Microsoft Warns of Security Flaw in Windows Software

From Associated Press

Microsoft Corp. warned customers Tuesday about unusually serious security problems with its Windows software that could let hackers quietly break into their computers to steal files, delete data or gain access to sensitive information.

Microsoft, which learned about the flaws more than six months ago from researchers, said the only protective solution was to apply a patch it offered on its website. It assessed the threat to computer users as “critical,” its highest rating.

A Microsoft security executive, Stephen Toulouse, said the flawed software was “an extremely deep and pervasive technology in Windows” and urged customers to apply the patch immediately.

The Department of Homeland Security also warned Americans about the software problems through e-mails sent across its new national cyber-alert system.

The disclosure comes just weeks before Microsoft Chairman Bill Gates delivers a keynote speech in San Francisco at one of the industry’s most important security trade conferences. Microsoft has struggled in recent months against renewed criticism about security risks in its software, the engine for computers in most of the world’s governments, corporations and homes.

“This is one of the most serious Microsoft vulnerabilities ever released,” said Marc Maiffret of eEye Digital Security Inc. of Aliso Viejo, Calif., which discovered the new Windows flaws. “This is something that will let you get into Internet servers, internal networks, pretty much any system.”

Maiffret said some computer systems that control power or water utilities were vulnerable. He predicted that hackers would try to unleash a damaging Internet infection within weeks.

Unlike earlier vulnerabilities that spawned such attacks, the newly disclosed flaws can be exploited by hackers to break into susceptible computers using dozens of methods, making any defense far more difficult.

“The race will be on,” said Marcus Sachs, a former White House advisor on cybersecurity.

Researchers at eEye discovered the problems in July and agreed to keep quiet about them until the Redmond, Wash., software giant could fix them. Maiffret complained that the delay between eEye’s discovery and Tuesday’s public disclosure by Microsoft was “just totally unacceptable” because Windows users were broadly vulnerable during the period.

Toulouse said Microsoft took months because it wanted to ensure that a single repairing patch solved any related problems. “We really took the steps to make sure our investigation was as broad and deep as possible,” he said.

Maiffret and Microsoft said they were unaware of anyone who had attacked Windows computers by taking advantage of the flaw, although eEye had successfully broken into its own computers by doing so.

Microsoft’s disclosure occurred just days before a presidential advisory council is expected to submit recommendations to the White House about ways technology companies should respond to major software vulnerabilities that could affect national security.

The problems affected a technology in the newest versions of Windows known as “abstract syntax notation,” a way to share data across different computers. Some of Microsoft’s built-in security features rely on the flawed software.

Microsoft urged consumers to apply the repairing patch immediately if they were using Windows NT, Windows 2000 or Windows XP versions of its software, or its Windows NT Server, Server 2000 and Server 2003 software commonly used by corporations.

Shares of Microsoft rose 12 cents Tuesday to close at $27.02 on Nasdaq.
