Microsoft warns of critical Windows flaw

The software giant issued a patch Wednesday morning to plug a critical security hole that could allow an attacker to take control of computers running any version of Windows except for Windows ME.

A group of Polish hackers and independent security consultants, known as the Last Stage of Delirium, discovered the flaw and worked with Microsoft to fix it.

"It should be emphasized that this vulnerability poses an enormous threat, and appropriate patches provided by Microsoft should be immediately applied," the group said in an advisory posted to its Web site. The group said that programs designed to exploit the vulnerability will likely be available on the Internet soon.

The flaw is in a component of the operating system that allows other computers to request the Windows system perform an action or service. The component, known as the remote procedure call (RPC) process, facilitates such activities such as sharing files and allowing others to use the computer's printer.

By sending too much data to the RPC process, an attacker can cause the system to grant full access to the system.

"This would give the attacker the ability to take any action on the server that they want," Microsoft stated in its advisory. "For example, an attacker could change Web pages, reformat the hard disk, or add new users to the local administrators group."

Jeff Jones, senior director for Microsoft's Trustworthy Computing effort, said that, in addition to applying the patch, users and systems administrator should close down any unused communications channels, or ports.

"Customers should protect their network with a firewall," he said. "Individual users should use the Internet Connection Firewall or some other personal firewall." The Internet Connection Firewall is a feature of Windows XP and Windows 2003 that limits the ways that a potential intruder could attack from the network.

Ports are standardized software addresses that allow applications to exchange data. Firewalls routinely prevent access to such services from the Internet by blocking the specific port used by a computer to offer those services.

Internet Security Systems, a network protection company based in Atlanta, warned its customers of the flaw on Wednesday. The company said in an advisory that it had raised its measure of the danger posed by threats on the Internet because of the vulnerability's seriousness.

Microsoft is well into the second year of its Trustworthy Computing initiative. Aimed at boosting customers' trust in the company's products, the initiative has been both praised as a bold move to become a leader in security and criticized as largely ineffectual.

Jones says the company is learning from its mistakes. In this case, Microsoft analyzed where the flaw crept in, and it developed plans to build in the expertise to detect it in the company's in-house development tools.

"It was primarily a process issue," he said. "We will be updating our automated scanning tool to make sure this type of issue is detected in the future."