Microsoft apparently sat on a serious Windows OS vulnerability for six months before announcing the availability of a fix today. One analyst calls the latest exploit one of the "most serious Microsoft vulnerabilities ever released". "The breadth of systems affected is probably the largest ever," says Marc Maiffret of eEye Digital Security, the firm that first discovered the vulnerabilities. "This is something that will let you get into Internet servers, internal networks, pretty much any system."

The Microsoft advisory warns that an ASN.1 (Abstract Syntax Notation One) vulnerability could allow remote code execution on versions of the company's XP/NT/2000 operating systems. While there are no documented cases of attacks yet, security experts expect hackers to take advantage of the vulnerabilities in a matter of weeks or less. They also warn that the exploit's severity (and the potential in some cases for attackers to bypass firewalls) could make worms like Nimda and Code Red look like heavily sedated kittens compared to what's coming.

Maiffret tells the Associated Press that the six-month delay after the group notified Microsoft was "just totally unacceptable" because Windows users were left vulnerable. Microsoft security executive Stephen Toulouse says the company "took the steps to make sure our investigation was as broad and deep as possible." The patch is available via Windows Update. The exploit may bring renewed debate over whether or not making Windows Update an automatic feature is a good idea.