ZDNet UK


Skip to Main Content

ZDNet.co.uk - Winner of Best Business Website 2007
  1. Home
  2. News
  3. Blogs
  4. Reviews
  5. Prices
  6. Resources
  7. Community
  8. My ZDNet

 

ZDNet UK RSS Feeds


Desktop platforms Toolkit in association with http://ad.doubleclick.net/clk;205413468;14699245;m?http://adfarm.mediaplex.com/ad/ck/2397-58840-22058-14

Windows HTML flaw persists

Matt Hines CNET News.com

Published: 25 Jan 2005 09:10 GMT

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Antivirus specialist GeCad Net is warning that it has found a problem with Microsoft's most recent software patch for Windows.

The Bucharest-based security service provider said that a critical patch issued by Microsoft in its MS05-001 bulletin earlier this month fails to resolve all of the security issues surrounding the HTML Help ActiveX control in Windows. Microsoft distributed the fix, along with additional security updates, to address the threat of attackers placing and executing malicious programs such as spyware on affected computers.

GeCad, which sold its antivirus software business to Microsoft in 2003, said that the patch has not addressed at least one so-called attack vector, or weakness, that could allow an exploit of the HTML Help ActiveX control vulnerability.

A Microsoft representative said on Monday that the company is already working to close the loophole reported by GeCad, and emphasised that the January patch had fixed the original reported problem.

"Microsoft issued an update to address a vulnerability in the HTML help control in Windows, and this update does protect against the publicly reported vulnerability," the representative said.

Moreover, the software maker disagreed that it overlooked a potential exploit with its patch. Instead, it said that the problem is a new flaw in HTML Help control that was not tackled in the update.

"Microsoft has been made aware of a publicly reported exploit of a different vulnerability than the one addressed," the representative said. "This vulnerability could be exploited in such a way as to cause the HTML Help control to execute code on a user's computer."

Microsoft did not say whether the fix would be released before its February patch bulletin.

GeCad said it is not disclosing technical details of the attack method right now for "security reasons". Microsoft has butted heads with security researchers in the past when they have disclosed information about flaws before the company has been able to patch them.

The antivirus company said the potential for attack is opened up if a computer is updated with Microsoft's Windows XP Service Pack 1 or Windows 2000 Service Pack 4, along with the most recent security patches. It also noted that updating with Microsoft's Windows XP Service Pack 2 seems to prevent the problem.

In 2003, Microsoft purchased GeCad Software, GeCad's antivirus software development business, but the remaining company continues to operate as a security researcher and consultancy. Microsoft is expected to release its own antivirus software sometime later this year.

  • Email
  • Trackback
  • Clip Link
  • Print friendly
  • Post Comment

Did you find this article useful?
27 out of 62 people found this useful


Talkback

Post a comment


Full Talkback thread

0 comments

Related Links

More In Desktop platforms



Company/Topic Alerts

Create a new alert from the list below:






Desktop Management Benchmarking

Test Your Desktop Management Systems

How good are your company's desktop management solutions? How do they compare with those of your peers?

Take two minutes to complete our new Desktop Management and Energy Consumption benchmark, and find out what issues your business needs to focus on.