[an error occurred while processing this directive]
BBC News
watch One-Minute World News
Last Updated: Wednesday, 11 February, 2004, 18:43 GMT
'Protect PCs' Microsoft users told
Screenshot of Microsoft's warning
Microsoft has admitted to "critical" security flaws
Security experts have warned PC users running Microsoft Windows to make sure their anti-virus software is updated.

It comes after Microsoft earlier said that a critical flaw in its latest versions of Windows operating systems could leave PCs vulnerable to hackers.

It has urged home users and firms to download the free software repair patch from its website to fix it.

If users do not download the patch, and protect their computers, they could be left open to worm or virus attacks.

The flaw affects systems running Windows NT, Windows 2000, Windows XP or Windows Server 2003 software.

'Extremely deep problem'

It was found by a US net security firm in July 2003, and was announced in Microsoft's monthly security bulletin on Tuesday.

Security experts Sophos, said computer users should keep a sense of proportion about the flaw, however.

"At the moment, we haven't seen any hackers or worms exploiting this hole, but that doesn't mean computer users don't need to protect their PCs," said Sophos' Carole Theriault.

Windows 2000
Windows XP
Windows Server 2003
Windows NT Workstation 4.0
Windows NT Server 4.0
Windows NT 4.0 Server, Terminal Server Edition

"Everyone should ensure their computer is patched against this vulnerability as soon as possible."

As well as leaving systems open to possible worm and virus threats, the flaw leaves computers vulnerable to hackers who could break into computers and take files, delete or steal valuable data, and snoop on what users are doing.

Stephen Toulouse, security program manager for Microsoft's Security Response Center, said the problem was "an extremely deep and pervasive technology in Windows" which affects the language standard that computers use to communicate with each other.

According to Sal Viveros, security expert with McAfee Security, many home users are not aware they should fix flaws and download patches when they are identified.

Historically, Mr Viveros told BBC News Online, net security firms have seen an increase in mass-mailing worm and virus attacks which try to take advantage of unpatched systems after flaws are discovered.

"There is no evidence that the recent worms [Mydoom and its variants] took advantage of this flaw," he said.

"But historically, what we have seen is that computer users do not patch their systems, which is why we continue to see such worm attacks."

He urged computer users to download the patch as soon as possible and to make sure they keep anti-virus software and firewalls up-to-date.

Microsoft criticised

Computer security company, eEye Digital Security, has criticised Microsoft for taking so long to come up with a fix.

Marc Maiffret, from eEye, said it had spotted the vulnerability and told Microsoft about it over six months ago

"This is one of the most serious Microsoft vulnerabilities ever released," said Mr Maiffret.

"The breadth of systems affected is probably the largest ever." He added that, unusually, even the most secure Windows networks would be vulnerable.

But McAfee said it was standard practice within the industry not to announce vulnerabilities as soon as they are spotted.

"Typically if someone identifies a flaw, they give the vendor a certain amount of time to fix it. If people don't know about it, virus writers are less likely to write something to take advantage of it," said Mr Viveros.

If Microsoft had announced the flaw without having a fix for it, the potential damage would have been much much worse, he added.

Steven Philippsohn, who chairs a government fraud and cybercrime panel and is a senior partner at Philippsohn Crawfords Berwald, said the delay could be a headache for Microsoft.

"I have no doubt that if manufacturers in cases like this know about a flaw in their system and don't inform at earliest opportunity possible, they could be liable for losses," Mr Philippsohn told BBC News Online.

"It has been made more serious by the fact Microsoft have accepted that they were told about the flaw months ago.

"If a company can prove they suffered losses because of this, they have a good chance of making a claim," he said.

Microsoft said it took so long because it wanted to ensure a single patch solved any related problems.

The BBC's Rory Cellan-Jones
"A warning for computer users around the world"

Microsoft dodges Mydoom onslaught
03 Feb 04  |  Technology
Microsoft fixes 'phishing' flaw
03 Feb 04  |  Technology
Microsoft warns of 'critical' flaws
16 Oct 03  |  Technology
Microsoft faces fresh lawsuit
03 Oct 03  |  Business

The BBC is not responsible for the content of external internet sites


News Front Page | Africa | Americas | Asia-Pacific | Europe | Middle East | South Asia
UK | Business | Entertainment | Science/Nature | Technology | Health
Have Your Say | In Pictures | Week at a Glance | Country Profiles | In Depth | Programmes
Americas Africa Europe Middle East South Asia Asia Pacific