Microsoft Discloses Security Flaw In Web Server

The Internet Information Server software, which runs about one-third of the world's Web sites, is used by millions of businesses and organizations but less commonly by home users. Microsoft made available a free patch for customers using versions of the software with its Windows NT or Windows 2000 operating systems.

The server software included within Microsoft's newer Windows XP operating system was not affected by the security flaw.

In a separate warning Wednesday, Microsoft said customers of its Windows NT, Windows 2000 and Windows XP operating systems were vulnerable to an unrelated problem affecting Microsoft's technology to connect to the Internet over phone lines. Hackers trying to attack these computers must already have permission to use them, limiting the risks.

A researcher with eEye Digital Security , Riley Hassell, found the Web server flaw in mid-April during testing of eEye's own hacker-defense software, but the discovery was kept closely guarded under an agreement with Microsoft until Wednesday.

Microsoft described the risk to Web servers as "moderate." The company and other top experts, including U.S. officials at the National Security Agency, have for months recommended turning off the vulnerable feature unless customers need it.

One consolation for Microsoft's customers was that the software flaw wasn't easy to exploit by most hackers. "It does take a more sophisticated level of skill," said David Gardner, a security program manager at Microsoft.

Copyright © 2002 The Associated Press. All rights reserved. The information contained in the AP News report may not be published, broadcast, rewritten or redistributed without the prior written authority of The Associated Press.