[CrackMonkey] major XP security bug?
M. Drew Streib
dtype at dtype.org
Thu Dec 20 11:21:29 PST 2001
This seems like hoax kind of material, but it does seem to be confirmed
on the eeyes.com site, although I don't see any Microsoft mention of it.
This came to me as a PGP signed message from a confirmed abc reporter,
for what that is worth...
Can anyone confirm or dispute the story, or the seriousness of it?
----- Forwarded message from "Gallo, Charles A." <Charles.A.Gallo at abc.com> -----
By TED BRIDIS
Associated Press Writer
WASHINGTON (AP) - Microsoft's newest version of Windows, billed
as the most secure ever, contains several serious flaws that allow
hackers to steal or destroy a victim's data files across the
Internet or implant rogue computer software. The company released a
free fix Thursday.
A Microsoft official acknowledged that the risk to consumers was
unprecedented because the glitches allow hackers to seize control
of all Windows XP operating system software without requiring a
computer user to do anything except connect to the Internet.
Microsoft made available on its Web site a free fix for both
home and professional editions of Windows XP and forcefully urged
consumers to install it immediately.
The flaws, discovered five weeks ago by independent security
researchers, threatened to undermine widespread adoption of
Microsoft's latest Windows software, which many hope will be an
economic catalyst for the sagging technology industry.
The company sold more than 7 million copies of Windows XP in the
two weeks after it hit stores Oct. 25.
The vulnerabilities were discovered by three young security
researchers with eEye Digital Security Inc. of Aliso Viejo, Calif.,
led by Marc Maiffret, a 21-year-old former hacker. In recent
months, Maiffret, who calls himself the firm's "chief hacking
officer," has advised the FBI and the White House on Internet
security questions and testified before Congress.
The Windows XP problems affect a little-used feature that
eventually will allow consumers to control high-tech household
appliances using their computers. Called "universal plug and
play," the feature is activated by design in every copy of Windows
XP and can be added manually to Microsoft's earlier Windows ME
software, also used by millions of consumers worldwide.
"This is the first network-based, remote compromise that I'm
aware of for Windows desktop systems," said Scott Culp, manager of
Microsoft's security response center. "Every Windows XP user needs
to immediately take action." He called it a "very serious
Microsoft said a new feature of Windows XP, known as
"drizzle," can automatically download the free fix, which takes
several minutes to download, and prompt consumers to install it.
Microsoft also is working with other software companies, such as
leading antivirus and firewall vendors, to build protection into
Maiffret and his researchers demonstrated the flaws for The
Associated Press by hacking into a reporter's laptop running
Windows XP from 2,300 miles away and successfully instructing the
computer to connect automatically several times to the Web site for
the National Security Agency, the government's super-secret spy
Microsoft and Maiffret said there was no suggestion that anyone
has used these flaws to break into any computers; Maiffret
predicted that many hackers will be able to duplicate his firm's
research - and begin breaking into unprotected computers - "a
couple months from now."
Microsoft feared that hackers could exploit the flaws more
quickly if eEye discloses too many details about its findings.
Leading up to the public announcement, Culp said, those researchers
behaved "exactly right" by quietly notifying Microsoft.
Riley Hassell, eEye's self-described "network penetration
specialist," discovered methods for hackers to either disrupt a
victim's Windows XP computer, order it to attack other Internet
users or instruct it to run commands - such as to delete or steal
files or install rogue software.
"This is very serious," said Maiffret. Hackers using these
methods "could reformat your hard-drive, record your keystrokes,"
Hackers could attack individual computers directly, though the
flaws also allow hackers to transmit an attack to a single Internet
address and strike all the nearby Windows XP computers within a
corporation or neighborhood. Microsoft said companies and Internet
providers can reduce the threat by properly configuring their
Internet traffic-directing devices, called routers.
The flaws are particularly embarrassing to Microsoft because
their discovery falls so close to Christmas and because of the
company's commercial emphasis on improved security in Windows XP.
The company boasts as one of 10 reasons for technology experts to
buy Windows XP the promise of a "safe, secure and private
"This is the most secure version of Windows we have ever
released," said Culp, adding that complex software "will always
fall short of perfection."
One of the problems disclosed Thursday belongs to a category of
software flaws known as "buffer overflows," which can trick
software into accepting dangerous commands. Another is the result
of broader design problems with universal plug and play technology.
Just last week, Microsoft's corporate security officer, Howard
Schmidt, expressed frustration about continuing threats from
overflows. "I'm still amazed that we allow these things to
occur," he said at a conference of technology executives. Schmidt
is expected soon to resign from Microsoft to work for President
Bush's top computer security adviser.
On the Net:
(Copyright 2001 by The Associated Press. All Rights Reserved.)
More information about the Crackmonkey