This story was written by Keith Dawson for the Industry Standard's Media Grok email newsletter. It is archived here for informational purposes only because The Standard's site is no more. This material is Copyright 1999-2001 by Standard Media.

Microsoft Security Flaw in Shades of Gray

May 04 2001 09:08 AM PDT

Hackers identify a big hole in Windows 2000, and sometimes it's hard to tell who the good guys are.

The latest security hole in Microsoft's Internet Information Server 5.0 is a doozy. It lets anyone anywhere run code on the hosting Windows 2000 system with administrator privileges. The hole was reported on Tuesday by eEye Digital Security. Microsoft released a patch to fix it, and acknowledged and thanked eEye.

Microsoft's hole-du-jour was widely reported on Wednesday. That same day, several hackers released exploits demonstrating how to use the technique to run code on remote Windows 2000 systems, and the press clamor began anew.

Accounts varied as to how many vulnerable systems there are. The AP reported that Microsoft has sold a million licenses of its Windows 2000 Server, but didn't guess how many are running the IIS Web software. The Register blithely guesstimated, and headlined, that "several million" Windows 2000/IIS 5.0 systems are in use.

An early Associated Press report simply covered a press release from eEye announcing the exploits. ZDNet and InternetNews identified one of the hackers - who goes by the nickname Dark Spyrit - and described his exploit code, called jill.c.

Because eEye waited for Microsoft's fix before posting details of the problem, the security community would consider it a "white hat." (Gray hats are those hackers who believe that the best way to force attention to security is to promulgate dangerous exploits. Black hats are the just-plain bad guys.) Yet after Dark Spyrit - whom InternetNews's Brian McWilliams called a gray hat - released jill.c, eEye's "chief hacking officer" published a harmless sample exploit of his own. Watch his hat darken.

The Register's hat is looking a little smudged after its coverage. Reporter Thomas C. Greene not only fingered a second published exploit but also provided handy links to both pieces of abusive code. InternetNews quoted security expert Russ Cooper, identified as the "surgeon general" of TruSecure, who said releasing an exploit "was not necessary to put fire under the butts of anybody. Every alerting mechanism on the planet has been invoked."

Microsoft Fights Security Flaw (AP)
New York Times
(Registration required.)

Hacker Exploits Microsoft Server Flaw

First Remote IIS 5 Root Exploit in The Wild

Exploits for Several Million Microsoft Servers Posted
The Register

Remote 'Root' Exploit in IIS 5.0

Unchecked Buffer in ISAPI Extension Could Enable Compromise of IIS 5.0 Server
Microsoft TechNet