Microsoft Reveals 'Critical' Flaw in Software
Microsoft has disclosed a serious vulnerability in its Windows operating system. It affects Windows XP, Windows 2000, Windows 98, Windows 98 Second Edition, Windows Me, Windows NT 4.0 Server and Windows Server 2003, and users could unwittingly spread malicious code to others unless they apply the patch that fixes their software.
The software giant has termed the flaw "critical," which is the highest step on its four-step rating system.
The critical flaw could allow a "buffer overrun," which Microsoft's website describes as "an attack in which a malicious user exploits an unchecked buffer in a program and overwrites the program code with their own data. If the program code is overwritten with new executable code, the effect is to change the program's operation as dictated by the attacker. If overwritten with other data, the likely effect is to cause the program to crash."
The buffer overrun, found in the HTML converter in the Windows operating system, was the most serious of the reported flaws. Attackers could exploit the vulnerability to spread malicious code through HTML in an e-mail message or through a web page that causes the code to be downloaded automatically by visitors.
What makes the flaw particularly daunting is that it can be triggered without any action by the user. Microsoft has posted a patch for the vulnerability on its website.
All of the versions of Windows listed above contain the critical flaw, but it is less severe on Windows Server 2003, which has enhanced security built in.
"We certainly want everyone to apply the patch in order to protect their computers," Stephen Toulouse of the Microsoft Security Response Center told News.com. He said the company was not notified of the problem directly, but rather learned about it when it was reported on several security mailing lists over the last month.
"We are disappointed that the finder chose not to bring that directly to us," Toulouse said. "As soon as we were made aware of that, we began our program to develop a fix as fast as we could."
The other two flaws revealed in Microsoft's bulletins were rated "important." One is a buffer overrun in Windows NT, Windows 2000 Server and Windows XP; the other is a problem in the Windows 2000 Utility Manager that could allow a user to elevate his or her access to a system.