Three weeks after a user discovered and disclosed information about a dangerous security hole in Windows 2000 and Windows NT, Microsoft still hasn't uttered a peep to its customers about the problem. The exploit, known as DebPloit, lets an intruder gain system-level access—-even with the Guest account.
On March 14, Radim Picha discovered the security flaw and reported it to Microsoft. He then posted a message to the NTBugTraq mailing list about his discovery. Picha's post includes a link to a .zip file that contains complete source code that demonstrates the problem, as well as text files that explain how the exploit works.
In December 2001, we reported that Microsoft had launched a new Gold Certified Partner Program for Security Solutions, which, among other things, requires that program participants report security problems to Microsoft and not alert the public until Microsoft has a fix available. Noticeably missing from Microsoft's security strategy is a contingency plan about how or when to alert customers of security problems when nonparticipants in the program make those problems public. Apparently, the current opinion in Redmond is to remain silent until a fix is available. Meanwhile millions of users remain at risk.
According to Picha, the DebPloit exploit is similar to the "SecHole" problem we reported in July 1998. Researchers have made an effort to provide a temporary fix while the world waits for Microsoft to respond, and users are discussing the exploit on our Web-based forums as well as other forums. Microsoft did inform us that they're working on a fix but gave no timeframe when that fix is expected to become available.