Microsoft looks to fix security flaw
By Allison Linn
Associated Press Business Writer
SEATTLE - Microsoft Corp. has released a patch to fix a security flaw that could allow a hacker to gain complete control, in a matter of seconds, of a Web site running its flagship server software.
The security flaw in Windows 2000 Server's Internet Information Server was discovered about two weeks ago in the software's Internet printing component by eEye Digital Security, Inc. of Aliso Viejo, Calif., while the company was testing the latest version of its security scanning software.
"The thing that's different about this flaw compared to some other flaws is that it basically affects every installation, no matter what security patches you have installed," said Marc Maiffret, eEye's chief hacking officer.
Microsoft security program manager Scott Culp said customers running any version of the Internet server software would be vulnerable to an attack unless they had taken certain security steps that could have disabled the Internet printing component that has the flaw.
"It is certainly a serious vulnerability," Culp said.
The company said more than one million Windows 2000 Server licenses have been sold, but it is not clear how many people are running the product's Internet software.
Culp said a fix is available on Microsoft's Web site, and customers also have been notified through subscription lists and Microsoft technicians.
The problem is serious enough to delay the release of Windows 2000 Service Pack II, a Windows 2000 operating system update that was nearly ready to ship but will now be completely reworked to allow a fix for the flaw.
Culp said the company did not know when the product would be released, or how much the delay would cost Microsoft, but felt it was necessary.
Richard Reiner, head of security operations for FSC Internet Corp. in Toronto, said the flaw is especially nasty because most firewall programs will not protect against this type of attack.
He said the biggest concern now is that the flaw has been made public, but some companies using the software may not know of it.
"It's going to be a long window of vulnerability," he said.
Culp said the company had not had reports of hacker attacks resulting from the flaw so far.
This is the second major security flaw that eEye has discovered with Windows 2000 Internet server software. The last one was discovered in 1999.