Microsoft fixes four flaws, one critical

Microsoft has issued three security bulletins offering patches for four recently discovered security vulnerabilities in its products. One hole in Windows NT, Windows 2000 and Windows XP was rated "critical".

The "critical" flaw is a buffer overrun in the phone book of the Remote Access Service (RAS), a standard part of Windows NT 4.0, Windows 2000 and Windows XP. An attacker could gain full control over the machine or cause it to fail, Microsoft said in its advisory.

To carry out an attack, an attacker first has to change an RAS setting on the affected system and then connect to the system using RAS. If the target system's settings restrict user access, it will not be at risk, Microsoft said. RAS is used for dial-up connections.

Another bulletin addresses a flaw in Internet Information Server (IIS) versions 4.0 and 5.0, the Web server components of Windows NT 4.0 and Windows 2000. An attacker could run arbitrary code on the system by exploiting a flaw in software that supports HTR scripting, an older and largely obsolete scripting language, Microsoft said.

HTR has been part of IIS since version 2.0. It was never widely adopted because ASP (Active Server Pages), introduced in IIS 4.0, became popular before HTR use could take off.

Virtually the only use for HTR today is a Web-based NT password management service, Microsoft said, adding that it has long recommended that customers disable HTR functionality and convert any scripts that are still needed to ASP. The IIS Lockdown Tool offered by Microsoft disables HTR by default.

A third security bulletin addresses two vulnerabilities in the SQLXML part of SQL Server 2000. SQLXML enables the transfer of XML (Extensible Markup Language) data to and from SQL Server 2000. The more serious of the two flaws could allow an attacker to take over the machine running the database, Microsoft said.

More information on the RAS flaw can be found at:
www.microsoft.com/technet/security/bulletin/MS02-029.asp

More information on the flaw in IIS versions 4.0 and 5.0 can be found at:
www.microsoft.com/technet/security/bulletin/MS02-028.asp

More information on the SQLXML flaw can be found at:
www.microsoft.com/technet/security/bulletin/MS02-030.asp
