Windows Server 2003: Shots are being fired

There have been several interesting developments in the last week or so regarding Microsoft and its new flagship product, Windows Server 2003. At least two critical vulnerabilities have been discovered: one in the DirectX implementation and the other in RPC. Both are serious, and both demand that you respond immediately and apply the patches (MS03-026 and MS03-030). The RPC bug is so serious that several experts claim a worm exploiting this vulnerability could easily outpace the speed and total number of infections of Code Red by a factor of 10 or more.

Another issue that I find extremely interesting is that a team of Swiss researchers has discovered a means to crack a Windows password in about 13 seconds, surpassing the group's previous record by more than 90 seconds per password. The group discovered or developed a password-cracking scheme that takes advantage of the way Windows encrypts and stores passwords. Windows always encrypts using the same encryption scheme and always stores the passwords in the same manner, method and format. This rigidity has led to an inherent vulnerability in the password protection implementation, which these researchers have exploited. Unfortunately, without a change to the Windows security accounts storage mechanism, there is no countermeasure or workaround for this new exploit.
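Why a fixed, identical storage scheme invites precomputation, shown as an added example that is not from the original article or from the researchers' work. SHA-256 stands in for Windows' actual algorithm, the per-account salt is an assumed instance of a changed storage mechanism, and the account names, passwords and candidate list are constructed.

```python
import hashlib
import os

# Added illustration, not Windows' real algorithm: SHA-256 stands in for any
# fixed password transform that has no per-account input.

def fixed_hash(password: str) -> str:
    """Deterministic storage: the same password always yields the same value."""
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def salted_hash(password: str, salt: bytes) -> str:
    """Assumed changed mechanism: a random per-account salt is mixed in."""
    return hashlib.sha256(salt + password.encode("utf-8")).hexdigest()

def precompute(candidates):
    """Table built once (stored value -> password), valid for every account."""
    return {fixed_hash(p): p for p in candidates}

def exposed_accounts(store, table):
    """Audit: accounts whose stored value appears in the precomputed table."""
    return sorted(user for user, stored in store.items() if stored in table)

def shared_hash_groups(store):
    """Audit: groups of accounts whose stored values are identical."""
    groups = {}
    for user, stored in store.items():
        groups.setdefault(stored, []).append(user)
    return sorted(sorted(g) for g in groups.values() if len(g) > 1)

# Constructed sample data.
ACCOUNTS = {"alice": "Summer2003", "bob": "Summer2003", "carol": "x9!Lq#72vT"}
CANDIDATES = ["password", "Summer2003", "letmein"]

def demo():
    table = precompute(CANDIDATES)
    unsalted = {u: fixed_hash(p) for u, p in ACCOUNTS.items()}
    salts = {u: os.urandom(16) for u in ACCOUNTS}
    salted = {u: salted_hash(p, salts[u]) for u, p in ACCOUNTS.items()}
    return {
        "unsalted_exposed": exposed_accounts(unsalted, table),
        "unsalted_shared": shared_hash_groups(unsalted),
        "salted_exposed": exposed_accounts(salted, table),
        "salted_shared": shared_hash_groups(salted),
    }

if __name__ == "__main__":
    print(demo())
```

With the fixed scheme, one table resolves every account that uses a listed password and reveals which accounts share a password; with a per-account salt, the same table matches nothing.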

One last item of interest: Microsoft has dropped its limitations on liability for customers. In fact, if a customer is sued over the disclosure of intellectual property because of flaws in Microsoft products, Microsoft will pay for all related legal bills. This is a significant change to the liability clause in previous license agreements. Experts doubt this change will result in Microsoft shelling out millions, especially since even under the previous liability restrictions, not a single customer has been able to show intentional oversight or gross negligence on the part of Microsoft's products.

About the author
James Michael Stewart is a partner and researcher for ITinfopros, a technology-focused writing and training organization.

This was first published in July 2003
