To print: Click here or Select File and then Print from your browser's menu

This story was printed from silicon.com, located at http://www.silicon.com/

Story URL: http://software.silicon.com/security/0,39024655,39117781,00.htm

Three new Microsoft security patches released
Let's go to work...

By Robert Lemos

Published: Wednesday 14 January 2004

Microsoft has released patches for three flaws, the most serious of which could give attackers a back door into the company's security server product.

The most major flaw affects Microsoft's Internet Security and Acceleration Server 2000, which is included with Small Business Server 2000 and 2003 editions. The flaw lies in the way a filter in the server product's firewall processes data formatted in the real-time multimedia communications standard, known as International Telecommunications Union (ITU) H.323.

Internet Security and Acceleration Server is designed to help protect companies' networks from online attacks.

Stephen Toulouse, security program manager at Microsoft, said: "It is kind of the same situation that we have seen - a certain level of human error is going to be present, and that is true even for security software."

The H.323 flaw was found by the National Infrastructure Security Co-ordination Centre, the UK's internet infrastructure protection agency, and researchers from the University of Oulu, in Finland.

Many companies, primarily makers of voice over Internet Protocol equipment, also likely are affected by the issue - but to a lesser extent than Microsoft's product.

The other flaws the software giant announced include a vulnerability in the Microsoft Data Access Component software in Windows 2000 and XP, along with Microsoft's SQL Server 2000 and Windows Server 2003. The flaw could allow an attacker to take over a vulnerable system - only after successfully disguising the attacking computer as an SQL server. Because of the complexity of the attack, Microsoft graded the flaw as "important," not critical.

The last vulnerability, in Exchange Server 2003, allows an attacker to abuse the Online Web Access module to access the email inbox of another random user who recently accessed the server.

"The end result is that an attacker could, under certain circumstances, get access to a complete random user," Microsoft's Toulouse said.

Microsoft posted discussions and patches for the products on its website and will automatically provide fixes to its customers through its update service.

Along with the three vulnerabilities, Microsoft re-released another patch that had caused computers that run Windows in Hebrew, Arabic and Thai to crash.

Robert Lemos writes for CNET News.com