N.Y. Times
Microsoft Warns Software Users of 'Critical' Flaw
February 11, 2004 By JOHN SCHWARTZ
Microsoft announced yesterday that people who use its Windows operating systems must patch their computers yet again, or their PCs will be vulnerable to attacks that could cede control of the machine to remote attackers.
The company called the software flaw a "critical" vulnerability, its highest rating. It is the second major security flaw announced this month by Microsoft, which recently began issuing regularly scheduled security patches for its software. "We urge all of our customers to apply this update," said Stephen Toulouse, a security program manager with Microsoft's security response center.
The flaw, one of three announced yesterday by Microsoft, lies in the company's implementation of Abstract Syntax Notation One, or ASN.1, a standard for describing and encoding the structured data that networked machines exchange. ASN.1-encoded messages are used by, among other things, the protocols Windows relies on to authenticate users and to set up encrypted connections, so the decoding library is exposed to data arriving from the network. A specially crafted message could exploit the flaw in Microsoft's decoder to gain control of the target machine. The company said there was no evidence that any attacks based on the flaw had occurred.
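The article does not describe the internals of Microsoft's defect, and the example below does not reproduce it. It is an added illustration, not Microsoft's code, of the general hazard in any ASN.1 (BER/DER) decoder: every element carries an attacker-supplied length field, and a decoder that trusts that field can be driven into wrong size arithmetic before a single byte of content is examined. The function names (`ber_length_naive`, `ber_length_checked`), the status enum and the sample byte arrays are all constructed here for the demonstration; nothing in them is captured traffic.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

/* Status codes for the checked decoder (constructed for this example). */
typedef enum {
    BER_OK = 0,
    BER_ERR_TRUNCATED,   /* ran out of input while reading the length field */
    BER_ERR_INDEFINITE,  /* 0x80: indefinite form, not permitted in DER */
    BER_ERR_RESERVED,    /* 0xFF: reserved first octet per X.690 */
    BER_ERR_TOO_LONG,    /* more length octets than we are willing to decode */
    BER_ERR_NONMINIMAL,  /* DER requires the shortest encoding of the length */
    BER_ERR_OVERRUN      /* declared length exceeds the bytes actually present */
} ber_status;

/* Naive decoder: trusts the octet count in a long-form length and
 * accumulates it into a fixed-width integer.  With five or more length
 * octets the accumulator wraps, so a huge declared length comes back as a
 * small one and any downstream allocation or copy sized from it is wrong.
 * Returns the number of bytes consumed, or -1 on truncation. */
static int ber_length_naive(const uint8_t *buf, size_t buflen, uint32_t *len)
{
    if (buflen < 1) return -1;
    uint8_t first = buf[0];
    if (first < 0x80) { *len = first; return 1; }      /* short form */
    size_t n = first & 0x7f;                           /* long form: n octets follow */
    if (n + 1 > buflen) return -1;
    uint32_t l = 0;
    for (size_t i = 0; i < n; i++)
        l = (l << 8) | buf[1 + i];                     /* silently wraps for n > 4 */
    *len = l;
    return (int)(1 + n);
}

/* Checked decoder: bounds every read against the buffer, caps the number of
 * length octets, rejects encodings DER forbids, and refuses any length that
 * claims more content than the message actually carries. */
static ber_status ber_length_checked(const uint8_t *buf, size_t buflen,
                                     size_t *len, size_t *consumed)
{
    if (buflen < 1) return BER_ERR_TRUNCATED;
    uint8_t first = buf[0];
    if (first < 0x80) {                                /* short form */
        *len = first; *consumed = 1;
        return (*len > buflen - 1) ? BER_ERR_OVERRUN : BER_OK;
    }
    if (first == 0x80) return BER_ERR_INDEFINITE;
    if (first == 0xFF) return BER_ERR_RESERVED;
    size_t n = first & 0x7f;
    if (n > 4) return BER_ERR_TOO_LONG;                /* > 4 GiB is never legitimate here */
    if (n + 1 > buflen) return BER_ERR_TRUNCATED;
    if (buf[1] == 0) return BER_ERR_NONMINIMAL;        /* leading zero length octet */
    if (n == 1 && buf[1] < 0x80) return BER_ERR_NONMINIMAL; /* should have used short form */
    size_t l = 0;
    for (size_t i = 0; i < n; i++)
        l = (l << 8) | buf[1 + i];                     /* at most 32 bits: cannot wrap */
    *len = l; *consumed = 1 + n;
    return (l > buflen - *consumed) ? BER_ERR_OVERRUN : BER_OK;
}

/* Constructed sample TLVs (tag octet first, then the length field). */
/* Valid DER: OCTET STRING of length 3. */
static const uint8_t sample_ok[] = { 0x04, 0x03, 'a', 'b', 'c' };
/* Hostile: five length octets encoding 0x1_0000_0010 (4 GiB + 16); a 32-bit
 * accumulator wraps this to 16. */
static const uint8_t sample_wrap[] = {
    0x04, 0x85, 0x01, 0x00, 0x00, 0x00, 0x10,
    'A','A','A','A','A','A','A','A','A','A','A','A','A','A','A','A'
};
/* Truncated: declares 256 content bytes but none follow. */
static const uint8_t sample_overrun[] = { 0x04, 0x82, 0x01, 0x00 };
/* Non-minimal: long form used for a length (5) that fits the short form. */
static const uint8_t sample_nonmin[] = { 0x04, 0x81, 0x05, 1, 2, 3, 4, 5 };

/* Wrappers that skip the one-octet tag and return a single checkable value. */
static uint32_t naive_length_of(const uint8_t *tlv, size_t n)
{ uint32_t l = 0; ber_length_naive(tlv + 1, n - 1, &l); return l; }
static ber_status checked_status_of(const uint8_t *tlv, size_t n)
{ size_t l = 0, used = 0; return ber_length_checked(tlv + 1, n - 1, &l, &used); }

int main(void)
{
    printf("wrap sample: naive length %u, checked status %d\n",
           naive_length_of(sample_wrap, sizeof sample_wrap),
           (int)checked_status_of(sample_wrap, sizeof sample_wrap));
    printf("overrun sample: naive length %u, checked status %d\n",
           naive_length_of(sample_overrun, sizeof sample_overrun),
           (int)checked_status_of(sample_overrun, sizeof sample_overrun));
    return 0;
}
```

The naive decoder reports 16 bytes for the wrapped sample and 256 for the truncated one, and in a real decoder either value would feed an allocation or copy that does not match the data present. The checked version refuses both before any content is touched, which is the property a network-facing ASN.1 library needs: the length field is input, not trusted metadata.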
Russ Cooper, a security expert with TruSecure Corporation, said that the latest vulnerability was especially insidious because it could allow attacks on the equivalent of the computer's immune system. "It's like AIDS," he said. "This is the stuff that's supposed to protect us."
For now, Mr. Cooper said, computer users are probably safe because the flaw "is not exactly a simple one" to take advantage of, and no attack that would exploit the flaw had appeared on the hacker sites where such code is freely circulated. But once such an attack method is created, he said, he expected to see a malicious program that could circulate via e-mail and that would have as profound an effect on computer networks as last year's widespread "Blaster" worm.
A security company, eEye Digital Security, reported the problem to Microsoft last July. Because the flaw is common to so many operating systems and applications, "this is one of the biggest ones ever," said Marc Maiffret, an executive at eEye whose title is chief hacking officer.
Mr. Maiffret said that he was surprised that it took Microsoft so long to issue a patch. "All the reason Microsoft gave us was 'extra testing,' but it doesn't take that long to test something this simple," he said.
Mr. Toulouse of Microsoft disagreed, saying "We don't just produce a fix, we produce a comprehensive fix." A quick response that does not work for every user, or which introduces new vulnerabilities, "would almost be worse than no fix at all," he said.
Microsoft urged users of virtually all of its current operating systems - Windows NT 4.0, Windows 2000 and Windows XP, as well as Windows NT Server 4.0, Windows 2000 Server and Windows Server 2003 - to go to windowsupdate.microsoft.com to download the patch.