Pancake
28-06-2006, 02:21 PM
Microsoft Warns Over New Exploit


Source: Information Week
http://www.informationweek.com/news/showArticle.jhtml?articleID=189601614

Microsoft disclosed over the weekend that exploit code for a recently patched flaw in Routing and Remote Access had been published to the Internet. The vulnerability had been patched in June's Patch Tuesday release, and the company was not aware of any attacks using the exploit.

Those who have applied the MS06-025 patch are immune to the exploit, according to a Microsoft investigation. Additionally, the flaw is easiest to exploit in Windows 2000; on Windows XP Service Pack 2, Windows Server 2003 and Windows Server 2003 Service Pack 1 the attacker would need logon credentials.

"The MSRC is monitoring this situation to keep customers informed and to provide customer guidance as necessary," Stephen Toulouse of the Microsoft Security Research Center said. He recommended that all users apply the patch as soon as possible.

MS06-025 was updated Tuesday to fix a problem with legacy dial-up connections that use a terminal window or dial-up scripting. Users who were not affected by the problem do not need to reinstall the patch if they have already done so.

Microsoft said it would continue to monitor the situation and provide further information as necessary. However, it expressed concern at how the vulnerability was disclosed.

"Microsoft is disappointed that certain security researchers have breached the commonly accepted industry practice of withholding vulnerability data so close to update release and have published exploit code, potentially harming computer users," the company said in an advisory.

"We continue to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates so they do not aid criminals in their attempt to take advantage of software vulnerabilities," it continued.

TGoddard
01-07-2006, 09:09 PM
"Microsoft is disappointed that certain security researchers have breached the commonly accepted industry practice of withholding vulnerability data so close to update release and have published exploit code, potentially harming computer users," the company said in an advisory.

"We continue to urge security researchers to disclose vulnerability information responsibly and allow customers time to deploy updates so they do not aid criminals in their attempt to take advantage of software vulnerabilities," it continued.

Hilarious! Microsoft are so used to controlling the de facto standards they think their opinion makes a standard by itself. The open release / closed release debate has been running for decades. There are no standard industry practices with regard to release of vulnerability research.

Twelvevolts
01-07-2006, 09:48 PM
Microsoft announces new vulnerabilities - using Windows, Office or Internet Explorer.

Pancake
01-07-2006, 10:54 PM
And some more......................


http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9001540&source=NLT_PM&nlid=8