dcsimg
RealTime IT News

Code Exec Bugs Hit Windows

Officials at security software vendor eEye say two high-level vulnerabilities are targeting numerous versions of Microsoft Windows NT 4.0, Windows 2000, Windows XP and Windows 2003 operating systems. But Microsoft isn't saying much more.

Details of the two vulnerabilities, which were first reported on March 16 and March 29, respectively, will remain sketchy until the company releases patches for them.

Marc Maiffret, eEye co-founder and chief hacking officer, said this is to avoid giving malicious hackers clues into exploiting the vulnerability on their own. To date, he said, there have been no known exploits of the bugs.

Maiffret said the vulnerabilities allow crackers to insert a remote code execution script into the system, giving them complete control over the computer. He added that attack vectors can come from Internet Explorer, Outlook or even chat programs like MSN Messenger and AOL Instant Messenger.

"They're basically client-side vulnerabilities, so it's not really safe to surf the Internet necessarily or receive the wrong e-mails," he said. "That's if someone did discover the vulnerabilities; as it stands now, we're treating it like every other vulnerability where we report it to Microsoft and they work on a patch."

A Microsoft spokesperson said the company is investigating the vulnerabilities and has not found any incidences of the attack on its customer base, but wouldn't go into details of the vulnerability.

"Upon completion of this investigation, Microsoft will take the appropriate action to protect our customers, which may include providing a fix through a service pack, our monthly release process or an out-of-cycle security update, depending on customer needs," the Microsoft rep said.

Microsoft's next monthly patch day is scheduled for April 12.

Maiffret doesn't expect to see a patch in the near future, noting Microsoft holds the record among software vendors it tracks for the longest time taken to patch a reported vulnerability -- at 230 days. After 60 days the vulnerability is declared overdue by eEye if no patch is published.