Code Exec Bugs Hit Windows

Officials at security software vendor eEye say two high-level
vulnerabilities affect numerous versions of Microsoft Windows NT 4.0, Windows 2000, Windows XP and Windows 2003 operating systems. But Microsoft isn’t saying much more.

Details of the two vulnerabilities, which were first reported on March 16 and March 29, respectively, will remain sketchy until the company releases patches for them.

Marc Maiffret, eEye co-founder and chief hacking officer, said this is to avoid giving malicious hackers clues for
exploiting the vulnerabilities on their own. To date, he said, there have been no known exploits of the bugs.

Maiffret said the vulnerabilities allow crackers
to insert a remote code execution script into the system,
giving them complete control over the computer. He added that attack vectors can
come from Internet Explorer, Outlook or even chat programs like MSN
Messenger and AOL Instant Messenger.

“They’re basically client-side vulnerabilities, so it’s not really
safe to surf the Internet necessarily or receive the wrong e-mails,” he
said. “That’s if someone did discover the vulnerabilities; as it stands
now, we’re treating it like every other vulnerability where we report it to
Microsoft and they work on a patch.”

A Microsoft spokesperson said the company is investigating the
vulnerabilities and has not found any instances of attacks on its
customer base, but wouldn’t go into details of the vulnerabilities.

“Upon completion of this investigation, Microsoft will take the appropriate
action to protect our customers, which may include providing a fix through a
service pack, our monthly release process or an out-of-cycle security
update, depending on customer needs,” the Microsoft rep said.

Microsoft’s next monthly patch day is scheduled for April 12.

Maiffret doesn’t expect to see a patch in the near future, noting that Microsoft
holds the record among the software vendors eEye tracks for the longest time taken to patch a reported vulnerability, at 230 days. After 60 days the vulnerability is declared overdue by eEye if no patch is
