Windows 2000 has not even been officially released yet, and Uncle Steve already has a patch waiting. The problem turns out, unsurprisingly, to lie in the security of the Win2k web server (thanks Jorrit for the tip):
Microsoft posts first Windows 2000 security fix

Three weeks before Windows 2000 is slated for widespread availability, it already needs a security patch. Microsoft Security Bulletin MS00-006 describes the patch, which fixes two vulnerabilities that affect Microsoft Index Server in Windows NT 4.0 and Indexing Services in Windows 2000. The vulnerabilities could allow a malicious user to read files on an NT/2000 Web server under certain conditions and to reveal where Web files are located on the server.

For more information about the Index Server problem, see this article from ZDNet:

The more dangerous of the two problems, dubbed the "Malformed Hit-Highlighting Argument Vulnerability" by Microsoft (Nasdaq: MSFT), was spotted by David Litchfield of Cerberus Information Security on Jan. 17 and immediately reported to Microsoft security. The bug allows attackers to view files stored on a target Web server and represents a major threat, according to Litchfield.
"Of course, ideally you make sure there's no sensitive data on your Web server, but this can be incredibly difficult," Litchfield said.
"It's not for us to assess the seriousness of this problem, because we take all security risks seriously," said Microsoft Security Manager Scott Culp. "The important thing now is that the patch is out, and that it fixes the problem. All of our customers should check out our security site."
However, Litchfield's investigation of the bug suggests that the majority of Windows-based servers are at risk. He confirmed that at least six banks and three major computer manufacturers were affected by the bug.