News Release

Chips to ease Microsoft's security nightmare

Reports and Proceedings

New Scientist

CHIP makers are planning a new generation of microprocessors that should plug the gaps that led Microsoft to issue a "critical security alert" last week.

The alert was sparked by the discovery that a raft of Microsoft programs were vulnerable to a problem called "buffer overflow", which hackers can exploit to extract private information from a PC. And the risk of such attacks only worsened when, two days after the alert was issued, critical Windows "source code" was leaked onto the internet, letting hackers see how it works.

A buffer is a section of computer memory that can store a set amount of data. Sometimes, usually because of a software bug, the processor sends more data to the buffer than it can hold, causing it to overflow into the next chunk of buffer memory. This makes computers vulnerable to hackers, because by deliberately making a buffer overflow they can force the computer to execute their malicious code.

The problem is hard to detect, as popular programming languages like C and C++ do not make it easy to track when programs are vulnerable to overflow. But now chip makers Advanced Micro Devices (AMD) and Intel are developing processor chips that will deal with the problem. AMD's Athlon-64 (for PCs) and Opteron (for servers) will protect against buffer overflows when used with a new version of Windows XP. Intel plans similar features on next generation Pentium chips.

Until now, Intel-compatible processors have not been able to distinguish between sections of memory that contain data and those that contain program instructions. This has allowed hackers to insert malicious program instructions in sections of memory that are supposed to contain data only, and use buffer overflow to overwrite the "pointer" data that tells the processor which instruction to execute next. Hackers use this to force the computer to start executing their own code (see Graphic).

The new AMD chips prevent this. They separate memory into instruction-only and data-only sections. If hackers attempt to execute code from the data section of memory, they will fail. Windows will then detect the attempt and close the application.

"Buffer overflows are the largest class of software vulnerabilities that lead to security flaws," says Crispin Cowan, of computer security company Immunix in Portland, Oregon. Buffer overflow was behind the devastating Slammer and Blaster worm attacks on Windows PCs in 2003, and the Slapper worm used it to infect thousands of Linux-based web servers in 2002.

The buffer overflow problem that triggered last week's alert was discovered by engineers at eEye Digital Security in Aliso Viejo, California. It appears in a commonly used component of 20 Microsoft packages, including the Outlook emailer. "It's a most critical vulnerability," says Firas Raouf of eEye. Hackers could exploit the flaw to write email worms that could give them full remote access to a PC. This could happen without the user of the target PC opening an attachment or reading the email that carried it.

The new chips will block this kind of attack. But Cowan believes hackers will find other ways to insert malicious code: for example, by making a program jump to a subsection of its own code at the wrong time, perhaps to open a data port to a hacker. "There's nothing to prevent that kind of attack," Cowan says.
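The mechanism described above can be followed in a toy model, added here as an illustration and not taken from the article, AMD, Intel or Microsoft. The two-page memory layout, the function `run` and the one-letter "instructions" are all assumptions made for the example; it shows an overflow redirecting the next-instruction pointer, the data-page execute check stopping it, and the case Cowan says the check does not cover.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Toy machine, constructed for illustration: two 16-byte pages.
   Page 0 holds program code, page 1 holds data (a buffer and the
   saved "pointer" to the next instruction). */
#define PAGE 16
#define BUF (PAGE + 0)      /* 8-byte buffer at the start of the data page */
#define RET (PAGE + 8)      /* next-instruction pointer, right after the buffer */
enum outcome { RAN_NORMAL, RAN_INJECTED, RAN_WRONG_CODE, BLOCKED };

enum outcome run(int nx, const unsigned char *input, size_t len)
{
    unsigned char mem[2 * PAGE] = {0};
    int executable[2] = { 1, nx ? 0 : 1 };  /* nx: data page is not executable */

    mem[2] = 'N';           /* code page: the instruction the program meant to run */
    mem[5] = 'W';           /* code page: another routine, wrong at this moment */
    mem[RET] = 2;           /* pointer initially targets the intended instruction */

    /* The bug: copy without checking len against the 8-byte buffer. */
    if (len > sizeof mem - BUF) len = sizeof mem - BUF;  /* keep the toy in bounds */
    memcpy(&mem[BUF], input, len);

    unsigned char target = mem[RET];
    if (target >= sizeof mem || !executable[target / PAGE])
        return BLOCKED;     /* processor refuses; the OS closes the application */
    switch (mem[target]) {
    case 'N': return RAN_NORMAL;
    case 'I': return RAN_INJECTED;
    case 'W': return RAN_WRONG_CODE;
    default:  return BLOCKED;   /* not a valid instruction in this toy */
    }
}

int main(void)
{
    /* Constructed inputs: 8 buffer bytes, then a 9th byte that lands on RET. */
    const unsigned char inject[9] = { 'I', 0, 0, 0, 0, 0, 0, 0, BUF };
    const unsigned char reuse[9]  = { 0, 0, 0, 0, 0, 0, 0, 0, 5 };
    printf("injected code, no protection: %d\n", run(0, inject, 9));
    printf("injected code, protection on: %d\n", run(1, inject, 9));
    printf("jump into own code, protection on: %d\n", run(1, reuse, 9));
    return 0;
}
```

With the data page marked non-executable, the redirected pointer into the buffer is refused, while a pointer redirected to an address inside the code page still passes the check.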

###

New Scientist issue: 21st February 2004

Written by ANIL ANANTHASWAMY
