http://www.smh.com.au/news/technology/microsoft-flaw-a-massive-shock/2007/11/23/1195975914416.html By Patrick Gray The Sydney Morning Herald November 26, 2007 MICROSOFT engineers worked frantically over the US Thanksgiving holiday to fix a design flaw in Windows that has exposed millions of computers to hijacking by computer criminals. By exploiting the design flaw a lone miscreant could take control of vast numbers of home or office PCs around the world in a single attack. They could read data, steal passwords and monitor internet use or use them to distribute spam or viruses. The bug was demonstrated at the Kiwicon hacker conference in New Zealand last week by an ethical hacker, Beau Butler. "This whole presentation came about from me telling a story to a bunch of my computer security friends down the pub one night," he said on the phone from New Zealand. "They basically said, 'You're going to have to step up and talk about that'." While testing the flaw, Mr Butler found more than 160,000 computers in NZ were vulnerable. Computers in the US are not vulnerable to the flaw, but many countries are potentially wide open. It was decided not to publish details of the vulnerability after bringing it to the attention of Microsoft this week. The software giant confirmed the issue was serious and asked this newspaper not to publish the details over fears they could be used by cyber criminals to seize control of workstations. Microsoft's engineers in Australia and the US scrambled to replicate and confirm the issue, with the security team working over this week's Thanksgiving holiday to begin work on a fix. "Now that we understand the issue we're researching comprehensive mitigations and workarounds to protect customers," Microsoft's general manager of product security, George Stathakopoulos, said by email. The flaw is an old one, first exposed and apparently fixed more than five years ago. But it appears Microsoft's fix was only partially effective. The problem affects all versions of Windows, including the company's most recent release, Vista software. However, it does not affect every Windows computer, Mr Stathakopoulos said. It depends on how it is configured. Mr Butler said he tried to alert Microsoft to the problem by email before going public with his research. "I didn't get any reply — I assumed they were aware of the issue," he said. He was surprised to discover the bug was still a problem in Microsoft's most recent operating system products. "It was a massive shock," he said. Patrick Gray is a contributor to the Next liftout and publishes a weekly podcast at ITRadio.com.au/security Copyright © 2007. The Sydney Morning Herald. __________________________________________________________________ Visit InfoSec News http://www.infosecnews.org/
This archive was generated by hypermail 2.1.3 : Mon Nov 26 2007 - 22:34:29 PST