Hope I am not sending info everyone already knows about.

---------------------------------
Microsoft Discloses Flaw In Web Site Software

Microsoft Corp. has acknowledged a serious flaw in its Internet server software that could allow sophisticated hackers to seize control of Web sites, steal information and use vulnerable computers to attack others online.

The Internet Information Server software, which runs about one-third of the world's Web sites, is used by millions of businesses and organizations but less commonly by home users. Microsoft made available a free patch for customers using versions of the software with its Windows NT or Windows 2000 operating systems. The server software included within Microsoft's newer Windows XP operating system was not affected by the security flaw.

In a separate warning Wednesday (13 June), Microsoft said customers of its Windows NT, Windows 2000 and Windows XP operating systems were vulnerable to an unrelated problem affecting Microsoft's technology to connect to the Internet over phone lines. Hackers trying to attack these computers must already have permission to use them, limiting the risks.

A researcher with eEye Digital Security Inc., Riley Hassell, found the Web server flaw in mid-April during testing of eEye's own hacker-defense software, but the discovery was kept closely guarded under an agreement with Microsoft until Wednesday.

Microsoft described the risk to Web servers as "moderate." The company and other top experts, including U.S. officials at the National Security Agency, have for months recommended turning off the vulnerable feature unless customers need it.

One consolation for Microsoft's customers was that the software flaw wasn't easy to exploit by most hackers. "It does take a more sophisticated level of skill," said David Gardner, a security program manager at Microsoft.

The latest vulnerability affects a function in the server software that allows Web administrators to change passwords for an Internet site.

Despite the anticipated difficulty for hackers, the flaw was considered unusually threatening because it is closely related to a similar Internet server glitch disclosed by Microsoft on April 10. Experts believe hackers already have been distributing customized attack tools to exploit the April 10 flaw, and they fear these underground tools could be updated readily to attack computers susceptible to the latest glitch.

A little-known Chinese hacking group has been distributing such tools on a Web site for weeks, although these are limited to attacking computers running Chinese-language versions of Microsoft's server software. Others claim to have developed more reliable attack tools using the April 10 glitch.

The FBI had warned that the previous, similar flaw was "a significant threat due to the magnitude and type of potential victim systems."

Marc Maiffret, the self-described "chief hacking officer" for eEye, said malicious hackers will devise automated tools to scan the Internet and attack vulnerable computers rather than targeting machines individually. The same technique was used to spread the damaging "Code Red" and "Nimda" across the Internet last year, which infected nearly 1 million servers.

"It could readily be exploited with a worm," Mr. Maiffret said. "It's kind of a scary thing."