Microsoft has issued a warning to users about a newly disclosed denial-of-service vulnerability in Windows 2000 Service Pack 4 and Windows XP Service Pack 1.

The advisory, which followed reports of proof-of-concept code that seeks to exploit the flaw, stated that Microsoft is currently unaware of any attacks resulting from the exploit code. The company said, however, that it would be ‘actively monitoring’ the situation to keep customers informed.

It advised companies to ensure that their systems are properly updated and have all recommended patches installed.

According to the advisory, an attacker targeting Windows XP Service Pack 1 must have valid log-on credentials to attempt to exploit the vulnerability, which cannot be exploited remotely by anonymous users. The vulnerability does not affect users who have installed Windows XP Service Pack 2, nor anyone running Windows Server 2003 or Windows Server 2003 Service Pack 1.

Microsoft has been working with security specialists to try to ensure that vulnerabilities are reported directly to the software vendor rather than disclosed publicly, giving it a chance to fix flaws before details are released. In this case, Microsoft sounds pretty miffed that the process appears to have broken down. It seems like a case of another security company looking for its day in the sun.