Microsoft Warns Of Major Windows Security Flaws

It's offering a patch for the flaws, which could let hackers break into computers and steal files, delete data, or eavesdrop on sensitive information.

information Staff, Contributor

February 10, 2004


Microsoft on Tuesday alerted users to a trio of new security vulnerabilities in Windows and Internet Explorer, one of which is characterized by its discoverer as even more dangerous than the flaws that spawned some of the biggest worms of all time, Nimda and Code Red.

While Microsoft tagged two of the three vulnerabilities as "critical," its highest-ranked warning, one is of special concern.

The vulnerability relates to Windows Abstract Syntax Notation, a language used to define the syntax of data messages shared between applications and computers. Any flaw in Windows' implementation of ASN is by definition critical, since the ASN library is widely used by the operating system's security subsystems, including Kerberos and NTLM authentication, as well as by applications that use digital certificates, including SSL, digitally signed E-mail, and the ActiveX controls utilized by Internet Explorer.

A determined attacker could exploit the ASN vulnerability to create a buffer overflow in a targeted machine, which would, in turn, offer up complete control of the computer. From there, the sky's the limit: a hacker could install new software (including, for instance, Trojan horses), wipe hard drives, hijack files, or any of a thousand other things.

There's no workaround for the vulnerability. Microsoft said in the security bulletin issued Tuesday that the only way to correct the problem is to install the fix, which is available through the Windows Update service. Windows NT 4.0, Windows 2000, Windows XP, and Windows Server 2003 are all affected and must be patched.

"These flaws can be detected and exploited remotely, and have the potential to cause serious damage if not immediately remediated," said executives at eEye Digital Security, the firm which uncovered the problem in July 2003. "Ironically, the security-related functionality in Windows is especially adept at rendering a machine vulnerable to an attack."

At Microsoft's request, eEye held off disclosure of the vulnerability until a patch was created, tested, and released.

The Department of Homeland Security also warned Americans about the software problems with E-mails sent across its new national cyber-alert system.

The disclosure comes just weeks before Microsoft chairman Bill Gates delivers a keynote speech in San Francisco at one of the industry's most important security trade conferences. Microsoft has struggled in recent months against a tide of renewed criticism about security risks in its software, the engine for computers in most of the world's governments, businesses, and homes.

One of the other two bulletins, also rated "critical," relates to Internet Explorer, which has been patched several times in recent weeks. The patch corrects three newly announced vulnerabilities that include flaws in the browser's security model, its URL parsing (which can lead to spoofed addresses, ones leading to malicious Web sites that disguise themselves as legitimate URLs), and in its drag-and-drop operations.

Internet Explorer versions 5.01 and later are affected, said Microsoft, and users should immediately apply the patch.

The third bulletin, ranked as "important," Microsoft's second-most dangerous rating, applies to Windows NT, Windows 2000, and Windows Server 2003, and stems from a problem in how Windows' Internet Naming Service validates data packets. Hackers could exploit this bug to bring down a WINS server.

As with the ASN vulnerability, the other two security flaws can be corrected by applying patches downloaded from Windows Update.

But it's the ASN flaw that has security experts scared. "These are potentially catastrophic vulnerabilities," Marc Maiffret, chief hacking officer at eEye, said in a statement. "It's imperative that organizations immediately apply the appropriate patches to ensure their systems are secure."
