A group in China released a program in late July that lets hackers exploit a critical flaw in Microsoft software and take over a victim’s computer over the internet. The program, released nine days after Microsoft Corp. warned of the flaw, has turned an embarrassment for the company and inconvenience for customers into a near-emergency.
The program, posted on the group’s web site, takes advantage of a vulnerability in nearly all versions of Microsoft’s Windows operating system, including Windows Server 2003, touted as Microsoft’s safest ever.
The Redmond, Wash., software giant has urged all Windows users to download a free software fix, but many consumers–particularly companies and school systems with hundreds or thousands of computers at risk–probably have not yet done so, said Marc Maiffret, co-founder of eEye Digital Security Inc. of Aliso Viejo, Calif.
“Three times a year, there are [flaws] this bad,” Maiffret said. “This is one of those times.” He added that until vulnerable enterprises install the patch, “it will be Swiss cheese–anybody can walk in and out of their servers.”
The flaw, discovered by Polish researchers who call themselves the “Last Stage of Delirium Research Group,” affects a Windows networking component used to exchange data between computers on a network. It can allow attackers to seize control of a victim’s computer, letting them steal data, delete files, and read e-mail messages.
The flaw is an embarrassment to a company that has dedicated millions of dollars to its highly trumpeted Trustworthy Computing initiative, in which Microsoft has been emphasizing security in writing code.
The Chinese group, Xfocus, did not contact Microsoft before posting the exploit code, said Jeff Jones, Microsoft’s senior director of Trustworthy Computing security.
“We continue to believe that publication of exploit code in cases like this is not good for customers,” Jones said.
Xfocus, described on its web site as a nonprofit and free technology organization founded in 1998, did not immediately return an e-mail request for comment sent by the Associated Press.
Russ Cooper, of Herndon, Va.-based TruSecure Corp., questioned why the group chose to post the code. “I don’t understand the point behind doing this,” he said. “This isn’t healthy for the ‘net at all.”
So far, Microsoft has not heard of any instances of the code being used. Microsoft said companies and school systems with strong firewalls commonly block the type of data connections that outside hackers would need for such attacks.
But Cooper said there are other ways to breach firewalls. He said attackers could gain access by targeting legitimate users who connect into the computer network from an unsecured remote location.
He added that the code can be used to attack one site at a time, but that he expects someone will soon “make the leap to turn this code to a worm” that could attack internet sites randomly, en masse.
Microsoft acknowledged the presence of the flaw on July 16, one day after the Department of Homeland Security announced that it had awarded a five-year, $90-million contract for Microsoft to supply all its most important desktop and server software for about 140,000 computers inside the new federal agency.
The head of Microsoft’s security response center, Kevin Kean, said improving Windows software is an ongoing process. “We continue to try to make it better, and when we find a situation where techniques we’ve built into the system are not perfect, we go out and fix them,” he said.
See these related links:
eEye Digital Security