Microsoft patches another Telnet flaw in Win 2000

If you don't succeed the first seven times, try, try (and try some more) again. That seems to be the lesson Friday, as Microsoft acknowledged new vulnerabilities in the Telnet code included in Windows 2000, eight months after issuing a patch that fixed seven other security holes in Windows 2000's Telnet.

A buffer overflow attack - an attack in which the amount of memory allotted to an application is overrun - against the Telnet service could cause a denial of service, or in some cases, allow the attacker to run any code they wanted in Win 2000 or Interix 2.2, Microsoft said in its alert. Telnet is a common line program often used for remote access to systems. Interix is a program that allows users to run Unix applications in Win 2000. Microsoft has issued a patch that fixes the problem in both applications.

The security hole does have some mitigating features, however, that could minimize its impact, the company said. First, if attack code is run, it will only run with the level of permission given to the Telnet service. Second, Telnet is not turned on by default in Win 2000 and would have to be turned on to make a system vulnerable. Finally, Telnet is not installed by default in Interix and would have to be intentionally installed to make a system vulnerable.

In June 2000, Microsoft issued a patch that plugged seven security holes in Windows 2000's Telnet service, including serious holes that could have led to denial-of-service attacks.

The IDG News Service is a Network World affiliate.