Microsoft said the vulnerability could allow hackers to seize
control of a victim's Windows computer over the Internet, stealing
data, deleting files or eavesdropping on e-mails. The company urged
customers to immediately apply a free patch available from
Microsoft's Web site.
The disclosure was unusually embarrassing for Microsoft because
it demonstrated the first such serious flaw in the company's
powerful new computer server software, billed as its safest ever.
The software is aimed at large corporate customers and was the
first product sold under a high-profile "Trustworthy Computing"
initiative organized last year by Microsoft founder Bill Gates.
At the product's launch in late April, Microsoft Chief Executive
Steve Ballmer declared the new version of Windows to be a
"breakthrough in terms of what it means, in terms of its built-in
security and reliability."
The flaw, discovered by researchers in western Poland, also
affected Windows versions popular among home users.
"This is one of the worst Windows vulnerabilities ever," said
Marc Maiffret, an executive at eEye Digital Security Inc. of Aliso
Viejo, Calif., whose researchers discovered similarly dangerous
flaws in at least three earlier versions of Windows.
Microsoft said corporate firewalls commonly block the type of
data connections that hackers outside a company would need for these
attacks. The flaw affects Windows technology used to share data
files across computer networks.
Maiffret said that inside vulnerable corporations, "until they
have this patch installed, it will be Swiss cheese — anybody can
walk in and out of their servers."
Microsoft spent hundreds of millions of dollars on security
improvements for its latest Windows software and included new
technology to defend against a category of hacker attacks known as
"buffer overflows," in which more data is sent to a program than the
memory set aside for it can hold, letting an attacker overwrite
adjacent memory and trick the software into running commands of the
attacker's choosing.
But four Polish researchers, known as the "Last Stage of Delirium
Research Group," said they discovered how to bypass the additional
protections Microsoft added, just three months after the software
went on sale.
The head of Microsoft's security response center, Kevin Kean,
said improving Windows software is an ongoing process. "We continue
to try to make it better and when we find a situation where
techniques we've built into the system are not perfect, we go out
and fix them," Kean said.
Microsoft also acknowledged a separate design flaw affecting only
Windows XP, but it was deemed less serious because hackers would
have to already have broken into a corporate network to attack
victims. The company also released a patch for it.
Although the Polish researchers created a tool to demonstrate the
more serious vulnerability and break into victim computers, they
promised not to release blueprints for such software onto the
Internet.
"We're fully aware of the potential impact," group member Tomasz
Ostwald said in a telephone interview. "We don't plan to publish
this code at the moment. It's too dangerous."
Ostwald said the group, which other experts said was highly
regarded in the security community, expected to disclose additional
details during technical presentations at upcoming security
seminars.
Some experts said they expected hackers to begin using this new
vulnerability to break into computers within months. Even without
detailed blueprints from researchers, hackers typically reverse-engineer
the patches Microsoft provides, comparing the patched and unpatched
program files to locate the code that was changed and so learn how to
exploit a new flaw.
"We could see it in a week or a year or not at all, but I expect
we would see something in a three-month time frame," said Russ
Cooper of Herndon, Va.-based TruSecure Corp.
Internet Security Systems Inc. said the Windows flaw "poses an
enormous threat" and raised its alert level to its second notch,
reflecting "increased vigilance." The Atlanta-based company operates
an early warning network for the technology industry, the
Information Technology Information Sharing and Analysis Center.
The announcement came one day after the Department of Homeland
Security announced that it awarded a five-year, $90-million contract
for Microsoft to supply all its most important desktop and server
software for about 140,000 computers inside the new federal agency.
___
On the Net:
Microsoft Security: www.microsoft.com/security
Polish researchers: http://lsd-pl.net/special.html