Microsoft issues first patch for Windows Server 2003

Two serious security flaws that could allow an attacker to take over a user's system exist in all current versions of Microsoft's Internet Explorer (IE) Web browser, including the one that ships with Windows Server 2003, Microsoft said Wednesday.

Affected are IE versions 5.01, 5.5, 6.0 and 6.0 for Windows Server 2003, Microsoft said in Security Bulletin MS03-020. The bulletin includes a software patch for all browser versions that the Redmond, Washington-based software vendor urges users to install immediately. (See:http://www.microsoft.com/technet/security/bulletin/MS03-020.asp)

With the announcement, Microsoft released its first security patch for Windows Server 2003, two months after the launch of the server product touted by Microsoft as one of its most secure products ever.

Microsoft was quick to stress that it had not failed to deliver on its security promise, but that in fact the flaws demonstrate that its "secure by design, secure by default and secure by deployment" approach is paying off.

"Windows Server 2003 in its default configuration is not vulnerable to this attack. Because of that, the severity rating on the predecessor platforms is critical, but the severity rating on Windows Server 2003 is moderate," said Jeff Jones, senior director of Trustworthy Computing at Microsoft.

IE on Windows Server 2003 is locked down as users are not expected to use a server computer for general Web browsing. The software has a "reduced attack surface area," Jones said. However, because the underlying vulnerability still exists, Microsoft does want people to apply the patch, he said.

Although Jones sees this as "a proofpoint for Trustworthy Computing," Forrester Research Inc. Senior Analyst Laura Koetzle warns that it is too early to draw any conclusion on the level of security in Windows Server 2003.

"It is good that in the default configuration Windows Server 2003 is not vulnerable to this. However, I don't think we should jump the gun saying that Windows Server 2003 is clearly more secure than previous versions of Windows. All signs point to yes, but it is a bit premature to make that decision," Koetzle said.

The first vulnerability exists because IE can automatically start downloading and running software if it is flooded by requests for software downloads, allowing an attacker to run arbitrary code on a user's computer, Microsoft said.

The second vulnerability exists because of a buffer overrun flaw in the way IE reads "object tags" in Web pages, Microsoft said. Object tags are used to embed objects such as Office documents or media files in a Web page. Buffer overrun flaws typically allow an attacker to gain control of a victim's computer.

Microsoft has a four-tiered system for rating security issues. Vulnerabilities that could be exploited to allow malicious Internet worms to spread without user action are rated critical. Issues that are rated important could still expose user data or threaten system resources. Vulnerabilities rated moderate are hard to exploit because of factors such as default configuration or auditing, or difficulty of exploitation.

Join the newsletter!

Or

Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.

Joris Evers

IDG News Service
Show Comments

Brand Post

Most Popular Reviews

Latest Articles

Resources

PCW Evaluation Team

Luke Hill

MSI GT75 TITAN

I need power and lots of it. As a Front End Web developer anything less just won’t cut it which is why the MSI GT75 is an outstanding laptop for me. It’s a sleek and futuristic looking, high quality, beast that has a touch of sci-fi flare about it.

Emily Tyson

MSI GE63 Raider

If you’re looking to invest in your next work horse laptop for work or home use, you can’t go wrong with the MSI GE63.

Laura Johnston

MSI GS65 Stealth Thin

If you can afford the price tag, it is well worth the money. It out performs any other laptop I have tried for gaming, and the transportable design and incredible display also make it ideal for work.

Andrew Teoh

Brother MFC-L9570CDW Multifunction Printer

Touch screen visibility and operation was great and easy to navigate. Each menu and sub-menu was in an understandable order and category

Louise Coady

Brother MFC-L9570CDW Multifunction Printer

The printer was convenient, produced clear and vibrant images and was very easy to use

Edwina Hargreaves

WD My Cloud Home

I would recommend this device for families and small businesses who want one safe place to store all their important digital content and a way to easily share it with friends, family, business partners, or customers.

Featured Content

Product Launch Showcase

Latest Jobs

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?