
Another day, another security warning
Published: 21 August 2002 08:15 BST
By Joe Wilcox
Microsoft has warned users of a number of its subscription programs, including product testing and volume licensing, of a potential security flaw affecting the software they use for downloads.
The software giant strongly urged customers using the File Transfer Manager (FTM) program to upgrade to the newest version. Microsoft released the new version, FTM 4.0.0.72, in late June. Affected customers can download the update from Microsoft's FTM website (http://transfers.one.microsoft.com/ftm/install/HomeIE.asp).
FTM is used to automatically download software for use with some Microsoft services. Microsoft distributes FTM to beta testers, companies participating in volume licensing programs and Microsoft Developer Network (MSDN) subscribers, among others.
In its email to customers, Microsoft thanked Russian programmer Andrew Tereschenko for identifying the security flaw, which the company would not clearly identify.
Lynn Terwoerds, senior program manager for Microsoft's Security Response Center, said the flaw was originally reported to another division within the company. "The security response center has been handling this for about a month," she added.
"There's a vulnerability in the File Transfer Manager," Terwoerds said. "In that component there's a way for a person to take over the machine. In most cases here, we are dealing simply with a bug that is of a security class that would allow a user or attacker to gain higher privileges than what would be appropriate."
Terwoerds downplayed the number of affected customers because the new version of the software has been available for two months. "We think it's a fairly small number, because not a lot of customers use (the older version)... or have (it) installed on their machines," she said. "I don't know the exact number, but not everyone will have this."
Terwoerds said that's the reason Microsoft did not post a broader bulletin or distribute a warning to the 500,000 people subscribing to the company's security alerts service.
"We let the people who really needed to know about this, know about this," Terwoerds said. "It was a focused mailing."
But analysts were not convinced the unidentified vulnerability would be so limited, because of how infrequently companies update software. In fact, one of Microsoft's biggest ongoing security problems has been companies waiting months or even years to install important patches or security updates.
"By and large, there are a good number of businesses that don't regularly update their software nor send updates to their end users," said Technology Business Research analyst Bob Sutherland. "Something like this provides Microsoft an opportunity to get back in touch with their customers and get them to pay more attention when there's a security bulletin."
Joe Wilcox writes for News.com
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.