ZDNet UK / News and Analysis / Infrastructure / Networking

Security flaw in key Microsoft services

By Joe Wilcox, CNet, 21 August, 2002 07:38

Daily Newsletters

Sign up to ZDNet UK's daily newsletter.

Topics

Microsoft, network manager, Security

NEWS
Microsoft on Tuesday warned users of a number of its subscription programmes, including product testing and volume licensing, of a potential security flaw affecting the software they use for downloads. The Redmond, Washington-based software giant strongly urged customers using the File Transfer Manager (FTM) program to upgrade to the newest version. Microsoft released the new version, FTM 4.0.0.72, in late June. Affected customers can download the update from Microsoft's FTM Web site. FTM is used to automatically download software for use with some Microsoft services. Microsoft distributes FTM to beta testers, companies participating in volume licensing programs and Microsoft Developer Network (MSDN) subscribers, among others. In its email to customers, Microsoft thanked Russian programmer Andrew Tereschenko for identifying the security flaw, which the company would not clearly identify. Lynn Terwoerds, senior program manager for Microsoft's Security Response Center, said the flaw was originally reported to another division within the company. "The security response centre has been handling this for about a month," she added. "There's a vulnerability in the File Transfer Manager," Terwoerds said. "In that component there's a way for a person to take over the machine. In most cases here, we are dealing simply with a bug that is of a security class that would allow a user or attacker to gain higher privileges than what would be appropriate." Terwoerds downplayed the number of affected customers because the new version of the software has been available for two months. "We think it's a fairly small number, because not a lot of customers use (the older version)...or have (it) installed on their machines," she said. "I don't know the exact number, but not everyone will have this." Terwoerds said that's the reason Microsoft did not post a broader bulletin or distribute a warning to the 500,000 people subscribing to the company's security alerts service. "We let the people who really needed to know about this, know about this," Terwoerds said. "It was a focussed mailing." But analysts were not convinced the unidentified vulnerability would be so limited, because of how infrequently companies update software. In fact, one of Microsoft's biggest ongoing security problems has been companies waiting months or even years to install important patches or security updates. "By and large, there are a good number of businesses that don't regularly update their software nor send updates to their end users," said Technology Business Research analyst Bob Sutherland. "Something like this provides Microsoft an opportunity to get back in touch with their customers and get them to pay more attention when there's a security bulletin." Grappling with security
Microsoft has been issuing security alerts on a fairly frequent basis since January, when company chairman Bill Gates made security a top priority for the company. Microsoft's security Web site lists 41 alerts issued so far this year compared to about 46 for the same period a year ago. But, as with the FTM flaw, Microsoft issues other security alerts to specific customers rather than posting bulletins for everyone. Among recent incidents: Last week, Microsoft issued a cumulative patch for security problems affecting SQL Server. A day earlier, the company warned of a critical flaw in Windows 2000's Connection Manager. A mid-August security bug potentially exposed credit card transactions made using Internet Explorer. In early August, the software giant identified a bug affecting Commerce Server 2001. A few weeks earlier, Microsoft issued four security alerts. The most serious addressed a hole that would allow hackers to take over SQL Server 2000. In early July, Microsoft warned of an email bug with Outlook. A late June security patch plugged a hole that could have allowed hackers to seize control of a computer using Windows Media Player. Weeks earlier, Microsoft warned of a Gopher security hole in Internet Explorer that also could allow hackers to take control of computers or servers. Microsoft also incorporates cumulative security patches with the release of service packs, which are software bug-fix and update packages. Microsoft released Windows 2000 Service Pack 3 at the end of July. The software giant could release Windows XP Service Pack 1 as early as next Wednesday. The company is nearing the final testing stage for the important update, which introduces changes mandated by Microsoft's antitrust settlement with the Justice Department and nine of 18 states. According to the settlement, Microsoft must also disclose technical information about application programming interfaces (APIs) by the time Windows XP Service Pack 1 ships. Microsoft plans to disclose the API information on Wednesday.
For all security-related news, including updates on the latest viruses, hacking exploits and patches, check out ZDNet UK's Security News Section. Have your say instantly, and see what others have said. Go to the Security forum. Let the editors know what you think in the Mailroom.

Related stories

Can Microsoft take the lead in security?

Windows API 'flaw' sparks security debate

Microsoft stomps on Media Player bug

PGP flaw lets hackers pick Outlook locks

Ofcom to make it easier to change broadband service

Post your comment

In order to post a comment you need to be registered and logged in.

You can also log in with Facebook. Log in or create your ZDNet UK account below

  • Login

Will not be displayed with your comment

By signing up for this service, you indicate that you agree to our Terms and Conditions and have read and understood our Privacy Policy. Questions about membership? Find the answers in the Community FAQ

Get ZDNet UK's daily newsletter

Enter your email address to sign up

ZDNet UK Live

JCB33

How dare film makers, artists or anybody that invests in creativity stop us pirating their works for free. I want to be able to walk into my local...

1 hour ago by JCB33 on ACTA stumbles in Germany
Moley

@GrueMaster. I prefer horses for courses rather than one size fits all. I, and I suspect most other computer users, do not really wish to have...

3 hours ago by Moley on A tale of two distros: Ubuntu and Linux Mint
greycynic

The product that scares me every time I have to use it is the Office 2007 version of Excel. The first bug that I found was applying the median...

3 hours ago by greycynic on Ten flawed products that derail productivity
GrueMaster

Nice review and very informative. One thing I'd like to add (in reply to whs001's 1st question), the main reason to have the same interface from...

5 hours ago by GrueMaster on A tale of two distros: Ubuntu and Linux Mint
Frederick Wrigley

I'be been using Mint 12 since the RC came out, and I am far more happy with the Cinnamon, the Mate, and, yes (with extensions), theGnome 3...

6 hours ago by Frederick Wrigley via Facebook on A tale of two distros: Ubuntu and Linux Mint
bdantas

Excellent article. One small correction, though--although a fresh installation of Linux Mint 12 will, indeed, provide the user with a version of...

6 hours ago by bdantas on A tale of two distros: Ubuntu and Linux Mint
Alan Ralph

In related news, the ISPs club together to get the members of the Home Affairs Select Committee (ya goofed on that part, ZDNet UK) copies of "The...

7 hours ago by Alan Ralph via Facebook on MPs urge ISPs to take down terrorist material
Alan Ralph

In related news, the ISPs club together to get the members of the Home Affairs Select Committee (ya goofed on that part, ZDNet UK) copies of "The...

7 hours ago by Alan Ralph via Facebook on MPs urge ISPs to take down terrorist material
Moley

For Gnome 2 die-hards, it is possible to add icons to the bottom panel (or top top panel, if you prefer) which provide the exact Gnome 2...

8 hours ago by Moley on A tale of two distros: Ubuntu and Linux Mint
ramwellian

Your comments would seem pretty naive and immature. Your 'solution' appears to be, "gee, let's all just give in to the hackers and give them...

8 hours ago by ramwellian on Cloud computing security: no more oxymoron?
BugStalker

"Interesting thought ... If you installed Win7 as a dual boot on a machine that previously only had Linux, and it wrecked your Linux installation,...

8 hours ago by BugStalker on Windows 7 Declares War on GRUB
whs001

This is an excellent summary of Ubuntu and Mint and the interface differences between them. Most such articles take a very partisan position for...

8 hours ago by whs001 on A tale of two distros: Ubuntu and Linux Mint
Moley

@ewallace. Not so clear. Anyone can obtain the text, for example from here http://www.ustr.gov/webfm_send/2379. I support ACTA so long as it and...

9 hours ago by Moley on ACTA: Facts, misconceptions and questions
45283

I think WinRT is fantastic. I just wish it was an option for people that didn't want to go through Microsoft's App Store with its attendant...

12 hours ago by 45283 on Why Windows 8 needs architectural hygiene for WOA
Burn-IT

Nine people? £30m? Who's back pocket is that lot going in? And IF they say it is for new buildings, what about all the ones the government has...

13 hours ago by Burn-IT on Police set to launch three £30m e-crime hubs
ewallace

Just to be clear, nobody knows what is in the text of ACTA, here is a photograph of the text of ACTA http://twitpic.com/8h9iju as submitted to the...

13 hours ago by ewallace on ACTA: Facts, misconceptions and questions
fgvrg56

Unfortunately main issue is that ASUS is refusing to accept that they make some mistake on this version of asus Transformer prime. 1 - GPS sensor...

14 hours ago by fgvrg56 on Asus Eee Pad Transformer Prime Wi-Fi & GPS problems?
Ben Woods

@Marcus A fair question. Just talked with Archos which said it was working on an announcement for next week....

15 hours ago by Ben Woods on Archos confirms G9 Ice Cream Sandwich update schedule
Marcus Karlsson

Any update on this, considering the claimed "first week of February"?

16 hours ago by Marcus Karlsson via Facebook on Archos confirms G9 Ice Cream Sandwich update schedule
apexwm

Bill Goodrich : Just as al_langevin pointed out, with Windows Server 2008 there is no Services for Macintosh anymore. It's gone, not available....

1 day ago by apexwm on Windows Server 2008 drops the ball for Mac compatibility

Latest in Networking

Ofcom to make it easier to change broadband service

Google set to build backbone of its 1Gbps fibre network

Nicira reveals network virtualisation details

Featured white papers

Six iPad tests for multimedia-grade Wi-Fi

Aruba Networks

Six iPad tests for multimedia-grade Wi-Fi

The University of Ottawa, Apple, Aruba Networks and others validate a multimedia grade Wi-Fi environment for scaling voice and video... Read more

Enterprise wireless networks add speed with 802.11n

Aruba Networks

Enterprise wireless networks add speed with 802.11n

This Aruba white paper explains the advanced technology introduced in the 'final' 802.11n certification, allowing enterprise network managers to understand its benefits and to plan their own upgrade... Read more

Solution Brief: Top 5 Reasons to Choose Blue Coat WAN Optimization

Blue Coat Systems

Solution Brief: Top 5 Reasons to Choose Blue Coat WAN Optimization

There's a pretty good chance your wide area network (WAN) looks like a mess right now. The rapid adoption of... Read more

Inside ZDNet UK

A tale of two distros: Ubuntu and Linux Mint

A tale of two distros: Ubuntu and Linux Mint

2012 Predictions: VCE FastPath, VI SAN Probe & Hadoop

2012 Predictions: VCE FastPath, VI SAN Probe & Hadoop

BlackBerry Bold 9790

BlackBerry Bold 9790

Case study: How cloud enables growth

Case study: How cloud enables growth

Ten factors that make Ubuntu 11.10 a hit

Ten factors that make Ubuntu 11.10 a hit

Toshiba Portégé Z830-10P Review

Toshiba Portégé Z830-10P Review

BT's archive: Pictures from the vault

BT's archive: Pictures from the vault