Microsoft discloses flaw in website software
Thursday, June 13, 2002 | 10:06 a.m.
WASHINGTON -- Microsoft Corp. acknowledged a serious flaw Wednesday in its Internet server software that could allow sophisticated hackers to seize control of Web sites, steal information and use vulnerable computers to attack others online.
The software, which runs about one-third of the world's websites, is used by millions of businesses and organizations but less commonly by home users. Microsoft made available a free patch for customers using versions of its Internet Information Server software with its Windows NT or Windows 2000 operating systems.
The server software included within Microsoft's newer Windows XP operating system was not affected by the security flaw.
In a separate warning Wednesday, Microsoft said customers of its Windows NT, Windows 2000 and Windows XP operating systems were vulnerable to an unrelated problem affecting Microsoft's technology to connect to the Internet over phone lines. Hackers trying to attack these computers must already have permission to use them, limiting the risks.
A researcher with eEye Digital Security Inc., Riley Hassell, found the Web server flaw in mid-April during testing of eEye's own hacker-defense software, but the discovery was kept closely guarded under an agreement with Microsoft until Wednesday.
Microsoft described the risk to Web servers as "moderate." The company and other top experts, including U.S. officials at the National Security Agency, have for months recommended turning off the vulnerable feature unless customers need it.
However, it was impossible to know how many customers followed that advice and shut off the feature, which is turned on automatically the first time the software is installed.
One consolation for Microsoft's customers was that the software flaw wasn't easy for most hackers to exploit. "It does take a more sophisticated level of skill," said David Gardner, a security program manager at Microsoft.
The latest vulnerability affects a function in the server software that allows Web administrators to change passwords for an Internet site. Despite the anticipated difficulty for hackers, the flaw was considered unusually threatening because it is closely related to a similar Internet server glitch disclosed by Microsoft on April 10.
Experts believe hackers already have been distributing customized attack tools to exploit the April 10 flaw, and they fear these underground tools could be updated readily to attack computers susceptible to the latest glitch.
A little-known Chinese hacking group has been distributing such tools on a website for weeks, although these are limited to attacking computers running Chinese-language versions of Microsoft's server software. Others claim to have developed more reliable attack tools using the April 10 glitch.
The FBI had warned that the previous, similar flaw was "a significant threat due to the magnitude and type of potential victim systems."






