Microsoft Warns on Windows Developer Tool Vulnerability
Microsoft puts users and developers on notice that the Windows Foundation Classes have a security flaw -- making some apps vulnerable to attackers.
Microsoft's security team warned customers and developers about a vulnerability that's been found in one of the company's key Windows development components.
The flaw -- located in the Microsoft Foundation Classes, also referred to as MFC -- affects Windows 2000 and Windows XP, and could potentially imperil applications that are built using the component. MFC is a set of Windows libraries that wrap Windows application programming interfaces (APIs) in C++ classes, giving C++ developers access to those APIs.
However, Microsoft hasn't said much about the threat thus far. "We are investigating reports of a vulnerability in mfc42.dll affecting Windows 2000 and XP," Microsoft's (NASDAQ: MSFT) Security Response Center (MSRC) said in a tweet. "Will update when we have more information."
Company spokespeople said in a later e-mail to InternetNews.com that Microsoft has not seen attacks based on the vulnerability -- at least not yet.
"Once we're done investigating, we will take appropriate action to help protect customers," Jerry Bryant, group manager for response communications in the MSRC, said in the e-mail. "This may include providing a security update through the monthly release process, an out-of-cycle update, or additional guidance to help customers protect themselves."
While Microsoft officials didn't provide much in the way of background on the vulnerability, security firm Secunia did offer a few additional details.
According to the company, the MFC vulnerability consists of a boundary error that can be exploited to cause a buffer overflow, thus letting an attacker execute his or her own code. It's a fairly common attack vector, although such holes are not often found in Microsoft development tools.
"The vulnerability is confirmed in fully patched versions of Windows 2000 Professional SP4 (Service Pack 4) including mfc42.dll version 6.0.9586.0 and Windows XP SP2/SP3 including mfc42.dll version 6.2.4131.0," Secunia said in an advisory. "Other versions may also be affected."