
By Ina Fried
Posted on ZDNet News: May 11, 2004 9:09:00 PM

Microsoft on Tuesday detailed a new vulnerability in Windows XP and Windows Server 2003 that could enable an attacker to remotely execute malicious code.

The software maker described the problem as "important," its second-highest rating for such problems. Antivirus software maker Symantec, meanwhile, characterized the vulnerability as "high risk," citing the potential impact if the vulnerability were successfully exploited.




The flaw exists in the way Windows' Help and Support Center validates information that is sent to it. The software maker released a patch for the vulnerability and urged customers to "install the update at the earliest opportunity." The patch is posted to the company's security Web site, as is a bulletin outlining the flaw.

The bulletin was released as part of Microsoft's regularly scheduled monthly security update, according to Stephen Toulouse, a security program manager in the Microsoft Security Response Center. As for the rating level, Toulouse said Microsoft typically only deems vulnerabilities "critical"--the highest level--if they can be exploited without the user taking any action.

The announcement of the flaw comes as Microsoft works to battle the outbreak of the Sasser worm and its variants. The software giant has been touting the arrest of a German teenager believed responsible for Sasser and other recent infections.

However, unlike Sasser, the latest vulnerability cannot be exploited simply through an e-mail worm. According to Symantec and Microsoft, there are a number of steps the user would need to take in order for their system to be compromised. Most likely, an attacker would have to host a Web site with a page designed to exploit the vulnerability and convince a user with an unpatched system to visit the site and perform several actions.

Microsoft warned of the vulnerability that led to Sasser in a bulletin last month.

The patch released Tuesday by Microsoft to fix the new flaw also makes two other changes designed to make Windows more secure. First, Microsoft removed a feature in Windows XP that gave users the option to upgrade a DVD decoder, in a move designed to prevent malicious exploitation of the feature.

Second, Microsoft eliminated a feature in the Help and Support Center that sometimes prompts people to send out information on their system's hardware after they run the "Found new hardware" wizard. Instead of being prompted to send their hardware information, users will now get an error message at the end of installing new hardware.


  • Talkback
  • Most Recent of 35 Talkback(s)
Windows never even needed to be patched...
Anyone could survive even without the patch. The security of Windows is so incredible that no malicious user could possibly get in. I instruct all my employees not to worry about these so-called vulne...
Posted by: Sniper_z Posted on: 05/13/04