Microsoft Corp has warned computer users about a new critical security hole in its Windows operating system that could allow an attacker to gain control over a computer, delete data and install unwanted programs.
Microsoft Warns of New Critical Hole in Windows Wed 10 September, 2003 20:26 BST
The vulnerability is similar to one that Microsoft warned about in July, which experts called one of the worst to hit a software program in years because of the broad number of Windows systems affected.
Within a month, the Blaster Internet worm surfaced, taking advantage of that security hole in Windows. The worm eventually infected an estimated hundreds of thousands of machines.
Hackers apparently have not yet targeted the newly announced vulnerability, said Jeff Jones, senior director of Trustworthy Computing security at Microsoft.
But with any critical flaw, "we have a worry that history has shown us there are malicious individuals out there that could create an attack of some sort against it," he said.
Blaster, also dubbed MSBlast and LovSan, crashed many of the computers it infected and tried to launch an unsuccessful attack on a Microsoft software download Web site.
The operating systems affected by the latest security vulnerabilities are Windows NT 4.0, Windows 2000, Windows XP and Windows Server 2003. Older versions of Windows, including Windows Millennium, Windows 98 and Windows 95, are not affected, the company said.
Both the software flaw targeted by the Blaster worm and the new security hole are related to the Distributed Component Object Model service that is hosted by a Remote Procedure Call feature in Windows. Those features allow software applications to work with each other across a computer network.
Since early last year, Microsoft has made software security a top priority in an attempt to address rising customer concerns about the spread of viruses and hacker attacks.
Last week Microsoft warned of a critical flaw in its Office software that could enable a malicious programmer to create documents that would launch attacks on unsuspecting users.
Jones advised Windows users to get information and download a patch that fixes the critical vulnerabilities, as well as other less-serious ones the company discovered. The patch is available from www.microsoft.com/security.
Microsoft is also urging customers to install a firewall to block out intruders and enable the Windows auto update feature, which allows security and other software to be updated and installed automatically. The Web site for that is www.microsoft.com/protect.
Microsoft credited outside researchers for finding the new critical and non-critical vulnerabilities. They include eEye Digital Security, NSFOcus Security Team and Xue Yong Zhi and Renaud Deraison from Tenable Network Security.