SRO: A Busy Week For Microsoft Security
Feb 27, 2000, 17:20
(Other stories by David Raikow)
"Since Feb. 16--the day before Microsoft officially launched Windows 2000--Microsoft has issued five separate official security bulletins, with independent analysts delivering several more. To top the week off, antivirus vendors announced the discovery of the first confirmed Windows-based distributed denial-of-service (DDoS) tool."
"Perhaps the most dangerous of these issues, first announced by veteran bug-spotter Juan Cuartango, may present a threat to Internet Explorer (IE) and Outlook users. The problem lies in an ActiveX control called MS Active Setup, which can automatically install Microsoft-authenticated code onto a Windows-based machine. The install process can be triggered without any warning simply by visiting a Web page or viewing an e-mail containing the code."
"But according to the Microsoft Security Response Team, this automatic installation is a feature, rather than a bug. In an e-mail to the BugTraq mailing list, the Microsoft team states the feature was included 'in order to improve our customers' experience while downloading software from Microsoft Web sites.'"