Bug Affects NT, W2K, SQL and Exchange
- By Scott Bekker
- July 27, 2001
For the third time in three days, Microsoft Corp. alerted customers to a serious new bug in its Windows NT 4.0 and Windows 2000 operating systems. And in a separate action, the software giant confirmed the existence of a vulnerability in its Windows Media Player application that could allow an attacker to execute code of her choice on a compromised system.
In a security bulletin which it dispatched to the subscribers of its Security mailing list, Microsoft acknowledged a problem with its remote procedure call (RPC) implementation that affects services running on Windows NT 4.0, Windows 2000, SQL Server 7.0, SQL Server 2000, Exchange 5.5 and Exchange 2000.
According to Microsoft, the vulnerability is the result of a “mismatch” between the interface definitions in several RPC server stubs and the input validation code in the associated servers. Because certain inputs aren’t validated prior to use, Microsoft says, invalid inputs that are nonetheless permissible under the interface definitions could in some cases be used to disrupt server operation.
As was the case with yesterday’s RDP vulnerability, an attacker could exploit the RPC vulnerability to launch a denial of service (DoS) attack against an affected server. In most cases, such an attack would cause a specific RPC-dependent service to hang, but in some cases, Microsoft acknowledged, a DoS attack of this type would cause a system-wide failure that could only be fixed by a reboot.
IT organizations that have followed Microsoft’s best practices and have blocked Internet access to the ports on which the affected RPC server stubs listen should be unaffected by external attempts to exploit this vulnerability, the software giant claims.
Microsoft provided a variety of hotfixes to fix this latest vulnerability. Administrators must apply all pertinent patches, however, which could complicate matters to some extent: a Windows NT 4.0 Server hosting SQL Server 7.0 and Exchange 5.5 needs all three hotfixes to properly patch the problem.
In a related move, the software giant last night distributed still another bulletin to the subscribers of its security mailing list and alerted them to the presence of a buffer overrun vulnerability that affects versions 6.4, 7.0 and 7.1 of its Media Player application.
The vulnerability occurs because of an unchecked buffer in the .NSC files that Media Player uses to support play-list functionality. If properly exploited, the Media Player vulnerability could allow an attacker to run code of her choice on a compromised system.
The problem is exacerbated because an attacker could attach a malicious .NSC file to an e-mail message or provide a link – via e-mail – to a Web page from which a malicious .NSC file could be downloaded.
Microsoft provided patches for all three affected Windows Media Player variants.
Stephen Swoyer
Scott Bekker is editor in chief of Redmond Channel Partner magazine.