Microsoft Corp. disclosed today that an “extremely serious” flaw in an extension included in Windows 2000 could allow a malicious hacker to gain complete control of any computer running the Internet Information Services (IIS) 5.0 software built into that operating system.
In a bulletin posted on its Web site, Microsoft said the vulnerability is caused by an unchecked buffer in an extension that provides native support for Internet printing capabilities within Windows 2000. The software vendor “strongly” urged all IIS 5.0 users to install a new patch that’s supposed to fix the problem.
Scott Culp, a program manager at Microsoft’s security response center, went even further in an interview, saying it’s “imperative” that anyone running IIS 5.0 apply the patch. The hole is especially serious because it could enable an attacker to run code that would give him complete control of Windows 2000 on a vulnerable server. “There is literally nothing [an attacker] could not do,” Culp said.
Information about the vulnerability has been distributed to hundreds of thousands of Microsoft users and business partners, he added. The hole was first reported to Microsoft 10 days ago by eEye Digital Security, an Aliso Viejo, California-based security software vendor that has posted its own advisory about the vulnerability.
While the new flaw is considered serious, Culp said it would affect only those users who have explicitly turned on IIS 5.0 and the Internet Printing Protocol feature offered as part of Windows 2000. The problematic extension that implements the protocol is installed by default on all Windows 2000-based servers, but it can be accessed only via IIS 5.0.
Marc Maiffret, chief hacking officer at eEye, said the security vendor reported the hole to Microsoft almost two weeks ago. Microsoft confirmed the vulnerability and then created the patch that was released today. The problem affects systems running Windows 2000 Server, Windows 2000 Advanced Server and Windows 2000 Datacenter Server.
According to eEye’s advisory, a filter on the Internet Server Application Program Interface (ISAPI) extension that controls the Internet printing commands “does not do proper ‘bounds checking’ on user-inputted buffers.” That makes it susceptible to buffer overflow attacks that could give hackers the keys they need to gain system-level access to servers.
Once that’s accomplished, Maiffret said, an attacker could view all files on a penetrated server and execute any commands. He added that the vulnerability poses a potential threat to Windows 2000 servers running at “everything from mom-and-pop shops to Fortune 100 companies.”
While the hole itself is somewhat obscure, security analysts said ways to exploit it are sure to be developed and shared among would-be attackers. Maiffret said eEye is posting “a proof-of-concept exploit that can’t be used maliciously,” but he and William Wall, a senior security engineer at Harris Corp.’s network security unit in Melbourne, Fla., agreed that instructions for taking advantage of the hole will be widespread within a few days.
As a result, systems administrators need to act quickly to ensure that their corporate servers don’t get attacked, Maiffret said. “As soon as somebody learns about [the hole], they need to install the patch,” he advised. “They shouldn’t wait an hour or a day.”
Sam Costello is a reporter for the IDG News Service.
