Interesting People mailing list archives

There goes the Homeland....


From: Dave Farber <dave () farber net>
Date: Thu, 17 Jul 2003 08:46:01 -0400


------ Forwarded Message
From: "Mike O'Dell" <mo () ccr org>
Date: Thu, 17 Jul 2003 08:32:10 -0400
To: dave () farber net
Subject: There goes the Homeland....

http://www.securityfocus.com/news/6397

Microsoft admits critical flaw in nearly all Windows software

By Ted Bridis, The Associated Press, Jul 16 2003 1:25PM

Microsoft Corp. acknowledged a critical vulnerability Wednesday in nearly
all versions of its flagship Windows operating system software, the first
such design flaw to affect its latest Windows Server 2003 software.

Microsoft said the vulnerability could allow hackers to seize control of a
victim's Windows computer over the Internet, stealing data, deleting files
or eavesdropping on e-mails. The company urged customers to immediately
apply a free software repairing patch available from Microsoft's Web site.

The disclosure was unusually embarrassing for Microsoft because it
demonstrated the first such serious flaw in the company's powerful new
computer server software, billed as its safest ever.

The software is aimed at large corporate customers and was the first product
sold under a high-profile "Trustworthy Computing" initiative organized last
year by Microsoft founder Bill Gates.

At the product's launch in late April, Microsoft Chief Executive Steve
Ballmer declared the new version of Windows to be a "breakthrough in terms
of what it means, in terms of its built-in security and reliability."

The flaw, discovered by researchers in western Poland, also affected Windows
versions popular among home users.

"This is one of the worst Windows vulnerabilities ever," said Marc Maiffret,
an executive at eEye Digital Security Inc. of Aliso Viejo, Calif., whose
researchers discovered similarly dangerous flaws in at least three earlier
versions of Windows.

Microsoft said corporate firewalls commonly block the type of data
connections that hackers outside a company would need for these attacks. The
flaw affects Windows technology used to share data files across computer
networks.

Maiffret said that inside vulnerable corporations, "until they have this
patch installed, it will be Swiss cheese -- anybody can walk in and out of
their servers."

Microsoft spent hundreds of millions of dollars on security improvements for
its latest Windows software and included new technology to defend against a
category of hacker attacks known as "buffer overflows," which can trick
software into accepting dangerous commands.

But four Polish researchers, known as the "Last Stage of Delirium Research
Group," said they discovered how to bypass the additional protections
Microsoft added, just three months after the software went on sale.

The head of Microsoft's security response center, Kevin Kean, said improving
Windows software is an ongoing process. "We continue to try to make it
better and when we find a situation where techniques we've built into the
system are not perfect, we go out and fix them," Kean said.

Microsoft also acknowledged a separate design flaw affecting only Windows
XP, but it was deemed less serious because hackers would have to already
have broken into a corporate network to attack victims. The company also
released a patch for it.

Although the Polish researchers created a tool to demonstrate the more
serious vulnerability and break into victim computers, they promised not to
release blueprints for such software onto the Internet.

"We're fully aware of the potential impact," group member Tomasz Ostwald
said in a telephone interview. "We don't plan to publish this code at the
moment. It's too dangerous."

Ostwald said the group, which other experts said was highly regarded in the
security community, expected to disclose additional details during technical
presentations at upcoming security seminars.

Some experts said they expected hackers to begin using this new
vulnerability to break into computers within months. Even without detailed
blueprints from researchers, hackers typically break apart the patches
Microsoft provides for clues about how to exploit a new flaw.

"We could see it in a week or a year or not at all, but I expect we would
see something in a three-month time frame," said Russ Cooper of Herndon,
Va.-based TruSecure Corp.

Internet Security Systems Inc. said the Windows flaw "poses an enormous
threat" and raised its alert level to its second notch, reflecting
"increased vigilance." The Atlanta-based company operates an early warning
network for the technology industry, the Information Technology Information
Sharing and Analysis Center.

The announcement came one day after the Department of Homeland Security
announced that it awarded a five-year, $90-million contract for Microsoft to
supply all its most important desktop and server software for about 140,000
computers inside the new federal agency.

