07/17 - Microsoft admits critical flaw in Windows software - East Valley Tribune: Business

07/17 - Microsoft admits critical flaw in Windows software

Print
Font Size:
Default font size
Larger font size

Posted: Thursday, July 17, 2003 6:28 am | Updated: 1:04 pm, Thu Oct 6, 2011.

WASHINGTON - Microsoft Corp. acknowledged a critical vulnerability Wednesday in nearly all versions of its flagship Windows operating system software, the first such design flaw to affect its latest Windows Server 2003 software.

Microsoft said the vulnerability could allow hackers to seize control of a victim’s Windows computer over the Internet, stealing data, deleting files or eavesdropping on e-mails. The company urged customers to immediately apply a free software repairing patch available from Microsoft’s Web site.

The disclosure was unusually embarrassing for Microsoft because it demonstrated the first such serious flaw in the company’s powerful new computer server software, billed as its safest ever.

The software is aimed at large corporate customers and was the first product sold under a high-profile ‘‘Trustworthy Computing’’ initiative organized last year by Microsoft founder Bill Gates.

At the product’s launch in late April, Microsoft Chief Executive Steve Ballmer declared the new version of Wi ndows to be a ‘‘breakthrough in terms of what it means, in terms of its built-in security and reliability.’’

The flaw, discovered by researchers in western Poland, also affected Windows ve rs ions popular among home users.

‘‘This is one of the worst Windows vulnerabilities ever,’’ said Marc Maiffret, an executive at eEye Digital Security Inc. of Aliso Viejo, Calif., whose researchers discovered similarly dangerous flaws in at least three earlier versions of Windows.

Microsoft said corporate firewalls commonly block the type of data connections that hackers outside a company would need for these attacks. The flaw affects Windows technology used to share data files across computer networks.

Maiffret said that inside vulnerable corporations, ‘‘until they have this patch installed, it will be Swiss cheese — anybody can walk in and out of their servers.’’

Microsoft spent hundreds of millions of dollars on security improvements for its latest Windows software and included new technology to defend against a category of hacker attacks known as ‘‘buffer overflows,’’ which can trick software into accepting dangerous commands.

But four Polish researchers, known as the ‘‘Last Stage of Delirium Research Group,’’ said they discovered how to bypass the additional protections Microsoft added, just three months after the software went on sale.

The head of Microsoft’s security response center, Kevin Kean, said improving Windows software is an ongoing process. ‘‘We continue to try to make it better and when we find a situation where techniques we’ve built into the system are not perfect, we go out and fix them,’’ Kean said.

Microsoft also acknowledged a separate design flaw affecting only Windows XP, but it was deemed less serious because hackers would have to already have broken into a corporate network to attack victims. The company also released a patch for it.

Although the Polish researchers created a tool to demonstrate the more serious vulnerability and break into victim computers, they promised not to release blueprints for such software onto the Internet.

‘‘We’re fully aware of the potential impact,’’ group member Tomasz Ostwald said in a telephone interview. ‘‘We don’t plan to publish this code at the moment. It’s too dangerous.’’

  • Discuss

Attorney General Forum - Question 1

Attorney General candidates Republican Mark Brnovich and Democrat Felecia Rotellini debate at ...

'EV Women in Business'

A PDF of the Tribune special section, featuring a mix of sponsored content from our loyal advertisers and newsroom coverage of the East Valley business community.

Your Az Jobs