Wednesday, 2 May, 2001, 15:13 GMT 16:13 UK
Microsoft warns of 'serious' software hole
Microsoft has been left looking foolish as yet another security flaw comes to light
By BBC News Online technology correspondent Mark Ward

A serious security vulnerability has been found in the Microsoft software used to keep millions of websites running.

Security experts who discovered the hole said malicious hackers could use it to take over a server, letting them view, change or steal almost any of the information held on it.

Microsoft said the vulnerability was so serious that it started contacting many of the high-profile users of the at-risk software. It urged all other users of the software to apply patches immediately.

The loophole is only the latest in a series of security holes that have been found in Microsoft products that millions of people use to run or view websites.

Action urged

Yesterday Microsoft issued a warning to many of the users of its Windows 2000 server software "strongly urging" them to update the software with a security patch to close a serious vulnerability.

Although the vulnerability was discovered on 19 April, Microsoft did not publicise it until a patch was available.

eEye Digital Security discovered the bug, which affects Windows 2000 Servers running the Internet Information Server 5.0 (IIS) add-on. Many organisations use this software to run websites. Security expert Riley Hassell at eEye said the bug was serious because it was so easy to exploit.

The flaw lies in the remote printing protocols built into the software. When the right string of text is sent, it causes the software to return an unsecured command prompt, effectively giving high-level access to the server.

The string of text need only be 420 characters long. This sentence, including spaces, is 56 characters long.

"It does not matter what kind of security systems you have in place, firewalls, intruder detection systems, etc.," eEye wrote in its alert about the bug, "because all of those systems can be bypassed and your web server can be broken into via this vulnerability. The default set-up of the software leaves the vulnerability open."

Release dates

Windows 2000 Server was released in February last year and over one million companies have licensed it.

Web monitoring company Netcraft performs regular surveys of server software, and its latest poll reveals that almost 20% of web servers, almost 6 million, are running one flavour or another of Microsoft IIS. Earlier versions of IIS are not vulnerable to the bug.

Windows 2000 users include:
Barnesandnoble.com
Buy.com
CommerceOne.com
Cornerdrugstore.com
Marthastewart.com
Nasdaq.com
Nordstrom.com
Reel.com
Workz.com

Although Microsoft has contacted many users of the Windows 2000 Server software, it is unlikely that all of them will apply the patch and many sites could be left open to attack.

In 1998, the RDS (Remote Data Services) bug, which also affected IIS, was discovered. Some computer criminals are known to have exploited it to steal credit card numbers and deface websites. Even now, three years after it was found, up to 25% of sites are thought to have left the hole unpatched.

The printing protocol bug is only the latest in a string of security problems and vulnerabilities traced to Microsoft products. Viruses such as Melissa and the Love Bug only proliferated because of the lax controls Microsoft Outlook places on the files attached to e-mail messages.

In October last year, a serious bug also in IIS came to light that let hackers using malformed URLs look at supposedly secure files and directories on a server.
