Microsoft issues "critical" server fix

The cumulative patch for the company's Internet Information Server software fixes many older problems as well as 10 vulnerabilities found recently.

Robert Lemos, Staff Writer, CNET News.com
Robert Lemos covers viruses, worms and other security threats.

Microsoft released a "critical" security patch Wednesday for its Web server software, plugging 10 new holes that could allow hackers to take full control of computers running the company's Internet Information Server (IIS) program.

As previously reported, Microsoft recommends that customers running a Web site on its Windows NT 4.0, Windows 2000 or Windows XP Professional operating systems install the patch immediately.

"The really important thing is getting the patch on," said Scott Culp, manager of Microsoft's Security Response Center, adding that the software giant is pushing hard to get the advisory in front of everyone who runs IIS 4.0, 5.0 or 5.1.

Microsoft deemed three of the fixes critical for all three versions of IIS and one critical for IIS 4 and 5. The other new vulnerabilities pose either a moderate or a low security threat. In the past, similar types of widespread vulnerabilities meant that many Web servers running Microsoft software were susceptible to attack by the Code Red worm.

At least one security company, however, is reporting that the new patch causes problems on some servers.

Engineers with SecurityFocus said that installing the patch broke some functions of IIS's SiteServer module, which enables authentication and Web site customization.

"It makes SiteServer authentication unreliable," said Oliver Friedrichs, director of engineering for San Mateo, Calif.-based SecurityFocus. "It is a known issue. Microsoft is issuing an additional fix to people that phone them." Friedrichs added that the patch for the problems solved the newest bugs.

Microsoft representatives could not immediately confirm that the reported patch problem exists. Problems with the software giant's patches are rare, but they do happen.

Despite the new flaws, which recall past security problems with Microsoft software, the hard push to notify all customers of the bugs and the fact that two of the flaws were found by the company's own engineers is a signal that the company is much more serious about security, said Marc Maiffret. Maiffret is chief hacking officer of network-protection company eEye Digital Security, one of the companies acknowledged by Microsoft for notifying the giant of a critical flaw.

"I've always said that when they actually start finding the vulnerabilities themselves and announcing them, then it shows that they are being proactive about security," Maiffret said. "And I think that they are really showing that with this advisory."

In addition to posting the advisory and sending it out to more than 300,000 subscribers on its security mailing list, Microsoft is also directly contacting large companies and anyone who has recently asked for support on the company's Web server software.

"Microsoft has been much better about getting this pushed out," Maiffret said. "There should be a much wider audience that sees this, so hopefully there should be a lot more people that get the patch."

In January, following a companywide memo from Chairman Bill Gates, Microsoft embarked on its so-called Trustworthy Computing initiative. In late January and early February, the company put nearly 9,000 of its internal developers, product managers and testers through a half-day security seminar. Following the training, the groups responsible for any of the more than 70 components that make up the Windows operating system reviewed the code for potential security problems.

While the two problems found by the company's engineers were not discovered during that code-review process, the new focus on security had a lot to do with urging the developers to look at the potentially problematic code, said Microsoft's Culp.

"The security push is not done yet, and I don't want to suggest that this patch is the delivery of what we are doing," Culp said. "But what did happen was that as we heard about these new vulnerabilities, we shifted to certain areas (of the program highlighted by the flaws). And indeed, we were able to find new problems."

The security patch is cumulative, in that it incorporates other separately released fixes. The patch also addresses 10 newly discovered security vulnerabilities affecting IIS, Microsoft said. IIS 5 is susceptible to all the new vulnerabilities, IIS 4 to nine, and IIS 5.1 to eight.

Beta (test) builds 3605 or higher of .Net Server, which has not yet been released, already contain the fix. IIS 6 is included with .Net Server.

Many of the new fixes have to do with so-called buffer overflow or denial-of-service attacks that could cripple Web sites. In a buffer overflow, an attacker floods a field, typically an address bar, with more characters than it can accommodate. The excess characters in some cases can be run as "executable" code, effectively giving the attacker control of the computer without being constrained by security measures.
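To make the mechanism concrete, here is an added example (not code from the article, and not Microsoft's or IIS's own code) of the fixed-size buffer pattern behind the overflows described above, shown beside a bounded version that rejects over-long input. The structure, field names, buffer size and sample request lines are all constructed for illustration.

```c
/* Added example: a request field copied into a fixed-size buffer,
 * unchecked beside checked. All names and sizes are illustrative. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define URL_MAX 32   /* illustrative fixed buffer size */

struct request {
    char url[URL_MAX];
    int  is_admin;   /* a field that happens to sit right after the buffer */
};

/* Vulnerable pattern: trusts the length of the incoming field.
 * strcpy stops only at the NUL terminator, so a field longer than URL_MAX
 * writes past 'url' into whatever follows it in memory (here 'is_admin').
 * Kept for comparison only; the example never calls it on input. */
static void set_url_unchecked(struct request *r, const char *field)
{
    strcpy(r->url, field);
}

/* Hardened pattern: the field is copied only if it fits, and an over-long
 * field is rejected (-1) so the caller can answer with an error instead of
 * silently truncating or overrunning the buffer. */
static int set_url_checked(struct request *r, const char *field, size_t field_len)
{
    if (field_len >= sizeof r->url)   /* leave room for the terminator */
        return -1;
    memcpy(r->url, field, field_len);
    r->url[field_len] = '\0';
    return 0;
}

/* Extract the request target from a line such as "GET /path HTTP/1.0".
 * Returns 0 and fills r on success, -1 if the line is malformed or the
 * target does not fit in the fixed buffer. */
int parse_request_line(const char *line, struct request *r)
{
    const char *start = strchr(line, ' ');
    const char *end;
    if (!start) return -1;
    start++;
    end = strchr(start, ' ');
    if (!end) return -1;
    return set_url_checked(r, start, (size_t)(end - start));
}

int main(void)
{
    struct request r = { "", 0 };
    /* constructed sample request lines: one that fits, one that does not */
    const char *ok  = "GET /index.htm HTTP/1.0";
    const char *bad = "GET /aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa HTTP/1.0";
    printf("%d %s\n", parse_request_line(ok, &r), r.url);   /* 0 /index.htm */
    printf("%d\n", parse_request_line(bad, &r));            /* -1 */
    (void)set_url_unchecked;   /* referenced only so the comparison compiles cleanly */
    return 0;
}
```

The point of the checked version is that the length test happens before any byte is written, and that the server's response to an oversized field is a refusal rather than a partial copy; a compiler flag or a safer string function alone does not supply that decision.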

Microsoft recommends that IIS operators either download the patch separately or, if running Windows XP, retrieve the fix using the automatic update feature. The IIS 4 patch requires that Service Pack 6a be applied to Windows NT Server. The IIS 5 patch can be applied to Windows 2000 running either Service Pack 1 or 2. Microsoft recommends that the IIS 5.1 patch be applied to systems running Windows XP Professional.

The IIS 5 patch will be included in Windows 2000 Service Pack 3, which is in beta testing. The fixes for IIS 5.1 will be included in Windows XP Service Pack 1, which is expected to begin beta testing next month.

In addition to applying the patches, Microsoft said, IIS operators should download and use IIS Lockdown Tool 2.1, which turns off unnecessary features that, if left on, could create vulnerabilities for hackers to exploit.