Microsoft patches Windows security hole

The company patches a security hole in its Windows operating system that could expose Internet-connected computers to invasion by attackers.

Paul Festa Staff Writer, CNET News.com
Microsoft patched a security hole in its Windows operating system that exposed Internet-connected computers to invasion by attackers.

The problem, which Microsoft acknowledged last week, lets a malicious hacker crash the operating system by feeding the file address field more characters than it can hold; the excess characters spill into memory, where they can be executed when the computer is restarted.

Such an exploit, which lets an attacker run malicious code on a target's computer, is known generically as a "buffer overrun" attack. Microsoft said it's estimated that between two-thirds and three-quarters of computer security problems are buffer overrun issues.
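To make the mechanism concrete, here is an added illustration (not code from the article, from Microsoft, or from Windows): a fixed-size field receiving the path of a "file:" URL, first copied without a bound and then with a length check that rejects input that does not fit. The field size and the sample URLs are constructed for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Constructed example: a fixed-size field for the path portion of a
 * "file:" URL. The size is arbitrary and not taken from Windows. */
#define PATH_FIELD_LEN 64

/* Unsafe pattern: copies the URL's path into the fixed field without
 * checking its length. An over-long URL writes past the end of the
 * field into whatever sits beside it in memory (the "buffer overrun"). */
void copy_path_unsafe(const char *url, char field[PATH_FIELD_LEN])
{
    const char *path = strncmp(url, "file://", 7) == 0 ? url + 7 : url;
    strcpy(field, path); /* no bound: excess bytes spill past the field */
}

/* Hardened version: checks the scheme and refuses any path that would
 * not fit together with its terminator. Returns 0 on success, -1 if the
 * URL is not a file: URL, -2 if the path is too long for the field. */
int copy_path_checked(const char *url, char field[PATH_FIELD_LEN])
{
    if (strncmp(url, "file://", 7) != 0)
        return -1;
    const char *path = url + 7;
    size_t n = 0;
    while (n < PATH_FIELD_LEN && path[n] != '\0') /* never scan past cap */
        n++;
    if (n >= PATH_FIELD_LEN)
        return -2; /* would overflow: reject rather than truncate silently */
    memcpy(field, path, n + 1); /* n < PATH_FIELD_LEN, so terminator fits */
    return 0;
}

int main(void)
{
    char field[PATH_FIELD_LEN];
    /* Constructed inputs: one short URL and one longer than the field. */
    char longurl[200];
    memset(longurl, 'A', sizeof longurl - 1);
    longurl[sizeof longurl - 1] = '\0';
    memcpy(longurl, "file://", 7);

    printf("short URL -> %d\n", copy_path_checked("file://C:/readme.txt", field));
    printf("long URL  -> %d\n", copy_path_checked(longurl, field));
    return 0;
}
```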

An attacker could take advantage of the vulnerability by sending email or by luring a target to a Web page. A user would not have to click on a link on a malicious Web page; merely visiting that page would be sufficient to launch an attack.

"This vulnerability can affect a user even if the user follows what would normally be safe computing practices such as avoiding opening attachments from unknown senders and disabling macros unless they come from known and expected sources," Microsoft said in an informational page on the problem.

Microsoft said the "File Access URL" vulnerability lay in Windows' networking software; the company posted fixes for both Windows 95 and Windows 98.