Security researcher accuses Redmond of misleading customers

By Sam Varghese
May 30 2003

Security researcher Marc Maiffret of eEye digital Security has accused
Microsoft of misleading customers in its advisory issued on Wednesday
about a vulnerability in Windows Media Services.

Maiffret said that, contrary to Microsoft's advice, "this...  
vulnerability is exploitable, as confirmed in the labs at eEye, and by
the discoverer of this vulnerability, Brett Moore."

He said: "I am not sure why Microsoft misidentified this
vulnerability... maybe it is just a typo, maybe its a lack of
technical know-how. Either way they need to re-release this advisory
so that the correct information is given to customers."

Maiffret said there was a a big difference in telling customers 'Ahh,
its a denial of service, and your web server will automatically
restart' compared to the reality of the situation: 'If you're running
Windows Media Services on IIS, attackers can spawn a remote shell
'command prompt' on your vulnerable system.'

He said Moore, the researcher from New Zealand who had identified the
flaw, would be releasing an advisory soon with more details on the how
and why of the matter.

Maiffret said he was "not sure how you can have 'Trust'worthy
Computing when your misinforming customers on a regular basis or
releasing patches that disable their Internet access. "

Meanwhile, Microsoft has revised two advisories issued earlier this

An updated Windows XP Service Pack 1 patch was issued to fix a local
elevation of privilege as the original patch had caused some
performance issues.

Additionally, patches were released for NT 4.0 and XP to fix a
vulnerability that would enable an attacker to run code of his or her
choice. Earlier, this vulnerability had been said to be present only
in Windows 2000.

main page ATTRITION feedback