New security problems continue to be reported in Microsoft products, and both
Windows users and server administrators should watch out for them. Below are
summaries of some of the more recent alerts.
Exchange 2000. In late May, Microsoft reported a critical vulnerability
affecting email servers running Exchange 2000. To exploit the flaw, sophisticated
attackers could create malformed email messages, ultimately causing a denial-of-service
attack. Once the process starts, it can't be stopped, and the server can
be crippled for several hours. For details, see "MS sounds siren about
Exchange hole" at
http://zdnet.com.com/2100-1104-928091.html
Cumulative Patch for Internet Explorer 5.01, 5.5, and 6.0. Six additional
vulnerabilities uncovered in Internet Explorer 5.01, 5.5, and 6.0 have led
Microsoft to issue a new cumulative patch. In addition to addressing these new
security holes, this patch (available at http://www.microsoft.com/technet/security/bulletin/MS02-023.asp)
includes the functions of all previously released patches for these versions
of IE.
Cross-site scripting (CSS), the most serious of the new IE vulnerabilities,
has the potential to allow attackers to take control of a local computer zone
and run code of their choice. CSS attacks occur when malicious data is entered
on a website and either hosted on a web server or sent as HTML email. When the
web page is viewed and a user clicks on the URL link, the attackers' script is injected
into the local resource, potentially giving them complete control of the system.
Secure Sockets Layer (SSL) cannot protect against CSS-type attacks. For more
details on this type of attack, see the Advisories at http://spoor12.edup.tudelft.nl/SkyLined/index.php
A tool to test websites for CSS is the Linux-based WhiteHat Arsenal 1.05, available
at http://community.whitehatsec.com
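
On the website side, the injection described above is closed by encoding user-supplied data before it is written into a page and by refusing link schemes that carry script. The following is an added example, not code from Microsoft or from the tools mentioned here; the function names, the http/https allow-list and the sample inputs are assumptions made for illustration.

```python
import html
from urllib.parse import urlsplit

ALLOWED_SCHEMES = {"http", "https"}  # assumption: only absolute web links are allowed


def render_unsafe(author, link):
    # Vulnerable pattern: user-supplied values are pasted into the markup as-is.
    return '<p>%s posted <a href="%s">a link</a></p>' % (author, link)


def safe_href(link):
    """Return link if it is an absolute http(s) URL, otherwise the inert "#"."""
    # Browsers ignore tabs/newlines inside a URL and leading control characters,
    # so remove them before looking at the scheme.
    cleaned = "".join(ch for ch in link if ch not in "\t\r\n").lstrip(
        "".join(map(chr, range(0x21))))
    try:
        scheme = urlsplit(cleaned).scheme.lower()
    except ValueError:  # malformed URL, e.g. an unterminated IPv6 literal
        return "#"
    return cleaned if scheme in ALLOWED_SCHEMES else "#"


def render_safe(author, link):
    # Encode for the HTML context after the link has passed the scheme check.
    return '<p>%s posted <a href="%s">a link</a></p>' % (
        html.escape(author, quote=True),
        html.escape(safe_href(link), quote=True),
    )


def reflected_unencoded(page, probe):
    """The check a scanner makes: did the probe come back as live markup?"""
    return probe in page


# Constructed sample inputs (not taken from any advisory).
SAMPLES = [
    ("<script>alert(1)</script>", "http://example.com/"),
    ("alice", 'http://example.com/" onmouseover="alert(1)'),
    ("bob", "JaVa\tScRiPt:alert(1)"),
]

if __name__ == "__main__":
    for author, link in SAMPLES:
        print(render_unsafe(author, link))
        print(render_safe(author, link))
```

The scheme check and the encoding are both needed: encoding alone leaves a script-carrying link clickable, and the scheme check alone does not stop markup in the author field.
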
Server Vulnerabilities. Recent Microsoft security bulletins cited several
holes in Microsoft server products:
As always, it's a good idea to routinely run Windows Update.