The term "Microsoft's latest security glitch" has become a cliche. But it didn't have to. It really comes down to a question of philosophy. Microsoft has always viewed its software in terms of feature lists. To Microsoft, innovation is about adding new features and finding ways to interconnect them. In Microsoft's eyes, the best product is the one with the longest feature list. The problem is that security is not a feature.
In the past week, Microsoft security teams have found themselves facing a sudden flurry of security problems. Since February 16 -- the day before Microsoft officially launched Windows 2000 -- Microsoft has issued five separate official security bulletins, with independent analysts delivering several more. To top the week off, anti-virus vendors announced the discovery of the first confirmed Windows-based distributed denial of service (DDoS) tool.
Security bug #1: IE/Outlook security problem
Perhaps the most dangerous of these issues, first announced by veteran bug-spotter Juan Cuartango, may present a threat to Internet Explorer (IE) and Outlook users. The problem lies in an ActiveX control called MS Active Setup, which can automatically install Microsoft-authenticated code onto a Windows-based machine. The install process can be triggered without any warning simply by visiting a web page or viewing an email containing the code. Currently, there is no patch or work-around for this issue, although MS Security has promised to allow users to make the installation process optional in future versions of Active Setup.
Security bug #2: WordPad problem
Independent analyst Georgi Guninski announced a bug in Microsoft's WordPad application that may present a further risk for IE and Outlook users. According to Guninski, a malicious HTML file accessed in a browser or email client can trick WordPad into executing malicious code. There is no patch for this problem yet.
Security bugs #3 and 4: More Internet Explorer issues
The "Image Source Redirect Vulnerability" allows a web server to steal files from an IE user's computer, provided they can be opened in a browser window. The "VM File Reading Vulnerability" has a similar impact, allowing a web server to send out malicious Java applets that can access files on an IE user's machine. Microsoft has posted patches for both of these bugs.
Security bug #5: Minor issues
The remaining alerts have addressed relatively minor issues in the Windows 2000 installation process and various server applications. Microsoft has released patches for bugs in Systems Management Server, Site Server 3.0, and Windows Media Services 4.0 and 4.1. Reported bugs in the Windows 2000 installer and FrontPage Personal Web Server are under investigation.
Read more about this on ZDNN at http://www.zdnet.com/zdnn/stories/news/0,4586,2448411,00.html
In a report entitled "Windows 2000 Security Issue: Problems with Limiting Administrative Access" Novell outlined how a network administrator could grant him- or herself permissions after being explicitly denied access rights to a particular file or directory. BugNet testing verified this security hole in Active Directory, which exposes previously restricted files and directories to any administrator in the directory tree.
If you think your Web site content is safe and sound, think again. If your ISP or Web hosting service relies upon Microsoft's Internet Information Server (IIS), other users may be able to read your files and write to your directories. The issue stems not from a programming flaw per se, but instead from incorrectly set permissions that allow an Active Server Pages (ASP) script to gain read and write permissions across all virtual hosts.
Despite assurances from Microsoft that Windows 2000 will perform adequately on existing computers, chipmaker Intel is stating that many will need to upgrade their PCs. Microsoft's new operating system for businesses will require computers with processors that are 150-MHz to 250-MHz faster than those that ran Windows NT or Windows 98 to deliver the same level of performance, Intel executives said at the Intel Developer Forum here.
Just two days before the long-awaited launch of Windows 2000, Microsoft is denying reports that the operating system has a security flaw. The company is also not commenting on reports that the new OS is plagued with 63,000 bugs. The security flaw came to light when archrival Novell Inc. said in a report on its Web site that some network administrators on an Active Directory network can use their access to the network to get confidential data such as payroll and legal information--even if they have been explicitly blocked from accessing that data.
"We all bought Macs. Bill bought a Mac. Bill was using a Mac. Bill was using a Macintosh. Not a PC." That's what Gates' old girlfriend, the venture capitalist Ann Winblad, apparently said to Michael Gross in an interview for a book to appear next month.
Recent results of the Swiss SWePIX web performance index show worse than average results for web servers running Microsoft's Internet Information Server (IIS) software. According to the study, servers running IIS are crashing twice as often as those using the open source Apache software. Even in online banking, downtimes of IIS servers average 40 minutes per week. NOTE: this article is in German.
Microsoft has informed users about a security leak in Windows NT 4.0 which could enable a malicious user to create, modify or delete files in another user's Recycle Bin. In the vast majority of cases, it would not provide any additional opportunity to read files in the Recycle Bin.
Six banks and three major PC makers are affected by a bug that lets attackers view files stored on Microsoft Index Server. Microsoft issued a patch today. The patch, released by Microsoft on Wednesday, repairs two different security bugs in Microsoft Index Server, the more egregious of which allows hackers to view files stored on a target Web server.