It's not scheduled for release until Feb. 17, but Microsoft has already released the first patch affecting Windows 2000.
The patch, released by Microsoft on Wednesday, repairs two different security bugs in Microsoft Index Server, the more egregious of which allows hackers to view files stored on a target Web server. Index Server is an add-on to Windows NT 4.0 and is built into Windows 2000 (in the form of Indexing Services). Index Server provides developers with Active Scripting and query management capabilities.
The more dangerous of the two problems, dubbed the "Malformed Hit-Highlighting Argument Vulnerability" by Microsoft, was spotted by David Litchfield of Cerberus Information Security on Jan. 17 and immediately reported to Microsoft security. The bug allows attackers to view files stored on a target Web server and represents a major threat, according to Litchfield.
"Of course, ideally you make sure there's no sensitive data on your Web server, but this can be incredibly difficult," Litchfield said.
"A lot of servers have account passwords and user names on them. Even under the best of circumstances you can end up with account information and sometimes credit card numbers stored in temporary files on the server. You should clear those files out regularly, but you still end up with a 'race condition' where attackers can try to grab them before they're erased."
Microsoft: It's all serious
"It's not for us to assess the seriousness of this problem,
because we take all security risks seriously," said Microsoft
Security Manager Scott Culp. "The important thing now is that
the patch is out, and that it fixes the problem. All of our
customers should check out our security site."
However, Litchfield's investigation of the bug suggests that the majority of Windows-based servers are at risk.
He confirmed that at least six banks and three major computer manufacturers were affected by the bug.
"The problem is that Index Server is active by default, so most people don't even realize they've got it on. Even if they see an MS alert, they're probably not going to realize that it applies to them," Litchfield said.
Culp acknowledged that many users may have the Index server active without realizing it.
"Of course, from a security perspective, you shouldn't offer any services you don't use," Culp said. "We want to make sure our customers are educated about this, and that they are aware of which services they have active and how to disable what they don't need. We've also given Windows 2000 tighter defaults and made it much easier to configure."
Second bug relatively minor
The second of the two bugs allows an intruder to access information
about the targeted network, but it is considered relatively minor.
Although several specialists assert that this problem has been
publicly discussed for several months, Culp stated that Microsoft
only became aware of it within the past two weeks.
According to Culp, both of these problems were discovered too late to be fixed in the shipping version of Windows 2000.
"These came to our attention in mid-January, and Windows 2000 went out to OEMs and many customers Dec. 15. It's a shipping product, and we're supporting as any other shipping product."
Microsoft released to manufacturing Windows 2000 on Dec. 15 and delivered it to hardware makers and some other key partners on that date. Large customers and developers received the gold code in early- to mid-January.