Microsoft Reveals More Software Flaws - InformationWeek
7/24/2003
01:07 PM

Microsoft Reveals More Software Flaws

Vulnerabilities show up in SQL Server and various versions of Windows.

Business-technology managers still working to patch the software flaws revealed by Microsoft last week got some bad news Thursday. Microsoft has informed customers that there are new security vulnerabilities in several of its applications and versions of its Windows operating system.

The software vulnerabilities can permit denial-of-service attacks or let hackers hijack a user's system through malicious E-mails. They also will let malicious users escalate their system-access privileges under certain circumstances.

The most serious vulnerability, which Microsoft ranked as "critical," affects most Microsoft operating systems from Windows 98 to Windows Server 2003. This is the second critical vulnerability in a week to affect Windows Server 2003, which is touted as Microsoft's most secure operating system ever.

The vulnerability, identified by researchers at eEye Digital Security, lies within two unchecked buffers in Microsoft DirectX, which is used to run graphics and audio applications. The flaw could let an attacker craft a specially formed MIDI (audio) file that causes unpatched versions of DirectX to experience a buffer overflow, which results when an application receives more data than a buffer was sized to hold and does not check the length of the input before storing it.

This flaw, security experts say, could be especially serious because MIDI files can be embedded within Web pages and HTML-enabled E-mails.

The vulnerability affects Microsoft DirectX versions 5.x through 9.x, though version 9.0b is not vulnerable. Microsoft is urging customers to patch and fix this vulnerability. More information is available in Microsoft security bulletin MS03-030.

In a separate bulletin, Microsoft is warning users of SQL Server 7.0, SQL Server 2000, Microsoft Data Engine 1.0, Microsoft SQL Server 2000 Desktop Engine, and SQL Server 2000 Desktop Engine to patch for what it's calling an "important" security flaw from three vulnerabilities discovered by researchers from the security consulting firm @stake.

One of these flaws lets users jump onto the connection of another user and obtain the access privileges of that user. For instance, a user with low access rights could potentially use this vulnerability to hijack the connection of a user with higher access rights and obtain higher levels of system access. In another flaw, an attacker who's logged on to a system running SQL Server or Microsoft Data Engine could send a malformed packet to a certain port on that system. If successful, the attacker could obtain upgraded access to the system.

In a third flaw, users running SQL Server or MSDE are vulnerable to malformed packets hitting their servers and causing a denial of service. More information on these flaws is available in MS03-031.

The company is also warning of a moderate vulnerability that affects Windows NT 4.0 Server and NT 4.0 Terminal Server Edition. This flaw would allow attackers to launch denial-of-service attacks against unpatched servers. More information on the flaw is available here.
