RealTime IT News

What Do You Want to Patch Today?

Microsoft issued a slew of advisories late on Wednesday, spelling out bugs in the Remote Access Service (RAS) phonebook implementation that put users of Windows NT 4.0, Windows 2000 and Windows XP at risk.

The company said security firm Next Generation Security Software detected an unchecked buffer in the RAS phonebook that could lead to code execution.

"The overrun could be exploited for either of two purposes: causing a system failure, or running code on the system with Local System privileges. If an attacker were able to log onto an affected server and modify a phonebook entry using specially malformed data, then made a connection using the modified phonebook entry, the specially malformed data could be run as code by the system," according to the Microsoft advisory.

Remote Access Service (RAS), which is delivered as a native system service in Windows NT 4.0, Windows 2000 and Windows XP, provides dial-up connections between computers and networks over phone lines. Microsoft said these implementations include an offending RAS phonebook, which is used to store information about telephone numbers, security, and network settings used to dial up remote systems.

Another security bulletin from the software behemoth issued patches for two bugs detected in Microsoft SQL Server 2000.

It said the two vulnerabilities existed in SQLXML -- a buffer overflow in the SQLXML ISAPI filter and a cross-site scripting vulnerability. The company said the buffer overflow vulnerability in an ISAPI extension "could, in the worst case, allow an attacker to run code of their choice on the Microsoft Internet Information Services (IIS) Server."

It also detailed a flaw in a function specifying an XML tag that could allow an attacker to run script on the user's computer with higher privilege. "For example, a script might be able to be run in the Intranet Zone instead of the Internet Zone," it explained.

For the unchecked buffer in the SQLXML ISAPI extension, Microsoft said the vulnerability gives no means for an attacker to obtain the directory structure, which must be set up by an administrator. "The attacker must know the location of the virtual directory on the IIS Server that has been specifically set up for SQLXML."

For an attack to succeed with the cross-site scripting vulnerability, Microsoft said the user must have privileges on the SQL Server and must know the address of the SQL Server on which the user has privileges. "Microsoft best practices recommends against allowing ad hoc URL queries against the database through a virtual root," the company said.

The latest bug fixes come on the heels of a massive security patch issued last month to plug six vulnerabilities within Internet Explorer 5.1, 5.5 and 6.0 browsers. That patch addressed a buffer overflow hole that could give an attacker complete control of a user's machine and another vulnerability that would let an attacker view files on an IE user's local drive.

In recent months, Microsoft's well-publicized security headaches have also included flaws in two versions of its SQL Server software that could cause SQL failure or allow hackers to execute code in the security context in which SQL Server is running.