A major new security vulnerability in Windows NT has been discovered and the company that found it, called Eeye, has actually posted programs to the Internet that actually allows users to take advantage of this vulnerability. This action has drawn the ire of Microsoft, which says that releasing such files is irresponsible. Eeye CEO Firas Bushnaq, however, says that Microsoft stopped responding to email from the company when they told them about it on June 8th.
And the bug appears to be serious: Bushnaq says that hackers can exploit this vulnerability to execute code on any NT Web server, effectively taking control of the system.
"You can send a 'malformed' or very long request to a Web server. It could cause a buffer overflow, which means you can embed application code that will execute on the server," Bushnaq says. "Anything that is residing on the Web server and everything connected to that--back-end databases, eCommerce information, credit card information--could be accessible. It is extremely important for \[Microsoft\] to fix it."
Microsoft, however, is understandably upset about the way Eeye released code on the Net that takes advantage of the vulnerability.
"We've got a security response process that we set up a year ago so that customers would have a place to report bugs and so that we could respond to it quickly," says Microsoft security product manager Scott Culp. "For reasons we don't understand, at the beginning of this week \[Eeye\] suddenly went public with the bug. It's contrary to all of the normal rules of responsible security professionals. You don't provide tools that malicious users can use to hurt innocent people."
While the dust clears, NT administrators can implement a temporary workaround for the vulnerability until Microsoft supplies a full fix. You can find this workaround on the Microsoft Web site