Microsoft issue security bulletin urging users to download soft-ware patch that fixes flaw

RECENT versions of the Microsoft Windows computer operating system contain a “critical” security hole that an attacker could use to prevent some on-line transactions.

Sat, 31 Aug, 2002 - 01:00

In a security bulletin they published, the software giant urged users of Windows 98, Millennium, NT 4.0, 2000 and XP to download a software patch that can fix the flaw.

A successful attacker wouldn’t be able to steal personal information or take control of a victim’s machine, said Lynn Terwoerds, security program manager at the Microsoft Security Response Centre.

The flaw lies in a so-called ActiveX control used to prove that two parties exchanging information on the Internet are really who they claim to be.

An attacker would have to create and lure users to an infected Web page or send the page as an e-mail.

A mail-based attack won’t work if the recipient has the default security setting in Outlook Express 6 and Outlook 2002, or in Outlook 98 and 2000 if the user has installed a previous security update.

Microsoft’s Terwoerds said the company discovered the flaw during its internal security push, ordered by Bill Gates.

Russ Cooper, editor of NTBugtraq, an on-line clearing house for bugs in Microsoft software, said the security hole was “not a big problem in and of itself.”

“What’s troubling is that Microsoft has, in the last few days, had to ‘kill’ two of its ActiveX controls. This is a further demonstration of a deep flaw in the underlying infrastructure,” he said .

A week ago, Microsoft revealed another security flaw in an ActiveX control that can be used to take over a user’s computer.