Microsoft managed to beat itself to the punch last week, issuing the first patches to fix security holes in the much-delayed Windows 2000 operating system - several weeks before its official release date.
Two security bugs were detected in Microsoft Index Server, search engine software found in both Windows NT and Windows 2000. The first could allow a malicious user to view, but not change, add or delete, files on a Web server, while the second could reveal the physical location of Web directories on the server, according to a security bulletin issued by Microsoft last week. The bulletin also said that the two glitches were unrelated except for the fact that both were found in the Index Server.
Windows 2000, Microsoft's new operating system for corporate users, is scheduled to be officially released on February 17. Index Server is a tool designed to allow users to perform full-text, online searches via a Web browser. It was designed to search Word, PowerPoint and Excel documents as well as standard HTML documents, according to information from Microsoft's Web site.
The first bug, or the Malformed Hit-Highlighting Argument "vulnerability," as Microsoft calls it, allows users to request information beyond their security access via a specific type of malformed request.
"It's highly possible that someone could take advantage of the vulnerability," said David Litchfield, security analyst at UK-based Cerberus Information Security, who originally spotted the bug. "But it depends on what the ultimate end of the attacker is," he noted. "If he's trying to look for sensitive files on the Web server. . . or view the source of active server pages, he can do that."
Microsoft's patch, which he has installed on his system, does eliminate the problem, Litchfield said.