products. One hole in Windows NT, Windows 2000 and Windows XP was rated "critical".

The "critical" flaw is a buffer overrun in the phone book of the Remote Access Service (RAS), a standard part of Windows NT 4.0, Windows 2000 and Windows XP. An attacker could gain full control over the machine or cause it to fail, Microsoft said in its advisory.

To carry out an attack, an attacker first has to change an RAS setting on the affected system, before connecting to the system using RAS. If the target system's settings restrict user access, it will not be at risk, Microsoft said. RAS is used for dial-up connections.

Another bulletin addresses a flaw in Internet Information Server (IIS) versions 4.0 and 5.0, the Web server components of Windows NT 4.0 and Windows 2000. An attacker could run arbitrary code on the system by exploiting a flaw in software that supports HTR scripting, an older and largely obsolete scripting language, Microsoft said.

HTR has been part of IIS since version 2.0. It was never widely adopted because ASP (Active Server Pages), introduced in IIS 4.0, became popular before HTR use could take off.

Virtually the only use for HTR today is a Web-based NT password managed service, Microsoft said, adding that it has long recommended customers to disable HTR functionality and convert scripts that are needed to ASP. The IIS Lockdown Tool offered by Microsoft disables HTR by default.

A third security bulletin addresses two vulnerabilities in the SQLXML part of SQL Server 2000. SQLXML enables the transfer of XML (Extensible Markup Language) data to and from SQL Server 2000. The most serious of the flaws could allow an attacker to take over the machine running the database, Microsoft said.

More information on the RAS flaw can be found at:

More information on the flaw in IIS versions 4.0 and 5.0 can be found at:

More information on the SQLXML flaw can be found at:



Enjoy the benefits of CW+ membership, learn more and join.

Read more on Hackers and cybercrime prevention



Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:




  • Dissecting the Hack

    In this excerpt from chapter three of Dissecting the Hack: The V3RB0TEN Network, authors Jayson E. Street, Kristin Sims and Brian...

  • Digital Identity Management

    In this excerpt of Digital Identity Management, authors Maryline Laurent and Samia Bousefrane discuss principles of biometrics ...

  • Becoming a Global Chief Security Executive Officer

    In this excerpt of Becoming a Global Chief Security Executive Officer: A How to Guide for Next Generation Security Leaders, ...