| Subject: | [ISN] Severity of 127-day-old W2K flaw 'being determined' |
|---|---|
| Date: | Thu, 9 Dec 2004 02:15:18 -0600 (CST) |

http://www.theage.com.au/news/Breaking/Severity-of-127dayold-W2K-flaw-being-determined/2004/12/08/1102182337247.html

By Sam Varghese
December 8, 2004

A longstanding security vulnerability in Windows 2000, deemed to be highly critical by the reputed security firm eEye Digital Security, is being investigated by Microsoft, the company says.

The disclosure by eEye was made 127 days ago. A few days ago, Microsoft said it would not be releasing a fifth service pack for Windows 2000; rather it would issue an Update Rollup next year as a final security patch.

Full details of the flaw found by eEye have not been revealed publicly but have been sent to Microsoft; what little detail has been provided publicly says it is "a remotely-exploitable vulnerability that allows anonymous attackers to compromise default installations of the affected software, without requiring user interaction, and gain absolute access to the host machine."

Asked whether Microsoft would be patching this as a part of the final security patch for Windows 2000, a Microsoft spokesman indicated that the company was not yet sure whether the problem was severe or not.

"Microsoft is investigating reports from eEye Digital Security of a possible vulnerability in Windows 2000 that could allow an attacker to compromise default installations of the affected software and gain access to a user's machine," the spokesman said.

"Microsoft is currently unaware of active attacks against customers attempting to utilise this vulnerability, but is actively investigating the reports."

eEye has found numerous serious flaws in various Windows versions in the past, including the vulnerabilities that resulted in attacks by worms like Sasser, Witty, and Code Red.

The Microsoft spokesman said: "Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through our monthly release process or an out-of-cycle security update, depending on customer needs.

"Security response requires a balance between time and testing, thus Microsoft will only release an update - when warranted - that is as well engineered and as thoroughly tested as possible - whether that is a day, week, month or longer. In security response, an incomplete security update can be worse than no patch at all if it only serves to alert malicious hackers to a new issue."

Mainstream support for Windows 2000 will expire in June next year. A survey by the technology research firm Gartner in October found that around 60 percent of business users are still sticking with Windows 2000.

_________________________________________
Open Source Vulnerability Database (OSVDB)
Everything is Vulnerable - http://www.osvdb.org/