/ciol/media/agency_attachments/c0E28gS06GM3VmrXNw5G.png)
Follow UsReed Stevenson and Elinor Mills Abreu
SEATTLE/SAN FRANCISCO: Microsoft Corp. said on Tuesday a "critical" flaw in most versions of its flagship Windows operating system could allow hackers to break into personal computers and snoop on sensitive data.
Although no computers were reported to have been compromised, the world's largest software maker warned that Windows NT, Windows 2000, Windows XP and Windows Server 2003 were at risk. Microsoft announced the flaw in its monthly security bulletin.
The company offered software updates to fix the software flaw, which it assigned its most severe rating of "critical."
"It does affect all (current) versions of Windows," said Stephen Toulouse, security program manager for Microsoft's Security Response Center. "We're not aware of anyone affected by this at this time."
Marc Maiffret, co-founder of eEye Digital Security, the company that discovered the flaw, criticized Microsoft for taking more than six months to come up with a patch to fix the problem.
The flaw could allow a hacker to break into a computer running Microsoft's Windows operating system in several ways and then use the compromised machine to run malicious programs and steal or delete key data, Maiffret and other experts said.
Last year Microsoft adopted a new monthly patch release program, which it said would let customers more easily apply software fixes for security bugs.
"We contacted Microsoft about these vulnerabilities 200 days ago, which is insane," he said. "Even the most secure Windows networks are going to be vulnerable to this flaw, which is very unique."
Microsoft's Toulouse said the company needed time to make sure it got the fix right, especially given how pervasive the vulnerability is in the software.
"We wanted to make absolutely sure we were doing as broad an investigation as possible," he said.
Windows users can download the patch for the vulnerability from http://www.microsoft.com/security.
"The obvious steps to take are to run Windows Update and install the patches to fix the vulnerabilities as soon as possible," said Craig Schmugar, a virus research manager at Network Associates Inc.'s McAfee anti-virus unit.
The latest fixes for Microsoft's software are unrelated to the recent virus attacks called MyDoom and its variants, Schmugar said.
Microsoft also released a critical update a week ago, ahead of Tuesday's scheduled release, to fix a patch in its Explorer Web browser that could make PCs vulnerable to attackers.
In addition, Microsoft announced a mid-grade security warning for the latest version of its server products for networked computers.
Two years ago, the Redmond, Washington-based company pledged to make its software products more secure and reliable under an initiative, dubbed "Trustworthy Computing" by Chairman Bill Gates.
But computers running the company's software have been hit by several high-profile attacks since, such as the SQL Slammer, Nimda and SoBig attacks.
On Monday, a new worm called "Doomjuice," an offshoot of the MyDoom worm, emerged, which used personal computers compromised by the original MyDoom worm to attack and attempt to hobble parts of Microsoft's Web site, according to security experts.
The MyDoom worm, as well as its variant MyDoom.B, were designed to entice e-mail recipients to click open an attachment, which then installed malicious software on a personal computer. The worms instructed infected PCs to flood the Web sites of the SCO Group Inc. and Microsoft in an effort to shut them down.
© Reuters