Microsoft Corp. says it will be at least a week before it issues a fix to a recently discovered vulnerability that could let an attacker take control of an Internet-connected computer.
Microsoft said Tuesday it has created a patch for the flaw in its Windows operating system but needs to test it first. The software giant said it hopes to release the patch as part of its regular monthly security updates next Tuesday. (MSNBC is a Microsoft - NBC joint venture.)
The Redmond company confirmed late last week that some people were trying to take advantage of a flaw in an element of Windows that is used to view images. If a user is tricked into viewing an image, such as on a malicious Web site or within an e-mail attachment, that person's computer could be attacked.
Microsoft said Tuesday that its research indicates the attacks are not widespread. The fact that the vulnerability requires a person to take action — say, opening an e-mail from a stranger — could mitigate the potential damage.
But Marc Maiffret, an executive with eEye Digital Security Inc. of Aliso Viejo, Calif., said the vulnerability still could be troubling because personal firewalls will offer little protection and the attacks can easily be modified to get around security software such as antivirus programs.
Another concern is that the flaw affects versions of Windows desktop and server software dating back to Windows 98.
"It's basically almost any Windows PC right now that you can compromise if you can trick a person to going to the wrong Web site or opening the wrong e-mail," Maiffret said.
The Financial Times reported that concern about the threat was so great among some security experts that they were urging system administrators to take the unusual and controversial step of installing an unofficial patch created over the weekend by a Russian programmer.
While it tests a fix, Microsoft is offering some technical options for decreasing the risk of an exploit. Security experts say the flaw also reinforces the importance of not opening e-mails from strangers or visiting suspect Web sites.