Washington Post Friday, December 21, 2001; Page E01 Security Flaw Compromises Windows XP By Ariana Eunjung Cha Washington Post Staff Writer When reports of viruses, hackers and software flaws seem to show up in e-mail boxes several times a day, they become almost mundane. But the latest one was a doozy. Microsoft Corp. said its new Windows XP operating system, which it had touted as a "secure and private" computing experience, has an unprecedented flaw. In a security bulletin issued to customers yesterday, Microsoft said the "serious vulnerability" could allow hackers to commandeer all the computers in a neighborhood or company in a single attack. The Redmond, Wash., company urged customers to update their systems with a patch available on its Web site. The acknowledgment could be a blow to the ambitions of Microsoft, which hoped that $500 million worth of flashy advertisements promoting Windows XP would result in billions of dollars worth of sales that would revitalize the high-tech sector. In the two weeks after Windows XP went on sale Oct. 25, 7 million copies were sold, significantly fewer than previous versions of Windows. Analysts said the newly disclosed security problems might deflate sales even more. The problem is in a tool called "universal plug and play" that is included in Windows XP. Beyond standard plug and play, with which computers recognize new peripherals, universal plug and play allows individual devices and even home appliances to connect and communicate with one another. The unintended consequence is that universal plug and play also apparently allows people to seize control of a computer when it connects to the Internet, even if it isn't being used to check e-mail or view Web pages. "We were basically able to take a remote computer and make it connect to the National Security Agency Web site," said Marc Maiffret, one of the three computer experts at eEye Digital Security Inc. who discovered the flaw. It also exists in Windows Millennium Edition if Microsoft's universal plug and play client has been loaded, and in Windows 98 and Windows 98 Second Edition when Microsoft software to share an Internet connection with a Windows XP computer has been installed. The eEye researchers identified two other security holes, one that would allow malicious outsiders to crash an XP system and one that would let hackers coordinate an army of machines to flood a target with fake data. As the most widely used operating system in the world, installed on more than 90 percent of all personal computers, the various versions of Microsoft Windows have benefited and suffered from research by security consultants all over the world. Independent researchers previously have found problems in the Internet Explorer Web browser and the Outlook and Outlook Express e-mail programs. Maiffret said one of his colleagues was just "playing around" with Windows XP when he noticed the problems. "After a few weeks of playing around we noticed it was starting to do bad things," he said. Microsoft spokesman Tom Laemmel said the flaw "slipped through" the company's testing process but that XP's security still is superior to that of previous Windows versions. "When we say Windows XP is the most secure system ever we're not saying it's perfect," he said. Network Associates security research manager Jim Magdych said finding the flaw in XP is a sophisticated task and there is no evidence that anyone has used it yet to break into systems. EEye, based in Aliso Viejo, Calif., and Geneva, said it worked with Microsoft to develop the patch after it discovered the problem in a test version of Windows XP on Oct. 26. Usually, relatively few people take the time to download fixes to security holes. "Unfortunately, we're not at the point yet where administering your home network is a routine task like mowing your lawn, although it should be," Maiffret said. The good news is that Windows XP can automatically alert users to available security patches and other updates -- although the feature is turned off by default. The bad news is that Microsoft isn't sure when it will be able to offer an alert or the software patch through the automatic system. In the meantime, users will have to go to Microsoft's Technet site and download the fix themselves. © 2001 The Washington Post Company -- ========== HURIDOCS-Tech listserv ========== Send mail intended for the list to <email@example.com>. Archives of the list can be found at: http://www.hrea.org/lists/huridocs-tech/ To subscribe to the list, send a message to <firstname.lastname@example.org>, with the following text in the message: subscribe huridocs-tech To unsubscribe from the list, send a message to <email@example.com>, with the following text in the message: unsubscribe huridocs-tech If you have problems (un)subscribing, contact <firstname.lastname@example.org>.
[Reply to this message] [Start a new topic] [Date Index] [Thread Index] [Author Index] [Subject Index] [List Home Page] [HREA Home Page]