Microsoft Windows users encouraged to deploy critical vulnerability patch, Sophos offers advice

July 31, 2003 Sophos Press Release

Microsoft has released a patch that reportedly eliminates a critical security vulnerability in some versions of Microsoft Windows.

If exploited, the vulnerability would allow a hacker to gain complete control over a remote computer. The attacker could then take any action they wanted on the computer, including changing web pages, reformatting the hard drive, or adding new users to the local administrators group.

Microsoft says the vulnerability is present in the following versions of Windows: Microsoft Windows NT 4.0, Microsoft Windows NT 4.0 Terminal Services Edition, Microsoft Windows 2000, Microsoft Windows XP, and Microsoft Windows Server 2003. Microsoft Windows Millennium Edition is not believed to be affected.

Further details of the vulnerability and how businesses can patch against it can be found at www.microsoft.com/security/bulletins/200309_windows.mspx.

Microsoft has also published step-by-step instructions for home users on how to help protect their computers with critical updates.

"Loopholes are found in products on a weekly basis, some significant, some trivial," said Graham Cluley, senior technology consultant at Sophos. "IT managers should keep abreast of these loopholes and apply patches where appropriate before viruses and hackers come along to exploit them."

Sophos recommends that every IT manager responsible for security should consider subscribing to vulnerability mailing lists such as that operated by Microsoft at www.microsoft.com/technet/security/bulletin/notify.asp. Other vendors offer similar services.