FrontPage Server, Windows Patches
Nov. 17, 2003

Vulnerabilities in Windows and the FrontPage Server Extensions, reported in Microsoft's Nov. 2003 Windows Security Bulletin Summary, could easily be exploited by worms. The vulnerabilities require organizations running Windows 2000 and Windows XP to take immediate corrective action, because they enable attackers to take over remote computers without any action by the computers' users. This means these vulnerabilities could become the basis of software "worms" similar to Blaster or SQL Slammer that automatically infect large numbers of computers over the Internet.

Buffer Overrun in Workstation Service

A vulnerability (designated MS03-049) in certain versions of Windows enables attackers to take control of computers running the Windows Workstation service, which supports file sharing, print sharing, and discovery of computers on LANs. The vulnerability affects the following Windows versions:

  • Windows 2000 Service Pack (SP) 2, 3, and 4
  • Windows XP, Windows XP SP 1
  • Windows XP 64-Bit Edition.

Windows NT 4.0, Windows Millennium Edition, and Windows Server 2003, among others, are not affected.

Organizations can block UDP ports 138, 139, and 445 and TCP ports 138, 139, and 445 at the firewall to prevent exploits of this vulnerability over the Internet. In fact, most firewalls (including Windows XP's built-in firewall) block these ports by default. However, organizations must also ensure that computers which bypass the firewall (such as laptops or home PCs connecting by remote access) are not vulnerable.

Disabling the Workstation service on a computer will block exploits of the vulnerability, but will also prevent the computer from using file and printer sharing. Consequently, it is practical only for isolated PCs, such as home computers.
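The firewall workaround above can be checked mechanically. The following Python code is an added example, not part of the original article or any Microsoft tooling: it evaluates an inbound rule list and reports which of the listed UDP/TCP ports (138, 139, 445) are still reachable. The rule format `<action> <proto> <ports>`, the first-match semantics, and the sample rule set are assumptions constructed for illustration.

```python
from typing import NamedTuple

# Ports and protocols the article says to block at the perimeter.
REQUIRED_BLOCKS = [(proto, port) for proto in ("udp", "tcp") for port in (138, 139, 445)]

class Rule(NamedTuple):
    action: str  # "allow" or "deny"
    proto: str   # "tcp", "udp" or "any"
    lo: int      # first destination port in the range
    hi: int      # last destination port in the range

def parse_rule(line: str) -> Rule:
    """Parse the hypothetical format '<action> <proto> <port|lo-hi|any>'."""
    action, proto, ports = line.lower().split()
    if action not in ("allow", "deny") or proto not in ("tcp", "udp", "any"):
        raise ValueError(f"unrecognised rule: {line!r}")
    if ports == "any":
        lo, hi = 0, 65535
    else:
        first, _, last = ports.partition("-")
        lo, hi = int(first), int(last or first)
    return Rule(action, proto, lo, hi)

def verdict(rules, proto, port, default="deny"):
    """First matching rule wins; otherwise the default policy applies."""
    for r in rules:
        if r.proto in (proto, "any") and r.lo <= port <= r.hi:
            return r.action
    return default

def exposed_ports(rule_text, default="deny"):
    """Return the (proto, port) pairs from REQUIRED_BLOCKS that inbound traffic can reach."""
    lines = [ln for ln in rule_text.splitlines() if ln.strip() and not ln.lstrip().startswith("#")]
    rules = [parse_rule(ln) for ln in lines]
    return [(p, n) for p, n in REQUIRED_BLOCKS if verdict(rules, p, n, default) == "allow"]

# Constructed sample rule set (not from the article): the wide TCP allow
# shadows the later "deny tcp 445", and UDP 445 is explicitly allowed.
SAMPLE = """\
# inbound rules, first match wins
deny udp 135-139
allow tcp 80-1024
deny tcp 445
allow udp 445
"""

if __name__ == "__main__":
    for proto, port in exposed_ports(SAMPLE):
        print(f"NOT BLOCKED: {proto.upper()} {port}")
```

On the sample rules the audit flags UDP 445 and TCP 138, 139, and 445, which shows how a broad allow rule placed ahead of a specific deny silently defeats the workaround.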

Buffer Overrun in FrontPage Server Extensions

Another vulnerability (designated MS03-051) enables attackers to take over computers that are running the Internet Information Server (IIS) Web server with the FrontPage Server Extensions (FPSE). FPSE is a set of optional Web server components that enable Web site administration and provide commonly used Web site functions, such as hit counters.

The vulnerability affects FPSE versions 2000 and 2002, which means it affects the following products:

  • Windows 2000 SP 2 and 3
  • Windows XP and Windows XP SP 1
  • SharePoint Team Services, as shipped in Office XP and Office XP Service Release 1.

Windows NT 4.0, Windows Millennium Edition, Windows 2000 SP 4, and Windows Server 2003 are not affected. Windows XP does not install FPSE by default, so many PCs running Windows XP won't be affected.

Organizations can work around the vulnerability by uninstalling or disabling FPSE on affected servers (for example, by using the IIS Lockdown Wizard), but this could disable some features of Web sites on those servers.

Other Vulnerabilities Less Serious

Other vulnerabilities in the Nov. 2003 Security Bulletin Summary are less likely to be exploited by worms because they require users to take action, such as visiting an attacker's Web site or opening a document. Nevertheless, several of these vulnerabilities can give an attacker control of a remote computer, and so deserve serious consideration for patching.

The bulletin does contain some good news for Microsoft: neither of the two serious vulnerabilities affects Windows Server 2003, the first version of Windows to have undergone a code security review as part of the company's Trustworthy Computing initiative. If Windows Server 2003 continues to escape threats like these, it will be a concrete sign of progress for Trustworthy Computing.

For the Nov. 2003 Windows Security Bulletin Summary, see www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/winnov03.asp.

A similar summary outlining Office vulnerabilities (such as a vulnerability that enables attackers to bypass macro security in Word and Excel) is at www.microsoft.com/technet/security/bulletin/offnov03.asp.