August 3, 2005 1:40 PM PDT

Worm hole found in Windows 2000

A serious flaw has been discovered in a core component of Windows 2000, with no possible work-around until it gets fixed, a security company said.

The vulnerability in Microsoft's operating system could enable remote intruders to enter a PC via its Internet Protocol address, Marc Maiffret, chief hacking officer at eEye Digital Security, said on Wednesday. As no action on the part of the computer user is required, the flaw could easily be exploited to create a worm attack, he noted.

What may be particularly problematic with this unpatched security hole is that a work-around is unlikely, he said.

"You can't turn this (vulnerable) component off," Maiffret said. "It's always on. You can't disable it. You can't uninstall."

eEye declined to give more details on the flaw or the Windows 2000 component in question. As part of company policy, it does not release technical details of the vulnerabilities it finds until the software's maker has released either a patch or an advisory.

"Researchers report vulnerabilities to Microsoft all the time through our established channels in the (Microsoft Security Response Center)," a company representative said. "This is really business as usual...Microsoft investigates all reports and will take the appropriate action for all vulnerability reports depending on customer needs."

The vulnerabilities affect Windows 2000, but Maiffret noted eEye is still conducting tests, and he anticipates other versions of Microsoft's OS will likely be affected.

For Microsoft, this marks the second eEye advisory it's received this week. On Monday, eEye notified the software giant it had found critical vulnerabilities in Internet Explorer.

The IE vulnerabilities could allow malicious attackers to launch a remote buffer overflow attack should users click on a malicious Web site link.

The flaw, which is rated as a "high" risk, affects IE, Windows XP and SP1, Windows 2003 and Windows 2000.

Microsoft confirmed it received the eEye advisory regarding IE through its standard vulnerability reporting system.


Join the conversation!
Add your comment
IIS clone.
Looks like they are pulling an IIS, where security vulnerabilities are now considered intellectual property.
Posted by (28 comments )
Reply Link Flag
This isn't exactly news...
... for any OS. If someone searches long enough, every OS will be
found to have similar flaws. The flaws aren't the problem, it's what
the OS source does about the flaws. But. maybe this time, there is
no fix ??????
Posted by Earl Benser (4310 comments )
Reply Link Flag
There are several workarounds for this
1/Don't use Windows 2000 - sounds obvious and I don't necessarily mean switch to a non-Microsoft OS. WinXP is essentially the same OS with uptodate security fixes and a few extra features, Linux is free and you could switch to Apple, although this is an extremely expensive option.
2/Use commercial firewall and antivirus software, keeping both uptodate and switching off as many ports as possible while still having access to the net for browsing and email.
3/Don't connect to the internet - although recent studies have shown that some people actually get withdrawal symptoms from lack of net access, and obviously you are seriously curtailing the usefulness of your computer, it is an option for those that like to live in a closed world of nothingness and depressive-like darkness. Angst ridden teenagers are an example of a subset of this neurotic group of losers, right wing Christian republican extremists another, polically correct do-gooder liberals a third. The world would be better off without any of these people inflicting their drivel in the form of blogs or forums on the rest of us more perfectly minded and correctly attituded beings.
Posted by ajbright (447 comments )
Reply Link Flag
Looks funny...
But works... :D
Posted by Mendz (519 comments )
Link Flag
Wow...Now I can traverse the space-time continuum!
So then Windows 2000 is like a time-space transferance system. Damn, and I upgraded to Windows XP.

Posted by fred dunn (793 comments )
Reply Link Flag
Windows will never be secure
Is there such a thing as a secure windows os? I am behind 2 NAT's and Sygate, never use IE, encrypt my hard drives file system and I still wonder? Windows should come with a warning: This software will enable hackers to gain control of your PC if connected to the Internet.
Posted by jmaximus9 (86 comments )
Reply Link Flag
mr gates is he smart or not
he should be spending more money on fixing the os he all ready dreated pie in the face again should think so maybe every one should change operating system becouse windows has too many holes in it maybe linux is the go

gates fix it or lose money then again you might be in court from one of your customers
Posted by (1 comment )
Reply Link Flag

Join the conversation

Add your comment

The posting of advertisements, profanity, or personal attacks is prohibited. Click here to review our Terms of Use.

What's Hot



RSS Feeds

Add headlines from CNET News to your homepage or feedreader.