The bug, discovered recently by an Indian team and reported Friday to Microsoft by Mark Edwards, a security consultant, has the same effects as a bug discovered last year, but Microsoft spokespeople say the two bugs are unrelated. Microsoft says it will release a fix Monday evening.
Despite the potential harm that could be inflicted by someone who takes advantage of such a flaw, the software giant downplayed the security risks of the new bug. A Microsoft official emphasised the hole can only be exploited by a user with an account on, and physical access to, a local network run on Windows NT. Microsoft also denied that the "issue" could be taken advantage of over the Internet. "It's automatically limited in scope," said Karan Khanna, product manager with the Windows NT security group. "You have to have a valid user account, and if you have [that]... you have to have local rights and physical access."
The flaw is activated by a piece of software a user can run after logging on to an NT network locally. A security hole discovered last year also allowed users to impersonate system administrator privileges, but that bug operated in a completely different fashion, Khanna said.