[ISN] Flaw leaves Microsoft looking like a turkey

From: InfoSec News (alerts@private)
Date: Mon Nov 26 2007 - 22:18:14 PST


By Patrick Gray
The Sydney Morning Herald
November 26, 2007

MICROSOFT engineers worked frantically over the US Thanksgiving holiday 
to fix a design flaw in Windows that has exposed millions of computers 
to hijacking by computer criminals.

By exploiting the design flaw a lone miscreant could take control of 
vast numbers of home or office PCs around the world in a single attack. 
They could read data, steal passwords and monitor internet use or use 
them to distribute spam or viruses.

The bug was demonstrated at the Kiwicon hacker conference in New Zealand 
last week by an ethical hacker, Beau Butler.

"This whole presentation came about from me telling a story to a bunch 
of my computer security friends down the pub one night," he said on the 
phone from New Zealand. "They basically said, 'You're going to have to 
step up and talk about that'."

While testing the flaw, Mr Butler found more than 160,000 computers in 
NZ were vulnerable. Computers in the US are not vulnerable to the flaw, 
but many countries are potentially wide open.

It was decided not to publish details of the vulnerability after 
bringing it to the attention of Microsoft this week.

The software giant confirmed the issue was serious and asked this 
newspaper not to publish the details over fears they could be used by 
cyber criminals to seize control of workstations.

Microsoft's engineers in Australia and the US scrambled to replicate and 
confirm the issue, with the security team working over this week's 
Thanksgiving holiday to begin work on a fix.

"Now that we understand the issue we're researching comprehensive 
mitigations and workarounds to protect customers," Microsoft's general 
manager of product security, George Stathakopoulos, said by email.

The flaw is an old one, first exposed and apparently fixed more than 
five years ago. But it appears Microsoft's fix was only partially 

The problem affects all versions of Windows, including the company's 
most recent release, Vista software. However, it does not affect every 
Windows computer, Mr Stathakopoulos said. It depends on how it is 

Mr Butler said he tried to alert Microsoft to the problem by email 
before going public with his research. "I didn't get any reply — I 
assumed they were aware of the issue," he said.

He was surprised to discover the bug was still a problem in Microsoft's 
most recent operating system products. "It was a massive shock," he 

Patrick Gray is a contributor to the Next liftout and publishes a weekly 
podcast at ITRadio.com.au/security

Copyright © 2007. The Sydney Morning Herald.
