Microsoft Warns on Windows Developer Tool Vulnerability

Microsoft's security team warned customers and developers about a vulnerability that's been found in one of the company's key Windows development components.

The flaw -- located in the Microsoft Foundation Classes, also referred to as MFC -- affects Windows 2000 and Windows XP, and could potentially imperil applications that are built using the component. MFC is a set of Windows libraries that wrap Windows application programming interfaces (APIs) in C++ classes, giving C++ developers access to those APIs.

However, Microsoft hasn't said much about the threat thus far. "We are investigating reports of a vulnerability in mfc42.dll affecting Windows 2000 and XP," Microsoft's (NASDAQ: MSFT) Security Response Center (MSRC) said in a tweet. "Will update when we have more information."

Company spokespeople said in a later e-mail to InternetNews.com that Microsoft has not seen attacks based on the vulnerability -- at least not yet.

"Once we’re done investigating, we will take appropriate action to help protect customers," Jerry Bryant, group manager for response communications in the MSRC, said in the e-mail. "This may include providing a security update through the monthly release process, an out-of-cycle update, or additional guidance to help customers protect themselves."

While Microsoft officials didn't provide much in the way of background on the vulnerability, security firm Secunia did offer a few additional details.

According to the company, the MFC vulnerability consists of a boundary error that can be exploited to cause a buffer overflow, thus letting an attacker execute his or her own code. It's a fairly common attack vector, although such holes are not often found in Microsoft development tools.

"The vulnerability is confirmed in fully patched versions of Windows 2000 Professional SP4 (Service Pack 4) including mfc42.dll version 6.0.9586.0 and Windows XP SP2/SP3 including mfc42.dll version 6.2.4131.0," Secunia said in an advisory. "Other versions may also be affected."

Secunia also said the hole had first been found in the compression utility PowerZip from Trident Software.

Stuart J. Johnston is a contributing writer at InternetNews.com, the news service of Internet.com, the network for technology professionals. Follow him on Twitter @stuartj1000