Hacking fear over new Windows security flaw
Microsoft is attempting to plug a glaring hole in some versions of its Windows software, a weakness similar to those exploited by the devastating “Blaster” and “Sasser” attacks, a security expert says.
The patch, included in the company’s monthly security bulletin, fixes a hole that could allow hackers to take complete control of computer systems, Microsoft said.
The problem is most serious on Windows 2000 systems, which could be accessed remotely through the operating system’s “Plug and Play” hardware detection feature.
Windows Server 2003 and Windows XP systems with major security updates are less vulnerable, but still could be affected by certain remote users or those within local systems, the company said.
Marc Maiffret, chief hacking officer for eEye Digital Security, said yesterday that the hole resembled weaknesses that allowed the Blaster and Sasser worms to infect hundreds of thousands of computers worldwide.
“This is the type of vulnerability that’s been exploited many times, and those two worms are the biggest examples because they had the biggest impact,” Maiffret said.
In its security briefing yesterday, Microsoft said it had no indication the vulnerability had been publicly disclosed or exploited before the patch was issued.
Microsoft rated the patch “critical”, its most serious designation, for Windows 2000. Two other upgrades in this month’s bulletin also received the critical rating.
Stephen Toulouse, a program manager for Microsoft’s Security Response Centre, said the particular weakness disclosed yesterday differed from the Sasser worm because it was less vulnerable on newer operating systems.
Security practices had also improved since the last major worm attacks were unleashed, Toulouse said.
“I think it’s a pretty different environment right now,” he said. “More and more customers are applying updates more quickly, more customers have better firewall protection.”
The flaw’s less-serious effect on Windows XP systems suggests the company may have tried to address the problem, but left users with older software mostly unprotected, Maiffret said.
“This bug has existed in code that’s over four years old,” he said. “It can’t be the first time that somebody finally looked at it.”
Improved security can be expected on newer software, but Toulouse said a wider hole in Windows 2000 did not signal any effort to avoid fixing problems with the older software.
“When something is reported to us and it’s a vulnerability that needs to be addressed, we address it on all platforms,” he said.
Maiffret said he expected hackers to quickly take advantage of the weakness, possibly jeopardising security at large companies where software updates can take several days or weeks to install.
“The race is definitely going to be won by the exploit writers, because they’re going to be able to publish an exploit in the next couple of days,” Maiffret said. “It’s such a glaring bug, I don’t know how anybody else didn’t discover it.”
A major worm, however, is less likely because such an attack prompts users to seal any remaining holes in vulnerable computers, Maiffret says.
