Home » Topics » Cybersecurity » Windows security flaw ‘worst ever’

Windows security flaw ‘worst ever’

Avatar photoby Ben Rossi

11 February 2004 A security hole found in all recent versions of Microsoft’s Windows operating system could leave users vulnerable to hacking or virus attacks worse than the Code Red or Blaster worms, security experts have warned.

Microsoft has described the flaw as ‘critical’, its most severe rating. It released a patch for the flaw with its monthly security bulletin.

But the Redmond, Seattle-based software giant has been criticised for the length of time that it has taken to issue the fix. According to security services supplier eEye Digital Security, Microsoft was informed of the flaw more than six months ago. Companies normally take about three months to fix such problems before announcing them to the public.

“We contacted Microsoft about these vulnerabilities 200 days ago, which is insane,” said Marc Maiffret, co-founder of eEye. “Even the most secure Windows networks are going to be vulnerable to this flaw, which is very unique.”

The flaw is particularly significant due to the protocol it affects and the massive number of computers that it affects. If a hacker were to execute a simple buffer overflow attack, he or she could take control of the computer or steal data, for example, by surreptitiously installing a keystroke logger or a Trojan horse application.

“This is broader than any vulnerability that’s been identified before,” said Sal Viveros, a security specialist with McAfee Security. “Typically flaws are specific to an individual version of an individual operating system, but this affects everything since Windows 98. Code Red just used a hole in a specific version of Windows 2000 Server and we all know how far that went.”

The problem resides in the basic networking protocol called Abstract Syntax Notation One (ASN.1). This helps govern how machines communicate with one another and how they establish a secure communication.

It affects computers using Windows versions NT, 2000 and XP, Windows NT Server, Server 2000 and Server 2003 — “the largest breadth of systems affected I can remember,” said Viveros.

Viveros warned that hackers will be quick to take advantage of Microsoft’s specification of the flaw and users’ tendency to be slow to install patches and recommended users ensure antivirus software and firewalls are installed.

But he admitted the only sure way to prevent a virus or hacker gaining access to the computer was to install Microsoft’s patch.

Only a week ago, Microsoft released another patch to fix a critical flaw in its Internet Explorer web browser.

All patches can be downloaded from www.microsoft.com/security

Avatar photo

Ben Rossi

Ben was Vitesse Media's editorial director, leading content creation and editorial strategy across all Vitesse products, including its market-leading B2B and consumer magazines, websites, research and...

Related Topics

Related Stories

Cybersecurity

How AI will shift the security landscape in 2024

The impact of AI within cybersecurity is expected to grow significantly this year, says Alex Holland, senior malware analyst at HP

AI & Machine Learning

NCSC releases guidelines for secure AI development

New guidance from the National Cyber Security Centre (NCSC) aims to help businesses securely innovate with AI and minimise risks

Cybersecurity

3 cybersecurity compliance challenges and how to address them

Earning those trust seals can strengthen relationships with board members and prospective customers, but it sure isn’t easy.

Cybersecurity

70% of UK firms reported cyber insurance changes in past year

According to research from Databarracks, seven in 10 UK businesses have seen changes to their cyber insurance in the past 12 months, as requirements rise