Windows 2000 bug reports and hotfixes have slowed to a trickle during the past few months. This slowdown always presages the release of a new service pack. As of June 8, the Microsoft Knowledge Base contained 23 Win2K pre–Service Pack 5 (SP5) articles, including the recommended Layer Two Tunneling Protocol (L2TP), IP Security (IPSec), and Network Address Translation (NAT) update I described in last week's column (http://www.winnetmag.com/windowsserver2003/index.cfm?articleid=39166). These pre–SP5 articles indicate that SP4 won't include fixes for several USB problems or problems with terminal servers that fail in high-stress environments. Using history as a guide, we can expect SP4 sometime during June or July. So ramp up your software distribution scripts and put SP4 on the schedule for a late summer or early fall deployment.

The Newest IIS Security Rollup
After engaging in numerous real-time cyber–sword fights against malicious intruders for weeks, I am particularly sensitive to Microsoft IIS security hotfixes these days. Although I don't yet have all the data I need to do a technically correct forensic analysis of the break-in I'm researching, it appears that intruders used a Trojan Horse to hijack the Web server for nefarious purposes. My top candidates for the hijackers' activity include pushing spam files or stolen software through the Internet. The hijacking ended with a firewall that's now dead and refuses to boot. When I finish the postmortem and determine how the intruders tapped into a well-protected firewall and the Web server, I'll pass on what I've learned.

In the meantime, I strongly encourage you to update all your Internet Information Services (IIS) 5.1, IIS 5.0, and Internet Information Server (IIS) 4.0 Web servers with the latest IIS security rollup, which you can learn about in the Microsoft article "MS03-018: May 2003 Cumulative Patch for Internet Information Services (IIS)" (http://support.microsoft.com/?kbid=811114). The article contains download links for all affected IIS versions. In the never-ending battle between developers and crackers, the latest IIS security rollup closes four new vulnerabilities, including a cross-site scripting security problem, a buffer overflow, and two forms of Denial of Service (DoS) attacks. Although none of the fixes are rated critical, keeping your IIS servers patched and current is important. Failure to do so opens the door to more sophisticated exploits that leverage the same flaws in the future. The rollup

• Eliminates a cross-site scripting vulnerability that lets an IIS server redirect an Active Server Pages (ASP) script meant for server A to an alternate IIS server, server B. Server B responds to the client request, and the redirected script executes using the security settings on server B rather than the settings on server A. If server B is less secure, the script runs with elevated privileges.

• Eliminates a buffer overflow that occurs in Win2K IIS servers because this version doesn't correctly validate requests for server-side include files. A malicious user can leverage this flaw by uploading a script that generates the buffer overflow to the unsecured server. After the buffer overflow occurs, the malicious user can run code with unrestricted access in the security context of the System.

• Eliminates a DoS vulnerability in Win2K and NT IIS servers that occurs because IIS doesn't limit the amount of memory a script can allocate when creating the header for an HTTP response. To exploit this flaw, an attacker must first place a page with suitably programmed ASP script onto an unsecured server. If the script allocates a large enough block of memory, IIS dies.

• Eliminates a second DoS vulnerability in Windows XP and Win2K IIS servers that occurs because of how IIS responds to errors when it processes a long WWW Distributed Authoring and Versioning (WebDAV) request. When an attacker exploits this flaw, IIS stops and immediately restarts. If you secure your servers with the IIS Lockdown utility, this tool disables WebDAV authoring.
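One way to confirm that WebDAV authoring really is off after locking a server down, as an added example that is not part of the original column: it inspects the headers of an HTTP OPTIONS response for WebDAV indicators. The function names are illustrative and the sample responses are constructed for the example.

```python
import http.client
from email.parser import Parser

# Methods defined by the WebDAV specification (RFC 2518). A server that lists
# them in Allow/Public is still advertising WebDAV support.
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "COPY", "MOVE", "LOCK", "UNLOCK"}

def webdav_findings(raw_response: str) -> list[str]:
    """Return the reasons an OPTIONS response suggests WebDAV is enabled."""
    head = raw_response.replace("\r\n", "\n").split("\n\n", 1)[0]
    _status, _, header_block = head.partition("\n")
    headers = Parser().parsestr(header_block, headersonly=True)
    findings = []
    if headers.get("DAV"):
        findings.append("DAV compliance header: " + headers["DAV"].strip())
    if headers.get("MS-Author-Via", "").strip().upper() == "DAV":
        findings.append("MS-Author-Via: DAV")
    advertised = set()
    for name in ("Allow", "Public"):
        for value in headers.get_all(name, []):
            advertised |= {m.strip().upper() for m in value.split(",")}
    exposed = sorted(advertised & WEBDAV_METHODS)
    if exposed:
        findings.append("WebDAV methods advertised: " + ", ".join(exposed))
    return findings

def fetch_options(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Send OPTIONS / to a server and rebuild the response head as text."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("OPTIONS", "/")
        resp = conn.getresponse()
        lines = [f"HTTP/1.1 {resp.status} {resp.reason}"]
        lines += [f"{k}: {v}" for k, v in resp.getheaders()]
        return "\r\n".join(lines) + "\r\n\r\n"
    finally:
        conn.close()

# Constructed sample responses (not captured from a real server).
SAMPLE_WEBDAV_ON = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
    "MS-Author-Via: DAV\r\nDAV: 1, 2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, PROPPATCH, LOCK, UNLOCK\r\n\r\n"
)
SAMPLE_LOCKED_DOWN = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, POST\r\nContent-Length: 0\r\n\r\n"
)
```

An empty result from `webdav_findings(fetch_options(host))` means the server is no longer advertising WebDAV on that URL; run it against each Web site the server hosts.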

If you stay on top of security fixes, you no doubt have already updated client systems running Microsoft Office with the identity spoofing hotfix in Microsoft Security Bulletin MS02-050 (Certificate Validation Flaw Could Enable Identity Spoofing). If you haven't installed the client certificate hotfix, you should do so before you install the IIS security rollup. The bulletin has download links for this identity spoofing update for a variety of clients, including XP, Win2K, Windows 9x, and Macintosh. If you don't update your clients and IIS requires certificates for authentication, IIS will reject the client certificates when the clients attempt to connect to the updated IIS server.

I also want to remind you to update Microsoft Internet Explorer (IE) on all your systems with the security rollup Microsoft released on April 24. If you don't install the rollup, a malicious user can exploit the latest batch of vulnerabilities from a Web site or an HTML-based email message to download and run code on unpatched systems. I describe the risks and provide the download links for all versions of IE in my May 27 column (http://www.winnetmag.com/articles/index.cfm?articleid=39094).