Despite a serious security vulnerability found last week in Windows 2000 Server, IT executives will have to wait for the second service pack for a fix.
Microsoft was set to ship the service pack nearly two weeks ago when researchers reported a major vulnerability in Internet Information Server (IIS) 5.0, which is built into Win 2000. Microsoft immediately canceled shipment of the service pack so it could include a patch that corrects the problem. It is unclear when the service pack will be ready. A Microsoft spokesman would only say it will ship in the first half of this year.
The vulnerability discovered last week is known as a buffer overrun, one of the most well-known and common avenues for security attacks. In IIS, the flaw is exploited through an Internet Services Application Programming Interface (ISAPI) and can provide an attacker with system-level access to the server. That means an attacker would have full control of Win 2000 Server. The vulnerability is present in the Server, Advanced Server and DataCenter editions.
"I expect this exploit to be as bad as [Remote Data Services]," says Russ Cooper, editor of the NT BugTraq Web site and the surgeon general for TruSecure. RDS was introduced three years ago in IIS 4.0 and hackers have been using it ever since to deface Web sites and collect credit card numbers.
"We estimate 26% of IIS servers today are still vulnerable to it," because IT administrators have not plugged the hole, Cooper says. "I expect this most recent bug to be with us for a long time and in about six months we'll see an exploit."
With that in mind, Microsoft last week scrambled to issue a patch, but the company also began work on incorporating it into Service Pack 2 for Win 2000.
"We have to redo all the system testing and all the final testing before we can release the service pack," says Scott Culp, security program manager at the Microsoft Security Response Center.
Culp says the bug is serious enough to mandate that enterprise users get a fix in a service pack, which is likely to get more attention than a patch. But he says users should get the patch as soon as possible.
Service Pack 2, which is already off the every-six-months release cycle for service packs Microsoft announced when it shipped Win 2000, features a number of fixes for Win 2000 and Active Directory. Microsoft has not publicly discussed what specifically is included.
The newest fix, however, is for the ISAPI extension in IIS that supports the Internet Printing Protocol, which allows printing over the Web. To exploit the flaw, a hacker sends a cleverly crafted URL to the server that contains the malicious code. The string of characters overruns a buffer and then adds executable code to the server. Once the code is run, the hacker gains access to the entire machine. The exploit works only with IIS 5.0.
