Moments before a top Microsoft executive told Congress about efforts to improve security, the company warned yesterday of new flaws that leave its flagship Windows software vulnerable to Internet attacks similar to the “Blaster” worm that infected hundreds of thousands of computers last month.
Microsoft urged customers to immediately apply a free repair patch from its Web site, www.microsoft.com.
The company cautioned that hackers could seize control of a victim’s computer by attacking these flaws, which affect the Windows component that lets computers communicate with one another across a network.
“We definitely want people to apply this one,” said Jeff Jones, Microsoft’s senior director for trustworthy computing. Outside researchers and Microsoft’s own internal reviews discovered the new flaws after the Blaster infection, he said.
Outside experts said some of the flaws were nearly identical to the problem exploited by the Blaster worm, which spread last month and caused widespread damage. The earlier patch Microsoft issued in July does not close the new holes, so computer users who applied it to protect themselves still must install the new patch.
“They’re as close as you can be without being the same,” said Marc Maiffret, an executive at eEye Digital Security Inc. of Aliso Viejo, Calif., one of three research groups credited with discovering some of the new problems. “It’s definitely a big oversight on Microsoft’s part that they missed these.”
Mr. Maiffret speculated that, because of the similarities, hackers could begin attacking unprotected systems as early as the end of the day.
Robin Matlock, a vice president at Network Associates Inc., agreed that corporations, government agencies and home users will be racing the clock before the next attack. “Without a doubt, this is a nasty vulnerability. It could easily be exploited,” she said. “Administrators are under more pressure here to move quickly.”
The disclosure by Microsoft came just moments before its senior security strategist, Phil Reitinger, told lawmakers on the House Government Reform technology subcommittee about the company’s efforts to help consumers defend themselves against viruses and other Internet attacks.
“Microsoft is committed to continuing to strengthen our software to make it less vulnerable to attack,” said Mr. Reitinger, a former deputy chief in the Justice Department’s cyber-crime division. Still, he acknowledged, “There is no such thing as completely secure software.”
Mr. Reitinger told lawmakers about the new flaws and said that Microsoft is considering changing Windows to install software repairs automatically. Currently, Windows notifies users when updates are available and reminds them to install the updates manually.
Microsoft said Windows users who follow the new security guidelines it has published on its Web site at www.microsoft.com/protect should be safe until they install the latest patch. The company plans a Webcast tomorrow to discuss the latest threat.