Posted on 02/11/2002 1:08:07 PM PST by Dominic Harr
MS server bugs open the door to hackers
Mon Feb 11, 4:43 PM ET
By Matthew Broersma, ZDNet News
Microsoft has warned of vulnerabilities in its Exchange 2000 server software and Telnet remote-access service that could open the doors to malicious hackers.
Microsoft recently launched a security initiative unprecedented in the company's history, which begins this month with a top-down review of the code of key products to root out underlying flaws. The appearance of these two new flaws emphasises the difficulty of the task the company faces. Many security experts accuse Microsoft of adhering to lax security standards until now.
The Telnet bug affects the Telnet Service in Windows 2000 and the Telnet Daemon in Microsoft Interix 2.2. Telnet is a service that allows users to remotely access a computer; Interix lets users run Unix applications on a Windows system.
The two Telnet products contain unchecked buffers, which means that a malicious hacker could cause a buffer overflow, causing the Telnet Server to fail, and in some cases allowing the hacker to execute code of his or her choice on the system.
Microsoft rates this vulnerability as a medium risk, but other organizations say it's more serious. For example, the U.S. Government's Computer Incident Advisory Capability (CIAC) flagged the risk as "high".
Telnet is installed by default in Windows 2000 systems, but is not running by default, meaning an administrator would have to have started the service. The server would be accessible to an Internet attack if Telnet were configured to allow users from outside the company's network, Microsoft said. Anyone who could connect to the telnet service could attempt to exploit the hole.
Microsoft's patch for the Telnet Service in Windows 2000 is here. The patch for the Interix 2.2 is here. To install the Windows 2000 patch, users must already have Windows 2000 Service Pack 1 or 2.
The Exchange vulnerability
The Exchange bug, at its worst, would allow a malicious hacker to access the server's system registry, gaining details about the software running on the system, or changing the registry.
Microsoft rates the problem as a low risk, while an advisory from security firm WatchGuard Technologies classed it as a medium risk.
The problem is with the Microsoft Exchange System Attendant, which helps maintain the Exchange system. To allow remote administration of the server, the System Attendant changes the permissions of the Windows Registry. However, it incorrectly gives the "Everyone" group privileges to access the registry, something only administrators should normally have.
Microsoft cautions that although this privilege only allows users to view the registry, an incorrectly configured registry could allow them the ability to modify registry settings. The information in the registry could also help hackers launch an attack on the Exchange server.
Microsoft's patch for the Exchange Server 2000 is here.
This week Microsoft plans to release a patch for a bug with MSN Messenger that allowed any Web site to grab a visitor's IM nickname and buddy list. A few days ago, gamers had problems connecting to the Microsoft Network owing to a glitch with the company's Passport log-in service. In August, Microsoft patched a hole in Hotmail that could allow a person's email to be read by others.
Robert Lemos contributed to this report.
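An added example, not part of the article or of Microsoft's advisory: an offline audit of a registry key's security descriptor (in SDDL text form) that reports whether the Everyone group is granted access and whether that access is view-only or allows modification, the distinction the Exchange section draws. The SDDL strings are constructed samples, since the article does not name the affected key, and the function names are hypothetical.

```python
import re

# Trustee field: "WD" (World) and S-1-1-0 both name the Everyone group.
EVERYONE = {"WD", "S-1-1-0"}
ALLOW_TYPES = {"A", "OA", "XA"}  # access-allowed ACE types
# Rights field: SDDL code -> mask bits. Here "WD" means WRITE_DAC, not Everyone.
RIGHTS = {
    "GA": 0x10000000, "GR": 0x80000000, "GW": 0x40000000, "GX": 0x20000000,
    "SD": 0x10000, "RC": 0x20000, "WD": 0x40000, "WO": 0x80000,
    "KA": 0xF003F, "KR": 0x20019, "KW": 0x20006, "KX": 0x20019,
    "CC": 0x1, "DC": 0x2, "LC": 0x4, "SW": 0x8, "RP": 0x10, "WP": 0x20,
}
# Bits that let a caller change the key: set value, create subkey, create link,
# DELETE, WRITE_DAC, WRITE_OWNER, GENERIC_WRITE, GENERIC_ALL.
MODIFY = 0x2 | 0x4 | 0x20 | 0x10000 | 0x40000 | 0x80000 | 0x40000000 | 0x10000000

def rights_mask(field):
    """Convert an SDDL rights field (hex mask or two-letter codes) to an int."""
    if field.lower().startswith("0x"):
        return int(field, 16)
    if len(field) % 2:
        raise ValueError(f"malformed rights field: {field!r}")
    mask = 0
    for i in range(0, len(field), 2):
        mask |= RIGHTS[field[i:i + 2]]  # KeyError on a code this table lacks
    return mask

def everyone_aces(sddl):
    """Return (mask, can_modify) for each allow ACE in the DACL granted to Everyone."""
    dacl = re.search(r"D:[A-Z_]*((?:\([^()]*\))*)", sddl)
    findings = []
    for ace in re.findall(r"\(([^()]*)\)", dacl.group(1) if dacl else ""):
        fields = ace.split(";")
        if len(fields) < 6:
            raise ValueError(f"malformed ACE: {ace!r}")
        ace_type, rights, trustee = fields[0], fields[2], fields[5]
        if ace_type in ALLOW_TYPES and trustee in EVERYONE:
            mask = rights_mask(rights)
            findings.append((mask, bool(mask & MODIFY)))
    return findings

# Constructed sample descriptors (not taken from a real Exchange server).
READ_ONLY = "O:BAG:SYD:PAI(A;CI;KA;;;BA)(A;CI;KA;;;SY)(A;CI;KR;;;WD)"
WRITABLE = "O:BAG:SYD:(A;CI;KA;;;BA)(A;CI;KRKW;;;S-1-1-0)"
ADMIN_ONLY = "O:BAG:SYD:(A;;KA;;;BA)(A;;RCWD;;;BA)"

if __name__ == "__main__":
    for name, sddl in [("read-only", READ_ONLY), ("writable", WRITABLE), ("admin-only", ADMIN_ONLY)]:
        print(name, [(hex(m), w) for m, w in everyone_aces(sddl)])
```

An empty result means Everyone has no allow ACE on the key; a `True` flag marks the case where the grant goes beyond viewing.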
Mr. Gates's new 'Trustworthy Computing' initiative is off to a rocky start.
I think it'll take mucho time to do, because it's a big ship.
But these security problems are still news . . .
Check the last thread, linked to above. I'm defending MS on this stuff, at least for the time being.
They deserve a chance to prove themselves.
*nix has never ever had a patch... right?
Indexing...
To find excuses and circular reasoning using Microsoft_Security_Failure_List, click below:
click here >>> Microsoft_Security_Failure_List <<< click here
(To view all FR Bump Lists, click here)
Odd how defensive some people seem to get when MS security and quality problems are reported.
I think it's that kind of 'bunker' mentality that Mr. Gates is currently trying to end. In order to make quality software and fix all security bugs, an open mind is absolutely essential. You must be willing to find the flaws in your product, instead of just covering them up and being defensive.
Methinks that in 5-7 years, Microsquish will probably have the most bulletproof AND easily secured apps and OS in the world, because Bill's memo said (well, ya gotta read between the lines for this) "Attention MicroSerfs, there is a Blue Light Special on stock options for making our stuff secure!"
Sorry dude, I just don't get all that emotionally wrought over the software that I or other people care to use. I simply tire of all the handwringing by some that just hate MS for the sheer hipness of it. Because... that's all it is. The hippest of the dweeb clubs have it at about number two or three on their membership exam.
Lots of people will continue to use MS products. Get over it.
I have to say, I don't see where I did any kind of gloating. More shock and dismay. If I sounded like I was gloating, forgive me.
I'm a Windows guy. I've never owned a Mac, and only played with Linux. Although some of my stuff gets deployed on Unix, that's the Accounting dept's choice, not mine. I don't know much about Unix at all.
I want this stuff fixed. I want the quality problems to end. It's time for the entire software industry to grow up. Someday, people are going to want basic consumer protection laws to apply to software -- things like it must work as advertised.
MS's 'most secure OS ever', and Oracle's 'Unbreakable', campaigns are absolutely amazing.
It's time to fix this stuff.
Which means Dom is popping open a cold one.
In Harr-ville, the sun is shining, Microsoft has problems, and God's in His heaven.
Until MS stops using poorly designed programs to design their poorly designed programs they will never have anything close to a secure product. Programmers were true programmers back when they used Machine and/or Assembly language to design programs/routines. Programs that were 10k or less in size are now 1 meg+ in size. Like everything else anymore, most companies are more interested in speed versus quality. Or in the words of that much maligned computer "geek", garbage in = garbage out.
God Bless America
Some things that come across in voice don't travel so well by text only.
At any rate, my guess is that "SecureWindows 1.0" won't be secure, V2.0 won't be completely secure and will be impossible to configure, V3.0 will be mostly secure, but the remaining bugs will be nasty, and the help files will look like they were translated from Urdu to Sanskrit by way of Gaelic before getting a quick run through Babelfish, V4.0 will start being ready for prime time, and V5.0 will be damn near unbreakable by anything short of shooting the hard disk.
And the industrial-grade MS flying monkeys have yet to report in...
Lots of people will continue to use MS products. Get over it.
Really? Quality doesn't matter to you? That's fine; it does matter to a lot of people.
And some people continue to use MS products simply because they're unwilling or unable to try something else. And their boxes will continue to be exploited by the black hats and their systems will continue to destabilize because new "stupid" bugs like these will continue to be found.
An unchecked buffer is one of the oldest bugs in the world. It is so easy to check for and prevent one of these, it really is stupid to let one through.
Oh yeah, people will continue to get angry at the messenger who brings bad tidings because they're really angry at themselves for being taken in. They wouldn't dream of blaming MS for marketing a product that's full of holes. MS says it's fine, and that's good enough for them.
So we just settle for mediocrity? I don't think so. Mr. Gates evidently doesn't think so, either.