The cross-site scripting (CSS) bug affects Microsoft Indexing Services for Windows 2000 and Windows NT 4.0. Cross-site scripting attacks were first publicised in February of 2000, and can affect a variety of server-side software, enabling an attacker to insert malicious code into a user's browsing session via a trusted Web site. Microsoft said that a component of Indexing Services called CiWebHitsFile is vulnerable to a CSS attack, and released a patch to fix it. Indexing Services is a search service integrated into Internet Information Server and Windows 2000.

Denial of service vulnerability

Microsoft's Proxy Server 2.0 and ISA Server contain a vulnerability that allows an attacker from within the network to put them out of commission using a specially crafted data packet. The packet causes the software to hit 100 percent CPU utilisation and stop responding to internal and external requests. A reboot allows the software to function again, but it remains vulnerable to the same attack. Specifically, both pieces of software contain a flawed version of the Winsock Proxy service, which enables certain client-side applications to function as though they had a direct Internet connection, while routing their traffic through an internal server. Microsoft released a patch for the bug on its Web site, and noted that while the attack could shut the servers down, it did not allow a hacker to gain any higher privileges or compromise any content cached on the server.





