If you don't succeed the first seven times, try, try (and try some more) again. That seems to be the lesson Friday as Microsoft Corp. acknowledged new vulnerabilities in the Telnet code included in Windows 2000, eight months after issuing a patch that fixed seven other security holes in Windows 2000's Telnet.
A buffer overflow attack -- an attack in which the amount of memory allotted to an application is overrun -- against the Telnet service could cause a denial of service, or in some cases, allow the attacker to run any code they wanted in Windows 2000 or Interix 2.2, Microsoft said in its alert. Telnet is a common line program often used for remote access to systems. Interix is a program that allows users to run Unix applications in Windows 2000. Microsoft has issued a patch that fixes the problem in both applications.
However. the security hole does have some mitigating features which could minimize its impact, the company said. First, if attack code is run, it will only run with the level of permission given to the Telnet service. Second, Telnet is not turned on by default in Windows 2000 and would have be turned on to make a system vulnerable. Finally, Telnet is not installed by default in Interix and would have to be intentionally installed to make a system vulnerable.
In June 2000, Microsoft issued a patch that plugged seven security holes in Windows 2000's Telnet service, including serious holes that could have led to Denial of Service attacks.
More information about the bug, and the download for the patch, can be found at http://www.microsoft.com/technet/security/bulletin/ms02-004.asp.
