A previously unknown flaw in Microsoft Corp.'s Windows operating system is leaving computer users vulnerable to spyware, viruses and other programs that could overtake their machines.
Users can infect their computers by visiting certain Web sites that are able to exploit some Windows-based applications, Internet security company Panda Software said Friday. It called the discovery "one of the most serious vulnerabilities recently detected."
The flaw to the world's most popular software leaves PCs open to adware and spyware as well as Trojans that can hide damaging programs. Internet Explorer, Outlook and the Windows Picture and Fax viewer are used to insert the potentially harmful code, said Patrick Hinojosa, chief technology officer of Panda.
"Because this exploits particular programs on Windows, rather than Windows itself, your machine can get infected simply by visiting a Web site that's set up to exploit the flaw," he said.
Microsoft is investigating reports of the problem, the Redmond, Wash., company said on its Web site. Microsoft hasn't yet developed a security patch.
Mike Reavey, operations manager for Microsoft's Security Response Center, called the flaw "a very serious issue." He encouraged users to update their antivirus software, ensure all Windows security patches are installed, avoid visiting unfamiliar Web sites, and refrain from clicking on links that arrive via e-mail or instant message.
Security researchers revealed the flaw on Tuesday and posted instructions online that showed how would-be attackers could exploit the flaw. Within hours, computer virus and spyware authors were using the flaw to distribute malicious programs that could allow them to take over and remotely control afflicted computers.
Panda found cases of infection almost immediately after the flaw was first reported, Hinojosa said.
Web sites exploiting the security lapse include Toolbar.biz and BuyToolbar.biz, Panda said. The sites are set up to install malicious code by using the way applications process Windows Metafiles to show images.
Dean Turner, a senior manager at antivirus firm Symantec Corp. of Cupertino, Calif., said the company has seen the vulnerability exploited to install software that intercepts personal and financial information when users of infected computers enter the data at certain banking or e-commerce sites.
Microsoft has been working to improve the security of Windows, which has come under attack from more than 17,000 computer viruses and worms. The latest vulnerability was found in Windows XP, Windows 2000 and Windows NT systems. Panda said it is still testing Windows 98 for the flaw.
Because the vulnerability exists within a faulty Windows component, security experts warn that Windows users who eschew Internet Explorer in favor of alternative Web browsers, such as older versions of Firefox and Opera, can still get their PCs infected if they agree to download a file from a site taking advantage of the flaw.
- - -
Protect yourself
To avoid infecting your computer with a virus, Microsoft advises Windows users to take the following steps:
- Update antivirus software.
- Don't visit unfamiliar Web sites.
- Don't click on links that arrive via e-mail or instant message. Also, don't open e-mail attachments sent from an unknown source.
but true.
When I was running 98 it crashed at least 10 times a day.
