MICROSOFT Windows flaw affects security



The flaw could allow hackers to seize control of a user's computer over the Net.
WASHINGTON (AP) -- Microsoft Corp. acknowledged a critical vulnerability in nearly all versions of its flagship Windows operating system software, the first such design flaw to affect its latest Windows Server 2003 software.
Microsoft said the vulnerability could allow hackers to seize control of a victim's Windows computer over the Internet, stealing data, deleting files or eavesdropping on e-mails. The company urged customers to immediately apply a free patch that repairs the flaw, available from Microsoft's Web site.
Touted as secure
The disclosure Wednesday was unusually embarrassing for Microsoft because it demonstrated the first such serious flaw in the company's powerful new computer server software, billed as its safest ever.
The software is aimed at large corporate customers and was the first product sold under a high-profile "Trustworthy Computing" initiative organized last year by Microsoft founder Bill Gates.
At the product's launch in late April, Microsoft Chief Executive Steve Ballmer declared the new version of Windows to be a "breakthrough in terms of what it means, in terms of its built-in security and reliability."
The flaw, discovered by researchers in western Poland, also affected Windows versions popular among home users.
"This is one of the worst Windows vulnerabilities ever," said Marc Maiffret, an executive at eEye Digital Security Inc. of Aliso Viejo, Calif., whose researchers discovered similarly dangerous flaws in at least three earlier versions of Windows.
Firewall protection
Microsoft said corporate firewalls commonly block the type of data connections that hackers outside a company would need for these attacks. The flaw affects Windows technology used to share data files across computer networks.
Maiffret said that inside vulnerable corporations, "until they have this patch installed, it will be Swiss cheese -- anybody can walk in and out of their servers."
Microsoft spent hundreds of millions of dollars on security improvements for its latest Windows software and included new technology to defend against a category of hacker attacks known as "buffer overflows," which can trick software into accepting dangerous commands.
But four Polish researchers, known as the "Last Stage of Delirium Research Group," said they discovered how to bypass the additional protections Microsoft added, just three months after the software went on sale.
Microsoft also acknowledged a separate design flaw affecting only Windows XP, but it was deemed less serious because hackers would have to already have broken into a corporate network to attack victims. The company also released a patch for it.
The Polish researchers created a tool to break into victim computers but promised not to release blueprints for such software onto the Internet.