Hope I am not sending info everyone already knows about.
---------------------------------


  Microsoft Discloses Flaw In Web Site Software

     Microsoft Corp. has acknowledged a serious flaw in its Internet server software that could allow sophisticated hackers to seize control of Web sites, steal information and use vulnerable computers to attack others online. The Internet Information Server software, which runs about one-third of the world's Web sites, is used by millions of businesses and organizations but less commonly by home users. Microsoft made available a free patch for customers using versions of the software with its Windows NT or Windows 2000 operating systems. The server software included within Microsoft's newer Windows XP operating system was not affected by the security flaw.

     In a separate warning Wednesday (13 June), Microsoft said customers of its Windows NT, Windows 2000 and Windows XP operating systems were vulnerable to an unrelated problem affecting Microsoft's technology to connect to the Internet over phone lines. Hackers trying to attack these computers must already have permission to use them, limiting the risks. A researcher with eEye Digital Security Inc., Riley Hassell, found the Web server flaw in mid-April during testing of eEye's own hacker-defense software, but the discovery was kept closely guarded under an agreement with Microsoft until Wednesday.

     Microsoft described the risk to Web servers as "moderate." The company and other top experts, including U.S. officials at the National Security Agency, have for months recommended turning off the vulnerable feature unless customers need it. One consolation for Microsoft's customers was that the software flaw wasn't easy to exploit by most hackers. "It does take a more sophisticated level of skill," said David Gardner, a security program manager at Microsoft.

     The latest vulnerability affects a function in the server software that allows Web administrators to change passwords for an Internet site. Despite the anticipated difficulty for hackers, the flaw was considered unusually threatening because it is closely related to a similar Internet server glitch disclosed by Microsoft on April 10. Experts believe hackers already have been distributing customized attack tools to exploit the April 10 flaw, and they fear these underground tools could be updated readily to attack computers susceptible to the latest glitch. A little-known Chinese hacking group has been distributing such tools on a Web site for weeks, although these are limited to attacking computers running Chinese-language versions of Microsoft's server software. Others claim to have developed more reliable attack tools using the April 10 glitch. The FBI had warned that the previous, similar flaw was "a significant threat due to the magnitude and type of potential victim systems." Marc Maiffret, the self-described "chief hacking officer" for eEye, said malicious hackers will devise automated tools to scan the Internet and attack vulnerable computers rather than targeting machines individually. The same technique was used to spread the damaging "Code Red" and "Nimda" across the Internet last year, which infected nearly 1 million servers. "It could readily be exploited with a worm," Mr. Maiffret said. "It's kind of a scary thing."
