O.C. Firm Spots Security Flaw in Microsoft Server Software

Microsoft Corp. has released a patch to fix a security flaw that could allow a hacker to gain complete control in seconds of a Web site running Windows 2000 Internet server software.

The security flaw was discovered about two weeks ago in the software’s Internet printing component by EEye Digital Security Inc. in Aliso Viejo, which was testing the latest version of its own security scanning software.

The software, called Retina, was recently upgraded and was being tested against a Windows server in EEye’s lab when the flaw in the Microsoft product was found, said Marc Maiffret, the company’s chief hacking officer.

“Basically, our scanner looks at a piece of software like a hacker would,” Maiffret said. “When it found [the flaw], we then had to make sure it was a vulnerability that could do more than just crash the server.”

Maiffret said EEye determined the security flaw could indeed enable a hacker to break in and gain complete control of a Web site using the Windows 2000 5.0 server software. At least a million such sites are on the Internet, he said. Up to 5 million sites use Microsoft Internet Server software, but not all have upgraded to the 5.0 version.

“The thing that’s different about this flaw compared to some other flaws is that it basically affects every installation, no matter what security patches you have installed,” Maiffret said.

Microsoft security program manager Scott Culp said customers running any version of the Internet server software would be vulnerable to an attack unless they had taken certain security steps that could have disabled the Internet printing component that has the flaw.

“It is certainly a serious vulnerability,” Culp said.

The flaw is especially nasty because most firewall programs will not protect against this type of attack, said Richard Reiner, head of security operations for FSC Internet Corp. in Toronto.

He said the biggest concern now is that the flaw has been made public but not all companies using the software may know of it.

“It’s going to be a long window of vulnerability,” he said.

Microsoft said it is doing everything it can to notify customers as quickly as possible. A fix is available on the company Web site, and customers also have been notified through subscription lists and Microsoft technicians, Culp said.

The problem is serious enough to delay the release of Windows 2000 Service Pack II, a Windows 2000 operating system update that was nearly ready to ship but now will be completely reworked to fix the flaw.

Culp said the company did not know when the product would be released or how much the delay would cost Microsoft. He said Microsoft had no reports of hacker attacks resulting from the flaw.

This is the second major security flaw that EEye has discovered with Windows 2000 Internet server software. The last one was discovered in 1999.

More Inside

Hacker Heaven: Microsoft’s Internet server software has a flaw that could allow hackers to gain total control of a Web site. C3