Security flaw in key Microsoft services

[InfoSec News <isn () c4i org>]

http://news.com.com/2100-1001-954590.html?tag=fd_top

By Joe Wilcox 
Staff Writer, CNET News.com
August 20, 2002, 1:58 PM PT

Microsoft on Tuesday warned users of a number of its subscription
programs, including product testing and volume licensing, of a
potential security flaw affecting the software they use for downloads.

The Redmond, Wash.-based software giant strongly urged customers using
the File Transfer Manager (FTM) program to upgrade to the newest
version. Microsoft released the new version, FTM 4.0.0.72, in late
June. Affected customers can download the update from Microsoft's FTM
Web site.

FTM is used to automatically download software for use with some
Microsoft services. Microsoft distributes FTM to beta testers,
companies participating in volume licensing programs and Microsoft
Developer Network (MSDN) subscribers, among others.

In its e-mail to customers, Microsoft thanked Russian programmer
Andrew Tereschenko for identifying the security flaw, which the
company would not clearly identify.

Lynn Terwoerds, senior program manager for Microsoft's Security
Response Center, said the flaw was originally reported to another
division within the company. "The security response center has been
handling this for about a month," she added.

"There's a vulnerability in the File Transfer Manager," Terwoerds
said. "In that component there's a way for a person to take over the
machine. In most cases here, we are dealing simply with a bug that is
of a security class that would allow a user or attacker to gain higher
privileges than what would be appropriate."

Terwoerds downplayed the number of affected customers because the new
version of the software has been available for two months. "We think
it's a fairly small number, because not a lot of customers use (the
older version)...or have (it) installed on their machines," she said.  
"I don't know the exact number, but not everyone will have this."

Terwoerds said that's the reason Microsoft did not post a broader
bulletin or distribute a warning to the 500,000 people subscribing to
the company's security alerts service.

"We let the people who really needed to know about this, know about
this," Terwoerds said. "It was a focused mailing."

But analysts were not convinced the unidentified vulnerability would
be so limited, because of how infrequently companies update software.  
In fact, one of Microsoft's biggest ongoing security problems has been
companies waiting months or even years to install important patches or
security updates.

"By and large, there are a good number of businesses that don't
regularly update their software nor send updates to their end users,"  
said Technology Business Research analyst Bob Sutherland. "Something
like this provides Microsoft an opportunity to get back in touch with
their customers and get them to pay more attention when there's a
security bulletin."

Grappling with security

Microsoft has been issuing security alerts on a fairly frequent basis
since January, when company Chairman Bill Gates made security a top
priority for the company. Microsoft's security Web site lists 41
alerts issued so far this year compared to about 46 for the same
period a year ago. But, as with the FTM flaw, Microsoft issues other
security alerts to specific customers rather than posting bulletins
for everyone.

Among recent incidents: Last week, Microsoft issued a cumulative patch
for security problems affecting SQL Server. A day earlier, the company
warned of a critical flaw in Windows 2000's Connection Manager.

A mid-August security bug potentially exposed credit card transactions
made using Internet Explorer. In early August, the software giant
identified a bug affecting Commerce Server 2001. A few weeks earlier,
Microsoft issued four security alerts. The most serious addressed a
hole that would allow hackers to take over SQL Server 2000.

In early July, Microsoft warned of an e-mail bug with Outlook. A late
June security patch plugged a hole that could have allowed hackers to
seize control of a computer using Windows Media Player. Weeks earlier,
Microsoft warned of a Gopher security hole in Internet Explorer that
also could allow hackers to take control of computers or servers.

Microsoft also incorporates cumulative security patches with the
release of service packs, which are software bug-fix and update
packages. Microsoft released Windows 2000 Service Pack 3 at the end of
July. The software giant could release Windows XP Service Pack 1 as
early as next Wednesday.

The company is nearing the final testing stage for the important
update, which introduces changes mandated by Microsoft's antitrust
settlement with the Justice Department and nine of 18 states.  
According to the settlement, Microsoft must also disclose technical
information about application programming interfaces (APIs) by the
time Windows XP Service Pack 1 ships. Microsoft plans to disclose the
API information Wednesday.



-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn'
in the BODY of the mail.