Microsoft says its systems since '96 have security flaw

Company releases patch to address software glitch affecting e-mail, sites

August 30, 2002 | By BLOOMBERG NEWS

REDMOND, Wash. - Microsoft Corp. said yesterday that all versions of its Windows operating system released since 1996 have a security flaw that may bar users from encrypting e-mail and using some Web sites.

The world's biggest software maker called the vulnerability "critical," its most serious rating, in a security bulletin. Microsoft urged users to download a software patch to immediately fix the glitch. The problem won't cause a computer to crash or let a hacker take over a machine, Microsoft said.

Windows runs more than 90 percent of the world's personal computers. The weakness also affects versions that run server computers, which distribute data for networks and Web sites. Security consultant Marc Maiffret said the flaw "isn't a big deal" and is unlikely to be used by many hackers because it doesn't give them control of the computer or access to user data.

The latest flaw may let a hacker delete so-called digital certificates from a user's system. The certificates contain codes that let users make e-mails unreadable to unauthorized persons and view secure Web pages, such as electronic-commerce sites.

The error affects products beginning with the Windows NT 4.0 server program that went on sale in July 1996. The earliest PC version with the problem is Windows 98, released in June 1998. Windows 2000 and Windows XP, the most recent versions of the operating system, also are affected, the company said.

"This isn't really critical; it's more like critically annoying," said Maiffret, a former hacker and co-founder of security research company eEye Digital Security. "There are so many other hacks that let you do much more."

Nevertheless, the weakness is the latest in a string of problems for Microsoft, which is working to make its software more secure after holes in it let worms and viruses enter the company's programs repeatedly during the past two years, angering customers.

In January, Chairman Bill Gates ordered workers to focus on security instead of new features, and Microsoft stopped work on some products for almost two months to train engineers in better security practices. That cost the company more than $100 million.

Microsoft generally releases several security bulletins and software patches a month. Each flaw is rated low, moderate or critical. In December, Microsoft fixed a glitch in its Windows XP program that was found the day after the product reached store shelves. Also last year, the Code Red and Nimda worms attacked computers running Microsoft software.

Microsoft sent yesterday's security bulletin by e-mail to customers subscribed to receive such notices from the company and posted it on the company's Web site.

The software fix can be downloaded from w/default.asp?url=/technet/security/bulletin/ms02-048.asp.

Customers who have Windows XP set up to automatically receive software updates will receive the fix today, Microsoft said.

Microsoft's shares rose $1.20 to $50.58 yesterday in Nasdaq stock market trading. The stock has declined 24 percent this year.

Baltimore Sun Articles