
Critical Vulnerability Found in Domain Controllers

Microsoft alerted users to a critical unchecked buffer vulnerability in a service that is enabled by default on Windows 2000 and Windows NT 4.0 domain controllers.

The alert was one of three security alerts that Microsoft sent to users on Wednesday night. The other two new security holes both rate as "moderate" on Microsoft's threat risk scale and affect Content Management Server 2001 and Outlook 2002. The three alerts were the first batch of security bulletins out of Redmond for 2003.

The critical problem in Windows 2000 and Windows NT 4.0 domain controllers involves the Locator service, which maps logical names to network-specific names. The service is present in Windows NT 4.0, Windows 2000 and Windows XP, although it is enabled by default only on domain controllers.

According to Microsoft, the vulnerability could allow code of an attacker's choice to be executed. To exploit the vulnerability, an attacker would have to send a specially malformed request to the Locator service. Microsoft contends that a properly configured firewall would block Internet-based attackers from exploiting the hole.

A patch for the vulnerability is available at http://www.microsoft.com/technet/security/bulletin/ms03-001.asp.

Microsoft developed a cumulative patch to fix the new flaw affecting Content Management Server 2001. The flaw, which does not affect the newer Content Management Server 2002, requires an attacker to follow a complex series of technical and social engineering steps, one of which would be to lure a victim user to a page. Once there, the attacker could wrongfully obtain information disclosed by the user.

The cumulative patch can be found at www.microsoft.com/technet/security/bulletin/ms03-002.asp.

The Outlook 2002 flaw addressed in the third bulletin could result in supposedly encrypted messages being sent in plain text. When users select a less common method of encryption, known as V1 Exchange Server Security Certificates, their HTML e-mail messages can go out in plain text.

"As a result of this flaw, Outlook fails to encrypt the mail correctly and the message will be sent in plain text. This could cause the information in the e-mail to be exposed when the user believed it to be protected through encryption," Microsoft's security bulletin reads.

A patch for the Outlook 2002 flaw is available at www.microsoft.com/technet/security/bulletin/ms03-003.asp.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.
