CNET también está disponible en español.

Ir a español

Don't show this again

Tech Industry

Microsoft patches Windows security hole

The software maker releases a security patch that it hopes will prevent hackers from targeting Windows computers with denial-of-service attacks.

    Microsoft today released a security patch that it hopes will prevent hackers from targeting Windows computers with the type of attacks that swamped sites such as Yahoo and eBay earlier this year.

    The patch fixes a hole found in its currently marketed operating systems: Microsoft's Windows 95, Windows 98, Windows NT 4.0 and Windows 2000. The hole permits hackers to crash Windows-based computers with a distributed denial-of-service (DDoS) attack.

    In these types of attacks, a hacker plants code in computers or Web site servers over the Internet that causes them to email thousands of messages to a site at the same time. Sites for Slashdot.org, eBay, Yahoo and others slowed to a crawl earlier this year from DDoS attacks.

    "A malicious user would send a continuous stream of IP (Internet protocol) fragments with particular type of malformation," said Scott Culp, a program manager in Microsoft's security group. "Your machine would spend all its time trying to reassemble them. It doesn't crash, just slows down quite a bit."

    Patch creation and bug detection has become a major concern for Microsoft this year, as hackers have become more destructive. Its dominance in the software industry, combined with what some analysts say are lax security features in Microsoft Outlook and other products, have made the company's products particularly attractive targets.

    The company has about 90 percent of the desktop operating system market. The potential for mayhem associated with the software maker's dominance was illustrated this month when the "I Love You" email virus spread globally via Microsoft Outlook in less than two days, causing damages estimated in the billions of dollars. It also brought increased scrutiny and criticism of Microsoft's security procedures.

    In the software maker's case, affected computers don't need to be victims of a coordinated attack from many computers. But fragments of data coming at even a relatively low rate could be enough to cripple a system.

    Computers running on any of the Windows operating systems are vulnerable to How a denial of service attack works DDoS attacks, Microsoft has said.

    Networks break large chunks of information into more manageable sizes of data and then reassemble the fragments when they reach their destination. The vulnerability is the result of the way Windows-based operating systems reassemble that information at its intended destination, the PC.

    A steady stream of malicious fragments could consume a huge amount of the computer's resources, potentially causing a system crash, Microsoft says, although the software maker has not been able to recreate a scenario where a computer is brought down by such an attack.

    The patch fixes the way operating systems process and reform data fragments.

    Computers on corporate network firewalls will probably not be affected by the vulnerability, although Microsoft recommends that all Windows users download and install the patch. Web servers or proxy servers are especially vulnerable to the glitch.

    "Denial-of-service attacks are not new," said Frank Prince, a security analyst with Forrester Research. "They cannot be avoided, only minimized, because they take something that you have to do anyway and give you more of it than you can handle; anything that a computer does is potentially the basis of a denial-of-service attack."

    Corporations can protect themselves by "avoiding single points of failure," see CNET Software: Protect yourself from a virus attack Prince said, and instead having multiple email and Web servers.

    Microsoft's reputation for lax security may be somewhat unfair, he added, because the company is judged on single high-profile security breeches rather than the whole scope of its security measures.

    "I associate this with airline accidents," he said. "In spite of the fact that the airline industry has a wonderful reputation for safety, when you wipe out 300 people on the side of a mountain in one shot, people are going to call for safety regulations.

    "It's not like they all got together and decided to wipe out 300 people to save money."