- A software glitch with Windows XP, Microsoft's new flagship
operating system, leaves users in unprecedented danger according to the
company's own security experts. Some older versions of Windows may also
be affected.
The hole is in a service called Universal Plug and Play, which comes as
standard with Windows XP. The bug allows a malicious hacker to gain complete
control over a computer. UPnP is intended to allow a PC to control a broad
range of hardware, including the latest home appliances. UPnP can also
be added to Windows 98, 98SE and ME.
Microsoft representatives say that the fault poses an unprecedented risk
because a user is vulnerable as soon as they connect to the internet -
no other action is required. The company has recommended that all users
running UPnP download and install a new patch immediately.
- Worldwide alert
- Microsoft touted Windows XP as its most secure operating
system ever when the software was launched worldwide on 25 October. The
company estimates that it has sold over seven million copies of the platform
since then.
Spokesman Jim Desler said: "We are in the process of notifying our
customers. We have mobilized all of our technical account managers worldwide
who work with big clients and we have a very broad email list for email
notification."
There are two sides to the UPnP flaw. The first could allow the hacker
to break into a Windows system and run any programs or code they choose
by sending a specially designed network message. This takes advantage of
an error in the way the service allocates memory to different processes.
The second might enable the hacker to overload a Windows machine and prevent
it from functioning properly. This can be achieved by sending similarly
customised network messages repeatedly.
- Protocol problem
- The hole was discovered by Riley Hassell of US security
company eEye Digital Security. In his advisory, Hassell hints that there
may be further problems with the UPnP service.
It reads: "We at eEye believe that there are several security issues
with the UPnP protocol itself. However, these more generic issues are out
of the scope of this advisory. Expect a detailed paper to be released from
eEye within the coming weeks."
The US government-sponsored computer monitoring service, the Computer Emergency
Response Team has also issued an open warning to computer users about the
problem.
-
- http://www.newscientist.com/news/news.jsp?id=ns99991726
|
