Microsoft Admits Serious New Windows VulnerabilitiesMicrosoft Admits Serious New Windows Vulnerabilities

Microsoft issued a critical security bulletin for all supported versions of Windows on Wednesday, warning of flaws that could let a hacker gain control of a user's computer.

The company has released a fix for the vulnerable versions of the operating system, including Windows Server 2003, Windows XP, Windows 2000, and Windows NT 4.0. Older versions of Windows, including 95, 98, 98 Second Edition and ME, are not affected.

Three vulnerabilities have been identified, all of them related to the Distributed Component Object Model (DCOM) interface in Windows's Remote Procedure Call service. RPC is a standard communication mechanism that lets applications running on separate computers access each other's services. DCOM, Microsoft's proprietary technology, defines the RPC that enables programs to communicate across a network.

A hacker who exploits these vulnerabilities can take a variety of actions on the compromised PC, including installing programs; viewing, changing or deleting data; or creating new accounts with full rights, Microsoft said in its security bulletin.

The latest flaws, discovered by researchers outside of Microsoft, are within the same RPC/DCOM-related code that was compromised by the creator of the recent Blaster virus, said Jeff Jones, senior director of trustworthy computing at Microsoft. The company issued its first patch for Blaster on July 16.

Blaster, which struck a week before last month's SoBig.F virus attack, inundated corporate networks and frustrated home users. The virus forced Maryland's motor vehicle agency to close for one day. Security company Symantec Corp. estimates more than 500,000 computers were infected.

"The scope of the severity is exactly the same (as Blaster)," said Dan Ingevaldson, engineer at security software maker Internet Security Systems Inc. "The same platforms are vulnerable and the same net affect. Hackers can take advantage of these vulnerabilities to compromise systems completely."

Sobig.F, considered one of the most virulent mass-mailing viruses ever, infected hundreds of thousands of computers and sent millions of virus-carrying E-mails across the Internet, clogging home E-mail boxes, and slowing corporate networks. Some organizations were forced to shut down their networks.

While acknowledging the seriousness of the latest vulnerabilities, Eric Hemmendinger, an Aberdeen Group analyst, said Microsoft deserves credit for issuing warnings and patches faster than ever. Chairman Bill Gates launched Microsoft's Trustworthy Computing initiative last year, making security a top priority.

Whether the company is improving security in Windows, however, is a question that can only be answered fairly over time, Hemmendinger said. Large chunks of code in even the latest versions of Windows are taken from previous releases, which means flaws can be carried over.

"I'm not saying that the issues they're trying to help their customers overcome aren't serious, but the fact that (vulnerabilities) haven't stopped should not be a reflection on what the company is trying to do," Hemmendinger said. "That doesn't mean that life is easy for everybody, but it does mean that (Microsoft) is trying to do something it hasn't been good at in the past."