The Spokesman-Review Newspaper
The Spokesman-Review Newspaper The Spokesman-Review
Spokane, Washington  Est. May 19, 1883
Current Temperature
59°F
Current Conditions
Broken clouds
View complete weather report
Subscribe now

Microsoft admits ‘severe’ Windows flaw

Washington Post

A previously unknown flaw in Microsoft Corp.’s Windows operating system is leaving computer users vulnerable to spyware, viruses and other programs that could overtake their machines and has sent the company scrambling to come up with a fix.

Microsoft said in a statement this week that it is investigating the vulnerability and plans to issue a software patch to fix the problem. The company could not say how soon that patch would be available.

Mike Reavey, operations manager for Microsoft’s Security Response Center, called the flaw “a very serious issue.”

Security researchers revealed the flaw on Tuesday and posted instructions online that showed how would-be attackers could exploit the flaw. Within hours, computer virus and spyware authors were using the flaw to distribute malicious programs that could allow them to take over and remotely control afflicted computers.

Unlike with previously revealed vulnerabilities, computers can be infected simply by visiting one of the Web sites or viewing an infected image in an e-mail through the preview pane in older versions of Microsoft Outlook, even if users did not click on anything or open any files. Operating system versions ranging from the current Windows XP to Windows 98 are affected.

An estimated 90 percent of personal computers run on Microsoft Windows operating systems. Microsoft has found itself under attack on several instances and has been forced to issue a number of patches to keep computers running Windows safe. Mac and Linux computer users are not at risk with this attack, even if their computers run Microsoft programs such as Office or the Internet Explorer Web browser.

Reavey encouraged users to update their anti-virus software, ensure all Windows security patches are installed, avoid visiting unfamiliar Web sites, and refrain from clicking on links that arrive via e-mail or instant message.

“The problem with this attack is that it is so hard to defend against for the average user,” said Johannes Ullrich, chief research officer for the SANS Internet Storm Center in Bethesda, Md.

Dean Turner, a senior manager at anti-virus firm Symantec Corp. of Cupertino, Calif., said the company has seen the vulnerability exploited to install software that intercepts personal and financial information when users of infected computers enter the data at certain banking or e-commerce sites.

Eric Sites, vice president of research and development for anti-spyware firm Sunbelt Software, said he has spotted spyware being downloaded to a user’s machine by online banner advertisements.

“Pretty much all of the spyware guys who normally use other techniques for pushing this stuff down to your machine are now picking this exploit up,” Sites said.