Microsoft urged customers to immediately apply a free repair patch from its Web site, windowsupdate.microsoft.com.
The company cautioned that hackers could seize control over a victim's computer by attacking these flaws, which affect Windows technology that allows computers to communicate with others across a network.
"We definitely want people to apply this one," said Jeff Jones, Microsoft's senior director for trustworthy computing. Outside researchers and Microsoft's own internal reviews discovered the new flaws after the Blaster infection, he said.
"Many users have become immune to these warnings because they hear them all the time," warns CBS News Technology Consultant Larry Magid. "But what many people don't realize is that when Microsoft cries wolf, there really is a wolf. The safest procedure for the average person is to configure XP to automatically download these patches. Microsoft is frequently updating the operating system as they find security flaws, and, frankly, they find them on a regular basis."
Outside experts said some of the flaws were nearly identical to the problem exploited by the Blaster worm, which spread last month and caused extensive damage. Computer users who applied the earlier patch in July to protect themselves still must install the new patch from Microsoft.
"They're as close as you can be without being the same," said Marc Maiffret, an executive at eEye Digital Security Inc. of Aliso Viejo, Calif., one of three research groups credited with discovering some of the new problems. "It's definitely a big oversight on Microsoft's part that they missed these."
"Because this flaw is so similar to the one that was exploited by Blaster, it would be easy for hackers to exploit this one," said Magid. "As Microsoft admits, this is a serious vulnerability."
A vice president at Network Associates Inc., Robin Matlock, warned that corporations, government agencies and home users will race the clock before the next attack. "Without a doubt, this is a nasty vulnerability. It could easily be exploited," she said. "Administrators are under more pressure here to move quickly."
The disclosure by Microsoft came just moments before its senior security strategist, Phil Reitinger, told lawmakers on the House Government Reform technology subcommittee about the company's efforts to help consumers defend themselves against viruses and other Internet attacks.
"Microsoft is committed to continuing to strengthen our software to make it less vulnerable to attack," said Reitinger, a former deputy chief in the Justice Department's cybercrime division. Still, he acknowledged, "There is no such thing as completely secure software."
Reitinger told lawmakers about the new flaws and said that Microsoft is considering changing Windows to install software repairs automatically; currently, computer users are notified when updates are available and reminded to manually click to install them.
The July announcement from Microsoft about the earlier software flaw in the same Windows technology was deemed so serious it led to separate warnings from the FBI and Homeland Security Department. About three weeks later, unidentified hackers unleashed the earliest version of the Blaster infection.
"The damage done was real," said Rep. William Lacy Clay, D-Mo., adding that the attacks disrupted computers at the Federal Reserve in Atlanta, Maryland's motor vehicle agency and the Minnesota transportation department.
Rep. Candice Miller, R-Mich., said the attacks in August nearly crippled the House of Representatives' e-mail system and "likely inhibited our nation's ability to adequately respond to the vast power outage" this summer.
CBS News' Magid says there are a lot of ways to protect yourself from the worm. "One, of course, is to have the latest software from Microsoft," he said. "But if you have firewall software, that could keep hackers out, and if you keep your anti-virus software up to date, that can also help."
Also during Wednesday's hearing, a deputy assistant U.S. attorney general bristled over suggestions by Rep. Adam Putnam, R-Fla., that the government's lackluster record making arrests after major Internet attacks indicates it does not consider them serious threats.
Such investigations are enormously complicated and frequently point overseas at sophisticated hackers skilled at covering their digital footprints, John Malcolm said.