News

Critical Vulnerability Found in Domain Controllers

Microsoft alerted users to a critical unchecked buffer vulnerability in a service that is enabled by default on Windows 2000 and Windows NT 4.0 domain controllers.

The alert was one of three security alerts that Microsoft sent to users on Wednesday night. The other new security holes both rate as "moderate" vulnerabilities in Microsoft's threat risk scale. The affected products are Content Management Server 2001 and Outlook 2002. The three alerts were the first batch of security bulletins out of Redmond for 2003.

The critical problem in Windows 2000 and Windows NT 4.0 domain controllers involves the Locator service, which maps logical names to network-specific names. The service is present in Windows NT 4.0, Windows 2000 and Windows XP, although it is only enabled by default in domain controllers.

According to Microsoft, the vulnerability could allow code of an attacker's choice to be executed. To exploit the vulnerability, an attacker would have to send a specially malformed request to the Locator service. Microsoft contends that a properly configured firewall would block Internet-based attackers from exploiting the hole.

A patch for the vulnerability is available at http://www.microsoft.com/technet/security/bulletin/ms03-001.asp.

Microsoft developed a cumulative patch in fixing the new flaw affecting Content Management Server 2001. The flaw, which does not affect the newer Content Management Server 2002, requires an attacker to follow a complex series of technical and social engineering steps, one of which would be to lure a victim user to a page. Once there, the attacker could wrongfully obtain information disclosed by the user.

The cumulative patch can be found at www.microsoft.com/technet/security/bulletin/ms03-002.asp.

The Outlook 2002 flaw addressed in the third bulletin could result in supposedly encrypted messages being sent in plain text. When users select a less common method of encryption, known as V1 Exchange Server Security Certificates, their HTML e-mail messages can go out in plain text.

"As a result of this flaw, Outlook fails to encrypt the mail correctly and the message will be sent in plain text. This could cause the information in the e-mail to be exposed when the user believed it to be protected through encryption," Microsoft's security bulletin reads.

A patch for the Outlook 2002 flaw is available at www.microsoft.com/technet/security/bulletin/ms03-003.asp.

About the Author

Scott Bekker is editor in chief of Redmond Channel Partner magazine.

Featured

  • An image of planes flying around a globe

    2025 Microsoft Conference Calendar: For Partners, IT Pros and Developers

    Here's your guide to all the IT training sessions, partner meet-ups and annual Microsoft conferences you won't want to miss.

  • Microsoft to Shut Down Skype Services

    Microsoft will discontinue its Skype telecommunications and video calling services on May 5, 2025, marking the end of the platform's decades-long run.

  • Big Blue To Acquire Datastax in Enterprise AI Play

    In a bid to bolster its enterprise-aimed AI capabilities, IBM is planning to acquire Datastax, a leading AI and data solutions provider, for an undisclosed amount.

  • Microsoft Confirms End of HoloLens Mixed Reality Hardware

    Microsoft officially announced this week that it is discontinuing its HoloLens mixed reality hardware, marking the end of its efforts in the space.

Most   Popular