Updated Nov. 30 at 12:13 p.m. EST.
A just discovered vulnerability in
Microsoft's FTP client can allow a malicious user to crash the application via a malware-laced
social engineering attack.
Researcher Rajesh Sethumadhavan said Wednesday that the
buffer overflow flaw, which he discovered on Nov. 20, can allow a
DoS attack or the execution of
arbitrary code on a victimized computer.
However, other researchers on Thursday downplayed the threat.
The vulnerability exists within the FTP Client application on
Windows 2000 Server,
Windows 2000 Professional and
XP operating systems. Other versions may also be affected, according to the Bangalore, India-based researcher, who provided
proof-of-concept code.
The flaw is caused by an error when the client validates commands, such as “mget,” “dir,” “user” and “ils.” For exploitation, an attacker would have to craft a malicious payload with those commands, Sethumadhavan said.
“This vulnerability is hard to exploit since it requires social engineering, and shellcode has to be injected as an argument in vulnerable commands,” he said.
Ben Greenbaum, senior research manager at
Symantec Security Response, said the flaw takes so much work to exploit that it should not be a concern for administrators.
“Exploitation of this issue would require a fair amount of social engineering, and it would require the user to take actions that are patently unsafe,” he said. “It would be unfortunate, with all the other threats and vulnerabilities out there that need patching, if users or IT staffs spent too much time worrying about this one.”
Mark Miller, director of security response for Microsoft, said on Friday that his company is unaware of any attacks trying to exploit the flaw, but is investigating the vulnerability claims.