Microsoft Corp. has acknowledged a critical vulnerability in nearly all versions of its flagship Windows operating system software, the first such design flaw to affect its latest Windows Server 2003 software.
The weakness was discovered by a team of researchers who said they were keeping details under wraps. As a result, no Windows users were reported to have been immediately affected by the flaw. Microsoft urged customers to immediately install a free software repairing patch available from its web site.
Microsoft said the vulnerability could allow hackers to seize control of a victim’s Windows computer over the internet, stealing data, deleting files, or eavesdropping on eMails.
The disclosure on July 16 was unusually embarrassing for Microsoft because it represented the first such serious flaw in the company’s powerful new computer server software, billed as its safest ever.
The software is aimed at large enterprise customers and was the first product sold under a high-profile “Trustworthy Computing” initiative organized last year by Microsoft founder Bill Gates.
At the product’s launch in late April, Microsoft Chief Executive Steve Ballmer declared the new version of Windows to be a “breakthrough in terms of what it means, in terms of its built-in security and reliability.”
The flaw, discovered by researchers in western Poland, also affects Windows versions popular among home users.
“This is one of the worst Windows vulnerabilities ever,” said Marc Maiffret, an executive at eEye Digital Security Inc. of Aliso Viejo, Calif., whose researchers discovered similarly dangerous flaws in at least three earlier versions of Windows.
Microsoft said firewalls commonly block the type of data connections that hackers outside a large enterprisesuch as a company or school districtwould need for these attacks. The flaw affects Windows technology used to share data files across computer networks.
Maiffret said that inside vulnerable enterprises, “until they have this patch installed, it will be Swiss cheeseanybody can walk in and out of their servers.”
Microsoft spent hundreds of millions of dollars on security improvements for its latest Windows software and included new technology to defend against a category of hacker attacks known as “buffer overflows,” which can trick software into accepting dangerous commands.
But four Polish researchers, known as the “Last Stage of Delirium Research Group,” said they discovered how to bypass the additional protections Microsoft added, just three months after the software went on sale.
The head of Microsoft’s security response center, Kevin Kean, said improving Windows software is an ongoing process. “We continue to try to make it better, and when we find a situation where techniques we’ve built into the system are not perfect, we go out and fix them,” Kean said.
Microsoft also acknowledged a separate design flaw affecting only Windows XP, but it was deemed less serious because hackers would have to already have broken into a network to attack victims. The company also released a patch for it.
Although the Polish researchers created a tool to demonstrate the more serious vulnerability and break into victim computers, they promised not to release blueprints for such software onto the internet.
“We’re fully aware of the potential impact,” group member Tomasz Ostwald said in a telephone interview. “We don’t plan to publish this code at the moment. It’s too dangerous.”
Ostwald said the group, which other experts said was highly regarded in the security community, expected to disclose additional details during technical presentations at upcoming security seminars.
Some experts said they expected hackers to begin using this new vulnerability to break into computers within months. Even without detailed blueprints from researchers, hackers typically break apart the patches Microsoft provides for clues about how to exploit a new flaw.
“We could see it in a week or a year or not at all, but I expect we would see something in a three-month time frame,” said Russ Cooper of Herndon, Va.,-based TruSecure Corp.
Internet Security Systems Inc. said the Windows flaw “poses an enormous threat” and raised its alert level to its second notch, reflecting “increased vigilance.” The Atlanta-based company operates an early warning network for the technology industry, the Information Technology Information Sharing and Analysis Center.
The announcement came one day after the Department of Homeland Security announced that it awarded a five-year, $90-million contract for Microsoft to supply all its most important desktop and server software for about 140,000 computers inside the new federal agency.