Microsoft plugs 'critical' hole

Microsoft is urging users to patch a 'critical' hole discovered by a Polish group of hackers that allows an attacker to take control of Windows-based PCs.

Windows users should expect to have another update from Microsoft waiting for them on their computers.

The software giant issued a patch on Wednesday morning to plug a critical security hole that could allow an attacker to take control of computers running any version of Windows except for Windows ME.

A group of Polish hackers and independent security consultants, known as the Last Stage of Delirium, discovered the flaw and worked with Microsoft to fix it.

"It should be emphasised that this vulnerability poses an enormous threat, and appropriate patches provided by Microsoft should be immediately applied," the group said in an advisory posted to its website. The group said that programs designed to exploit the vulnerability will probably be available on the internet soon.

The flaw is in a component of the operating system that allows other computers to request the Windows system perform an action or service. The component, known as the remote procedure call (RPC) process, facilitates such activities such as sharing files and allowing others to use the computer's printer.

By sending too much data to the RPC process, an attacker can cause the system to grant full access to the system.

"This would give the attacker the ability to take any action on the server that they want," Microsoft stated in its advisory. "For example, an attacker could change web pages, reformat the hard disk, or add new users to the local administrators group."

Jeff Jones, senior director for Microsoft's Trustworthy Computing effort, said that, in addition to applying the patch, users and systems administrator should close down any unused communications channels, or ports.

"Customers should protect their network with a firewall," he said. "Individual users should use the Internet Connection Firewall or some other personal firewall." The Internet Connection Firewall is a feature of Windows XP and Windows 2003 that limits the ways that a potential intruder could attack from the network.

Internet Security Systems, a network protection company based in Atlanta, warned its customers of the flaw on Wednesday. The company said in an advisory that it had raised its measure of the danger posed by threats on the internet because of the vulnerability's seriousness.

Microsoft is well into the second year of its Trustworthy Computing initiative. Aimed at boosting customers' trust in the company's products, the initiative has been both praised as a bold move to become a leader in security and criticised as largely ineffectual.

Jones says the company is learning from its mistakes. In this case, Microsoft analysed where the flaw crept in, and it developed plans to build in the expertise to detect it in the company's in-house development tools.

"It was primarily a process issue," he said. "We will be updating our automated scanning tool to make sure this type of issue is detected in the future."

Robert Lemos writes for CNET News.com