Wednesday, 2 May, 2001, 15:13 GMT 16:13 UK
Microsoft warns of 'serious' software hole
Microsoft has been left looking foolish as yet another security flaw comes to light
By BBC News Online technology correspondent Mark Ward
A serious security vulnerability has been found in the Microsoft software used to keep millions of websites running.

Security experts who discovered the hole said malicious hackers could use it to take over a server, letting them view, change or steal almost any of the information held on it.

Microsoft said the vulnerability was so serious that it started contacting many of the high-profile users of the at-risk software. It urged all other users of the software to apply patches immediately.

The loophole is only the latest in a series of security holes that have been found in Microsoft products that millions of people use to run or view websites.

Action urged

Yesterday Microsoft issued a warning to many of the users of its Windows 2000 server software "strongly urging" them to update the software with a security patch to close a serious vulnerability.

Although the vulnerability was discovered on 19 April, Microsoft did not publicise it until a patch was available.
The flaw uses the remote printing protocols inside the software. When the right string of text is sent, it causes the software to return an unsecured command prompt, effectively giving high-level access to a server.

The string of text need only be 420 characters long. This sentence, including spaces, is 56 characters long.

"It does not matter what kind of security systems you have in place, firewalls, intruder detection systems, etc.," eEye wrote in its alert about the bug, "because all of those systems can be bypassed and your web server can be broken into via this vulnerability. The default set-up of the software leaves the vulnerability open."

Release dates

Windows 2000 Server was released in February last year and over one million companies have licensed it.

Web watching company Netcraft performs regular surveys of server software and its latest poll reveals that almost 20%, almost 6 million, of web servers are running one flavour or other of Microsoft IIS. Earlier versions of IIS are not vulnerable to the bug.
Although Microsoft has contacted many users of the Windows 2000 Server software, it is unlikely that all of them will apply the patch and many sites could be left open to attack.

In 1998, the RDS (Remote Data Services) bug was discovered that also affected IIS. Some computer criminals are known to have exploited this to steal credit card numbers and deface websites. Even now, three years after it was found, up to 25% of sites are thought to have left the hole unpatched.

The printing protocol bug is only the latest in a string of security problems and vulnerabilities traced to Microsoft products.

Viruses such as Melissa and the Love Bug only proliferated because of the lax controls Microsoft Outlook places on the files attached to e-mail messages.

In October last year, a serious bug also in IIS came to light that let hackers using malformed URLs look at supposedly secure files and directories on a server.