Microsoft Owns Up To Win2000 Bug

Earlier in the week, private security research firm GreyMagic posted details about the vulnerability to Windows 2000, and offered up proof-of-concept code. A day later, Danish security firm Secunia -- which like GreyMagic has come under criticism from Microsoft for releasing vulnerability information before a patch is ready -- added its own alert to the mix.

According to GreyMagic, Windows 2000 features a flaw in how Windows Explorer, the shell interface for looking at drive and directory contents, previews files. Hackers , said GreyMagic's advisory, could exploit this with specially-crafted files to "perform any action the currently logged on user can perform. This includes reading, deleting and writing files, as well as executing arbitrary commands."

Victims tricked into downloading a malicious file, then selecting it in Windows Explorer -- Windows 2000 has the preview pane enabled by default -- would be at risk, added GreyMagic.

Secunia tagged the issue as "moderately critical," and said that even the most up-to-date Windows 2000 systems were vulnerable.

Microsoft, which usually remains mum about vulnerabilities -- at least until a patch is provided and released -- spoke out Wednesday on its Security Response Center blog.

"Our initial investigation has found that significant user interaction would be required for an attacker to exploit this vulnerability," wrote Microsoft program manager Stephen Toulouse on the blog. "We're looking into reports of proof of concept code that has been made public that could seek to exploit this reported vulnerability. On that note, we're not currently aware of any customer impact as a result or an attack that seeks to exploit this vulnerability."

Toulouse recommended that users block SMB (Server Message Block) traffic at the firewall. If enterprises do that, "Windows 2000 customers connected to the Internet would be at reduced risk from an attack," he added.

He also said that Microsoft will continue its investigation, and may end up with a fix, either one provided in its monthly schedule (May 10 is the next patch date) or one offered up in an out-of-cycle update.