Microsoft warns of three flaws

The software giant releases patches for the bugs, the most serious of which could give attackers a back door into the company's security server product.

Robert Lemos Staff Writer, CNET News.com

Robert Lemos

covers viruses, worms and other security threats.

See full bio

Robert Lemos

Jan. 13, 2004 5:50 p.m. PT

2 min read

Microsoft released patches on Tuesday for three flaws, the most serious of which could give attackers a back door into the company's security server product.

The most major flaw affects Microsoft's Internet Security and Acceleration Server 2000, which is included with Small Business Server 2000 and 2003 editions. The flaw lies in the way a filter in the server product's firewall processes data formatted in the real-time multimedia communications standard, known as International Telecommunications Union (ITU) H.323.



		Get Up to Speed on... Enterprise security Get the latest headlines and company-specific news in our expanded GUTS section.

Internet Security and Acceleration Server is designed to help protect companies' networks from online attacks.

"It is kind of the same situation that we have seen--a certain level of human error is going to be present, and that is true even for security software," said Stephen Toulouse, security program manager at Microsoft.

The H.323 flaw was found by the National Infrastructure Security Co-ordination Centre, the United Kingdom's Internet infrastructure protection agency, and researchers from the University of Oulu, in Finland.



		Get Up to Speed on... VoIP Get the latest headlines and company-specific news in our expanded GUTS section.

Many companies, primarily makers of voice over Internet Protocol equipment, also likely are affected by the issue--but to a lesser extent than Microsoft's product.

The other flaws the software giant announced include a vulnerability in the Microsoft Data Access Component software in Windows 2000 and XP, along with Microsoft's SQL Server 2000 and Windows Server 2003. The flaw could allow an attacker to take over a vulnerable system--only after successfully disguising the attacking computer as an SQL server. Because of the complexity of the attack, Microsoft graded the flaw as "important," not critical.

The last vulnerability, in Exchange Server 2003, allows an attacker to abuse the Online Web Access module to access the e-mail in-box of another random user who recently accessed the server.

"The end result is that an attacker could, under certain circumstances, get access to a complete random user," Microsoft's Toulouse said.

Microsoft posted discussions and patches for the products on its Web site and will automatically provide fixes to its customers through its update service.

Along with the three vulnerabilities, Microsoft re-released another patch that had caused computers that run Windows in Hebrew, Arabic and Thai to crash.