Microsoft Corp. on Wednesday warned about a serious flaw in all versions of its popular Windows software that could allow hackers to seize control of a person's computer when victims read e-mails or visit Web sites.
Microsoft assessed the problem's urgency as critical, its highest level, and urged customers to immediately download a free patch from its Web site, www.microsoft.com/security.
A top Microsoft security official, Steve Lipner, said the vulnerability was being discussed openly among experts on the Internet when Microsoft learned about the flaw early in January.
An Internet security company, iDefense Inc. of Chantilly, Va., said Wednesday it learned about the flaw in December 2002 from Roland Postle, a respected British computer security researcher widely known on the Internet as "Blazede," and passed the information to Microsoft on Jan. 9.
But iDefense also immediately and quietly warned its clients, which include large corporations and U.S. agencies, before Microsoft could fix the problem.
"It was made public before we had our fix out," said Lipner, Microsoft's director of security assurance. "It was under fairly wide discussion in some forums that we heard about."
Microsoft and iDefense said they were unaware of any reports that hackers already had used the technique to break into computers, even though months had passed between the disclosure of the flaw and Wednesday's announcement that it could be fixed.
Russ Cooper, a security expert for TruSecure Corp., based in Herndon, Va., predicted that antivirus software will be updated to protect users who might receive infected e-mails and that Web sites with infected pages would be shut down quickly once they are detected.
"I doubt we will see an attack based on this," Cooper said. "It's pretty unlikely any such exploit attempt will get legs."
The problem involves tricking Windows into processing unsafe code built into a Web page or e-mail message. It was particularly unusual because it affected so many different versions of Windows, from Windows 98 to its latest Windows XP editions.
Lipner confirmed that the faulty software code was created years ago and included in every successive generation of Windows software without programmers ever realizing it was so seriously flawed — even after the intensive scrutiny of Microsoft's latest flagship, Windows XP, which the company has billed as its most secure ever.
"I would have hoped this would have been caught," Lipner said. "Clearly it's one of those things we'll be looking at."
Lipner said Microsoft's automated software scanners were being updated to detect similar problems. He said the flaw announced Wednesday was "not obvious by any stretch of the imagination" even to experts studying software blueprints.
There was some good news. Microsoft said customers using the newest versions of its e-mail software, Outlook Express 6 and Outlook 2002, were protected from hackers trying to exploit the problem using e-mails.
Older versions of Outlook would also be safe if customers had manually applied another security patch, which Microsoft released in 2000 after the spread of the damaging "ILOVEYOU" virus.
Microsoft said customers could manually adjust settings hidden deep within its Internet Explorer browsing software to prevent Windows from processing the dangerous code. Experts, however, said that was not easy to do for many users and that it would cripple convenient functions for many popular Web sites.