Microsoft patches Windows 2000 security hole

Microsoft achieved a dubious milestone this week, releasing the first security patch for its Windows 2000 operating system, despite the fact that the OS is still a few weeks away from its official release.

The software giant this week released the security patch for two problems affecting the Microsoft Index Server, a file search engine included with Windows 2000, as well as Windows NT and Internet Information Server. Windows 2000 is the company's new corporate operating system, designed to run computers for large companies, Web sites and e-commerce services.

Although the function affected by the glitch is not specific to Windows 2000, the vulnerability is somewhat embarrassing for Microsoft, given its recent struggles with security issues, its promotion of Windows 2000 as the most secure and reliable operating system to date, and the fact that the product has not yet even been officially released.

Taken together, the security problems would allow a malicious user to learn where administrative files are stored on a Web server, then view and read the files, a Microsoft representative said. The bugs do not allow anyone to actually modify or gain access to the files themselves.

The vulnerability itself would not be enough for a hacker to manipulate personal information, a security expert said, but would offer clues to point the malicious user in the right direction.

"This is something that regular NT users should not be worried about," said Elias Levy, a security consultant with Security Focus, explaining that the bugs would allow hackers to view the source code of Web sites using Microsoft's Internet Information Server, which could ostensibly include some embedded sensitive information.

The bug only allows access to information stored on the Web server, not to any databases of information, Levy said.

"It doesn't allow you to obtain full access to the machine," he said. "Just because you get an account name for the database doesn't mean that you're able to reach the database itself--it just gives the hacker more intelligence."

Although it ranks low on the severity scale, the problem does raise questions as to whether Microsoft has overhyped the stability of the new operating system and its own internal bug-testing operation. Microsoft has called Windows 2000 the most heavily tested software release in the company's history.

"For Windows 2000 users, of course, this patch is somewhat interesting, if only because it is the first update to the new operating system," wrote Paul Thurrott, in his WinInfo email newsletter. "It's also extremely disappointing from an administrative standpoint...because the patch requires you to reboot the machine once it's installed. One of the primary selling points of Windows 2000 is that it requires far fewer reboots than Windows NT 4.0."

The patch for the problem, and background information on the glitch, is available on the Microsoft Web site.

For its part, Microsoft argued that the quick turnaround time on the bug fix reflects the company's commitment to customer concerns about security.

"The person who reported that this was an issue is someone who's been working closely with Microsoft," the representative said, noting that Microsoft has not been informed of any actual problems as a result of the vulnerability. "This is not an issue where a malicious instance actually happened."

A possible reason: Microsoft does not officially release the software until Feb. 17, at a launch event in San Francisco. The first collection of Windows 2000 bug fixes, known as a service pack, is expected to be released in June.