April 5th, 2007

eEye spies new Windows code-execution hole

Posted by Ryan Naraine @ 6:07 am

Categories: Browsers, Data theft, Exploit code, Hackers, Microsoft, Patch Watch, Pen testing, Responsible disclosure, Spam and Phishing, Spyware and Adware, Viruses and Worms, Vulnerability research, Windows Vista, Zero-day attacks

Tags: Advisory, Vulnerability, eEye Digital Security, Microsoft Windows, Microsoft Corp., Ryan Naraine

Researchers at eEye Digital Security have flagged a remote code-execution vulnerability in Microsoft's dominant Windows operating system.

The flaw "allows for remote execution of arbitrary code with minimal user interaction," eEye said in a barebones advisory.

The bug carries a "high severity" rating and affects Windows 2000, Windows XP and Windows 2003.

According to the company's upcoming advisories page, there are four unpatched issues in Microsoft software products. eEye's zero day tracker page lists another four unfixed flaws that have already been used in hacker attacks.

eEye's latest warning comes less than 24 hours after Microsoft shipped an emergency fix for the under-attack animated cursor (.ani) flaw and a week before Redmond is due to release its scheduled batch of Patch Tuesday fixes. 

Later today, Microsoft will announce the number of bulletins on tap for next Tuesday and the severity rating attached to each advisory. 

So far this year, Microsoft has released 17 advisories with patches for a total of 37 different vulnerabilities.  Microsoft usually includes silent fixes that are discovered internally and these are never publicly announced. 

This means that the actual patch count for the first four months of 2007 could be much higher.

[UPDATE: April 5, 2007 at 2:28 PM Eastern] Microsoft has confirmed receipt of eEye's discovery though a spokesman who issued the following statement:

I can tell you that Microsoft is aware of  a public report of a responsibly disclosed possible vulnerability in Microsoft Windows. The company is not aware of any public discussion of the report itself. The company is not aware of any attacks attempting to use the reported vulnerability or of customer impact at this time, and will continue to investigate the public reports to help provide additional guidance for customers as necessary.

This issue is still under investigation. Once completed, Microsoft will take the appropriate action to protect our customers, which may include issuing a security advisory or providing a security update through our monthly release process, depending on customer needs.