11 February 2004

A security hole found in all recent versions of Microsoft’s Windows operating system could leave users vulnerable to hacking or virus attacks worse than the Code Red or Blaster worms, security experts have warned.
Microsoft has described the flaw as ‘critical’, its most severe rating. It released a patch for the flaw with its monthly security bulletin.
But the Redmond, Seattle-based software giant has been criticised for the length of time that it has taken to issue the fix. According to security services supplier eEye Digital Security, Microsoft was informed of the flaw more than six months ago. Companies normally take about three months to fix such problems before announcing them to the public.
“We contacted Microsoft about these vulnerabilities 200 days ago, which is insane,” said Marc Maiffret, co-founder of eEye. “Even the most secure Windows networks are going to be vulnerable to this flaw, which is very unique.”
The flaw is particularly significant because of the protocol it affects and the massive number of computers involved. If a hacker were to execute a simple buffer overflow attack, he or she could take control of the computer or steal data, for example by surreptitiously installing a keystroke logger or a Trojan horse application.
“This is broader than any vulnerability that’s been identified before,” said Sal Viveros, a security specialist with McAfee Security. “Typically flaws are specific to an individual version of an individual operating system, but this affects everything since Windows 98. Code Red just used a hole in a specific version of Windows 2000 Server and we all know how far that went.”
The problem resides in the basic networking protocol called Abstract Syntax Notation One (ASN.1). This helps govern how machines communicate with one another and how they establish a secure communication.
It affects computers using Windows versions NT, 2000 and XP, Windows NT Server, Server 2000 and Server 2003 — “the largest breadth of systems affected I can remember,” said Viveros.
Viveros warned that hackers will be quick to take advantage of Microsoft’s specification of the flaw and of users’ tendency to be slow to install patches, and recommended that users ensure antivirus software and firewalls are installed.
But he admitted the only sure way to prevent a virus or hacker gaining access to the computer was to install Microsoft’s patch.
Only a week ago, Microsoft released another patch to fix a critical flaw in its Internet Explorer web browser.
All patches can be downloaded from www.microsoft.com/security