NEWS FROM THE LAB - Wednesday, November 11, 2009

Windows 2K Server Patch Update

Posted by Christine @ 00:27 GMT

Microsoft just released a patch to address the License Logging Server Heap Overflow Vulnerability (CVE-2009-2523). This vulnerability affects the License Logging Service (LLS), a feature which, according to Microsoft, is "designed to help customers manage licenses for Microsoft server products that are licensed in the Server Client Access License (CAL) model."

More details on LLS at: Description of the License Logging Service in Windows Server operating systems

This vulnerability only affects Microsoft Windows 2000 Server Service Pack 4 and is rated Critical, since the service is enabled by default in that OS. The service is also accessible via an anonymous network connection, and exploiting the vulnerability can lead to extensive heap memory corruption, which could possibly lead to remote code execution. The newer MS Server systems are not affected, since the service has been removed as of Windows Server 2008.

More details of this patch are at these locations:

  •  Microsoft Security Bulletin MS09-064
  •  Details on the License Logging Service vulnerability

It's time to patch those old 2K servers.