Hello!

I would like to report a vulnerability that I reported to MS and that now has a remedy. Unfortunately, MS decided that this problem does not deserve its own urgent security hot fix and preferred to wait for the latest service packs.

Affected OS:
Windows 2000 (Server and Professional) up to and including SP2, and Windows XP Professional (no SP, the initial version only).

Remedy:
Apply Windows 2000 SP3 or Windows XP SP1, as appropriate for each OS.

The problem:
If you define that an event log (of any kind, not only security; application and system as well) will not overwrite itself but will stop logging when it is full (thus letting you save it aside as a file and only then clear it), and you also set this PC to send administrative alerts, then these alerts are never sent when ANY event log type (not only security) fills up and stops logging.

Administrative alerts are pop-up messages generated by the "Alerter" and "Messenger" services on the originating PC when certain system events are triggered locally (such as a full event log or lack of disk space), and accepted on a target PC with an active "Messenger" service.

Articles explaining how to set up administrative alerts in Windows 2000 and XP:

Q243625 - How to Configure Administrative Alerts in Windows 2000
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q243625)

Q310490 - HOW TO: Set Up Administrative Alerts in Windows XP
(http://support.microsoft.com/default.aspx?scid=kb;en-us;Q310490)

Vulnerability effect:
The problem here, mostly with the security event log, is that the log can be filled (by normal security logging by the OS, or by a malicious attacker filling the log with bogus events just to push it to the point where it stops logging). Once the log is full, no further security events, malicious or regular, are logged, and no administrator is made aware that the log should be saved aside and cleared.

This can also be risky for the system event log (I think it is the system type) if it can't log the fact that a drive is almost full; this can lead to OS / application corruption, up to (or should I say "down to"…) a crash.

No exploit programs are required, but I guess any program that can fill up the security event log with bogus events can help attackers.

Workaround:
None that I am aware of.

Remedy:
For Windows 2000 Server and Professional: apply SP3 for Windows 2000.
For Windows XP Professional: apply SP1 for Windows XP.

The TechNet article regarding this issue can be found at
http://support.microsoft.com/default.aspx?scid=kb;en-us;Q329350

Credit:
Eitan Caspi
Israel
Email: eitancaspi@yahoo.com
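
The condition described in the advisory (a log set to stop logging when full, at or near its size limit) can be checked locally without relying on the alert mechanism. The following is an added example, not part of the original post or any Microsoft tooling: the function name Get-RetainLogRisk and the 90% threshold are assumptions, the sample objects are constructed, and the live call assumes a Windows version where PowerShell and Get-WinEvent are available.

```powershell
# Added example: flag event logs that stop recording when full ("Retain" mode)
# and are full or close to their configured size limit.
# Get-RetainLogRisk is a hypothetical helper; the 90% default is an assumption.
function Get-RetainLogRisk {
    param(
        [Parameter(ValueFromPipeline = $true)] $Log,
        [double] $ThresholdPercent = 90
    )
    process {
        # Circular and AutoBackup logs keep recording when they reach the
        # limit; only Retain-mode logs go silent once full.
        if ("$($Log.LogMode)" -ne 'Retain') { return }
        if (-not $Log.MaximumSizeInBytes)   { return }

        $pct = [math]::Round(100 * [double]$Log.FileSize / $Log.MaximumSizeInBytes, 1)
        if (($Log.IsLogFull -eq $true) -or ($pct -ge $ThresholdPercent)) {
            [pscustomobject]@{
                LogName     = $Log.LogName
                PercentUsed = $pct
                IsLogFull   = ($Log.IsLogFull -eq $true)
            }
        }
    }
}

# Constructed sample input, shaped like the objects Get-WinEvent -ListLog returns.
$sample = @(
    [pscustomobject]@{ LogName = 'Security';    LogMode = 'Retain'
                       FileSize = 20MB; MaximumSizeInBytes = 20MB; IsLogFull = $true }
    [pscustomobject]@{ LogName = 'System';      LogMode = 'Retain'
                       FileSize = 4MB;  MaximumSizeInBytes = 20MB; IsLogFull = $false }
    [pscustomobject]@{ LogName = 'Application'; LogMode = 'Circular'
                       FileSize = 20MB; MaximumSizeInBytes = 20MB; IsLogFull = $false }
)

# Only the Security entry is reported: Retain mode and 100% used.
$sample | Get-RetainLogRisk

# Live check (run elevated so the Security log can be read):
# Get-WinEvent -ListLog Application, System, Security | Get-RetainLogRisk
```

Run on a schedule, the live call gives a warning that does not depend on the "Alerter" and "Messenger" services.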