Microsoft late Wednesday issued patches for three
security holes affecting its Point-to-Point Tunneling Protocol (PPTP),
Windows 2000 platform and versions of the Internet Information Server (IIS).
The Redmond, Wash.-based software giant warned that the most critical of the three
bugs was an unchecked buffer in its PPTP implementation that could
enable denial-of-service (DoS) attacks.
Two other security alerts, which bring the total announced by Microsoft this
year to 64, cover fixes for the default permissions in Windows 2000 that
could allow Trojan Horse program execution and a cumulative patch that plugs
four holes in IIS versions 4.0, 5.0 or 5.1.
PPTP Implementation
In its advisory warning of an unchecked buffer in
the PPTP implementation, Microsoft said the “critical” vulnerability could
lead to denial-of-service attacks against customers using Windows 2000 or
Windows XP.
“Administrators offering PPTP services should install the patch immediately;
users who utilize remote access using PPTP should consider installing the
patch,” Microsoft warned. (Download patch locations: Windows 2000; Windows XP 32-bit and Windows XP 64-bit.)
Microsoft said the unchecked buffer was detected in a section of code that
processes the control data used to establish, maintain and tear down PPTP
connections. “By delivering specially malformed PPTP control data to an
affected server, an attacker could corrupt kernel memory and cause the
system to fail, disrupting any work in progress on the system,” the company said.
Windows 2000 and Windows XP support the Point-to-Point Tunneling Protocol
(PPTP), a Virtual Private Networking (VPN) technology that is implemented as
part of Remote Access Services (RAS). The protocol was developed jointly by
Microsoft, U.S. Robotics, and several remote access vendor companies (known
collectively as the PPTP Forum).
Microsoft warned that the vulnerability could be exploited against any
server that offers PPTP. If a workstation had been configured to operate as
a RAS server offering PPTP services, it could likewise be attacked,
according to the advisory. “Workstations acting as PPTP clients could only
be attacked during active PPTP sessions. Normal operation on any attacked
system could be restored by restarting the system,” it said.
Because of how the overrun occurs, Microsoft said it could not find any
reliable means of using it to gain control over a system. “Servers would
only be at risk from the vulnerability if they had been specifically
configured to offer PPTP services. PPTP does not run by default on any
Windows system. Likewise, although it is possible to configure a workstation
to offer PPTP services, none operate in this capacity by default.”
Cumulative Patch for IIS
The 62nd security alert from Redmond came in the
form of a cumulative patch to squash four bugs in IIS versions 4.0, 5.0 or
5.1, the most serious of which could enable applications on a server to gain
system-level privileges.
The patch for Microsoft’s Internet Information Server, which runs on the company’s NT platforms, includes the functionality of all
security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a,
and all security patches released to date for IIS 5.0 and 5.1, the company said.
In addition to including previously released fixes, the cumulative patch
also includes fixes for a privilege elevation vulnerability affecting the
way ISAPIs are launched when an IIS 4.0, 5.0 or 5.1 server is configured to
run them out of process.
By design, Microsoft said the hosting process (dllhost.exe) should run only
in the security context of the IWAM_computername account; however, it
can actually be made to acquire LocalSystem privileges under certain
circumstances, thereby enabling an ISAPI to do likewise.
Also patched is a new denial-of-service vulnerability that results from
a flaw in the way IIS 5.0 and 5.1 allocate memory for WebDAV requests. If
a WebDAV request were malformed in a particular way, the advisory said IIS
would allocate an extremely large amount of memory on the server. By sending
several such requests, an attacker could cause the server to fail.
Another newly discovered vulnerability involves the script source access
permission in IIS 5.0, which operates in addition to the normal
read/write permissions for a virtual directory and regulates whether
scripts, .ASP files and executable file types can be uploaded to a
write-enabled virtual directory.
Microsoft said a typographical error in the table that defines the file types subject
to this permission has the effect of omitting .COM files from the list of
files subject to the permission. As a result, a user would need only ‘write
access’ to upload such a file.
A separate alert warned system administrators
running Windows 2000 of a bug in the default permissions that could allow
the execution of Trojan Horse programs.
This bug, which was discovered by Security Focus, has a “moderate”
rating and there is no patch. Instead, Microsoft recommends that
administrators change the access permissions on the Windows 2000 system root
directory.
It said the problem lies in the default permissions that provide the
Everyone group with Full access (Everyone:F) on the system root folder
(typically, C:). In most cases, the system root is not in the search path
but, under certain conditions, it can be, causing a scenario that could
enable an attacker to mount a Trojan horse attack against other users of the
same system.
Microsoft said an attacker could create a program in the system root with
the same name as some commonly used program, then wait for another user to
subsequently log onto the system and invoke the program. “The Trojan horse
program would execute with the user’s own privileges, thereby enabling it to
take any action that the user could take,” it warned.
“The systems primarily at risk from this vulnerability would be workstations
that are shared between multiple users, and local terminal server sessions.”
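An administrator can check for the condition the advisory describes by reviewing `cacls` listings for every directory on the search path. The following is an added example, not code from Microsoft or the original article: it flags directories where a group covering all local users can create files. The group list, the sample listings and the sample search path are constructed for illustration.

```python
import re

# Groups that include every local user (assumed list; extend for your environment).
BROAD = {"everyone", "authenticated users", "builtin\\users"}
# cacls simple rights that allow creating files: W (write), C (change), F (full).
WRITE_RIGHTS = {"W", "C", "F"}
# One ACE as cacls prints it: principal, optional (OI)(CI)(IO) flags, one right letter.
ACE_RE = re.compile(r"^(?P<who>[^:]+):(?P<flags>(?:\([A-Z]+\))*)(?P<right>[NRWCF])$")

def broad_write_aces(path, cacls_output):
    """Return (principal, right) pairs that let a broad group create files in path."""
    body = cacls_output.strip()
    if body.lower().startswith(path.lower()):
        body = body[len(path):]          # first line is prefixed with the path
    hits = []
    for line in body.splitlines():
        m = ACE_RE.match(line.strip())
        if not m:
            continue                     # "special access" lists are not parsed here
        if "(IO)" in m["flags"]:
            continue                     # inherit-only: does not apply to this directory
        if m["who"].strip().lower() in BROAD and m["right"] in WRITE_RIGHTS:
            hits.append((m["who"].strip(), m["right"]))
    return hits

def plantable_path_dirs(search_path, acl_by_dir):
    """Map each search-path directory to the broad write ACEs found on it."""
    findings = {}
    for d in (p.strip() for p in search_path.split(";")):
        hits = broad_write_aces(d, acl_by_dir.get(d, "")) if d else []
        if hits:
            findings[d] = hits
    return findings

# Constructed sample data: cacls-style listings and a search path that includes the root.
SAMPLE_ACLS = {
    "C:\\": "C:\\ Everyone:F\n",
    "C:\\WINNT": ("C:\\WINNT BUILTIN\\Users:R\n"
                  "         BUILTIN\\Administrators:(OI)(CI)F\n"
                  "         Everyone:(OI)(CI)(IO)F\n"),
}
SAMPLE_PATH = "C:\\WINNT;C:\\"

if __name__ == "__main__":
    for d, hits in plantable_path_dirs(SAMPLE_PATH, SAMPLE_ACLS).items():
        print(d, hits)
```

Any directory reported here should have its broad write grant removed or be taken off the search path, in line with Microsoft's recommendation to change the permissions on the system root.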