Researcher discloses Microsoft FTP client flaw

By

A just discovered vulnerability in Microsoft's FTP client can allow a malicious user to crash the application via a malware-laced social engineering attack.

Researcher discloses Microsoft FTP client flaw
Researcher Rajesh Sethumadhavan said Wednesday that the buffer overflow flaw, which he discovered on Nov. 20, can allow a DoS attack or the execution of arbitrary code on a victimized computer.

However, other researchers on Thursday downplayed the threat.

The vulnerability exists within the FTP Client application on Windows 2000 Server, Windows 2000 Professional and XP operating systems. Other versions may also be affected, according to the Bangalore, India-based researcher, who provided proof-of-concept code.

The flaw is caused by an error when the client validates commands such as “mget,” “dir,” “user” and “ils.” For exploitation, an attacker would have to craft a malicious payload with those commands, Sethumadhavan said.

“This vulnerability is hard to exploit since it requires social engineering and shellcode has to be injected as argument in vulnerable commands,” he said.

Ben Greenbaum, senior research manager at Symantec Security Response, said the flaw takes so much work to exploit that it should not be a concern for administrators.

“Exploitation of this issue would require a fair amount of social engineering, and it would require the user to take actions that are patently unsafe,” he said. “It would unfortunate, with all the other threats and vulnerabilities out there that need patching, if users or IT staffs spent too much time worrying about this one.”

A Microsoft representative could not be reached for comment today.

See original article on SC Magazine US
Got a news tip for our journalists? Share it with us anonymously here.
Copyright © SC Magazine, US edition
Tags:
microsoft securitysecurity

Sponsored Whitepapers

Digital Transformation That Works in the Real World
Digital Transformation That Works in the Real World
Beyond the Breach: Logicalis Delivers Scalable, Business-Aligned MXDR Security
Beyond the Breach: Logicalis Delivers Scalable, Business-Aligned MXDR Security
Transforming IT for the Hybrid Era
Transforming IT for the Hybrid Era
Powering secure AI at the Edge: What you need to know before it’s too late
Powering secure AI at the Edge: What you need to know before it’s too late
Ditch the Spreadsheets. Build a System That Grows With You.
Ditch the Spreadsheets. Build a System That Grows With You.

Events

Most Read Articles

Microsoft knew of SharePoint security flaw in May, initial patch ineffective

Microsoft knew of SharePoint security flaw in May, initial patch ineffective
Gov to encourage vuln research, puts insurers and NFPs on notice

Gov to encourage vuln research, puts insurers and NFPs on notice
Palo Alto Networks in talks to buy CyberArk

Palo Alto Networks in talks to buy CyberArk
Allianz Life says majority of US customers' data stolen in hack

Allianz Life says majority of US customers' data stolen in hack
techpartner.news logo
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Dave Stevens on Brennan's evolution and the need for Aussie tech unity
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
Sydney's ITKnocks on contact centre AI and the slow death of the IVR
"It's an exciting time to be part of the health and aged care sector"
"It's an exciting time to be part of the health and aged care sector"
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Insicon founder Matt Miller on the coming 'tsunami' of compliance and educating boards about cyber security
Orro claims Australia first with managed digital asset discovery service
Orro claims Australia first with managed digital asset discovery service

Log In

  |  Forgot your password?