Microsoft brings forward latest NT security fix

Microsoft will make a fix available next week for a Windows NT security flaw that opens access to the operating system's registry - after initially planning only to include it in NT 5.0, next year. The fix for the 'red button bug' will prevent unauthorised users who have gained registry access from seeing any sensitive data, and those users will not be able to alter any of the information.

Microsoft will make a fix available next week for a Windows NT security flaw that opens access to the operating system's registry - after initially planning only to include it in NT 5.0, next year.

The so-called red button bug gives remote users unauthorised access to part of Windows NT that includes the registry and file system, according to NTsecurity.com, a division of Midwestern Commerce (MWC), a software publisher in Columbus, Ohio, that found the flaw. MWC posted on its Web site a program that demonstrates the flaw (http://www.NTsecurity.com/RedButton/).

This bug is not the only security problem of late to plague Windows NT; earlier this month a programmer developing software for managing Windows NT and Unix files unintentionally opened the door to Windows NT's Security Accounts Manager file, where system passwords are kept.

Microsoft's fix for the red button bug will prevent unauthorised users who have gained registry access from seeing any sensitive data, and those users will not be able to alter any of the information, according to Mike Nash, Windows NT product manager with Microsoft.

"By defining the access control and restricting access, it basically eliminates [unauthorised users] from viewing anything important," Nash says. "They will see things like print spooling information ... that's fairly benign information."

Despite NT's recent security problems, one analyst says he believes Microsoft's operating system is reasonably secure.

"Microsoft does as good a job as any other vendor, and they are all doing ... a pretty darn good job of coming up with systems that are difficult to compromise," says Tom Harris, research director at International Data Corp.

The red button bug fix was initially slated for inclusion in Windows NT 5.0, which is due to ship in 1998. Microsoft is speeding its availability, according to Nash, and will post a fix next week on its Web site.

The red button bug fix will also be included in Windows NT Service Pack 3.0, which is currently in beta testing.

Join the newsletter!

Error: Please check your email address.
Show Comments
[]