October 31, 2002 12:12 PM PST
Microsoft flags three security holes
The company rated only a single flaw--affecting the point-to-point tunneling protocol portion of the Windows VPN software--as "critical." Even that vulnerability doesn't pose a great threat, said Scott Culp, manager for Microsoft's security response team.
"The flaw would only result in a denial of service," he said.
The vulnerability had originally been found by Austrian security firm Phion Information Technologies last month. The company had billed the problem as one that could lead to significant compromises in a business's network security.
After studying the problem, however, Microsoft said that the issue could lead only to a denial-of-service attack, a network attack that causes a computer to freeze when attacked by a program or to stop responding due to a deluge of data.
Microsoft also warned Windows 2000 users that there is a problem with the default way the operating system searches for a program that matches a given command. An attacker could put a Trojan horse--malicious code that fools the person or machine into thinking it's a legitimate program--in a directory that the operating system searches. The result: Windows 2000 will execute the malicious program rather than a legitimate command.
Finally, the company released a patch for its Internet Information Service (IIS) Web server. The patch includes many older fixes as well as four new ones.
All the warnings and suggested fixes for the problems can be found on the TechNet portion of Microsoft's Web page.