eEye spots a wormhole...
Published: 4 August 2005 08:30 GMT
A serious flaw has been discovered in a core component of Windows 2000, with no possible workaround until it gets fixed, a security company said.
The vulnerability in Microsoft's operating system could enable remote intruders to enter a PC via its internet protocol address, Marc Maiffret, chief hacking officer at eEye Digital Security, said on Wednesday. As no action on the part of the computer user is required, the flaw could easily be exploited to create a worm attack, he noted.
What may be particularly problematic with this unpatched security hole is that a workaround is unlikely, he said.
"You can't turn this [vulnerable] component off," Maiffret said. "It's always on. You can't disable it. You can't uninstall."
eEye declined to give more details on the flaw or the Windows 2000 component in question. As part of company policy, it does not release technical details of the vulnerabilities it finds until the software's maker has released either a patch or an advisory.
A Microsoft representative said the software giant will issue a comment once it has had a chance to review the eEye advisory, which has yet to be posted on the security company's website.
The vulnerabilities affect Windows 2000 but Maiffret noted eEye is still conducting tests, and he anticipates other versions of Microsoft's OS are likely to be affected.
For Microsoft, this marks the second eEye advisory it's received this week. On Monday, eEye notified the software giant it had found critical vulnerabilities in Internet Explorer.
The IE vulnerabilities could allow malicious attackers to launch a remote buffer overflow attack should users click on a malicious website link.
The flaw, which is rated as "high" risk, affects IE, Windows XP and SP1, Windows 2003 and Windows 2000.
Microsoft confirmed it received the eEye advisory regarding IE through its standard vulnerability reporting system.
A Microsoft representative said: "We are investigating the report and will take appropriate action to help protect customers as part of our normal security response process." Microsoft issues a monthly bulletin of patches and also has a programme of security advisories with workarounds for unpatched, reported flaws.
Dawn Kawamoto writes for CNET News.com
A project accountant is required by a Housing organisation based in the East Midland to lead on the new component accounting initiative, the project ...
Felixstowe/Product Engineer/30K-32K/Hardware Component Design This purpose of this position is to sustain current and legacy electricity meters ...
The role will be concerned with developing and driving sales growth into various market sectors within the electronic component industry We are ...
Agenda Setters 2009
Welcome to the ninth annual Agenda Setters poll – silicon.com's list of the top 50 most influential individuals in the technology and IT industries, from techies and CIOs to entrepreneurs and business leaders. Find out more in our latest special report.
Stories from the web...
Copyright © 2008 CBS Interactive Limited. All rights reserved. Top of page
Digg
Slashdot
Del.icio.us
Stumble
Reddit
RSS Feeds
Bob Tarzey Why you must rein in your power users When they do damage, it can be catastrophic to your business
Jon Collins Is losing a mobile device really such a big deal? How to minimise the damage to your business