Microsoft has announced a serious security hole in its flagship Web server software and raced to convince system administrators to patch their Web servers before online vandals compromise their systems.
The flaw affects Window 2000 server software running version 5.0 of Internet Information Server (IIS). The hole is in Windows 2000's Internet printing module but can only be exploited if IIS is activated.
"It is a serious vulnerability," said Scott Culp, security product manager for the software giant. "We are going to some extraordinary steps. We want to make sure the people know about this vulnerability and apply the fix now."
The vulnerability affects servers with Internet printing turned on, the default setting with the software. By sending a specially formatted string of characters, the printing module can be made to give the remote user full access to the Web server.
Marc Maiffret, chief hacking officer for network protection firm eEye Digital Security, said the vulnerability is very serious.
"There are at least a million Web servers sitting on the Internet that, within a few minutes, you can get system level access to them," he said. The company discovered the flaw two weeks ago and notified Microsoft immediately.
The flaw allows properly written remote commands to overflow the memory for the Internet printing service's ISAPI (Internet Service Application Programming Interface).
Web servers using Microsoft's IIS 4.0 software are not affected by the flaw. Companies that have set up their Web server with the printing turned off - as outlined in Microsoft's "IIS Security Checklist" guidelines - or used the IIS Security Lockdown Tool don't need to worry about the vulnerability, either.
The company notified information-sharing and analysis centres, which informed key sectors, such as the telecommunications industry and the information technology industry, of critical security holes.
Microsoft has decided to hold Service Pack 2 - a collection of updates and big fixes - for Windows 2000 until it can integrate the patch with the update.
The announcement of the vulnerability comes at a bad time, as Chinese and American online vandals have apparently started cooperating for a weeklong string of attacks on government and corporate servers to protest the actions of each other's governments.
I've written this article 2 times and you keep refreshing the page and I loose it all.
Just install Zone Alarm and go back to sleep.