According to a security bulletin published Thursday by Microsoft, remote attackers have the ability, through a buffer overflow, to gain control of a victim's system. The attacker could run apps or use the PC as part of a denial-of-service attack. Microsoft has published its security bulletin MS01-059 as well as patches at www.microsoft.com/security.
Jim Magdych, director of Covert Labs for Network Associates Inc., says users running the plug-and-play architecture and who aren't blocking ports 1900 and 5000 are vulnerable. Magdych says it's just a matter of time before someone publishes automated tools to exploit this vulnerability or unleashes an automated exploit such as Code Red.
EEye Digital Security, the same company that discovered the flaw in Microsoft's Internet Information Services that was capitalized on by the author of Code Red, also found this security hole. EEye had taken considerable criticism at the time for releasing too much information about that vulnerability. Some argued that eEye made it easier for hackers to exploit IIS's vulnerabilities.
In early November, Microsoft revealed its vulnerability-disclosure initiative, a plan to create an organization that promotes "the need to develop and institutionalize a code of conduct for responsible handling of security vulnerabilities."
Bob Lonadier, president and security analyst at RCL & Associates, says that if a "maverick" firm like eEye "can see the wisdom in getting along with Microsoft, then there is no need for a different type of disclosure model. What's needed is better code-development standards to catch these vulnerabilities before they are released."