3Com's Security Team Discloses Security Flaws in Microsoft Products

WebKnowHow
Wednesday, July 12, 2006; 02:28 AM

3Com and its TippingPoint division announced that its security research team discovered a critical vulnerability in Microsoft Windows operating system. Additionally, 3Com's Zero Day Initiative (ZDI) discovered another critical Microsoft vulnerability in its Excel software.

Upon validating the vulnerabilities, 3Com reported the issues to Microsoft, which in turn applied the necessary resources to address the vulnerability and promtly issued the patch. 3Com said its customers using the TippingPoint Intrusion Prevention Systems (IPS) were preemptively protected against potential zero day attacks targeting the vulnerability through its Digital Vaccine update service.

The critical vulnerability (CVE-2006-1314), discovered by the TippingPoint Security Research Team (TSRT), allows remote attackers to execute arbitrary code on vulnerable installations of the Microsoft Windows operating system. This vulnerability can lead to a network worm that could have a widespread impact. The critical vulnerability (CVE-2006-2388), discovered through the ZDI, allows remote attackers to execute arbitrary code if a malformed Excel spreadsheet is opened by a victim.

The TSRT consists of industry recognized security researchers that apply their cutting-edge engineering, reverse engineering and analysis talents in TippingPoint's daily operations. The by-product of these efforts fuels the creation of vulnerability filters that are automatically delivered to TippingPoint customers through the Digital Vaccine service. 

The goal of the ZDI program is to enable the responsible disclosure of vulnerabilities in order to make technology more secure for users and businesses. A zero day vulnerability is one that is unknown or one that has been publicly disclosed without a corresponding patch. Through the program, 3Com rewards security researchers for responsibly informing 3Com of newly discovered zero day vulnerabilities. Once its security experts validate that authenticity of the vulnerability, 3Com notifies the affected vendor so a patch can be developed, and the researcher agrees to keep the information confidential until the patch is issued so affected organizations are not at risk. In addition to protecting all users from zero day threats by ensuring information is kept confidential until a patch is issued, TippingPoint customers are also protected against zero day attacks through security filters delivered through the Digital Vaccine service.

In addition to protecting customers from the two aforementioned vulnerabilities, TippingPoint Intrusion Prevention Systems were inoculated against issues in all of the critical Microsoft bulletins through the Digital Vaccine service.