Microsoft patch still at least a week away
By Allison Linn
Associated Press
SEATTLE — Microsoft Corp. says it will be at least a week before it issues a fix to a recently discovered vulnerability that could let an attacker take control of an Internet-connected computer.
Microsoft said yesterday it has created a patch for the flaw in its Windows operating system but needs to test it first. The software giant said it hopes to release the patch on Tuesday as part of its regular monthly security updates.
The company confirmed late last week that some people were trying to take advantage of a flaw in an element of Windows that is used to view images. If a user is tricked into viewing an image, such as on a malicious Web site or within an e-mail attachment, that person's computer could be attacked.
Microsoft said its research indicates the attacks are not widespread. The fact that the vulnerability requires a person to take action — say, opening an e-mail from a stranger — could mitigate the potential damage.
But Marc Maiffret, an executive with eEye Digital Security Inc. of Aliso Viejo, Calif., said the vulnerability still could be troubling because personal firewalls will offer little protection and the attacks can easily be modified to get around security software such as antivirus programs.
Another concern is that the flaw affects versions of Windows desktop and server software dating back to Windows 98.
"It's basically almost any Windows PC right now that you can compromise if you can trick a person to going to the wrong Web site or opening the wrong e-mail," Maiffret said.
While it tests a fix, Microsoft is offering some technical options for decreasing the risk of an attack. Security experts say the flaw also reinforces the importance of not opening e-mails from strangers or visiting suspect Web sites.