Microsoft warns of major Windows security flaw

Houston Chronicle ^ | Feb. 10, 2004 | AP

[zeugma]

Microsoft warns of (yet another) major Windows security flaw

WASHINGTON -- Microsoft Corp. warned customers today about unusually serious security problems with its Windows software that could let hackers quietly break into their computers to steal files, delete data or eavesdrop on sensitive information.

Microsoft, which learned about the flaws more than six months ago from researchers, said the only protective solution was to apply a repairing patch it offered on its Web site. It assessed the threat to computer users as "critical," its highest rating.

A Microsoft security executive, Stephen Toulouse, said the flawed software was "an extremely deep and pervasive technology in Windows," and urged customers to apply the patch immediately.

The disclosure comes just weeks before Microsoft Chairman Bill Gates delivers a keynote speech in San Francisco at one of the industry's most important security trade conferences. Microsoft has struggled in recent months against a tide of renewed criticism about security risks in its software, the engine for computers in most of the world's governments, corporations and homes.

"This is one of the most serious Microsoft vulnerabilities ever released," said Marc Maiffret of eEye Digital Security Inc. of Aliso Viejo, Calif., which discovered the new Windows flaws. "The breadth of systems affected is probably the largest ever. This is something that will let you get into Internet servers, internal networks, pretty much any system."

Maiffret said some computer systems that control critically important power or water utilities were vulnerable.

Maiffret predicted hackers will try to unleash a damaging Internet infection within weeks. Unlike earlier vulnerabilities that spawned such attacks, hackers can exploit the newly disclosed flaws to break into susceptible computers using dozens of methods, making any defense far more difficult.

"The race will be on," agreed Marcus Sachs, a former White House adviser on cybersecurity.

Researchers at eEye discovered the problems last July and agreed to keep quiet about them until Microsoft could fix them. Maiffret complained that the delay between eEye's discovery and Tuesday's public disclosure by Microsoft was "just totally unacceptable" because Windows users were broadly vulnerable during the period.

Toulouse said Microsoft took months because it wanted to ensure that a single repairing patch solved any related problems. "We really took the steps to make sure our investigation was as broad and deep as possible," he said.

Maiffret and Microsoft said they were unaware anyone had yet attacked Windows computers using the technique, although eEye had successfully tested the method to break into its own computers.

Microsoft's disclosure occur just days before a presidential advisory council submits recommendations to the White House about ways technology companies should respond to major software vulnerabilities that could affect national security. The 54-page report, obtained by The Associated Press, cautions that "long delays in remediation can result in prolonged risk to end users."

The problems affected a technology in the newest versions of Windows known as "abstract syntax notation," a way to share data across different computers. Some of Microsoft's built-in security features -- such as its Kerberos cryptography system -- rely on the flawed software.

Microsoft urged consumers to apply the repairing patch immediately if they were using Windows NT, Windows 2000 or Windows XP versions of its software, or its Windows NT Server, Server 2000 and Server 2003 software commonly found in corporations.

[zeugma]

Yeah, I know that posting news of yet another defect of microsoft's operating system is hardly 'breaking news', but it will be important to a lot of people that are vulnerable.

Prediction: Bush2000 and Golden Eagle, will somehow determine that Open Source Software is really the problem.

Click HERE for the ultimate service pack, and you can join me in laughing at the carnage to come.

[Prime Choice]

Prediction: Bush2000 and Golden Eagle, will somehow determine that Open Source Software is really the problem.

Dang, man. Miss Cleo ain't got nothin' on you! ; )

And for the Microsoft users: BOHICA!

[Uncle Miltie]

In a game of "King of the Hill," why is it surprising that only the King is attacked?

[Glenn]

.

[chance33_98]

Bump

[Huck]

I am just a semi-normal pc consumer. Maybe a little better than the average moron. I use a Gateway PC at home that I got from my job several years back. Windows 98 SE, P III. It is about time to get a new one, but I am hesitant to do it. These new operating systems seem really messed up. Mine crashes like every other day, but I am used to that. But I am afraid to upgrade to a new PC because it'll come with XP and I think it'll be a worse situation. So I am probablyjust gonna drop a second hard drive into the gateway and keep going.

[xJones]

Thank you for this article.

[isthisnickcool]

The rumor is B2K actually works for Gates himself. At the Gates house. See this spy photo of him at work.*

*Just funning with ya B2K...

[bmwcyle]

bttt

[JoJo Gunn]

How can it not be breaking news since this is solely a forum of computer users?

Let 'em gripe. Better to bring them out in the open.

[js1138]

Ther's abit ofhperverntelation going on over the word "critical". MS labels all security updates critical. At one or two a month. This one takes about five minutes todownload and install.

[Capt. Tom]

Mine crashes like every other day, but I am used to that. But I am afraid to upgrade to a new PC because it'll come with XP and I think it'll be a worse situation.

I had a new computer made and it came through with windows XP.

I have 9/24/03 the date I started it up, marked on the side of the case. I have not had a crash yet. - Tom

[tdadams]

There's nothing unusual about security flaws in Windows. They're as common as mosquitos on the Mississippi delta.

[tdadams]

XP is actually a pretty good improvement over 98. It's much smarter and more stable. I'd recommend the upgrade.

[Texas_Jarhead]

Don't let a fear of XP keep you from upgrading. It is far superior to Win98. IMO, of course.

[Nick Danger]

I am probablyjust gonna drop a second hard drive into the gateway and keep going.

You're in trouble now. To spend money on additional hardware instead of sending it to the all-American patriotic American software developers here in America (with offices in China and India), reveals you to be a communist, a foreigner from Finland, and a music pirate as well.

How dare you look after your own interests instead of sending your money to Mr. Gates? He needs every dime you've got so he can continue to donate to NPR and the UN.

[Steely Tom]

I do software development. I use MS C++ Version 6. I run Windows 98, second edition, Version 4.10. Never have had a problem with it. No BSOD, no viruses, no crashes.

My business partner went out and bought a top-end laptop (an IBM Thinkpad) last summer; it had Windows XP. I can't tell you how many times he's re-formatted the HD and reloaded everything. XP is pretty, but, man, what a set of problems.

I have a simple rule, that I apply to every computer in my company (we have a lot of them): never use the latest version of anything. Not if you need to use your computers everyday.

Of course, we don't have an IT staff, and none of us are particularly interested in spending time sniffing out the latest patches for everything and installing them. We like to write new software, not figure out how to install Microsoft's.

(steely)

[zeugma]

If the system just needs disk space, but otherwise does everything else you want, then there is no need not to just drop a drive in. I'm not one to advocate living on the bleeding edge of technology unless you just like to play with the stuff. Regardless of what you do with your PC, I'd advise that you have a hardware firewall to protect you from the evil folks out there. This is especially important if you use any version of windows given how weak windows is security-wise.

You might try a linux distribution as an alternative. If you download and burn a copy of Knoppix, you can actually run the distro straight from a CDRom drive, without having to install anything. That way, you can see if you like it, and also if it will work with your hardware. be warned though, they just announced a new Knoppix release, so the servers are likely to be fairly slow for a while until the ruch to download abates somewhat.

[bmwcyle]

bttt

[NRA2BFree]

Mine crashes like every other day, but I am used to that. But I am afraid to upgrade to a new PC because it'll come with XP and I think it'll be a worse situation.

You are not alone. I thought I was the only one who crashed my computer. :) I have considered buying a new one but I'm not going to until I learn how to use it. I suppose reading the directions would help. LOL!