Microsoft warns of denial-of-service vulnerability

17.11.2005
Microsoft Corp. has issued an out-of-cycle advisory warning users about a newly disclosed denial-of-service vulnerability in Windows 2000 Service Pack 4 and Windows XP Service Pack 1.

The company was prompted to issue the advisory because of reports about proof-of-concept code that seeks to exploit the flaw, the company said in its advisory. 'Microsoft is concerned that this new report of a vulnerability in Windows 2000 Service Pack 4 and Windows XP Service Pack 1 was not disclosed responsibly, potentially putting computer users at risk.'

The advisory added that Microsoft is currently not aware of any attacks that have resulted from the exploit code. However, 'Microsoft is actively monitoring this situation to keep customers informed and to provide customer guidance as necessary' the company said.

In the meantime, companies need to ensure that their systems are properly updated and have all recommended patches installed, Microsoft said.

The advisory states that 'on Windows XP Service Pack 1, an attacker must have valid log-on credentials to try to exploit this vulnerability. The vulnerability could not be exploited remotely by anonymous users. However, the affected component is available remotely to users who have standard user accounts. Customers who have installed Windows XP Service Pack 2 are not affected by this vulnerability. Additionally, customers running Windows Server 2003 and Windows Server 2003 Service Pack 1 are not affected by this vulnerability.'

Since Microsoft moved to a monthly patch release cycle about two years ago, the company has rarely issued out-of-cycle patches such as the one announced Thursday. The company has been working with security researchers and bug hunters to agree on a practice by which vulnerabilities are reported directly to the software vendor, giving it a chance to fix flaws before details are released publicly.