[Marxism] Windows flaws

Charles Brown cbrown at michiganlegal.org
Wed Feb 11 07:15:19 MST 2004


Tuesday, February 10, 2004 (AP)
Microsoft warns consumers about major Windows security flaws
TED BRIDIS, AP Technology Writer


(02-10) 11:26 PST WASHINGTON (AP) --
Microsoft Corp. warned customers Tuesday about unusually serious security
problems with its Windows software that could let hackers quietly break
into their computers to steal files, delete data or eavesdrop on sensitive
information.
Microsoft, which learned about the flaws more than six months ago from
researchers, said the only protective solution was to apply a repairing
patch it offered on its Web site. It assessed the threat to computer users
as "critical," its highest rating.
A Microsoft security executive, Stephen Toulouse, said the flawed software
was "an extremely deep and pervasive technology in Windows," and urged
customers to apply the patch immediately.
The disclosure comes just weeks before Microsoft Chairman Bill Gates
delivers a keynote speech in San Francisco at one of the industry's most
important security trade conferences. Microsoft has struggled in recent
months against a tide of renewed criticism about security risks in its
software, the engine for computers in most of the world's governments,
corporations and homes.
"This is one of the most serious Microsoft vulnerabilities ever released,"
said Marc Maiffret of eEye Digital Security Inc. of Aliso Viejo, Calif.,
which discovered the new Windows flaws. "The breadth of systems affected
is probably the largest ever. This is something that will let you get into
Internet servers, internal networks, pretty much any system."
Maiffret said some computer systems that control critically important
power or water utilities were vulnerable.
Maiffret predicted hackers will try to unleash a damaging Internet
infection within weeks. Unlike earlier vulnerabilities that spawned such
attacks, hackers can exploit the newly disclosed flaws to break into
susceptible computers using dozens of methods, making any defense far more
difficult.
"The race will be on," agreed Marcus Sachs, a former White House adviser
on cybersecurity.
Researchers at eEye discovered the problems last July and agreed to keep
quiet about them until Microsoft could fix them. Maiffret complained that
the delay between eEye's discovery and Tuesday's public disclosure by
Microsoft was "just totally unacceptable" because Windows users were
broadly vulnerable during the period.
Toulouse said Microsoft took months because it wanted to ensure that a
single repairing patch solved any related problems. "We really took the
steps to make sure our investigation was as broad and deep as possible,"
he said.
Maiffret and Microsoft said they were unaware anyone had yet attacked
Windows computers using the technique, although eEye had successfully
tested the method to break into its own computers.
Microsoft's disclosure occur just days before a presidential advisory
council submits recommendations to the White House about ways technology
companies should respond to major software vulnerabilities that could
affect national security. The 54-page report, obtained by The Associated
Press, cautions that "long delays in remediation can result in prolonged
risk to end users."
The problems affected a technology in the newest versions of Windows known
as "abstract syntax notation," a way to share data across different
computers. Some of Microsoft's built-in security features -- such as its
Kerberos cryptography system -- rely on the flawed software.
Microsoft urged consumers to apply the repairing patch immediately if they
were using Windows NT, Windows 2000 or Windows XP versions of its
software, or its Windows NT Server, Server 2000 and Server 2003 software
commonly found in corporations.

On the Net:
Microsoft: www.microsoft.com/security
eEye Digital Security: www.eeye.com
U.S. Computer Emergency Response Team: www.us-cert.gov

----------------------------------------------------------------------
Copyright 2004 AP





More information about the Marxism mailing list