Microsoft has issued a warning to users about a newly disclosed denial-of-service vulnerability in Windows 2000 Service Pack 4 and Windows XP Service Pack 1.
The advisory, which followed reports about proof-of-concept code that seeks to exploit the flaw, claimed that Microsoft is currently unaware of any attacks that have resulted from the exploit code. The company said, however, that it would be ‘actively monitoring’ the situation to keep customers informed.
It advised companies to ensure that their systems are properly updated and have all recommended patches installed.
According to the advisory, an attacker on Windows XP Service Pack 1 must have valid log-on credentials to try to exploit the vulnerability, which cannot be exploited remotely by anonymous users. The vulnerability doesn’t affect users who’ve installed Windows XP Service Pack 2 or anyone running Windows Server 2003 or Windows Server 2003 Service Pack 1.
Microsoft has been working with security specialists to try to ensure that vulnerabilities are reported directly to the software vendor rather than disclosed publicly, giving it a chance to fix flaws before details are released. In this case, Microsoft sounds pretty miffed that the process appears to have broken down. Seems like a case of another security company looking for its day in the sun.