Saturday March 29, 2008 10:28

Hacker Bags Windows Server 2008 Trophy

Posted by BSchwarz as Security, Windows

eWEEK’s Ryan Naraine reports “serious design weaknesses” affecting Internet Information Services 7, Windows Server 2008, Windows XP and Windows Vista. IIS 7 is bundled with Windows Server 2008. Exploit details are sketchy, but not the source: Argeniss co-founder Cesar Cerrudo.

Apparently, Cerrudo plans to share more information about the security flaws during April’s Hack in the Box Security Conference. That will give Microsoft some time to research the problem before Cerrudo tells all. He plans to demonstrate zero-day exploits for elevating privileges in IIS, SQL Server and Windows Server 2008.

Assuming the exploits, or flaws, are really as serious as reported, they should be a reminder to Microsoft when the bug counting starts. Sometime in the next few months I expect Microsoft to count off the number of security vulnerabilities found in Windows Server 2008. Microsoft took this approach with Windows Server 2003 and Windows Vista in comparison with their predecessors. The counting tactic is flawed for lots of reasons, but here’s a simple one: It’s not the number but the severity that matters. One really bad flaw can be worse than 20, or 50, smaller ones.

Flaw counting is meaningful, just not the way it’s used by Microsoft. Fewer vulnerabilities means fewer patches, which means fewer patch management headaches.

In the meantime, the question for enterprises to ask is, “When?” Are Windows 2008 and Windows Vista really enterprise security-ready? Some enterprises should consider a slower testing and migration path until more concrete information is available.

Microsoft has taken great pains to improve security in both operating systems. But Cerrudo has identified flaws with fundamental Windows service accounts—NETWORK SERVICE or LOCAL SERVICE—and claims the ability to seize control of exploited systems.

As I said, one really bad flaw is enough for concern. IT organizations should ask about the ease with which IIS 7 and either SQL Server 2005 or 2008 could be compromised for public-facing Web sites. Ryan reports that in IIS 7’s default configuration, skilled hackers can completely compromise Windows Server security using ASP.Net applications.

One mitigating circumstance puzzles me: server roles. Apparently, Cerrudo didn’t tell Ryan whether Windows Server 2008 can be compromised in all configurations or whether some server roles are less vulnerable than others. Windows XP and Vista don’t use roles. But businesses can install portions of Windows Server 2008 for specific tasks. I haven’t fully tested Windows Server 2008, so I can’t say in what context, if any, the NETWORK SERVICE or LOCAL SERVICE accounts could be disabled.

News source: Microsoft Watch.
