ZDNet UK



Microsoft puts out three patches

Published: 14 Jan 2004 08:35 GMT


Microsoft released patches on Tuesday for three flaws, the most serious of which could give attackers a back door into the company's security server product.

The most serious flaw affects Microsoft's Internet Security and Acceleration Server 2000, which is included with Small Business Server 2000 and 2003 editions. The flaw lies in the way a filter in the server product's firewall processes data formatted in the real-time multimedia communications standard, known as International Telecommunications Union (ITU) H.323.

Internet Security and Acceleration Server is designed to help protect companies' networks from online attacks.

"It is kind of the same situation that we have seen -- a certain level of human error is going to be present, and that is true even for security software," said Stephen Toulouse, security program manager at Microsoft.

The H.323 flaw was found by the National Infrastructure Security Co-ordination Centre, the United Kingdom's Internet infrastructure protection agency, and researchers from the University of Oulu, in Finland.

Many companies, primarily makers of voice over Internet Protocol equipment, are also likely to be affected by the issue -- but to a lesser extent than Microsoft's product.

The other flaws the software giant announced include a vulnerability in the Microsoft Data Access Component software in Windows 2000 and XP, along with Microsoft's SQL Server 2000 and Windows Server 2003. The flaw could allow an attacker to take over a vulnerable system -- only after successfully disguising the attacking computer as an SQL server. Because of the complexity of the attack, Microsoft graded the flaw as "important," not critical.

The last vulnerability, in Exchange Server 2003, allows an attacker to abuse the Online Web Access module to access the email in-box of another random user who recently accessed the server.

"The end result is that an attacker could, under certain circumstances, get access to a complete random user," Microsoft's Toulouse said.

Microsoft posted discussions and patches for the products on its Web site and will automatically provide fixes to its customers through its update service.

Along with the three vulnerabilities, Microsoft re-released another patch that had caused computers that run Windows in Hebrew, Arabic and Thai to crash.
