eEye Digital Security Announces Discovery of New Security Flaw in Microsoft Windows

(ALISO VIEJO, CA) June 14, 2005 — eEye® Digital Security, a leading developer of network security software which enables businesses to protect and manage their network infrastructure, today announced the discovery of a new critical vulnerability related to Microsoft (NASDAQ: MSFT) Windows®. The discovery uncovers a serious flaw in Microsoft’s HTML Help. This critical security flaw affects unpatched Windows 2003, XP, 2000 and 98 machines. The patch for this vulnerability comes 90 days after eEye’s discovery.

The critical vulnerability could potentially allow an attacker to take complete control of an affected system. Specifically, any anonymous attacker who could display a specially crafted Web page to a user could attempt to exploit this vulnerability. If left unpatched, an attacker could then take harmful action including installing programs; viewing, changing, or deleting data; or creating new accounts with full privileges.

As a service to the network security community, eEye conducts a monthly Vulnerability Expert Forum webinar during the second week of each month. The Vulnerability Expert Forums are conducted by eEye’s Research Team, headed by Marc Maiffret, eEye’s Chief Hacking Officer and explore the impact of high-risk vulnerabilities, such as those announced today.

The next Forum is scheduled to take place Thursday, 16 June 2005 @ 3.30pm UK / 4.30pm Central Europe.
To register for the VEF, please visit:

eEye Digital Security is one of the leading contributors to network security research, and worked in conjunction with Microsoft to identify this vulnerability and develop the appropriate fix. eEye’s Retina® Network Security Scanner already has audits for these new vulnerabilities incorporated into the Retina audit database, in addition to coverage for all of the security bulletins announced today. Retina users should scan their networks for vulnerable machines and follow the remediation instructions provided.

For organizations where immediate patching is not an option, eEye’s Blink Endpoint Vulnerability Prevention solution offers preemptive protection for each of the vulnerabilities announced by Microsoft today, in the absence of patches. Through its innovative approach to intrusion prevention, Blink allows businesses to maintain regularly scheduled patching cycles, avoiding the resource drain associated with “panic patching’. By protecting against entire classes of attacks, Blink does not require the burden of constant updates, as is the case with signature-based solutions.

“Companies should ensure they are protected from these vulnerabilities without delay.” said Firas Raouf, chief operating officer, eEye Digital Security. “As the window to remediate continues to shrink, both Retina and Blink allow security teams to stay ahead of the next attack by providing proactive measures.”

About Retina Enterprise Suite
Retina is integrated into the Retina Enterprise Suite, which also includes the Retina® Remediation Manager and the REM Security Management Console. As a fully integrated vulnerability management solution, the Retina Enterprise Suite provides IT administrators with the ability to identify known security vulnerabilities, assist in prioritizing threats for remediation and aggregate information from multiple Retina scanners in a distributed enterprise. Further, the Retina Enterprise Suite delivers vulnerability assessment, remediation management and sophisticated workflow integration that allows IT and security departments to work together effectively to optimize resources and mitigate threats. As a result, the Retina Enterprise Suite gives enterprises the means to automate protection strategies that will ensure business continuity.

The Retina Enterprise Suite with Retina is available now. Interested parties can learn more at

About Blink
Designed to be implemented on individual assets such as servers, PCs and laptops, Blink is the first endpoint product to combine multiple layers of security technologies to protect enterprises from zero-day attacks that leverage yet unknown vulnerabilities within enterprise networks. This comprehensive security solution allows enterprises to defer patching vulnerable machines until regularly scheduled maintenance cycles, thereby saving millions of dollars in business disruption and the associated IT resource drain caused by “panic” patching. Additionally, Blink eliminates the problem of so-called “socially engineered” security threats in which hackers trick individuals into downloading malware or otherwise making their own machines vulnerable to attack. As a result, Blink uniquely protects assets from vulnerabilities, as opposed to only thwarting attacks.

For more information on Blink please visit:

About eEye Digital Security
eEye Digital Security is a leading developer of network security software, and the foremost contributor to security research and education. eEye’s award-winning software products provide a complete vulnerability management solution that addresses the full lifecycle of security threats: before, during and after attacks. eEye’s customers, Citigroup and US Department of Defense, represent the largest deployments of vulnerability assessment and prevention technology in the private and public sector. eEye protects the networks and digital assets of more than 8,400 corporate and government deployments worldwide, including Avon, Continental Airlines, Dow Jones, Prudential, University of Miami, Viacom, Vodafone, Warner Music and Wyeth. Founded in 1998, eEye Digital Security is a privately held, venture-backed firm with headquarters in Orange County, California. For more information, please go to

Don't miss