[ISN] Severity of 127-day-old W2K flaw 'being determined'

InfoSec News isn at c4i.org
Thu Dec 9 03:15:18 EST 2004


By Sam Varghese
December 8, 2004 

A longstanding security vulnerability in Windows 2000, deemed to be
highly critical by the reputed security firm eEye Digital Security, is
being investigated by Microsoft, the company says.

The disclosure by eEye was made 127 days ago. A few days ago,
Microsoft said it would not be releasing a fifth service pack for
Windows 2000; rather it would issue an Update Rollup next year as a
final security patch.

Full details of the flaw found by eEye have not been revealed publicly
but have been sent to Microsoft; what little detail has been provided
publicly says it is "a remotely-exploitable vulnerability that allows
anonymous attackers to compromise default installations of the
affected software, without requiring user interaction, and gain
absolute access to the host machine."

Asked whether Microsoft would be patching this as a part of the final
security patch for Windows 2000, a Microsoft spokesman indicated that
the company was not yet sure whether the problem was severe or not.

"Microsoft is investigating reports from eEye Digital Security of a
possible vulnerability in Windows 2000 that could allow an attacker to
compromise default installations of the affected software and gain
access to a user's machine," the spokesman said. "Microsoft is
currently unaware of active attacks against customers attempting to
utilise this vulnerability, but is actively investigating the

eEye has found numerous serious flaws in various Windows versions in
the past, including the vulnerabilities that resulted in attacks by
worms like Sasser, Witty, and Code Red.

The Microsoft spokesman said: "Upon completion of this investigation,
Microsoft will take the appropriate action to protect our customers,
which may include providing a fix through our monthly release process
or an out-of-cycle security update, depending on customer needs.

"Security response requires a balance between time and testing, thus
Microsoft will only release an update - when warranted - that is as
well engineered and as thoroughly tested as possible - whether that is
a day, week, month or longer. In security response, an incomplete
security update can be worse than no patch at all if it only serves to
alert malicious hackers to a new issue."

Mainstream support for Windows 2000 will expire in June next year. A
survey by the technology research firm Gartner in October found that
around 60 percent of business users are still sticking with Windows
