Posts Tagged: Server 2003


13 Jul 10

Microsoft Security Updates, and a Farewell to Windows XP Service Pack 2

Microsoft today released software updates to fix at least five security vulnerabilities in computers running its Windows operating system and Office applications. Today also marks the planned end-of-life deadline for Windows XP Service Pack 2, a bundle of security updates and features that Microsoft first released in 2004.

Four out of five of the flaws fixed in today’s patch batch earned a “critical” rating, Redmond’s most severe. Chief among them is a bug in the Help and Support Center on Windows XP and Server 2003 systems that’s currently being exploited by crooks to break into vulnerable machines. Microsoft released an interim “FixIt” tool last month to help users blunt the threat from this flaw, and users who applied that fix still should install this patch (and no, you don’t need to undo the FixIt setting first). Update 5:50 p.m. ET: I stand corrected on this — it looks like Microsoft won’t offer the patch for this flaw if you’ve already used the FixIt tool.



5 Jul 10

Microsoft Warns of Uptick in Attacks on Unpatched Windows Flaw

Microsoft is warning that hackers have ramped up attacks against an unpatched, critical security hole in computers powered by Windows XP and Server 2003 operating systems. The software giant says it is working on an official patch to fix the flaw, but in the meantime it is urging users to apply an interim workaround to disable the vulnerable component.

Redmond first warned of limited attacks against the vulnerability in mid-June, not long after a Google researcher disclosed the details of a flaw in the Microsoft Help & Support Center that can be used to remotely compromise affected systems. Last week, Microsoft said the pace of attacks against Windows users had picked up, and that more than 10,000 distinct computers have reported seeing this attack at least one time.

If you run either Windows XP or Server 2003, I’d encourage you to consider running Microsoft’s stopgap “FixIt” tool to disable the vulnerable Help Center component. To do this, click this link, then click the “FixIt” button in the middle of the page under the “enable this fix” heading. Should you need to re-enable the component for any reason, click the other FixIt icon. Users who apply this fix don’t need to undo it before applying the official patch once it becomes available, which at this rate probably will be on Tuesday, July 13.


14 Jun 10

Security Alert for Windows XP Users

Microsoft is warning Windows XP and Server 2003 users that exploit code has been posted online showing attackers how to break into these operating systems remotely via a newly discovered security flaw.

The vulnerability has to do with a weakness in how Windows Help and Support Center processes links. Both Windows XP and Server 2003 retrieve help and support information from a fixed set of Web pages that are included on a whitelist maintained by Windows. But Google security researcher Tavis Ormandy last week showed the world that it was possible to add URLs to that whitelist.

Microsoft said an attacker could exploit this flaw by tricking a user into clicking a specially crafted link. Any files fetched by that link would be granted the same privileges as the affected system’s current user, which could spell big problems for XP users browsing the Web in the operating system’s default configuration — using the all-powerful “administrator” account.

“Given the public disclosure of the details of the vulnerability, and how to exploit it, customers should be aware that broad attacks are likely,” Microsoft said in a statement released last week.



2 Mar 10

MS: Be Careful With Those Function Keys

Microsoft Corp. has a message for Windows 2000, XP and Server 2003 users: If you browse the Interwebs with Internet Explorer 6, 7, or 8, take care to ignore any prompts that ask you to hit the F1 key on your keyboard, as doing so may be unhealthful to your PC.

It turns out that there is a security flaw in the way these operating system and browser versions process “Windows Help files,” and the result is entirely unhelpful. That is, pressing the F1 key when presented with a specially crafted pop-up box prompting you to do so could allow criminals to download and install malicious software on your computer.

Thankfully, most Windows users are more likely to locate the “any” key on their systems before they realize that the “Function 1” key is but the first of 12 such keys situated just above the left-to-right number keys on the standard Windows keyboard. Indeed, most Windows users’ first experience with these function keys is when something goes wrong with Windows.

In a security advisory issued Monday, Microsoft said it may at some point issue a software update to address this shortcoming. Redmond’s advisory on this topic is available here. The organization responsible for this warning — Polish security firm iSec Security Research — has a bit more information here on the ins and outs of this bug.