Skip to main content
CNN EditionTechnology
The Web    CNN.com     
Powered by
 
Home Page
 
World
 
U.S.
 
Weather
 
Business at CNN/Money
 
Sports at SI.com
 
Politics
 
Law
 
Technology
 
Science & Space
 
Health
 
Entertainment
 
Travel
 
Education
 
Special Reports
SERVICES
 
Video
 
E-mail Newsletters
 
CNNtoGO
SEARCH
Web CNN.com
powered by Yahoo!

Microsoft admits another critical flaw

Story Tools

WASHINGTON (AP) -- Microsoft acknowledged a critical vulnerability Wednesday in nearly all versions of its flagship Windows operating system software, the first such design flaw to affect its latest Windows Server 2003 software.

Microsoft said the vulnerability could allow hackers to seize control of a victim's Windows computer over the Internet, stealing data, deleting files or eavesdropping on e-mails. The company urged customers to immediately apply a free software repairing patch available from Microsoft's Web site.

Truly trustworthy?

The disclosure was unusually embarrassing for Microsoft because it demonstrated the first such serious flaw in the company's powerful new computer server software, billed as its safest ever.

The software is aimed at large corporate customers and was the first product sold under a high-profile "Trustworthy Computing" initiative organized last year by Microsoft founder Bill Gates.

At the product's launch in late April, Microsoft Chief Executive Steve Ballmer declared the new version of Windows to be a "breakthrough in terms of what it means, in terms of its built-in security and reliability."

Found in Poland

The flaw, discovered by researchers in western Poland, also affected Windows versions popular among home users.

"This is one of the worst Windows vulnerabilities ever," said Marc Maiffret, an executive at eEye Digital Security Inc. of Aliso Viejo, California, whose researchers discovered similarly dangerous flaws in at least three earlier versions of Windows.

Microsoft said corporate firewalls commonly block the type of data connections that hackers outside a company would need for these attacks. The flaw affects Windows technology used to share data files across computer networks.

Maiffret said that inside vulnerable corporations, "until they have this patch installed, it will be Swiss cheese -- anybody can walk in and out of their servers."

Spending millions

Microsoft spent hundreds of millions of dollars on security improvements for its latest Windows software and included new technology to defend against a category of hacker attacks known as "buffer overflows," which can trick software into accepting dangerous commands.

But four Polish researchers, known as the "Last Stage of Delirium Research Group," said they discovered how to bypass the additional protections Microsoft added, just three months after the software went on sale.

The head of Microsoft's security response center, Kevin Kean, said improving Windows software is an ongoing process. "We continue to try to make it better and when we find a situation where techniques we've built into the system are not perfect, we go out and fix them," Kean said.

Released patch for XP

Microsoft also acknowledged a separate design flaw affecting only Windows XP, but it was deemed less serious because hackers would have to already have broken into a corporate network to attack victims. The company also released a patch for it.

Although the Polish researchers created a tool to demonstrate the more serious vulnerability and break into victim computers, they promised not to release blueprints for such software onto the Internet.

"We're fully aware of the potential impact," group member Tomasz Ostwald said in a telephone interview. "We don't plan to publish this code at the moment. It's too dangerous."

Ostwald said the group, which other experts said was highly regarded in the security community, expected to disclose additional details during technical presentations at upcoming security seminars.

Poses 'enormous threat'

Some experts said they expected hackers to begin using this new vulnerability to break into computers within months. Even without detailed blueprints from researchers, hackers typically break apart the patches Microsoft provides for clues about how to exploit a new flaw.

"We could see it in a week or a year or not at all, but I expect we would see something in a three-month time frame," said Russ Cooper of Herndon, Virginia,-based TruSecure Corp.

Internet Security Systems Inc. said the Windows flaw "poses an enormous threat" and raised its alert level to its second notch, reflecting "increased vigilance." The Atlanta-based company operates an early warning network for the technology industry, the Information Technology Information Sharing and Analysis Center.

The announcement came one day after the Department of Homeland Security announced that it awarded a five-year, $90-million contract for Microsoft to supply all its most important desktop and server software for about 140,000 computers inside the new federal agency.


Copyright 2003 The Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.

Story Tools
Subscribe to Time for $1.99 cover
Top Stories
Burgers, lattes and CD burners
• CNN/Money: Britney Spears No. 1 name used by hackers
• CNN/Money: Atari's future in question
• CNN/Money: Report: Cingular opposes calls on planes
Top Stories
CNN/Money: Security alert issued for 40 million credit cards
• Bin Laden deputy sends message
• U.S. House votes to keep U.N. dues
• Iran poll to go to run-off
 
 
 
 

International Edition
CNN TV CNN International Headline News Transcripts Advertise With Us About Us
SEARCH
   The Web    CNN.com     
Powered by
© 2005 Cable News Network LP, LLLP.
A Time Warner Company. All Rights Reserved.
Terms under which this service is provided to you.
Read our privacy guidelines. Contact us.
external link
All external sites will open in a new browser.
CNN.com does not endorse external sites.
Premium content icon Denotes premium content.
Add RSS headlines.