Microsoft Warns About Critical Software Flaw

NEW YORK -- People who use Microsoft operating system software have to patch their systems yet again, or their computers will be vulnerable to attacks that could cede control of their computers to hackers, the company announced Tuesday.

Microsoft called the software flaw a "critical" vulnerability, its highest rating. It is the second major security flaw announced this month by Microsoft, which recently began issuing regularly scheduled security patches for its software.

"We urge all of our customers to apply this update," said Stephen Toulouse, a security program manager with Microsoft's security response center.

The flaw affects Abstract Syntax Notation One, a fundamental building block of network operating systems that helps govern how machines communicate with one another and how they establish secure communications. Microsoft's implementation of that standard is flawed, and the flaw could be used to gain control of a target machine. The company said there is no evidence that any attacks based on the flaw had occurred.
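To make concrete what kind of data the article is talking about, here is an added illustration (it is not Microsoft's code, and it does not reproduce the flawed code the article describes, whose details the article does not give): a small, strict decoder for the tag-length-value layout that ASN.1 messages use on the wire (DER), showing the bounds checks a careful decoder performs on every length field before it trusts a single content byte. The function names, the `Tlv` class and the sample message are assumptions constructed for this example.

```python
# Added example: a strict DER tag-length-value decoder (not Microsoft's code).
# It shows why ASN.1 parsing is security-critical: every length field comes
# from the peer, so it is checked against the enclosing bounds before use.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: SEQUENCE { INTEGER 258, OCTET STRING "hi" }
SAMPLE_DER = bytes.fromhex("30080202010204026869")


@dataclass
class Tlv:
    tag: int
    value: bytes                              # raw content octets
    children: Optional[List["Tlv"]] = None    # decoded content for constructed types


def _read_length(buf: bytes, pos: int, end: int) -> Tuple[int, int]:
    """Decode a DER length at buf[pos]; return (length, position after length).
    Rejects truncated input, the indefinite form (0x80), oversized
    length-of-length fields and non-minimal encodings."""
    if pos >= end:
        raise ValueError("truncated: missing length octet")
    first = buf[pos]
    pos += 1
    if first < 0x80:
        return first, pos                     # short form: one octet
    if first == 0x80:
        raise ValueError("indefinite length is not allowed in DER")
    n = first & 0x7F                          # long form: n length octets follow
    if n > 4:
        raise ValueError("length-of-length %d is unreasonably large" % n)
    if pos + n > end:
        raise ValueError("truncated: length field runs past end of input")
    length = int.from_bytes(buf[pos:pos + n], "big")
    if buf[pos] == 0 or length < 0x80:
        raise ValueError("non-minimal length encoding")
    return length, pos + n


def decode(buf: bytes, pos: int = 0, end: Optional[int] = None, depth: int = 0) -> List[Tlv]:
    """Decode every TLV between pos and end. A length is never used to slice
    or recurse until it has been checked against the enclosing bounds."""
    if end is None:
        end = len(buf)
    if depth > 32:
        raise ValueError("nesting too deep")
    items: List[Tlv] = []
    while pos < end:
        tag = buf[pos]
        if (tag & 0x1F) == 0x1F:
            raise ValueError("multi-byte tags are not supported in this example")
        length, pos = _read_length(buf, pos + 1, end)
        if length > end - pos:                # the key check: do not trust the length
            raise ValueError("length %d exceeds remaining %d bytes" % (length, end - pos))
        value = buf[pos:pos + length]
        children = None
        if tag & 0x20:                        # constructed type: decode contents recursively
            children = decode(buf, pos, pos + length, depth + 1)
        items.append(Tlv(tag, value, children))
        pos += length
    return items


def integer_value(t: Tlv) -> int:
    """Interpret an INTEGER's content octets (two's complement, big-endian)."""
    return int.from_bytes(t.value, "big", signed=True)


def parse_sample() -> Tuple[int, bytes]:
    """Decode SAMPLE_DER and return (integer, octet string) from the SEQUENCE."""
    seq = decode(SAMPLE_DER)[0]
    return integer_value(seq.children[0]), seq.children[1].value


def rejects(hexstr: str) -> bool:
    """True if the decoder refuses the given hex-encoded message."""
    try:
        decode(bytes.fromhex(hexstr))
        return False
    except ValueError:
        return True


if __name__ == "__main__":
    print(parse_sample())                     # (258, b'hi')
    print(rejects("301002020102"))            # SEQUENCE claims 16 bytes, only 4 follow
    print(rejects("0481026869"))              # long-form length used for a value < 128
    print(rejects("308201"))                  # length field itself is truncated
```

The three rejected messages are constructed: one claims more content than is present, one uses a non-minimal length form that DER forbids, and one is cut off inside the length field. A decoder that computed `pos + length` without the `length > end - pos` check would read past the message on the first of these, which is the general class of problem that makes ASN.1 decoders worth auditing.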

Russ Cooper, a security expert with TruSecure Corp., said that the newly announced vulnerability was especially insidious because it could allow attacks on the equivalent of the computer's immune system.

"It's like AIDS," he said. "This is the stuff that's supposed to protect us!"

For now, Cooper said, computer users are probably safe because the flaw "is not exactly a simple one" to take advantage of, and no attack that would exploit the flaw has appeared on the hacker sites where such code is freely circulated. But once such an attack method is created, he said he expected to see a malicious software program that could circulate via mass e-mail and which would have as profound an effect on computer networks as the widespread "Blaster" worm of last year.

A security company, eEye Digital Security, reported the problem to Microsoft last July. Because the software flaw is common to so many operating systems and applications, "this is one of the biggest ones ever," said Mark Maiffret, an executive at eEye whose official title is "chief hacking officer."

Maiffret said that he was surprised that it took Microsoft so long to issue a patch. "All the reason Microsoft gave us was 'extra testing,' but it doesn't take that long to test something this simple," he said.

Toulouse of Microsoft disagreed. "We don't just produce a fix, we produce a comprehensive fix," he said. A quick response that does not work for every user, or which introduces new vulnerabilities, "would almost be worse than no fix at all," he said.

Microsoft urged users of virtually all of its current operating systems -- Windows NT, Windows 2000 or Windows XP versions of its software, as well as Windows NT Server, Server 2000 and Server 2003 -- to go to www.windowsupdate.com to download the patch.