List: isn
Subject: [ISN] Flaw leaves Microsoft looking like a turkey
From: InfoSec News <alerts () infosecnews ! org>
Date: 2007-11-27 6:18:14
Message-ID: Pine.LNX.4.61.0711270018010.21611 () conundrum ! infosecnews ! org
http://www.smh.com.au/news/technology/microsoft-flaw-a-massive-shock/2007/11/23/1195975914416.html
By Patrick Gray
The Sydney Morning Herald
November 26, 2007
Microsoft engineers worked frantically over the US Thanksgiving holiday
to fix a design flaw in Windows that has exposed millions of computers
to hijacking by computer criminals.
By exploiting the design flaw a lone miscreant could take control of
vast numbers of home or office PCs around the world in a single attack.
They could read data, steal passwords and monitor internet use or use
them to distribute spam or viruses.
The bug was demonstrated at the Kiwicon hacker conference in New Zealand
last week by an ethical hacker, Beau Butler.
"This whole presentation came about from me telling a story to a bunch
of my computer security friends down the pub one night," he said on the
phone from New Zealand. "They basically said, 'You're going to have to
step up and talk about that'."
While testing the flaw, Mr Butler found more than 160,000 computers in
NZ were vulnerable. Computers in the US are not vulnerable to the flaw,
but many countries are potentially wide open.
It was decided not to publish details of the vulnerability after
bringing it to the attention of Microsoft this week.
The software giant confirmed the issue was serious and asked this
newspaper not to publish the details over fears they could be used by
cyber criminals to seize control of workstations.
Microsoft's engineers in Australia and the US scrambled to replicate and
confirm the issue, with the security team working over this week's
Thanksgiving holiday to begin work on a fix.
"Now that we understand the issue we're researching comprehensive
mitigations and workarounds to protect customers," Microsoft's general
manager of product security, George Stathakopoulos, said by email.
The flaw is an old one, first exposed and apparently fixed more than
five years ago. But it appears Microsoft's fix was only partially
effective.
The problem affects all versions of Windows, including the company's
most recent release, Vista software. However, it does not affect every
Windows computer, Mr Stathakopoulos said. It depends on how it is
configured.
Mr Butler said he tried to alert Microsoft to the problem by email
before going public with his research. "I didn't get any reply — I
assumed they were aware of the issue," he said.
He was surprised to discover the bug was still a problem in Microsoft's
most recent operating system products. "It was a massive shock," he
said.
Patrick Gray is a contributor to the Next liftout and publishes a weekly
podcast at ITRadio.com.au/security
Copyright © 2007. The Sydney Morning Herald.
__________________________________________________________________
Visit InfoSec News
http://www.infosecnews.org/