|Microsoft NT yet another Security Glitch|
|March 10, 1999, 10:50 a.m. PT
update Microsoft has confirmed a security vulnerability in its Windows NT operating system that could allow unauthorized access to sensitive information in administrator files.
The news comes just two days after Microsoft acknowledged that a feature in its Windows 98 operating system can be used to collect information on authors of electronic documents without their knowledge and vowed to fix the problem.
The Windows NT problem is triggered by malicious software that allows a user to get into protected files on an NT system via the screensaver. When the screensaver launches, the malicious user can gain access to privileges that he or she should not ordinarily be able to obtain, Microsoft confirmed. The bug was discovered by Cybermedia Software of India.
Privacy has become an increasingly difficult issue for the computer industry in general. Earlier this week, for example, protests against Intel's Pentium III processor escalated over security ID numbers included on the chips.
Microsoft is working to repair the Windows NT problem and plans to disseminate a patch this week. The company will also issue a security alert to notify users about the problem, according to Scott Culp, security product manager for Microsoft.
"This vulnerability would allow someone to gain more privileges than they should have and do things they shouldn't be able to do," Culp said of the NT problem. However, to exploit the vulnerability, a hacker would have to be sitting at the workstation or server intended for the attack, a fairly rare situation.
"This primarily would affect workstations, but most people are already local administrators on their workstations," Culp said, so the issue would be moot. Because of this, and because the malicious software would have to be fairly sophisticated technically, he believes that "it is not an easy attack to pull off."
"It requires a detailed understanding of the operating system--it's a highly technical attack. This isn't something that's easily put together." There have been no known instances of the hack to date, he added.
The bug affects Windows NT 4.0. Microsoft will repair the problem in the Windows 2000 operating system, Culp said. "We're still investigating all the affected versions," he said.
"We're taking this very seriously. We take security very seriously in all cases," he said.