Free Republic

Microsoft admits flaw in Windows software (You're Kidding...)
NJ.com

Posted on 07/17/2003 5:17:04 AM PDT by Sub-Driver

Microsoft admits flaw in Windows software

By TED BRIDIS The Associated Press 7/17/2003, 7:49 a.m. ET

WASHINGTON (AP) — Microsoft Corp. acknowledged a critical vulnerability Wednesday in nearly all versions of its flagship Windows operating system software, the first such design flaw to affect its latest Windows Server 2003 software.

Microsoft said the vulnerability could allow hackers to seize control of a victim's Windows computer over the Internet, stealing data, deleting files or eavesdropping on e-mails. The company urged customers to immediately apply a free patch available from Microsoft's Web site.

The disclosure was unusually embarrassing for Microsoft because it demonstrated the first such serious flaw in the company's powerful new computer server software, billed as its safest ever.

The software is aimed at large corporate customers and was the first product sold under a high-profile "Trustworthy Computing" initiative organized last year by Microsoft founder Bill Gates.

At the product's launch in late April, Microsoft Chief Executive Steve Ballmer declared the new version of Windows to be a "breakthrough in terms of what it means, in terms of its built-in security and reliability."

The flaw, discovered by researchers in western Poland, also affected Windows versions popular among home users.

"This is one of the worst Windows vulnerabilities ever," said Marc Maiffret, an executive at eEye Digital Security Inc. of Aliso Viejo, Calif., whose researchers discovered similarly dangerous flaws in at least three earlier versions of Windows.

Microsoft said corporate firewalls commonly block the type of data connections that hackers outside a company would need for these attacks. The flaw affects Windows technology used to share data files across computer networks.

Maiffret said that inside vulnerable corporations, "until they have this patch installed, it will be Swiss cheese — anybody can walk in and out of their servers."

Microsoft spent hundreds of millions of dollars on security improvements for its latest Windows software and included new technology to defend against a category of hacker attacks known as "buffer overflows," which can trick software into accepting dangerous commands.

But four Polish researchers, known as the "Last Stage of Delirium Research Group," said they discovered how to bypass the additional protections Microsoft added, just three months after the software went on sale.
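As an added illustration (not from the article, and not Microsoft's or the researchers' code), the C model below shows the bug class the article describes and the idea behind the stack-cookie check that Windows Server 2003 shipped: an unchecked copy into a fixed-size buffer overwrites whatever sits beyond it, a guard value placed there reveals the overrun before the function returns, and a bounded copy avoids the overrun altogether. The frame layout, the cookie constant, the return codes and the function names are all constructed for this example; a real frame is on the machine stack and the real cookie is a per-process random value.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Constructed model of a stack frame: a fixed local buffer followed by a guard
 * cookie and a stand-in for the data an overflow would otherwise reach.
 * Using a struct keeps the out-of-bounds writes confined to memory we own, so
 * the demonstration is deterministic instead of undefined behaviour on a real
 * stack. */
#define BUF_SIZE 16
#define COOKIE   0xA5C3F00DUL   /* constant here; random per process in real systems */

struct frame {
    char     buf[BUF_SIZE];   /* the local buffer being copied into */
    uint32_t cookie;          /* guard value written on entry, verified before return */
    uint32_t saved_ret;       /* stands in for the saved return address */
};

/* Return codes shared by both variants. */
enum { COPY_OK = 0, COPY_COOKIE_CLOBBERED = -1, COPY_INPUT_TOO_LONG = -2 };

/* Unchecked copy: the bug class the article describes. The length of the
 * input, not the size of buf, decides how many bytes are written, so a long
 * input spills into cookie and saved_ret. The cap at sizeof *f exists only to
 * keep the demo inside memory we own. */
int copy_unchecked(struct frame *f, const char *in, size_t in_len)
{
    f->cookie = COOKIE;
    f->saved_ret = 0x1234;
    if (in_len > sizeof *f)
        in_len = sizeof *f;
    memcpy((unsigned char *)f, in, in_len);   /* no check against BUF_SIZE */
    /* Epilogue check a cookie-protected build performs: a changed cookie
     * means the frame was overrun, and the process is terminated rather than
     * allowed to return through corrupted data. */
    return f->cookie == COOKIE ? COPY_OK : COPY_COOKIE_CLOBBERED;
}

/* Bounded copy: rejects input that does not fit, leaving room for the NUL.
 * The cookie check is still performed, but now has nothing to catch. */
int copy_checked(struct frame *f, const char *in, size_t in_len)
{
    f->cookie = COOKIE;
    f->saved_ret = 0x1234;
    if (in_len >= BUF_SIZE)
        return COPY_INPUT_TOO_LONG;
    memcpy(f->buf, in, in_len);
    f->buf[in_len] = '\0';
    return f->cookie == COOKIE ? COPY_OK : COPY_COOKIE_CLOBBERED;
}

/* Helper: build a constructed input of `len` 'A' bytes, run one variant on a
 * fresh frame and return its result code. */
static int run_variant(int (*fn)(struct frame *, const char *, size_t), size_t len)
{
    char *in = malloc(len ? len : 1);
    struct frame f;
    int rc;
    if (!in)
        return COPY_INPUT_TOO_LONG;
    memset(in, 'A', len);
    rc = fn(&f, in, len);
    free(in);
    return rc;
}

int run_unchecked(size_t len) { return run_variant(copy_unchecked, len); }
int run_checked(size_t len)   { return run_variant(copy_checked, len); }

int main(void)
{
    printf("unchecked, 8 bytes : %d\n", run_unchecked(8));    /* 0: fits, cookie intact */
    printf("unchecked, 40 bytes: %d\n", run_unchecked(40));   /* -1: overrun caught by cookie */
    printf("checked, 8 bytes   : %d\n", run_checked(8));      /* 0 */
    printf("checked, 40 bytes  : %d\n", run_checked(40));     /* -2: rejected before any write */
    return 0;
}
```

The point a defender should take from the two variants: the cookie only detects an overrun after it has happened and stops the function from returning through corrupted data, which is why it can be bypassed in ways a bounded copy cannot; the fix the article's patch represents is the second kind, removing the overrun rather than catching it.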

The head of Microsoft's security response center, Kevin Kean, said improving Windows software is an ongoing process. "We continue to try to make it better and when we find a situation where techniques we've built into the system are not perfect, we go out and fix them," Kean said.

Microsoft also acknowledged a separate design flaw affecting only Windows XP, but it was deemed less serious because hackers would have to already have broken into a corporate network to attack victims. The company also released a patch for it.

Although the Polish researchers created a tool to demonstrate the more serious vulnerability and break into victim computers, they promised not to release blueprints for such software onto the Internet.

"We're fully aware of the potential impact," group member Tomasz Ostwald said in a telephone interview. "We don't plan to publish this code at the moment. It's too dangerous."

Ostwald said the group, which other experts said was highly regarded in the security community, expected to disclose additional details during technical presentations at upcoming security seminars.

Some experts said they expected hackers to begin using this new vulnerability to break into computers within months. Even without detailed blueprints from researchers, hackers typically break apart the patches Microsoft provides for clues about how to exploit a new flaw.

"We could see it in a week or a year or not at all, but I expect we would see something in a three-month time frame," said Russ Cooper of Herndon, Va.-based TruSecure Corp.

Internet Security Systems Inc. said the Windows flaw "poses an enormous threat" and raised its alert level to its second notch, reflecting "increased vigilance." The Atlanta-based company operates an early warning network for the technology industry, the Information Technology Information Sharing and Analysis Center.

The announcement came one day after the Department of Homeland Security announced that it awarded a five-year, $90-million contract for Microsoft to supply all its most important desktop and server software for about 140,000 computers inside the new federal agency.

___

On the Net:

Microsoft Security: www.microsoft.com/security


TOPICS: Business/Economy; Extended News; News/Current Events
KEYWORDS: techindex
I just installed it, 4 update packages..
1 posted on 07/17/2003 5:17:04 AM PDT by Sub-Driver


To: Sub-Driver
Isn't it possible anyone could alter code on any operating system? When it's open source, they're called "programmers". When it is not open source, they're called "hackers".
3 posted on 07/17/2003 5:28:22 AM PDT by RedBloodedAmerican

To: Sub-Driver
Is this just for MS servers? I'm using a Novell server that links a small network of Win98 desktops. Does this apply to me?
4 posted on 07/17/2003 5:37:14 AM PDT by afraidfortherepublic

To: Ernest_at_the_Beach; *tech_index
Ping!
5 posted on 07/17/2003 5:37:54 AM PDT by afraidfortherepublic

To: Sub-Driver
I think I saw Bill Gates wringing his hands in the bank yesterday standing behind a wheel-barrow full of $100 bills.
6 posted on 07/17/2003 5:41:33 AM PDT by aardvark1

To: Sub-Driver
I installed 2 for Win XP Pro

Bruce
7 posted on 07/17/2003 5:54:07 AM PDT by Bruce Kurtz

To: Bruce Kurtz
Not knowing a lot about computers I just install the Win-Update when the system prompts me to do so. Since it is all in Japanese I have to hope they know what they are doing.

Oh well, it's not like there is anything on my computer to steal.
8 posted on 07/17/2003 6:05:03 AM PDT by Ronin (Qui tacet consentit!)

To: afraidfortherepublic
As I read the documentation (technical material is not my strong point), it indicated that all systems except ME needed these patches. Read the documentation-- there's a link provided when you look at the updates provided.
9 posted on 07/17/2003 6:10:39 AM PDT by Clara Lou

To: Sub-Driver
Well if you needed another reason to not use M$, you've got one...
10 posted on 07/17/2003 6:40:13 AM PDT by =Intervention= (White devils for Sharpton Central Florida chapter)

To: Ronin
Yeah, that is the scary thing. I got ADSL, and turned on my computer, went downstairs to get a cup of coffee, came back and saw my Internet connection was very busy. A little message was on the screen that said I had two critical updates to install, just click the left mouse button. I did not do that, but went to the start button and did the Windows update manually. And they had the same two updates. I don't know how they do it, but I don't like Microsoft downloading files without me telling it to. I thought my firewall (Zone Alarm) would stop that.

Bruce
11 posted on 07/17/2003 6:45:31 AM PDT by Bruce Kurtz

To: Clara Lou
As I read the documentation (technical material is not my strong point), it indicated that all systems except ME needed these patches.

Yeah, no one's been able to keep a copy of ME running long enough for anyone to hack it.

12 posted on 07/17/2003 6:46:48 AM PDT by Richard Kimball

To: Sub-Driver
Flaws? Yes it will have flaws. Anything with over 30 million lines of code, made by human hands, will definitely have flaws. If the authors of the code are not infallible and are prone to error, how could the work of their hands be perfect? We're talking about a level of complexity which is totally unfamiliar to the average person.

Talk of flawless code is stupid and reminiscent of "unsinkable Titanic" rhetoric. Just empty human boasting.

13 posted on 07/17/2003 6:58:55 AM PDT by marshmallow

To: marshmallow
Flaws? Yes it will have flaws. Anything with over 30 million lines of code, made by human hands, will definitely have flaws. If the authors of the code are not infallible and are prone to error, how could the work of their hands be perfect? We're talking about a level of complexity which is totally unfamiliar to the average person.

Here, we have the typical excuse for the shoddy software that typically comes out of Redmond from Microsoft. It's just so hard! I don't buy it. You might recall a few years back when people all over freaked out about a bug in a really obscure floating-point operation performed by Pentium computers. This was a small rounding error in a function used by less than one in 10,000 people, but Intel, due to media uproar, had to replace the CPUs in hundreds of thousands (if not millions) of systems.

If Intel (or IBM, Sun or AMD) designed their CPUs, which are incredibly complex, containing millions of transistors that all have to interoperate perfectly, with the same quality standards as are evidently set by Microsoft (and most of the rest of the software industry, I'm afraid), you'd not be able to get a computer to pass a POST more than 10% of the time.

Microsoft and their apologists should quit whining about how hard it is. Other people manage to engineer their products appropriately. They should be expected to as well.

Talk of flawless code is stupid and reminiscent of "unsinkable Titanic" rhetoric. Just empty human boasting.

Flawless code is probably impossible, but having gaping holes in your software that allow someone to remotely commandeer your machine is not something to be expected out of a multibillion dollar organization.

14 posted on 07/17/2003 7:24:54 AM PDT by zeugma (Hate pop-up ads? Here's the fix: http://www.mozilla.org/ Now Version 1.4!)

To: Richard Kimball
"...no one's been able to keep a copy of ME running long enough for anyone to hack it."

Ahem ... I'll have you know that I have ME on my laptop. I bought it about two years ago with ME pre-installed, just before XP was released. I use it when I am traveling TDY, using it for email, internet surfing, word processing, and playing games on it. It has never gone down while I was using it. No blue-screens-of-death, no "overflow", no freezing, no hiccups ... nothing.

Is that a record?

15 posted on 07/17/2003 7:29:39 AM PDT by BlueLancer (Der Elite Møøsenspåånkængruppen ØberKømmååndø (EMØØK))

To: Sub-Driver
Installed 3 on Tuesday, and 1 more this morning.
16 posted on 07/17/2003 7:29:53 AM PDT by Johnny Gage (God Bless President Bush, God Bless our Troops, and GOD BLESS AMERICA!)

To: BlueLancer
I've had ME on my gaming rig since it came out...same install, too. This machine gets lots of heavy use...I'm a hardcore Everquest player, several hours a day every day, and it's left on 24/7. Rock solid. Nothing crashes, nothing gives me trouble. I wouldn't even consider another version for that box....ME is perfect.
17 posted on 07/17/2003 7:49:47 AM PDT by Fire_on_High (Balance is life.)

To: BlueLancer
Is that a record?
Dunno, how many days do you keep your laptop running? I rarely leave mine on for more than half a day.
18 posted on 07/17/2003 9:02:16 AM PDT by lelio

To: Bruce Kurtz
What version of Windows are you running? If you are running Windows XP, then go to the Control Panel, select "System" and there will be an "Automatic Updates" page that allows you to configure how and if automatic updating is performed.

The default mode is to download the updates automatically and notify you when the updates are ready to be installed. You evidently have not acquainted yourself with Win XP.

RTFM.

dvwjr
19 posted on 07/17/2003 10:01:03 AM PDT by dvwjr

To: dvwjr
Thanks, I just got a new computer in June running Win XP pro. I'll have to change the default.
20 posted on 07/17/2003 10:41:37 AM PDT by Bruce Kurtz

