There have been several interesting developments in the last week or so regarding Microsoft and its new flagship product, Windows Server 2003. At least two critical vulnerabilities have been disclosed. One is in the DirectX implementation (MS03-030, an unchecked buffer in DirectShow's handling of MIDI files) and the other is in the RPC service (MS03-026, a buffer overrun in the DCOM interface of RPC that allows remote code execution on port 135 without authentication). Neither is specific to Windows Server 2003; both also affect Windows NT 4.0, 2000 and XP, so the patch list is longer than the new product. Both are serious, and both demand that you respond immediately and apply the patch (
Another issue that I find extremely interesting is that a team of Swiss researchers (Philippe Oechslin's group at EPFL in Lausanne) has demonstrated cracking a Windows password in about 13 seconds, beating the group's previous record by more than 90 seconds per password. The technique is a cryptanalytic time-memory trade-off, with a precomputed structure the researchers call a rainbow table, and it works because of how Windows hashes and stores passwords rather than because of any weakness in the hash function itself. The LAN Manager (LM) hash is computed with a fixed algorithm and no per-account salt: the password is upper-cased, padded or truncated to 14 characters, split into two 7-character halves, and each half is used as a DES key to encrypt a constant. Since every account with a given password produces the same hash on every machine, an attacker can precompute the hash-to-password mapping once and reuse it against every hash ever dumped from a SAM or a domain controller; precomputation is exactly what a salt is meant to defeat. The hashing scheme itself cannot be changed without a change to the Windows security accounts storage format, but that does not leave administrators with no countermeasure. You can stop storing the LM hash at all (the Group Policy setting "Network security: Do not store LAN Manager hash value on next password change", or the NoLMHash value under HKLM\SYSTEM\CurrentControlSet\Control\Lsa; Windows Server 2003 enables this by default, and passwords longer than 14 characters never get an LM hash), require NTLMv2 on the wire so the weak hash is never used for authentication, and treat any hash dump as equivalent to a cleartext password list. Be aware that the NT hash (MD4 of the Unicode password) is also unsalted, so the same precomputation applies to it; its larger keyspace only makes the tables bigger.
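To make concrete why an unsalted, fixed-format hash invites this attack, here is an added example, not code from the column or from the researchers, of a toy rainbow table in Python. It substitutes SHA-1 over a four-letter keyspace for the real DES-based LM hash; that substitution is an assumption made only so the demo runs in well under a second, because the attack depends on the absence of a salt, not on which hash function is used. It goes slightly beyond the column by also showing what the column's "no countermeasure" claim misses: the same table, the same password and the same lookup fail as soon as a per-account salt is mixed in.

```python
import hashlib
import os
import string

# Toy keyspace: 4 lowercase letters.  The real LM keyspace (7 characters of
# the upper-cased printable set, twice) is far larger; these sizes keep the
# demo to well under a second.
CHARSET = string.ascii_lowercase
PW_LEN = 4
KEYSPACE = len(CHARSET) ** PW_LEN   # 456,976 candidate passwords
CHAIN_LEN = 60                      # hash+reduce steps per chain
NUM_CHAINS = 3000                   # endpoints kept: the "memory" side


def unsalted_hash(password: str) -> bytes:
    """Stand-in for the LM hash (assumption: SHA-1 replaces DES here).
    The only property the attack needs is that the same password always
    yields the same digest on every machine."""
    return hashlib.sha1(password.encode()).digest()


def salted_hash(password: str, salt: bytes) -> bytes:
    """What the LM and NT hashes do not do: mix in a per-account salt."""
    return hashlib.sha1(salt + password.encode()).digest()


def index_to_password(i: int) -> str:
    """Map an integer in 0..KEYSPACE-1 onto a password (base-26 digits)."""
    chars = []
    for _ in range(PW_LEN):
        i, r = divmod(i, len(CHARSET))
        chars.append(CHARSET[r])
    return "".join(chars)


def reduce_to_password(digest: bytes, column: int) -> str:
    """Reduction function R_column: fold a digest back into the keyspace.
    Mixing the column index in gives every chain position its own
    reduction, the detail that makes this a rainbow table rather than a
    classic Hellman table (chains that collide at different columns no
    longer merge)."""
    n = (int.from_bytes(digest[:8], "big") + column) % KEYSPACE
    return index_to_password(n)


def password_on_chain(start_index: int, column: int) -> str:
    """Walk chain `start_index` to position `column`; used to pick a
    victim password that is guaranteed to be covered by the table."""
    pw = index_to_password(start_index)
    for col in range(column):
        pw = reduce_to_password(unsalted_hash(pw), col)
    return pw


def build_table(num_chains: int = NUM_CHAINS, chain_len: int = CHAIN_LEN) -> dict:
    """One-off precomputation: num_chains * chain_len hashes of work, but
    only the (endpoint -> start points) pairs are stored."""
    table = {}
    for i in range(num_chains):
        start = index_to_password(i)
        pw = start
        for col in range(chain_len):
            pw = reduce_to_password(unsalted_hash(pw), col)
        table.setdefault(pw, []).append(start)
    return table


def lookup(table: dict, target: bytes, chain_len: int = CHAIN_LEN):
    """Recover the password behind `target`, or None if no chain covers it.
    Cost is roughly chain_len**2 / 2 hash operations per target, independent
    of KEYSPACE, and the same table serves every hash ever recovered."""
    for col in range(chain_len - 1, -1, -1):
        # Hypothesis: target is the digest at position `col` of some chain.
        pw = reduce_to_password(target, col)
        for later in range(col + 1, chain_len):
            pw = reduce_to_password(unsalted_hash(pw), later)
        for start in table.get(pw, ()):
            # Endpoint hit: regenerate that chain and check each position.
            cand = start
            for c in range(chain_len):
                if unsalted_hash(cand) == target:
                    return cand
                cand = reduce_to_password(unsalted_hash(cand), c)
            # No match here: a false alarm from a chain that merged into this end.
    return None


if __name__ == "__main__":
    table = build_table()
    victim = password_on_chain(42, 17)          # constructed test password
    print("unsalted:", lookup(table, unsalted_hash(victim)), "==", victim)
    # Same password, same table, but a per-account salt: the precomputation
    # is useless, since the attacker would need one table per salt value.
    print("salted:  ", lookup(table, salted_hash(victim, os.urandom(8))))
```

The trade-off is visible in the two constants: the table stores only 3,000 endpoints for a keyspace of 456,976, and each lookup costs a couple of thousand hash operations instead of a full search, while the expensive part (building the chains) is paid once and amortised over every hash ever dumped. The published attack applies exactly this idea to the LM keyspace with tables on the order of a gigabyte, which is why 13 seconds per password is possible; salting, as the last line shows, would have forced one such table per salt value.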
One last item of interest: Microsoft has dropped its limitations on liability for customers. In fact, if a customer is sued over the disclosure of intellectual property because of flaws in Microsoft products, Microsoft will pay all related legal bills. This is a significant change from the liability clause in previous license agreements. Experts doubt the change will result in Microsoft shelling out millions, especially since, even under the previous liability restrictions, not a single customer has been able to show intentional oversight or gross negligence on Microsoft's part.
About the author
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.
For more on this topic, visit these resources:
- Web Security Tip: Web security benefits from Windows Server 2003
- Web Security Tip: The first security update for Windows Server 2003
- Network Security Tip: First steps in locking down Windows Server 2003
This was first published in July 2003