SAN FRANCISCO: Microsoft Corp. on Wednesday announced a security patch that
fixes more than a dozen holes in its Web server software, including several
critical ones that could allow a hacker to take complete control over machines
running the popular software.
The new patch fixes all previously known security vulnerabilities with
Microsoft's Internet Information Server, as well as 10 new ones, said Lynn
Terwoerds, security program manager for the Microsoft Security Response Center.
A Microsoft spokesman said there had been no reports of anyone attempting to
take advantage of the exploits.
"This is a biggie," said Russ Cooper, editor of the NT BugTraq
e-mail list. "It's a biggie because one of the new vulnerabilities
announced involves every IIS server on Windows 2000 and Windows XP out there,
regardless of how it's configured." Many of the vulnerabilities make
computer systems susceptible to two common types of attacks: denial-of-service
and buffer overflow.
In a denial-of-service attack, a Web server is flooded with so much traffic
that it is unable to handle legitimate requests, temporarily crippling it. In a
buffer overflow, an attacker sends more data to a target computer than the
receiving program has set aside room for. The excess data spills into adjacent
memory and can be made to run on the machine as executable code under the
attacker's control.
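The buffer-overflow mechanism described above, shown as an added illustration that is not part of the original article and not code from Microsoft or IIS: a hypothetical request-field handler in C, written first with the unchecked copy that writes past a fixed-size buffer, then with a length check that refuses oversized input instead. The function names, the 16-byte field limit and the sample header values are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Hypothetical fixed-size buffer for one request header value (assumed limit). */
#define FIELD_MAX 16

/* Unchecked copy: the pattern that produces a buffer overflow.
 * If `src` holds more than FIELD_MAX - 1 bytes, strcpy keeps writing past the
 * end of `dst`, corrupting whatever sits next to it in memory. */
int copy_field_unchecked(char dst[FIELD_MAX], const char *src) {
    strcpy(dst, src);   /* no length check at all */
    return 0;
}

/* Count bytes in `s`, but never look further than `max` bytes. */
static size_t bounded_len(const char *s, size_t max) {
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened copy: measure first, refuse anything that does not fit with its
 * terminating NUL, and only then write into the buffer. Returns 0 on success,
 * -1 when the input was rejected (dst is left as an empty string). */
int copy_field_checked(char dst[FIELD_MAX], const char *src) {
    size_t len = bounded_len(src, FIELD_MAX);
    if (len >= FIELD_MAX) {
        dst[0] = '\0';
        return -1;      /* oversized: reject rather than truncate silently */
    }
    memcpy(dst, src, len + 1);   /* len + 1 copies the NUL as well */
    return 0;
}

/* Constructed sample header values: one that fits, one that would overflow. */
static const char *SAMPLE_VALUES[] = {
    "example.com",
    "this-value-is-far-longer-than-sixteen-bytes",
};

/* Run the checked copier over the samples and report how many were rejected;
 * a real server would log each rejection as a sign of malformed or hostile input. */
int count_rejected(void) {
    char buf[FIELD_MAX];
    int rejected = 0;
    size_t n = sizeof SAMPLE_VALUES / sizeof SAMPLE_VALUES[0];
    for (size_t i = 0; i < n; i++) {
        if (copy_field_checked(buf, SAMPLE_VALUES[i]) != 0) {
            printf("rejected oversized field (%zu bytes max): %s\n",
                   (size_t)FIELD_MAX - 1, SAMPLE_VALUES[i]);
            rejected++;
        }
    }
    return rejected;
}

int main(void) {
    int rejected = count_rejected();
    printf("%d of %zu sample values rejected\n",
           rejected, sizeof SAMPLE_VALUES / sizeof SAMPLE_VALUES[0]);
    return 0;
}
```

The hardened version refuses oversized input outright rather than truncating it, so the caller learns that the request was malformed and can log or drop it; the unchecked version is shown only to make the defect visible, and is never called with oversized data here.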
"The attacker could then do anything that you can do, such as change Web
pages, install and run software, or reformat the hard drive," according to
a Microsoft security notice on its Web site. "Even rarely visited Web sites
could be attacked via a virus or worm."
Customers operating a Web site using IIS versions 4, 5 and 5.1 should
download the patch. The Web software runs on Windows NT 4.0, Windows 2000 and
Windows XP and might be running without the user's knowledge, Terwoerds said.
Windows XP Professional users can receive the patch automatically via the
AutoUpdate feature. All Windows users can install the patch by going to the
automated Windows Update Web site. Patches can also be downloaded and installed
manually. Microsoft also urges users to use the IIS Lockdown Tool that disables
unnecessary features.