Baphomet
Guest
N.Y. Times
Microsoft Warns Software Users of 'Critical' Flaw
February 11, 2004
By JOHN SCHWARTZ
Microsoft announced yesterday that people who use its operating system software must patch their computers yet again, or their PC's will be vulnerable to attacks that could cede control to hackers.

The company called the software flaw a "critical" vulnerability, its highest rating. It is the second major security flaw announced this month by Microsoft, which recently began issuing regularly scheduled security patches for its software. "We urge all of our customers to apply this update," said Stephen Toulouse, a security program manager with Microsoft's security response center.

The flaw, one of three announced yesterday by Microsoft, affects a fundamental building block of network operating systems known as Abstract Syntax Notation One, and helps govern how machines communicate with one another and how they establish secure communications. Microsoft's version of that protocol is flawed, and could be used to gain control of the target machine. The company said there was no evidence that any attacks based on the flaw had occurred.

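As an added illustration of what the "fundamental building block" in the paragraph above actually does, and not part of the article or of Microsoft's code, here is a small bounds-checked decoder for ASN.1 BER tag-length-value records in Python. The article does not describe the mechanism of Microsoft's flaw and this example does not reproduce it; it only shows the kind of length validation a decoder of this format has to perform so that a malformed length field cannot drive reads or writes past the end of a buffer. Everything in it is constructed: the sample byte strings, the 32-bit length limit, the single-byte-tag restriction, the DER minimality policy and the `check` helper are all assumptions made for the example.

```python
"""Bounds-checked decoder for ASN.1 BER tag-length-value (TLV) records.

Added illustration, not from the article and not Microsoft's code.  The
sample byte strings below are constructed, not captured traffic.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_LENGTH_OCTETS = 4   # assumption: refuse length fields wider than 32 bits
MAX_DEPTH = 16          # assumption: cap nesting so recursion stays bounded


class BerError(ValueError):
    """Raised for any encoding the decoder refuses to process."""


@dataclass
class Tlv:
    tag: int
    constructed: bool
    value: bytes
    children: List["Tlv"] = field(default_factory=list)


def _read_length(buf: bytes, pos: int, end: int):
    """Decode a BER length at buf[pos]; return (length, position after it).

    Every read is checked against `end` before it happens, and the decoded
    value is compared with the space that remains rather than added to `pos`,
    so an oversized length can never move the cursor outside the buffer.
    """
    if pos >= end:
        raise BerError("truncated length")
    first = buf[pos]
    pos += 1
    if first < 0x80:                      # short form: one octet
        return first, pos
    n = first & 0x7F                      # long form: n following octets
    if n == 0:
        raise BerError("indefinite length not supported")
    if n > MAX_LENGTH_OCTETS:
        raise BerError(f"length field of {n} octets exceeds limit")
    if n > end - pos:
        raise BerError("truncated long-form length")
    length = int.from_bytes(buf[pos:pos + n], "big")
    # DER minimality (assumed policy): long form only when needed, no leading zero octet
    if length < 0x80 or buf[pos] == 0:
        raise BerError("non-minimal length encoding")
    return length, pos + n


def decode(buf: bytes, pos: int = 0, end: Optional[int] = None, depth: int = 0) -> List[Tlv]:
    """Decode all TLVs in buf[pos:end]; constructed values are decoded recursively."""
    if end is None:
        end = len(buf)
    if depth > MAX_DEPTH:
        raise BerError("nesting too deep")
    items: List[Tlv] = []
    while pos < end:
        tag = buf[pos]
        if tag & 0x1F == 0x1F:            # assumption: high-tag-number form is out of scope
            raise BerError("multi-byte tags unsupported")
        pos += 1
        length, pos = _read_length(buf, pos, end)
        if length > end - pos:            # the check a careless decoder omits
            raise BerError("value length exceeds remaining buffer")
        value = buf[pos:pos + length]
        constructed = bool(tag & 0x20)
        children = decode(buf, pos, pos + length, depth + 1) if constructed else []
        items.append(Tlv(tag, constructed, value, children))
        pos += length
    return items


# Constructed samples: one well-formed SEQUENCE and three malformed length fields.
SAMPLES = {
    "good":        bytes.fromhex("30 06 02 01 05 04 01 41"),  # SEQUENCE { INTEGER 5, OCTET STRING "A" }
    "huge_length": bytes.fromhex("04 84 ff ff ff ff 41"),     # claims 4 GiB, one byte present
    "truncated":   bytes.fromhex("04 82 01"),                 # long-form length cut off
    "indefinite":  bytes.fromhex("30 80 00 00"),              # indefinite-length form
}


def check(buf: bytes) -> str:
    """Return 'ok' if buf decodes, otherwise 'rejected: <reason>'."""
    try:
        decode(buf)
        return "ok"
    except BerError as exc:
        return f"rejected: {exc}"


if __name__ == "__main__":
    for name, sample in SAMPLES.items():
        print(f"{name:12s} {sample.hex():20s} {check(sample)}")
```

The decisive line is `if length > end - pos`: the comparison is made against the bytes that remain rather than by computing `pos + length`, which in a C decoder with fixed-width integers is where an attacker-chosen length can wrap around and defeat the check. The same discipline applies to the length field's own octets and to nesting depth, which is why all three are bounded before any slice is taken.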
Russ Cooper, a security expert with TruSecure Corporation, said that the latest vulnerability was especially insidious because it could allow attacks on the equivalent of the computer's immune system. "It's like AIDS," he said. "This is the stuff that's supposed to protect us."

For now, Mr. Cooper said, computer users are probably safe because the flaw "is not exactly a simple one" to take advantage of, and no attack that would exploit the flaw had appeared on the hacker sites where such code is freely circulated. But once such an attack method is created, he said he expected to see a malicious program that could circulate via e-mail messaging and which would have as profound an effect on computer networks as the widespread "Blaster" worm of last year.

A security company, eEye Digital Security, reported the problem to Microsoft last July. Because the flaw is common to so many operating systems and applications, "this is one of the biggest ones ever," said Marc Maiffret, an executive at eEye whose title is chief hacking officer.

Mr. Maiffret said that he was surprised that it took Microsoft so long to issue a patch. "All the reason Microsoft gave us was 'extra testing,' but it doesn't take that long to test something this simple," he said.

Mr. Toulouse of Microsoft disagreed, saying "We don't just produce a fix, we produce a comprehensive fix." A quick response that does not work for every user, or which introduces new vulnerabilities, "would almost be worse than no fix at all," he said.

Microsoft urged users of virtually all of its current operating systems - Windows NT, Windows 2000 or Windows XP versions of its software, as well as Windows NT Server, Server 2000 and Server 2003 - to go to windowsupdate.microsoft.com to download the patch.