Post by Salem6 on Feb 11, 2004 19:28:44 GMT
Microsoft has warned that a "critical" flaw in the latest versions of its Windows operating system could leave computers vulnerable to hackers.
The flaw affects systems running Windows NT, Windows 2000, Windows XP or Windows Server 2003 software.
Microsoft has admitted to "critical" security flaws
It has urged all home users and firms to download a software repairing patch free from its website to fix it.
The flaw was found by a net security firm in July 2003. Microsoft announced it in its monthly security bulletin.
'Extremely deep problem'
Experts have warned that if home users and companies with these operating systems do not download the fix, hackers could, in theory, break into computers and take files, delete or steal valuable data, or snoop on what that user is doing.
It could also leave systems open to worm and virus threats.
"It does affect all [current] versions of Windows," said Stephen Toulouse, security program manager for Microsoft's Security Response Center.
He added the problem was "an extremely deep and pervasive technology in Windows" which affects the language standard that computers use to communicate with each other.
Marc Maiffret of US company eEye Digital Security, who informed Microsoft of the vulnerability over six months ago, has criticised Microsoft for taking so long to come up with a patch to fix it.
"This is one of the most serious Microsoft vulnerabilities ever released," said Mr Maiffret.
"The breadth of systems affected is probably the largest ever." He added that, unusually, even the most secure Windows networks would be vulnerable.
But Sal Viveros, security expert with McAfee Security, told BBC News Online this delay was standard practice within the industry.
"Typically if someone identifies a flaw, they give the vendor a certain amount of time to fix it. If people don't know about it, virus writers are less likely to write something to take advantage of it."
If Microsoft had announced the flaw without having a fix for it, the potential damage would have been much much worse, he added.
Steven Philippsohn, who chairs a government fraud and cybercrime panel, said the delay could be a headache for Microsoft.
"I have no doubt that if manufacturers in cases like this know about a flaw in their system and don't inform at earliest opportunity possible, they could be liable for losses," Mr Philippsohn told BBC News Online.
"It has been made more serious by the fact Microsoft have accepted that they were told about the flaw months ago.
"If a company can prove they suffered losses because of this, they have a good chance of making a claim," he said.
Microsoft said it took months because it wanted to ensure a single patch solved any related problems.
Open to worms
According to security experts, many home users are not aware they should fix flaws and download patches when they are identified.
This leaves computers vulnerable to attack from malicious software. Historically, Mr Viveros said, net security firms have seen an increase in mass-mailing worm and virus attacks which try to take advantage of unpatched systems after flaws are discovered.
"There is no evidence that the recent worms [Mydoom and its variants] took advantage of this flaw," he said.
"But historically, what we have seen is that computer users do not patch their systems, which is why we continue to see such worm attacks."
He urged computer users to download the patch and to make sure they keep anti-virus software and firewalls up-to-date.