The "critical" flaw is a buffer overrun in the phone book of the Remote Access Service (RAS), a standard part of Windows NT 4.0, Windows 2000 and Windows XP. An attacker could gain full control over the machine or cause it to fail, Microsoft said in its advisory.
To carry out an attack, an attacker first has to change an RAS setting on the affected system, before connecting to the system using RAS. If the target system's settings restrict user access, it will not be at risk, Microsoft said. RAS is used for dial-up connections.
Another bulletin addresses a flaw in Internet Information Server (IIS) versions 4.0 and 5.0, the Web server components of Windows NT 4.0 and Windows 2000. An attacker could run arbitrary code on the system by exploiting a flaw in software that supports HTR scripting, an older and largely obsolete scripting language, Microsoft said.
HTR has been part of IIS since version 2.0. It was never widely adopted because ASP (Active Server Pages), introduced in IIS 4.0, became popular before HTR use could take off.
Virtually the only use for HTR today is a Web-based NT password management service, Microsoft said, adding that it has long recommended that customers disable HTR functionality and convert any scripts they still need to ASP. The IIS Lockdown Tool offered by Microsoft disables HTR by default.
A third security bulletin addresses two vulnerabilities in the SQLXML part of SQL Server 2000. SQLXML enables the transfer of XML (Extensible Markup Language) data to and from SQL Server 2000. The more serious of the two flaws could allow an attacker to take over the machine running the database, Microsoft said.
More information on the RAS flaw can be found at:
More information on the flaw in IIS versions 4.0 and 5.0 can be found at:
More information on the SQLXML flaw can be found at: