Windows 2000: Microsoft patch failed to perform
One of the security updates from the recent Patch Tuesday failed to function correctly on Windows 2000, leaving a critical hole open. In response, Microsoft has released a new version that is intended to actually close the hole this time. At issue is a flaw in the XMLHTTP ActiveX control of XML Core Services (MSXML), which is used to process server responses. Rigged web sites can exploit the flaw to smuggle code onto a system. To remove the problem, the patch sets what is known as a kill bit, which prevents the specific objects concerned from being instantiated by external web pages and thereby removes the exploitation threat.
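The article's closing point is that an administrator should check the result rather than trust the release notes. A kill bit is a flag (0x400) in the "Compatibility Flags" DWORD under HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{CLSID}; the following added example (not code from the article or from Microsoft) parses a `reg export` of that key and reports which of the CLSIDs a patch claims to have kill-bitted are actually missing the bit. The CLSIDs and the export text are constructed placeholders, not the real MSXML identifiers.

```python
import re

# Kill bit flag inside the "Compatibility Flags" DWORD of an ActiveX Compatibility entry.
KILL_BIT = 0x400

# Constructed sample of "reg export" output for the ActiveX Compatibility key.
# The CLSIDs are placeholders, not the real XMLHTTP control identifiers.
SAMPLE_REG_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000AAAA}]
"Compatibility Flags"=dword:00000400

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility\{00000000-0000-0000-0000-00000000BBBB}]
"Compatibility Flags"=dword:00000000
"""

KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Internet Explorer\\"
    r"ActiveX Compatibility\\(\{[0-9A-Fa-f-]+\})\]$"
)
FLAGS_RE = re.compile(r'^"Compatibility Flags"=dword:([0-9A-Fa-f]{1,8})$')


def parse_compat_flags(reg_text):
    """Map each CLSID under ActiveX Compatibility to its Compatibility Flags value."""
    flags = {}
    current = None
    for raw in reg_text.splitlines():
        line = raw.strip()
        key = KEY_RE.match(line)
        if key:
            current = key.group(1).upper()
            continue
        if line.startswith("["):      # some other key: stop attributing values
            current = None
            continue
        val = FLAGS_RE.match(line)
        if val and current:
            flags[current] = int(val.group(1), 16)
    return flags


def killbit_set(reg_text, clsid):
    """True only when the control has an entry and its flags include the kill bit."""
    return bool(parse_compat_flags(reg_text).get(clsid.upper(), 0) & KILL_BIT)


def unkilled(reg_text, expected_clsids):
    """CLSIDs the patch claimed to kill-bit whose entry is absent or lacks the bit."""
    return [c for c in expected_clsids if not killbit_set(reg_text, c)]
```

On a live Windows 2000 box the input would come from `reg export "HKLM\SOFTWARE\Microsoft\Internet Explorer\ActiveX Compatibility" out.reg`; an empty result from `unkilled` means the patch did what it promised for those controls.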
The first version of the update did perform as intended on Windows XP and Server 2003. Why the Windows 2000 version failed at its task was not explained in the announcement posted on the Microsoft Security Response Center blog. Microsoft recommends that all Windows 2000 users apply the patch as soon as possible. Corporate network users in particular may be affected, since Windows 2000 is still very frequently used in such environments.
Microsoft has faced heavy criticism in the American media for the lapse. "How poorly are their Q&A processes if such a problem can slip through?" raged Russ Cooper from Cybertrust. The incident also provides another vivid example of how important it is for corporate networks to use hacker tools to test whether the manufacturer has performed the promised service and really closed a given hole. Otherwise one ends up relying on the manufacturer's statements – which just got a bit more difficult to swallow in the light of this incident.
- Information on re-release of MS06-061, blog entry by the MSRCTEAM