Another one - this time a long-standing Windows bug


re: http://www.washingtonpost.com/wp-dyn/articles/A54371-2003Mar19.html

"Microsoft Corp. on Wednesday warned about a serious flaw in almost every version of its popular Windows software that could allow hackers to seize control of a person's computer when victims read e-mails or visit Web sites. Microsoft assessed the problem's urgency as critical, its highest level, and urged customers to download a free repairing patch immediately from its Web site, www.microsoft.com/security."

"It was particularly unusual because it affected so many different versions of Windows, from Windows 98 to its latest Windows XP editions.  There was some good news. Microsoft said customers using the newest versions of its e-mail software, Outlook Express 6 and Outlook 2002, were protected from hackers trying to exploit the problem using e-mails.   Older versions of Outlook would also be safe if customers had manually applied another security patch, which Microsoft released in 2000 after the spread of the damaging "ILOVEYOU" virus."

Here is a bug that has been around for a LONG time and may have been known to "quiet" attackers for quite a while.  Maybe, maybe not - you have to make your own best guess for the risk.

It is interesting that despite the major code differences between Win98 and Win XP the flaw is in all of them.  Could be that the flaw is not one of implementation, but of design or operational concept or of a lack of consideration of the down-side of some "great" functional capability :-).

Also see: http://www.microsoft.com/security/security_bulletins/ms03-008.asp

Cheers,
Gary

PS - You make your call as to whether this is finally the last one, we got all the bugs.

**************************************************************************
* Opinions expressed are not intended to reflect an official position
**************************************************************************
* Gary Stoneburner
* Computer Security Division, National Institute of Standards & Technology
* 100 Bureau Drive, Stop 8930, Gaithersburg, MD 20877-8930         
* Phone: 301-975-5394, FAX: 301-948-0279, Email: Stoneburner@nist.gov
**************************************************************************


