Want CNET to notify you of price drops and the latest stories?

Security flaw in key Microsoft services

A hole in software used by subscribers to the giant's volume licensing program, developer network and other services leaves computers vulnerable to takeover.

3 min read
Microsoft on Tuesday warned users of a number of its subscription programs, including product testing and volume licensing, of a potential security flaw affecting the software they use for downloads.

The Redmond, Wash.-based software giant strongly urged customers using the File Transfer Manager (FTM) program to upgrade to the newest version. Microsoft released the new version, FTM, in late June. Affected customers can download the update from Microsoft's FTM Web site.

FTM is used to automatically download software for use with some Microsoft services. Microsoft distributes FTM to beta testers, companies participating in volume licensing programs and Microsoft Developer Network (MSDN) subscribers, among others.

In its e-mail to customers, Microsoft thanked Ukranian programmer Andrew Tereschenko for identifying the security flaw, which the company would not clearly identify.

Lynn Terwoerds, senior program manager for Microsoft's Security Response Center, said the flaw was originally reported to another division within the company. "The security response center has been handling this for about a month," she added.

"There's a vulnerability in the File Transfer Manager," Terwoerds said. "In that component there's a way for a person to take over the machine. In most cases here, we are dealing simply with a bug that is of a security class that would allow a user or attacker to gain higher privileges than what would be appropriate."

Terwoerds downplayed the number of affected customers because the new version of the software has been available for two months. "We think it's a fairly small number, because not a lot of customers use (the older version)...or have (it) installed on their machines," she said. "I don't know the exact number, but not everyone will have this."

Terwoerds said that's the reason Microsoft did not post a broader bulletin or distribute a warning to the 500,000 people subscribing to the company's security alerts service.

"We let the people who really needed to know about this, know about this," Terwoerds said. "It was a focused mailing."

But analysts were not convinced the unidentified vulnerability would be so limited, because of how infrequently companies update software. In fact, one of Microsoft's biggest ongoing security problems has been companies waiting months or even years to install important patches or security updates.

"By and large, there are a good number of businesses that don't regularly update their software nor send updates to their end users," said Technology Business Research analyst Bob Sutherland. "Something like this provides Microsoft an opportunity to get back in touch with their customers and get them to pay more attention when there's a security bulletin."

Grappling with security
Microsoft has been issuing security alerts on a fairly frequent basis since January, when company Chairman Bill Gates made security a top priority for the company. Microsoft's security Web site lists 41 alerts issued so far this year compared to about 46 for the same period a year ago. But, as with the FTM flaw, Microsoft issues other security alerts to specific customers rather than posting bulletins for everyone.

Among recent incidents: Last week, Microsoft issued a cumulative patch for security problems affecting SQL Server. A day earlier, the company warned of a critical flaw in Windows 2000's Connection Manager.

A mid-August security bug potentially exposed credit card transactions made using Internet Explorer. In early August, the software giant identified a bug affecting Commerce Server 2001. A few weeks earlier, Microsoft issued four security alerts. The most serious addressed a hole that would allow hackers to take over SQL Server 2000.

In early July, Microsoft warned of an e-mail bug with Outlook. A late June security patch plugged a hole that could have allowed hackers to seize control of a computer using Windows Media Player. Weeks earlier, Microsoft warned of a Gopher security hole in Internet Explorer that also could allow hackers to take control of computers or servers.

Microsoft also incorporates cumulative security patches with the release of service packs, which are software bug-fix and update packages. Microsoft released Windows 2000 Service Pack 3 at the end of July. The software giant could release Windows XP Service Pack 1 as early as next Wednesday.

The company is nearing the final testing stage for the important update, which introduces changes mandated by Microsoft's antitrust settlement with the Justice Department and nine of 18 states. According to the settlement, Microsoft must also disclose technical information about application programming interfaces (APIs) by the time Windows XP Service Pack 1 ships. Microsoft plans to disclose the API information Wednesday.