[Reader-list] Security Flaw Compromises Windows XP
Harsh Kapoor
aiindex at mnet.fr
Fri Dec 21 23:24:55 IST 2001
Washington Post
Friday, December 21, 2001; Page E01
Security Flaw Compromises Windows XP
By Ariana Eunjung Cha
Washington Post Staff Writer
When reports of viruses, hackers and software flaws seem to show up
in e-mail boxes several times a day, they become almost mundane. But
the latest one was a doozy.
Microsoft Corp. said its new Windows XP operating system, which it
had touted as a "secure and private" computing experience, has an
unprecedented flaw.
In a security bulletin issued to customers yesterday, Microsoft said
the "serious vulnerability" could allow hackers to commandeer all the
computers in a neighborhood or company in a single attack. The
Redmond, Wash., company urged customers to update their systems with
a patch available on its Web site.
The acknowledgment could be a blow to the ambitions of Microsoft,
which hoped that $500 million worth of flashy advertisements
promoting Windows XP would result in billions of dollars worth of
sales that would revitalize the high-tech sector.
In the two weeks after Windows XP went on sale Oct. 25, 7 million
copies were sold, significantly fewer than previous versions of
Windows. Analysts said the newly disclosed security problems might
deflate sales even more.
The problem is in a tool called "universal plug and play" that is
included in Windows XP. Beyond standard plug and play, with which
computers recognize new peripherals, universal plug and play allows
individual devices and even home appliances to connect and
communicate with one another.
The unintended consequence is that universal plug and play also
apparently allows people to seize control of a computer when it
connects to the Internet, even if it isn't being used to check e-mail
or view Web pages.
"We were basically able to take a remote computer and make it connect
to the National Security Agency Web site," said Marc Maiffret, one of
the three computer experts at eEye Digital Security Inc. who
discovered the flaw. It also exists in Windows Millennium Edition if
Microsoft's universal plug and play client has been loaded, and in
Windows 98 and Windows 98 Second Edition when Microsoft software to
share an Internet connection with a Windows XP computer has been
installed.
The eEye researchers identified two other security holes, one that
would allow malicious outsiders to crash an XP system and one that
would let hackers coordinate an army of machines to flood a target
with fake data.
As the most widely used operating system in the world, installed on
more than 90 percent of all personal computers, the various versions
of Microsoft Windows have benefited and suffered from research by
security consultants all over the world. Independent researchers
previously have found problems in the Internet Explorer Web browser
and the Outlook and Outlook Express e-mail programs.
Maiffret said one of his colleagues was just "playing around" with
Windows XP when he noticed the problems. "After a few weeks of
playing around we noticed it was starting to do bad things," he said.
Microsoft spokesman Tom Laemmel said the flaw "slipped through" the
company's testing process but that XP's security still is superior to
that of previous Windows versions.
"When we say Windows XP is the most secure system ever we're not
saying it's perfect," he said.
Network Associates security research manager Jim Magdych said finding
the flaw in XP is a sophisticated task and there is no evidence that
anyone has used it yet to break into systems.
EEye, based in Aliso Viejo, Calif., and Geneva, said it worked with
Microsoft to develop the patch after it discovered the problem in a
test version of Windows XP on Oct. 26.
Usually, relatively few people take the time to download fixes to
security holes. "Unfortunately, we're not at the point yet where
administering your home network is a routine task like mowing your
lawn, although it should be," Maiffret said.
The good news is that Windows XP can automatically alert users to
available security patches and other updates -- although the feature
is turned off by default.
The bad news is that Microsoft isn't sure when it will be able to
offer an alert or the software patch through the automatic system. In
the meantime, users will have to go to Microsoft's Technet site and
download the fix themselves.
© 2001 The Washington Post Company
--
More information about the reader-list
mailing list