- Related Stories
-
Microsoft plugs critical holes in Windows
April 12, 2005 -
Critical Windows patch on the way
April 7, 2005
The vulnerability, which was not one of eight patched by Microsoft on Tuesday, is in the Jet database engine component, according to an advisory posted the same day by security company Secunia. It could enable an intruder to remotely execute malicious code on a vulnerable PC, Secunia said.
Microsoft has not confirmed the existence of the security hole, which potentially affects software including Microsoft Office and the Microsoft Access database program.
Secunia rated the problem "highly critical," noting that exploit code for the flaw had been shared on a public mailing list.
"The vulnerability is caused due to a memory handling error when...parsing database files," Secunia said in its advisory. "This can be exploited to execute arbitrary code by tricking a user into opening a specially crafted '.mdb' file in Microsoft Access."
A Microsoft representative said on Tuesday that the company has not heard of any attacks on customers' systems using the unpatched security hole.
"We are aware of the exploit code that has been released," the Microsoft representative said, adding that the software maker would take appropriate action once it has completed its investigation of the problem.
The original alert regarding the flaw came from a security research firm called HexView, Secunia said.
Continuing an ongoing debate about when and how flaw finders should disclose vulnerabilities, Microsoft criticized the researchers for going public with the vulnerability, rather than privately contacting the software maker so a patch could be released when the flaw was disclosed.
"It is unfortunate that this researcher decided to post publicly," the Microsoft representative said.
HexView said in its own advisory that it notified Microsoft of the flaw on March 30, but had received no response.
A Microsoft representative said the company had no record of any contact from HexView before the flaw was publicized.
Word of the problem comes on the same day Microsoft released fixes for eight other flaws, several of them critical, and some of them revealed publicly for the first time in the company's monthly security bulletin.
CNET News.com's David Becker contributed to this report.
See more CNET content tagged:
flaw, advisory, representative, Microsoft Access, software company
- Flaw in MS argument
- by Tex Murphy PI April 12, 2005 11:33 PM PDT
- Normally, I would agree with MS when flaws are publicly announced prior to a work-around fix...
- Like this Reply to this comment
-
-
- typical
- by pcLoadLetter April 13, 2005 12:13 AM PDT
- This is typical behavior in Microsoft.
- Like this View reply
Processing -
(5 Comments)HOWEVER, this flaw is already well known among the HACKER community, and with a working code already in circulation, I'd say that Secunia didn't do anything wrong by letting the rest of us know about it.
Their action helped "even" the uneven playing field in this case.
They would rather not have these sorts of things made public so they can ignore it and fix it at their discretion.
Perhaps they should turn their attention away from a legit security alert and place it on the programmers who made this amatuer error. There is simply no excuse for memory handling errors. They are easily avoided with a bit of attention to detail.