Microsoft Warns: Critical Flaw in Windows


Post by Lorenzo »

Technology - Reuters

SEATTLE/SAN FRANCISCO (Reuters) - Microsoft Corp. (Nasdaq:MSFT) said on Tuesday a "critical" flaw in most versions of its flagship Windows operating system could allow hackers to break into personal computers and snoop on sensitive data.

Although no computers were reported to have been compromised, the world's largest software maker warned that Windows NT, Windows 2000, Windows XP and Windows Server 2003 were at risk. Microsoft announced the flaw in its monthly security bulletin.

The company offered software updates to fix the software flaw, which it assigned its most severe rating of "critical."

"It does affect all (current) versions of Windows," said Stephen Toulouse, security program manager for Microsoft's Security Response Center. "We're not aware of anyone affected by this at this time."

Marc Maiffret, co-founder of eEye Digital Security, the company that discovered the flaw, criticized Microsoft for taking more than six months to come up with a patch to fix the problem.

The flaw could allow a hacker to break into a computer running Microsoft's Windows operating system in several ways and then use the compromised machine to run malicious programs and steal or delete key data, Maiffret and other experts said.

Last year Microsoft adopted a new monthly patch release program, which it said would let customers more easily apply software fixes for security bugs.

"We contacted Microsoft about these vulnerabilities 200 days ago, which is insane," he said. "Even the most secure Windows networks are going to be vulnerable to this flaw, which is very unique."

Microsoft's Toulouse said the company needed time to make sure it got the fix right, especially given how pervasive the vulnerability is in the software.

"We wanted to make absolutely sure we were doing as broad an investigation as possible," he said.

Windows users can download the patch for the vulnerability from http://www.microsoft.com/security/


WINDOWS UPDATE


"The obvious steps to take are to run Windows Update and install the patches to fix the vulnerabilities as soon as possible," said Craig Schmugar, a virus research manager at Network Associates Inc.'s (NYSE:NET) McAfee anti-virus unit.

The latest fixes for Microsoft's software are unrelated to the recent virus attacks called MyDoom and its variants, Schmugar said.

Microsoft also released a critical update a week ago, ahead of Tuesday's scheduled release, to fix a patch in its Explorer Web browser that could make PCs vulnerable to attackers.

In addition, Microsoft announced a mid-grade security warning for the latest version of its server products for networked computers.

Two years ago, the Redmond, Washington-based company pledged to make its software products more secure and reliable under an initiative, dubbed "Trustworthy Computing" by Chairman Bill Gates.

But computers running the company's software have been hit by several high-profile attacks since, such as the SQL Slammer, Nimda and SoBig attacks.

On Monday, a new worm called "Doomjuice," an offshoot of the MyDoom worm, emerged, which used personal computers compromised by the original MyDoom worm to attack and attempt to hobble parts of Microsoft's Web site, according to security experts.

The MyDoom worm, as well as its variant MyDoom.B, were designed to entice e-mail recipients to click open an attachment, which then installed malicious software on a personal computer. The worms instructed infected PCs to flood the Web sites of the SCO Group Inc. (Nasdaq:SCOX) and Microsoft in an effort to shut them down.

Post by fiddling_tenor »

And MS wonders why there are actually people who DON'T use their software! :roll:

I love my Mac!
"Put": the act of placing something in a specific spot.
"Putt": the vain attempt to do the same thing.

Post by Dana »

Me too! :D :P :lol:

Post by IDAwHOa »

OK, so this is NEWS? More like ancient history?

Considering the size and complexity of the program though, it does not surprise me that there are issues like this that crop up.
Steven - IDAwHOa - Wood Rocks

"If you keep asking questions.... You keep getting answers." - Miss Frizzle - The Magic School Bus

Post by peeplj »

No matter what operating system you are using, these days it's a really good idea to have at least a software firewall installed.

That said, Linux is a much more "hardened" platform than Windows will ever likely be. That's primarily because when a vulnerability is found in Linux, it gets fixed within a few hours (or even minutes) of its discovery. Microsoft cannot match this speed, and without having a few million programmers to work on it like Linux has, never will be able to.

--James

Post by The Weekenders »

Well, my impression has always been that Bill has so many more user-enemies that his system is the target of choice. I guess if more people used and hated Macs, then we would have the problem.

Even if we are NEVER supposed to hate our beloved Macs. (Yes, I have issues with recent developments and historic behavior by Apple.)
How do you prepare for the end of the world?

Post by Chuck_Clark »

Windows is by definition a critical flaw.

It's also like the republicrats. We may not LIKE relying on them, but unless you want to be a crackpot adhering to a third party that is in effect an organizational eunuch, you're sorta stuck.

Macs and Linux are nice ideas that are the computational equivalents of the Greens and Libertarians. They sound good, but aren't a viable alternative for most of us.

Post by OutOfBreath »

Linux, Unix, VAX/VMS, Mac OS X all have the potential for the same kind of viruses and worms that clobber Windows -- none of them have a high enough market share to draw the interest of the sad little attention-starved dweebs that write viruses and worms. Yes, Windows has a little more vulnerability due to the scriptable integration of MS Office products and the like (i.e. it has capabilities none of the others have, and the very presence of those capabilities is somewhat of a security challenge) but the biggest threat to Windows is simply the attractiveness of its market share.

Don't get the idea that I like Windows or MS, quite the opposite is true; but if you're going to bash something, do so on its true faults, like its incredible inefficiency and its "the user is stupid so change what he typed to what he should have typed" philosophy rather than on its strengths, such as deep product integration, that by their nature tend to be exploitable by the useless dregs of society.
John
-------
The Internet is wonderful. Surely there have always been thousands of people deeply concerned about my sex life and the quality of my septic tank but before the Internet I never heard from any of them.

Post by peeplj »

There's no way to hide a process in Linux.

A worm or virus process would be visible with a simple ps command.

It sounds good to say Linux / Unix doesn't have viruses because they don't have enough market share, but it's not true.

They don't have many viruses because they are more secure and because there is no facility to hide a running process.

--James

Post by ciberspiff »

Let's think about this for a second...

If you count the total number of people who use Linux or Mac on a regular basis you come up with (being generous counting downloads and sales) around 10 million. If you count the total number of users who use Windows on a regular basis the number is around 250 million based on licenses sold. Does the name "Custer" mean anything to you? :lol:

It's not a religion and it's not politics. It's a tool. Get over it already. Use whatever you prefer, but give others the same right.

Post by ciberspiff »

peeplj wrote: "There's no way to hide a process in Linux.

"A worm or virus process would be visible with a simple ps command.

"It sounds good to say Linux / Unix doesn't have viruses because they don't have enough market share, but it's not true.

"They don't have many viruses because they are more secure and because there is no facility to hide a running process."

Actually, you're wrong. There are very simple ways to hide processes on any UNIX system that have been used for decades by hackers. Is it more secure than MacOS or Winders, absolutely. Is it absolutely secure, not only no but heck no.

Post by fancypiper »

IIRC the viruses that may infect Linux systems are in the teens, but current releases aren't vulnerable.

Some facts for the ignorant:

# Linux and virus
The Virus Writing HOWTO reference: Should I get anti-virus software for my Linux box?

# Basic Linux security
Linux Questions Security references
Security Help Files
Linux Administrator's Security Guide
Security Focus
Linux Security
Firewalls and Security

Post by fancypiper »

ciberspiff wrote: "Actually, you're wrong. There are very simple ways to hide processes on any UNIX system that have been used for decades by hackers."

Have you any references to post about hiding processes in Linux?

Post by Kuranes »

fancypiper wrote:
ciberspiff wrote: "Actually, you're wrong. There are very simple ways to hide processes on any UNIX system that have been used for decades by hackers."
"Have you any references to post about hiding processes in Linux?"

Well, let's see:

Trojan top, ps, etc so that they don't show the processes that you're trying to hide.

Name the process something easily ignored like kjournald so that you won't notice it.

etc.
For when as children we listen and dream, we think but half-formed thoughts; and when as men we try to remember, we are dulled and prosaic with the poison of life.

Post by ciberspiff »

fancypiper wrote: "Have you any references to post about hiding processes in Linux?"

None that I can share (I did computer security for a living and giving out things like that is a no-no) but here's the way it works. When a process manages to gain root access or ring0 capabilities (by stack overwrite, flawed system call, etc), it forks and zeros out the process name and PPID field in the PCB. Then, when a ps(1) command is done it skips those processes with a zero-length name. Makes 'em virtually untraceable.

Another trick is to create threads then zero the link to the parent process. Again, if you have gained root access you can pretty much do what you want to the PCB :)
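
A defender's cross-check for the two hiding approaches Kuranes lists above (a trojaned ps, and a process named after a kernel thread such as kjournald), added here as an example and not posted by anyone in the thread. It assumes a Linux /proc with per-process `comm` and `exe` entries; the sample ps output, the sample /proc view and the list of kernel-thread name prefixes are constructed for illustration.

```python
import os
import re

# Assumed list of kernel-thread name prefixes; extend for your kernel.
KTHREAD_LIKE = re.compile(r"^(kjournald|kthreadd|kworker|ksoftirqd|kswapd)")

def parse_ps(text):
    """PIDs listed in the output of `ps -eo pid,comm` (header line skipped)."""
    return {int(l.split()[0]) for l in text.splitlines()[1:] if l.strip()}

def read_proc(root="/proc"):
    """Second view, built straight from /proc: pid -> (comm, has_exe)."""
    view = {}
    for d in filter(str.isdigit, os.listdir(root)):
        try:
            with open(f"{root}/{d}/comm") as f:
                comm = f.read().strip()
        except OSError:
            continue  # process exited while we were scanning
        try:
            os.readlink(f"{root}/{d}/exe")
            has_exe = True
        except OSError:
            has_exe = False  # real kernel thread, or no permission to look
        view[int(d)] = (comm, has_exe)
    return view

def cross_view(ps_pids, proc_view):
    """Report PIDs that ps omits and kernel-thread names backed by a binary."""
    findings = []
    for pid, (comm, has_exe) in sorted(proc_view.items()):
        if pid not in ps_pids:
            findings.append((pid, "in /proc but missing from ps output"))
        if KTHREAD_LIKE.match(comm) and has_exe:
            findings.append((pid, f"'{comm}' is named like a kernel thread but has an executable"))
    return findings

# Constructed sample: what a tampered ps printed vs. what /proc held.
SAMPLE_PS = """  PID COMMAND
    1 init
    2 kthreadd
   57 kjournald
  812 sshd
 4410 kjournald
"""
SAMPLE_PROC = {1: ("init", True), 2: ("kthreadd", False), 57: ("kjournald", False),
               812: ("sshd", True), 4410: ("kjournald", True), 4977: ("httpd", True)}

def demo():
    return cross_view(parse_ps(SAMPLE_PS), SAMPLE_PROC)

if __name__ == "__main__":
    for pid, why in demo():
        print(pid, why)
```

On a live host, feed `parse_ps` the captured output of `ps -eo pid,comm` and compare it with `read_proc()` run as root; a process that starts between the two snapshots shows up as a false positive. Tampering at kernel level that also filters /proc is outside what this comparison can see.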