Severe Microsoft Vulnerability Awaits Patch
A security firm has notified Microsoft of severe, remotely exploitable vulnerabilities in its software.
Security firm eEye says it has notified Microsoft of a pair of severe vulnerabilities in its software, the details of which won't be disclosed until Redmond has time to act.
eEye posted both vulnerabilities to its upcoming advisories page, but offered little comment on them beyond noting the affected software, Outlook and Internet Explorer, and how many days have passed since it notified Microsoft of the vulnerabilities (16 days since the first vulnerability, 9 since the second).
According to eEye, both vulnerabilities allow for remote execution of code on a vulnerable system. Affected systems include all NT 4, Windows 2000, and Windows XP systems. The company has not yet determined the vulnerability of Windows 2003 systems.
While eEye hasn't published many details on its Web site, it has commented in published reports that the vulnerabilities could allow malicious software to be installed on a user's system with no more interaction required than following a link.
Microsoft has confirmed that it has received notification of the flaws, but has offered no timetable for a patch. The company could either wait until its next scheduled security update, on the second Tuesday of the month, or it could release a special patch if an exploit is discovered and creates an emergency for vulnerable users.