Experts: Enterprises must patch Microsoft server bug

Microsoft patches a total of 11 vulnerabilities -- five of them rated critical

Microsoft Tuesday issued six security updates for Windows, Office and the .Net Framework, patching a total of 11 vulnerabilities -- five of them rated critical.

The most serious of the batch is MS07-039, said security analysts who, unlike last month, had no trouble naming that critical update as the one which should be patched first.

"By far, this is the top of the list this month," said Andrew Storms, director of security operations at nCircle Network Security.

MS07-039 patches a pair of bugs in Active Directory in Windows 2000 Server and Windows Server 2003, the two supported server editions of Microsoft's operating system. The most dangerous of the two is a vulnerability in the way Active Directory validates an LDAP (Lightweight Directory Access Protocol) request. According to Microsoft's write-up, "an attacker who successfully exploited this vulnerability could take complete control of an affected system."

"Definitely at the top of today's list," agreed David Dewey, a researcher with IBM Internet Security Systems' X-Force team. "It's definitely exploitable."

Dewey should know, since it was a colleague at Internet Security Systems (ISS), Neel Mehta, who discovered the flaw last summer. "Neel's created proof-of-concept code in-house during the time we worked on this with Microsoft," said Dewey.

"It would certainly be worth the effort" to exploit this, added Storms. "Active Directory is in the center of every Windows network. There's a lot in there, including the group policy objects that set security -- and everything about every user."

Unlike most vulnerabilities, the Active Directory bug can be exploited without any user interaction, and on Windows 2000 Server, the older of the two operating systems, it can be attacked by an anonymous user. Although Windows Server 2003 may look safer at first glance -- an attacker must have valid credentials to exploit the bug on that edition -- looks can be deceiving, said Tom Cross, another X-Force researcher.

"In this case, the authentication requirements become less important," said Cross. "Anyone on the network -- an employee, for example -- would by definition have credentials." Worse, said Cross, is that outside attackers could exploit this without a lot of trouble by bundling an MS07-039 exploit with a multistrike attack that figures on compromising some fraction of enterprise laptops while they're outside the network. Once back inside the enterprise's perimeter, the Active Directory exploit could fire up -- using the credentials of the hijacked notebook -- to grab systems running the supposedly more secure Windows Server 2003.

Two of the remaining five bulletins -- MS07-036 and MS07-040 -- were pegged "critical" by Microsoft, with another two marked "important" and the final update tagged as "moderate."

As usual, Microsoft's monthly updates have been posted to Microsoft Update and Windows Update services, and they can also be retrieved through Windows Server Update Services (WSUS).

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Gregg Keizer

Computerworld
Show Comments

Father’s Day Gift Guide

Brand Post

Bitdefender 2019

Bitdefender’s best-in-class security solutions have been awarded Product of the Year. Get cybersecurity that 500 MILLION users already have and trust!

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?