[ISN] Critical W2K bug unpatched after 105 days

InfoSec News isn at c4i.org
Wed Nov 17 03:45:42 EST 2004


By Sam Varghese
November 16, 2004

A critical flaw in Windows 2000, discovered by eEye Digital Security,
is yet to be patched by Microsoft though 105 days have elapsed since
full details of the bug were provided to the software giant.

eEye has characterised the bug as a "remotely-exploitable
vulnerability that allows anonymous attackers to compromise default
installations of the affected software, without requiring user
interaction, and gain absolute access to the host machine."

Details were sent to Microsoft on August 2.

eEye started informing the public of upcoming security advisories last
year. The procedure it follows is to provide the bare details of the
bug and then wait for a patch to be issued before it released full
details of the flaw in question.

Yesterday, eEye sent details of another critical bug - in Windows ME,
Windows 2000, Windows XP and Windows 2003 - to Microsoft.

This was described as "a vulnerability in default installations of the
affected software that allows malicious code to be executed with
minimal user interaction."

Microsoft chief executive officer Steve Ballmer was quoted recently as
saying that patches for Windows were issued swiftly, compared to those
for other operating systems.

More information about the ISN mailing list