Microsoft Patches Four More Security Flaws
Software giant issues new security bulletins, one regarding a critical flaw in some versions of Windows.
Microsoft issued three security bulletins late Wednesday, offering patches for four recently discovered security vulnerabilities in several of its products. One hole in Windows NT, Windows 2000, and Windows XP was rated "critical" by the vendor.
The hole deemed "critical" is a buffer overrun flaw in the phone book of the Remote Access Service, a standard part of Windows NT 4.0, Windows 2000, and Windows XP. An attacker could gain full control over the machine or cause it to fail, Microsoft says in its advisory.
To carry out an attack, an attacker first has to change a RAS setting on the affected system and then connect to the system using RAS. If the target system's settings restrict user access, it will not be at risk, Microsoft says. RAS is used for dial-up connections.
More Concerns
Another bulletin addresses a flaw in Internet Information Server versions 4.0 and 5.0, the Web server components of Windows NT 4.0 and Windows 2000. An attacker could run arbitrary code on the system by exploiting a flaw in software that supports HTR scripting, an older and largely obsolete scripting language, Microsoft says.
HTR has been part of IIS since version 2.0. It was never widely adopted because Active Server Pages, or ASP, introduced in IIS 4.0, became popular before HTR use could take off. Virtually the only use for HTR today is a Web-based NT password managed service, Microsoft says, adding that it has long recommended that customers disable HTR functionality and convert any scripts they still need to ASP. The IIS Lockdown Tool offered by Microsoft disables HTR by default.
A third security bulletin addresses two vulnerabilities in the SQLXML part of SQL Server 2000. SQLXML enables the transfer of XML data to and from SQL Server 2000. The most serious of the flaws could allow an attacker to take over the machine running the database, Microsoft says.
Pick Your Patch
More information on the RAS flaw can be found at: http://www.microsoft.com/technet/security/bulletin/MS02-029.asp.
More information on the flaw in IIS versions 4.0 and 5.0 can be found at: http://www.microsoft.com/technet/security/bulletin/MS02-028.asp.
More information on the SQLXML flaw can be found at: http://www.microsoft.com/technet/security/bulletin/MS02-030.asp.

















