[ISN] Security flaw in key Microsoft services

From: InfoSec News (isnat_private)
Date: Wed Aug 21 2002 - 01:34:36 PDT


By Joe Wilcox
Staff Writer, CNET News.com
August 20, 2002, 1:58 PM PT

Microsoft on Tuesday warned users of a number of its subscription
programs, including product testing and volume licensing, of a
potential security flaw affecting the software they use for downloads.

The Redmond, Wash.-based software giant strongly urged customers using
the File Transfer Manager (FTM) program to upgrade to the newest
version. Microsoft released the new version, FTM, in late
June. Affected customers can download the update from Microsoft's FTM
Web site.

FTM is used to automatically download software for use with some
Microsoft services. Microsoft distributes FTM to beta testers,
companies participating in volume licensing programs and Microsoft
Developer Network (MSDN) subscribers, among others.

In its e-mail to customers, Microsoft thanked Russian programmer
Andrew Tereschenko for identifying the security flaw, which the
company would not clearly identify.

Lynn Terwoerds, senior program manager for Microsoft's Security
Response Center, said the flaw was originally reported to another
division within the company. "The security response center has been
handling this for about a month," she added.

"There's a vulnerability in the File Transfer Manager," Terwoerds
said. "In that component there's a way for a person to take over the
machine. In most cases here, we are dealing simply with a bug that is
of a security class that would allow a user or attacker to gain higher
privileges than what would be appropriate."

Terwoerds downplayed the number of affected customers because the new
version of the software has been available for two months. "We think
it's a fairly small number, because not a lot of customers use (the
older version)...or have (it) installed on their machines," she said.
"I don't know the exact number, but not everyone will have this."

Terwoerds said that's the reason Microsoft did not post a broader
bulletin or distribute a warning to the 500,000 people subscribing to
the company's security alerts service.

"We let the people who really needed to know about this, know about
this," Terwoerds said. "It was a focused mailing."

But analysts were not convinced the unidentified vulnerability would
be so limited, because of how infrequently companies update software.
In fact, one of Microsoft's biggest ongoing security problems has been
companies waiting months or even years to install important patches or
security updates.

"By and large, there are a good number of businesses that don't
regularly update their software nor send updates to their end users,"
said Technology Business Research analyst Bob Sutherland. "Something
like this provides Microsoft an opportunity to get back in touch with
their customers and get them to pay more attention when there's a
security bulletin."

Grappling with security

Microsoft has been issuing security alerts on a fairly frequent basis
since January, when company Chairman Bill Gates made security a top
priority for the company. Microsoft's security Web site lists 41
alerts issued so far this year compared to about 46 for the same
period a year ago. But, as with the FTM flaw, Microsoft issues other
security alerts to specific customers rather than posting bulletins
for everyone.

Among recent incidents: Last week, Microsoft issued a cumulative patch
for security problems affecting SQL Server. A day earlier, the company
warned of a critical flaw in Windows 2000's Connection Manager.

A mid-August security bug potentially exposed credit card transactions
made using Internet Explorer. In early August, the software giant
identified a bug affecting Commerce Server 2001. A few weeks earlier,
Microsoft issued four security alerts. The most serious addressed a
hole that would allow hackers to take over SQL Server 2000.

In early July, Microsoft warned of an e-mail bug with Outlook. A late
June security patch plugged a hole that could have allowed hackers to
seize control of a computer using Windows Media Player. Weeks earlier,
Microsoft warned of a Gopher security hole in Internet Explorer that
also could allow hackers to take control of computers or servers.

Microsoft also incorporates cumulative security patches with the
release of service packs, which are software bug-fix and update
packages. Microsoft released Windows 2000 Service Pack 3 at the end of
July. The software giant could release Windows XP Service Pack 1 as
early as next Wednesday.

The company is nearing the final testing stage for the important
update, which introduces changes mandated by Microsoft's antitrust
settlement with the Justice Department and nine of 18 states.

According to the settlement, Microsoft must also disclose technical
information about application programming interfaces (APIs) by the
time Windows XP Service Pack 1 ships. Microsoft plans to disclose the
API information Wednesday.
ISN is currently hosted by Attrition.org
