Windows PCs face 'huge' virus threat
By Kevin Allison in San Francisco
Published: January 2 2006 18:18
Last updated: January 2 2006 22:19
Computer security experts were grappling with the threat of a
newweakness in Microsoft's Windows operating system that could put
hundreds of millions of PCs at risk of infection by spyware or
The news marks the latest security setback for Microsoft, the world's
biggest software company, whose Windows operating system is a
favourite target for hackers.
"The potential [security threat] is huge," said Mikko Hyppönen, chief
research officer at F-Secure, an antivirus company. "It's probably
bigger than for any other vulnerability we've seen. Any version of
Windows is vulnerable right now." The flaw, which allows hackers to
infect computers using programs maliciously inserted into seemingly
innocuous image files, was first discovered last week. But the
potential for damaging attacks increased dramatically at the weekend
after a group of computer hackers published the source code they used
to exploit it. Unlike most attacks, which require victims to download
or execute a suspect file, the new vulnerability makes it possible for
users to infect their computers with spyware or a virus simply by
viewing a web page, e-mail or instant message that contains a
"We haven't seen anything that bad yet, but multiple individuals and
groups are exploiting this vulnerability," Mr Hyppönen said. He said
that every Windows system shipped since 1990 contained the flaw.
Microsoft said in a security bulletin on its website that it was aware
that the vulnerability was being actively exploited. But by early
yesterday, it had not yet released an official patch to correct the
flaw. "We are working closely with our antivirus partners and aiding
law enforcement in its investigation," the company said. In the
meantime, Microsoft said it was urging customers to be careful opening
e-mail or following web links from untrusted sources.
Meanwhile, some security experts were urging system administrators to
take the unusual step of installing an unofficial patch created at the
weekend by Ilfak Guilfanov, a Russian computer programmer.
Concerns remain that without an official patch, many corporate
information technology systems could remain vulnerable as employees
trickle back to work after the holiday weekend.
"We've received many e-mails from people saying that no one in a
corporate environment will find using an unofficial patch acceptable,"
wrote Tom Liston, a researcher at the Internet Storm Center, an
antivirus research group. Both ISC and F-Secure have endorsed the
Microsoft routinely identifies or receives reports of security
weaknesses but most such vulnerabilities are limited to a particular
version of the Windows operating system or other piece of Microsoft
software. In recent weeks, the company has been touting its progress
in combating security threats.
The company could not be reached on Monday for comment.