Posted on 01/02/2006 3:54:03 PM PST by Swordmaker
Computer security experts were grappling with the threat of a newweakness in Microsoft’s Windows operating system that could put hundreds of millions of PCs at risk of infection by spyware or viruses.
The news marks the latest security setback for Microsoft, the world’s biggest software company, whose Windows operating system is a favourite target for hackers.
“The potential [security threat] is huge,” said Mikko Hyppönen, chief research officer at F-Secure, an antivirus company. “It’s probably bigger than for any other vulnerability we’ve seen. Any version of Windows is vulnerable right now.”
The flaw, which allows hackers to infect computers using programs maliciously inserted into seemingly innocuous image files, was first discovered last week. But the potential for damaging attacks increased dramatically at the weekend after a group of computer hackers published the source code they used to exploit it. Unlike most attacks, which require victims to download or execute a suspect file, the new vulnerability makes it possible for users to infect their computers with spyware or a virus simply by viewing a web page, e-mail or instant message that contains a contaminated image.
“We haven’t seen anything that bad yet, but multiple individuals and groups are exploiting this vulnerability,” Mr Hyppönen said. He said that every Windows system shipped since 1990 contained the flaw.
Microsoft said in a security bulletin on its website that it was aware that the vulnerability was being actively exploited. But by early yesterday, it had not yet released an official patch to correct the flaw. “We are working closely with our antivirus partners and aiding law enforcement in its investigation,” the company said. In the meantime, Microsoft said it was urging customers to be careful opening e-mail or following web links from untrusted sources.
Meanwhile, some security experts were urging system administrators to take the unusual step of installing an unofficial patch created at the weekend by Ilfak Guilfanov, a Russian computer programmer.
Concerns remain that without an official patch, many corporate information technology systems could remain vulnerable as employees trickle back to work after the holiday weekend.
“We’ve received many e-mails from people saying that no one in a corporate environment will find using an unofficial patch acceptable,” wrote Tom Liston, a researcher at the Internet Storm Center, an antivirus research group. Both ISC and F-Secure have endorsed the unofficial fix.
Microsoft routinely identifies or receives reports of security weaknesses but most such vulnerabilities are limited to a particular version of the Windows operating system or other piece of Microsoft software. In recent weeks, the company has been touting its progress in combating security threats.
The company could not be reached on Monday for comment.
I hear MACs work well with AOL. </grin>
Singing and dancing cause this don't bither me a bot!!!
Just got my Linux Fedora Core 4 up and running like a champ.
BY BY WINDOWS, SEE YOU ON THE ASH HEAP OF HISTORY!!
tippity tappety, tippety tappety.
nyuk nyuk nyuk.
GOT ROOT, GAVE BILLY THE BOOT!!
first night with my RED HAT, kinda excited.
I'm running Windows FU06, but there is no fix.
I like the Mac, but we computer users are up against a new generation of packet-crafting tools (e.g., Metasploit), and greatly expanded and more accessible information about buffer overflows, etc.
What folks are missing here is that the race against expliots by using conventional security measures (firewalls, IDS, VA) is soon to come to an end. Companies will have to run massively parallel firewalls just to keep up with them.
Go over to the Steve Gibson page and read the alert; the possibility of maxing-out processors is inherent in this new exploit, and it will be a more common technique this year (Metaspolit was released in 2005, and there will be other exploit tools of its type).
We are looking at exploits that operate at the single bit and byte level, and the patch makers won't be able to keep up with attacks that are launched by the hundreds with single bit variations, or that might even be self-modifying.
It's going to be an exciting decade. And Mac users won't be exempt.
bttt
Sorry I forgot to put the /sarcasm tag. I don't think you have anything to worry about.
That's great!
Don't be too complacent. The new hacker tools and exploits will make mincement of all existing firewalls, intrusion detection, and antivirus.
Interesting. I thought the clip art exploit was addressed in 97 or 98.
Secure sites, FR, never open unexpected e-mails e-mails and don't download much of anything.
Whew (I think ?)
I just loaded Xandros on my laptop...it's pretty slick and it only took 12 minutes to install it (Dual-boot).
http://www.xandros.com/products/home/desktopdlx/dsk_dlx_intro.html
Ahhh, the end of the Internet.....no programmers could possibly counter the new "exploits" with new firewalls, intrusion detection and anti-virus programs.....we're doomed.....
This is news?
I'm never complacent in the cyberworld.
You never know who is lurking and what their potential. Usually, I expect to get bugged. Then I'm not surprised when it happens.
Linux is a tool for geeks like me. Not everyone will like to work with it, and work with it you must.
Hackers are like all lowlife slugs, if its too much effort, f-it! They go for the easy and most.
Linux is just too hard with too few people using it, therefore, too few rewards for too hard work.
Slug repellent.
Duh. That's like saying the sky is dark at night.
Do you know how Metaspolit works? We are talking at the byte level. "Programmers" will be fighting hackers for processor cycles (on firewalls, IDS platforms, etc).
Suggest you go over to the Steve Gibson site and read about the exploit. What I've just stated is implied in the decsiption of processor racing. Programmers don't work at the processor level.
Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.