Microsoft issued a slew of advisories late on Wednesday, spelling out bugs
in the Remote Access Service (RAS) phonebook implementation that put users
of Windows NT 4.0, Windows 2000 and Windows XP at risk.
The company said security firm Next
Generation Security Software detected an unchecked buffer in the RAS
phonebook that could lead to code execution.
“The overrun could be exploited for either of two purposes: causing a system
failure, or running code on the system with Local System privileges. If an
attacker were able to log onto an affected server and modify a phonebook
entry using specially malformed data, then made a connection using the
modified phonebook entry, the specially malformed data could be run as code
by the system,” according to the Microsoft advisory.
Remote Access Service (RAS), which is delivered as a native system service
in Windows NT 4.0, Windows 2000 and Windows XP, provides dial-up connections
between computers and networks over phone lines. Microsoft said these
implementations include an offending RAS phonebook, which is used to store
information about telephone numbers, security, and network settings used to
dial up remote systems.
Another security bulletin from the software behemoth issued
patches for two bugs detected in Microsoft SQL Server 2000.
It said the two vulnerabilities existed in SQLXML — a buffer overflow in
the SQLXML ISAPI filter and a cross-site scripting vulnerability. The
company said the buffer overflow vulnerability in an ISAPI extension “could,
in the worst case, allow an attacker to run code of their choice on the
Microsoft Internet Information Services (IIS) Server.”
It also detailed a flaw in a function specifying an XML tag that could allow
an attacker to run script on the user’s computer with higher privilege. “For
example, a script might be able to be run in the Intranet Zone instead of
the Internet Zone,” it explained.
For the unchecked buffer in the SQLXML ISAPI extension, Microsoft said the
vulnerability gives no means for an attacker to obtain the directory
structure, which must be set up by an administrator. “The attacker must know
the location of the virtual directory on the IIS Server that has been
specifically set up for SQLXML.”
For an attack to succeed with the cross-site scripting vulnerability,
Microsoft said the user must have privileges on the SQL Server and must know
the address of the SQL Server on which the user has privileges. “Microsoft
best practices recommends against allowing ad hoc URL queries against the
database through a virtual root,” the company said.
The latest bug fixes come on the heels of a massive security
patch issued last month to plug six vulnerabilities within Internet
Explorer 5.1, 5.5 and 6.0 browsers. That patch addressed a buffer overflow
hole that could give an attacker complete control of a user’s machine and
another vulnerability that would let an attacker view files on an IE user’s
local drive.
In recent months, Microsoft’s well-publicized security headaches have also
included flaws
in two versions of its SQL Server software that could cause SQL failure or
allow hackers to execute code in the security context in which SQL Server is
running.