M$ does it again ...

Discussion in 'Computer Science & Culture' started by Chagur, Dec 20, 2001.

Thread Status:
Not open for further replies.
  1. Chagur .Seeker. Registered Senior Member

    Messages:
    2,235
    Windows XP Vulnerable to Hack Attacks

    By TED BRIDIS

    Microsoft's newest version of Windows, billed as the most
    secure ever, contains several serious flaws that allow
    hackers to steal or destroy a victim's data files across
    the Internet or implant rogue computer software. The
    company released a free fix Thursday.

    A Microsoft official acknowledged that the risk to
    consumers was unprecedented because the glitches allow
    hackers to seize control of all Windows XP operating
    system software without requiring a computer user to
    do anything except connect to the Internet.

    Microsoft made available on its Web site a free fix for
    both home and professional editions of Windows XP and
    forcefully urged consumers to install it immediately.

    The flaws, discovered five weeks ago by independent
    security researchers, threatened to undermine widespread
    adoption of Microsoft's latest Windows software, which
    many hope will be an economic catalyst for the sagging
    technology industry.

    The company sold more than 7 million copies of Windows
    XP in the two weeks after it hit stores Oct. 25.

    The vulnerabilities were discovered by three young
    security researchers with eEye Digital Security Inc.
    of Aliso Viejo, Calif., led by Marc Maiffret, a
    21-year-old former hacker. In recent months, Maiffret,
    who calls himself the firm's "chief hacking officer,"
    has advised the FBI and the White House on Internet
    security questions and testified before Congress.

    The Windows XP problems affect a little-used feature that
    eventually will allow consumers to control high-tech
    household appliances using their computers. Called
    "universal plug and play," the feature is activated
    by design in every copy of Windows XP and can be added
    manually to Microsoft's earlier Windows ME software,
    also used by millions of consumers worldwide.

    "This is the first network-based, remote compromise that
    I'm aware of for Windows desktop systems," said Scott
    Culp, manager of Microsoft's security response center.
    "Every Windows XP user needs to immediately take action."
    He called it a "very serious vulnerability."

    Microsoft said a new feature of Windows XP, known as
    "drizzle," can automatically download the free fix, which
    takes several minutes to download, and prompt consumers
    to install it. Microsoft also is working with other software
    companies, such as leading antivirus and firewall vendors,
    to build protection into their products.

    Maiffret and his researchers demonstrated the flaws for
    The Associated Press by hacking into a reporter's laptop
    running Windows XP from 2,300 miles away and successfully
    instructing the computer to connect automatically
    several times to the Web site for the National Security
    Agency, the government's super-secret spy agency.

    Microsoft and Maiffret said there was no suggestion that
    anyone has used these flaws to break into any computers;
    Maiffret predicted that many hackers will be able to
    duplicate his firm's research - and begin breaking into
    unprotected computers - "a couple months from now."

    Microsoft feared that hackers could exploit the flaws
    more quickly if eEye discloses too many details about its
    findings. Leading up to the public announcement, Culp
    said, those researchers behaved "exactly right" by quietly
    notifying Microsoft.

    Riley Hassell, eEye's self-described "network penetration
    specialist," discovered methods for hackers to either
    disrupt a victim's Windows XP computer, order it to
    attack other Internet users or instruct it to run
    commands - such as to delete or steal files or install
    rogue software.

    "This is very serious," said Maiffret. Hackers using
    these methods "could reformat your hard-drive, record your
    keystrokes," he added.

    Hackers could attack individual computers directly,
    though the flaws also allow hackers to transmit an attack
    to a single Internet address and strike all the nearby
    Windows XP computers within a corporation or neighborhood.
    Microsoft said companies and Internet providers can
    reduce the threat by properly configuring their Internet
    traffic-directing devices, called routers.

    The flaws are particularly embarrassing to Microsoft
    because their discovery falls so close to Christmas
    and because of the company's commercial emphasis on
    improved security in Windows XP. The company boasts
    as one of 10 reasons for technology experts to buy
    Windows XP the promise of a "safe, secure and private
    computing experience."

    "This is the most secure version of Windows we have ever
    released," said Culp, adding that complex software "will
    always fall short of perfection."

    One of the problems disclosed Thursday belongs to a
    category of software flaws known as "buffer overflows,"
    which can trick software into accepting dangerous
    commands. Another is the result of broader design
    problems with universal plug and play technology.

    Just last week, Microsoft's corporate security officer,
    Howard Schmidt, expressed frustration about continuing
    threats from overflows. "I'm still amazed that we allow
    these things to occur," he said at a conference of
    technology executives. Schmidt is expected soon to
    resign from Microsoft to work for President Bush's
    top computer security adviser.
     
  2. Google AdSense Guest Advertisement



    to hide all adverts.
  3. Red Devil Born Again Athiest Registered Senior Member

    Messages:
    1,996
    M$ - ouch!

    Bloody 'ell - don't those guys at M$ know what they are doing?? Bloody well should get sacked that's what!

    Please Register or Log in to view the hidden image!

     
  4. Google AdSense Guest Advertisement



    to hide all adverts.
Thread Status:
Not open for further replies.

Share This Page