Microsoft late Wednesday issued patches for three security holes affecting its Point-to-Point Tunneling Protocol (PPTP), Windows 2000 platform and versions of the Internet Information Server (IIS).

The Redmond, Wash.-based software giant warned that the most critical of the three bugs was an unchecked buffer in PPTP implementation that could enable denial-of-service (DoS) attacks.

Two other security alerts, which bring the total announced by Microsoft this year to 64, cover fixes for the default permissions in Windows 2000 that could allow Trojan Horse program execution and a cumulative patch that plugs four house in IIS versions 4.0, 5.0 or 5.1.


PPTP Implementation
In its advisory warning of an unchecked buffer in the PPTP implementation, Microsoft said the "critical" vulnerability could lead to denial-of-service attacks against customers using Windows 2000 or Windows XP.

"Administrators offering PPTP services should install the patch immediately; users who utilize remote access using PPTP should consider installing the patch," Microsoft warned. (Download patch locations: Windows 2000; Windows XP 32-bit and Windows XP 64-bit.

Microsoft said the unchecked buffer was detected in a section of code that processes the control data used to establish, maintain and tear down PPTP connections. "By delivering specially malformed PPTP control data to an affected server, an attacker could corrupt kernel memory and cause the system to fail, disrupting any work in progress on the system," the company said.

Windows 2000 and Windows XP support the Point-to-Point Tunneling Protocol (PPTP), a Virtual Private Networking (VPN) technology that is implemented as part of Remote Access Services (RAS). The protocol was developed jointly by Microsoft, U.S. Robotics, and several remote access vendor companies (known collectively as the PPTP Forum).

Microsoft warned that the vulnerability could be exploited against any server that offers PPTP. If a workstation had been configured to operate as a RAS server offering PPTP services, it could likewise be attacked, according to the advisory. "Workstations acting as PPTP clients could only be attacked during active PPTP sessions. Normal operation on any attacked system could be restored by restarting the system," it said.

Because of how the overrun occurs, Microsoft said it could not find any reliable means of using it to gain control over a system. "Servers would only be at risk from the vulnerability if they had been specifically configured to offer PPTP services. PPTP does not run by default on any Windows system. Likewise, although it is possible to configure a workstation to offer PPTP services, none operate in this capacity by default.

Cumulative Patch for IIS
The 62nd security alert from Redmond came in the form of a cumulative patch to squash four bugs in IIS versions 4.0, 5.0 or 5.1, the most serious of which could enable applications on a server to gain system-level privileges.

The patch for Microsoft's Internet Information Server which runs on the company's NT platforms includes the functionality of all security patches released for IIS 4.0 since Windows NT 4.0 Service Pack 6a, and all security patches released to date for IIS 5.0 and 5.1, the company said.

In addition to including previously released fixes, the cumulative patch also includes fixes for a privilege elevation vulnerability affecting the way ISAPIs are launched when an IIS 4.0, 5.0 or 5.1 server is configured to run them out of process.

By design, Microsoft said the hosting process (dllhost.exe) should run only in the security context of the IWAM_computername account; however, it can actually be made to acquire LocalSystem privileges under certain circumstances, thereby enabling an ISAPI to do likewise.

Also patched is a new denial-of-service vulnerability that results because of a flaw in the way IIS 5.0 and 5.1 allocate memory for WebDAV requests. If a WebDAV request were malformed in a particular way, the advisory said IIS would allocate an extremely large amount of memory on the server. By sending several such requests, an attacker could cause the server to fail.

A vulnerability (also newly discovered) involves the operation of the script source access permission in IIS 5.0 that operates in addition to the normal read/write permissions for a virtual directory, and regulates whether scripts, .ASP files and executable file types can be uploaded to a write-enabled virtual directory.

Microsoft said a typo error in the table that defines the file types subject to this permission has the effect of omitting .COM files from the list of files subject to the permission. As a result, a user would need only 'write access' to upload such a file. A separate alert warned system administrators running Windows 2000 of a bug in the default permissions that could allow the execution of Trojan Horse programs.

This bug, which was discovered by Security Focus, has a "moderate" rating and there is no patch. Instead, Microsoft recommends that administrators change the access permissions on the Windows 2000 system root directory.

It said the problem lies in the default permissions that provide the Everyone group with Full access (Everyone:F) on the system root folder (typically, C:\). In most cases, the system root is not in the search path but, under certain conditions, it can be, causing a scenario that could enable an attacker to mount a Trojan horse attack against other users of the same system.

Microsoft said an attacker could create a program in the system root with the same name as some commonly used program, then wait for another user to subsequently log onto the system and invoke the program. "The Trojan horse program would execute with the user's own privileges, thereby enabling it to take any action that the user could take," it warned.

"The systems primarily at risk from this vulnerability would be workstations that are shared between multiple users, and local terminal server sessions."