Both ZDNet and IIS Resources are reporting a newly discovered “worm hole” in Windows 2000, one for which they say there is no workaround. According to the reports, the Windows security company eEye discovered the flaw this week, indicating that the flaw was in a core component which was on by default, and could not be switched off.

Said Marc Maiffret, Chief Hacking Officer (now there’s an interesting title) for eEye, “You can’t turn this (vulnerable) component off. It’s always on. You can’t disable it. You can’t uninstall.”

In keeping with eEye’s stated policy, it is not releasing further information about the flaw until a fix is available, presumably so as to not facilitate exploitation of the flaw.

Crawling around eEye’s site, however, does provide some interesting information, and gives rise to some interesting questions. eEye’s offerings to the public include security products with cute names like Retina, Blink, and Iris. Many of its products are aimed directly at Windows protection and issues, and eEye is hardly alone in that field. But eEye seems to have taken to a new level not only protecting users from malicious attackers, but protecting users from problems with Windows itself. “eEye Digital Security is a leading vulnerability management software developer with a unique approach to enterprise security - eliminate vulnerabilities, rather than just…

[Continue reading Worm Hole in Win2k, and Windows Protection as a Business Model]