Microsoft Reveals Security Hole in Windows

In a security bulletin published late Wednesday, the software giant urged users of Windows 98, Millennium, NT 4.0, 2000 and XP to download a software patch that fixes the flaw.

A successful attacker wouldn't be able to steal personal information or take control of a victim's machine, said Lynn Terwoerds, security program manager at the Microsoft Security Response Center.

The flaw lies in a so-called ActiveX control used to prove that two parties exchanging information on the Internet are really who they claim to be.

An attacker would have to create and lure users to an infected Web page or send the page as an e-mail. A mail-based attack won't work if the recipient has the default security setting in Outlook Express 6 and Outlook 2002, or in Outlook 98 and 2000 if the user has installed a previous security update.

Microsoft's Terwoerds said the company discovered the flaw during its internal security push, ordered by Bill Gates in January.

Russ Cooper, editor of NTBugtraq, an online clearinghouse for bugs in Microsoft software, said the security hole was "not a big problem in and of itself."

"What's troubling is that (Microsoft) has, in the last few days, had to 'kill' two of its ActiveX controls. This is a further demonstration of a deep flaw in the underlying infrastructure," he said in an e-mail interview.

On Aug. 22, Microsoft revealed another security flaw in an ActiveX control that can be used to take over a user's computer.

Copyright© 2002 The Associated Press. All rights reserved. The information contained in the AP News report may not be published, broadcast, rewritten or redistributed without the prior written authority of The Associated Press.