Rense.com



Windows XP Security Bug
'Very Serious' Says Microsoft
By Will Knight
NewScientist.com
12-22-1

A software glitch with Windows XP, Microsoft's new flagship operating system, leaves users in unprecedented danger according to the company's own security experts. Some older versions of Windows may also be affected.

The hole is in a service called Universal Plug and Play, which comes as standard with Windows XP. The bug allows a malicious hacker to gain complete control over a computer. UPnP is intended to allow a PC to control a broad range of hardware, including the latest home appliances. UPnP can also be added to Windows 98, 98SE and ME.

Microsoft representatives say that the fault poses an unprecedented risk because a user is vulnerable as soon as they connect to the internet - no other action is required. The company has recommended that all users running UPnP download and install a new patch immediately.

Worldwide alert

Microsoft touted Windows XP as its most secure operating system ever when the software was launched worldwide on 25 October. The company estimates that it has sold over seven million copies of the platform since then.

Spokesman Jim Desler said: "We are in the process of notifying our customers. We have mobilized all of our technical account managers worldwide who work with big clients and we have a very broad email list for email notification."

There are two sides to the UPnP flaw. The first could allow the hacker to break into a Windows system and run any programs or code they choose by sending a specially designed network message. This takes advantage of an error in the way the service allocates memory to different processes.

The second might enable the hacker to overload a Windows machine and prevent it from functioning properly. This can be achieved by sending similarly customised network messages repeatedly.

Protocol problem

The hole was discovered by Riley Hassell of US security company eEye Digital Security. In his advisory, Hassell hints that there may be further problems with the UPnP service.

It reads: "We at eEye believe that there are several security issues with the UPnP protocol itself. However, these more generic issues are out of the scope of this advisory. Expect a detailed paper to be released from eEye within the coming weeks."

The US government-sponsored computer monitoring service, the Computer Emergency Response Team has also issued an open warning to computer users about the problem.
 
http://www.newscientist.com/news/news.jsp?id=ns99991726
 
 
MainPage
http://www.rense.com


This Site Served by TheHostPros