http://www.theage.com.au/news/Breaking/Severity-of-127dayold-W2K-flaw-being-determined/2004/12/08/1102182337247.html

Severity of 127-day-old W2K flaw being determined
By Sam Varghese
December 8, 2004

A longstanding security vulnerability in Windows 2000, rated highly critical by the well-known security firm eEye Digital Security, is being investigated by Microsoft, the company says. eEye disclosed the flaw to Microsoft 127 days ago.

A few days ago, Microsoft said it would not be releasing a fifth service pack for Windows 2000; instead it would issue an Update Rollup next year as a final security patch.

Full details of the flaw found by eEye have not been revealed publicly but have been sent to Microsoft. The little detail that has been provided publicly describes it as "a remotely-exploitable vulnerability that allows anonymous attackers to compromise default installations of the affected software, without requiring user interaction, and gain absolute access to the host machine."

Asked whether Microsoft would be patching this as part of the final security patch for Windows 2000, a Microsoft spokesman indicated that the company was not yet sure how severe the problem was.

"Microsoft is investigating reports from eEye Digital Security of a possible vulnerability in Windows 2000 that could allow an attacker to compromise default installations of the affected software and gain access to a user's machine," the spokesman said. "Microsoft is currently unaware of active attacks against customers attempting to utilise this vulnerability, but is actively investigating the reports."

eEye has found numerous serious flaws in various Windows versions in the past, including the vulnerabilities that resulted in attacks by worms like Sasser, Witty, and Code Red.
The Microsoft spokesman said: "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs.

"Security response requires a balance between time and testing, thus Microsoft will only release an update - when warranted - that is as well engineered and as thoroughly tested as possible - whether that is a day, week, month or longer. In security response, an incomplete security update can be worse than no patch at all if it only serves to alert malicious hackers to a new issue."

Mainstream support for Windows 2000 will expire in June next year. A survey by the technology research firm Gartner in October found that around 60 percent of business users are still sticking with Windows 2000.

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/
This archive was generated by hypermail 2.1.3 : Thu Dec 09 2004 - 01:46:36 PST