Windows XP Vulnerable to Hack Attacks
By TED BRIDIS
Microsoft's newest version of Windows, billed as the most
secure ever, contains several serious flaws that allow
hackers to steal or destroy a victim's data files across
the Internet or implant rogue computer software. The
company released a free fix Thursday.
A Microsoft official acknowledged that the risk to
consumers was unprecedented because the glitches allow
hackers to seize control of all Windows XP operating
system software without requiring a computer user to
do anything except connect to the Internet.
Microsoft made available on its Web site a free fix for
both home and professional editions of Windows XP and
forcefully urged consumers to install it immediately.
The flaws, discovered five weeks ago by independent
security researchers, threatened to undermine widespread
adoption of Microsoft's latest Windows software, which
many hope will be an economic catalyst for the sagging
technology industry.
The company sold more than 7 million copies of Windows
XP in the two weeks after it hit stores Oct. 25.
The vulnerabilities were discovered by three young
security researchers with eEye Digital Security Inc.
of Aliso Viejo, Calif., led by Marc Maiffret, a
21-year-old former hacker. In recent months, Maiffret,
who calls himself the firm's "chief hacking officer,"
has advised the FBI and the White House on Internet
security questions and testified before Congress.
The Windows XP problems affect a little-used feature that
eventually will allow consumers to control high-tech
household appliances using their computers. Called
"universal plug and play," the feature is activated
by design in every copy of Windows XP and can be added
manually to Microsoft's earlier Windows ME software,
also used by millions of consumers worldwide.
"This is the first network-based, remote compromise that
I'm aware of for Windows desktop systems," said Scott
Culp, manager of Microsoft's security response center.
"Every Windows XP user needs to immediately take action."
He called it a "very serious vulnerability."
Microsoft said a new feature of Windows XP, known as
"drizzle," can automatically download the free fix, which
takes several minutes to download, and prompt consumers
to install it. Microsoft also is working with other software
companies, such as leading antivirus and firewall vendors,
to build protection into their products.
Maiffret and his researchers demonstrated the flaws for
The Associated Press by hacking into a reporter's laptop
running Windows XP from 2,300 miles away and successfully
instructing the computer to connect automatically
several times to the Web site for the National Security
Agency, the government's super-secret spy agency.
Microsoft and Maiffret said there was no suggestion that
anyone has used these flaws to break into any computers;
Maiffret predicted that many hackers will be able to
duplicate his firm's research - and begin breaking into
unprotected computers - "a couple months from now."
Microsoft feared that hackers could exploit the flaws
more quickly if eEye discloses too many details about its
findings. Leading up to the public announcement, Culp
said, those researchers behaved "exactly right" by quietly
notifying Microsoft.
Riley Hassell, eEye's self-described "network penetration
specialist," discovered methods for hackers to either
disrupt a victim's Windows XP computer, order it to
attack other Internet users or instruct it to run
commands - such as to delete or steal files or install
rogue software.
"This is very serious," said Maiffret. Hackers using
these methods "could reformat your hard-drive, record your
keystrokes," he added.
Hackers could attack individual computers directly,
though the flaws also allow hackers to transmit an attack
to a single Internet address and strike all the nearby
Windows XP computers within a corporation or neighborhood.
Microsoft said companies and Internet providers can
reduce the threat by properly configuring their Internet
traffic-directing devices, called routers.
The flaws are particularly embarrassing to Microsoft
because their discovery falls so close to Christmas
and because of the company's commercial emphasis on
improved security in Windows XP. The company boasts
as one of 10 reasons for technology experts to buy
Windows XP the promise of a "safe, secure and private
computing experience."
"This is the most secure version of Windows we have ever
released," said Culp, adding that complex software "will
always fall short of perfection."
One of the problems disclosed Thursday belongs to a
category of software flaws known as "buffer overflows,"
which can trick software into accepting dangerous
commands. Another is the result of broader design
problems with universal plug and play technology.
Just last week, Microsoft's corporate security officer,
Howard Schmidt, expressed frustration about continuing
threats from overflows. "I'm still amazed that we allow
these things to occur," he said at a conference of
technology executives. Schmidt is expected soon to
resign from Microsoft to work for President Bush's
top computer security adviser.
By TED BRIDIS
Microsoft's newest version of Windows, billed as the most
secure ever, contains several serious flaws that allow
hackers to steal or destroy a victim's data files across
the Internet or implant rogue computer software. The
company released a free fix Thursday.
A Microsoft official acknowledged that the risk to
consumers was unprecedented because the glitches allow
hackers to seize control of all Windows XP operating
system software without requiring a computer user to
do anything except connect to the Internet.
Microsoft made available on its Web site a free fix for
both home and professional editions of Windows XP and
forcefully urged consumers to install it immediately.
The flaws, discovered five weeks ago by independent
security researchers, threatened to undermine widespread
adoption of Microsoft's latest Windows software, which
many hope will be an economic catalyst for the sagging
technology industry.
The company sold more than 7 million copies of Windows
XP in the two weeks after it hit stores Oct. 25.
The vulnerabilities were discovered by three young
security researchers with eEye Digital Security Inc.
of Aliso Viejo, Calif., led by Marc Maiffret, a
21-year-old former hacker. In recent months, Maiffret,
who calls himself the firm's "chief hacking officer,"
has advised the FBI and the White House on Internet
security questions and testified before Congress.
The Windows XP problems affect a little-used feature that
eventually will allow consumers to control high-tech
household appliances using their computers. Called
"universal plug and play," the feature is activated
by design in every copy of Windows XP and can be added
manually to Microsoft's earlier Windows ME software,
also used by millions of consumers worldwide.
"This is the first network-based, remote compromise that
I'm aware of for Windows desktop systems," said Scott
Culp, manager of Microsoft's security response center.
"Every Windows XP user needs to immediately take action."
He called it a "very serious vulnerability."
Microsoft said a new feature of Windows XP, known as
"drizzle," can automatically download the free fix, which
takes several minutes to download, and prompt consumers
to install it. Microsoft also is working with other software
companies, such as leading antivirus and firewall vendors,
to build protection into their products.
Maiffret and his researchers demonstrated the flaws for
The Associated Press by hacking into a reporter's laptop
running Windows XP from 2,300 miles away and successfully
instructing the computer to connect automatically
several times to the Web site for the National Security
Agency, the government's super-secret spy agency.
Microsoft and Maiffret said there was no suggestion that
anyone has used these flaws to break into any computers;
Maiffret predicted that many hackers will be able to
duplicate his firm's research - and begin breaking into
unprotected computers - "a couple months from now."
Microsoft feared that hackers could exploit the flaws
more quickly if eEye discloses too many details about its
findings. Leading up to the public announcement, Culp
said, those researchers behaved "exactly right" by quietly
notifying Microsoft.
Riley Hassell, eEye's self-described "network penetration
specialist," discovered methods for hackers to either
disrupt a victim's Windows XP computer, order it to
attack other Internet users or instruct it to run
commands - such as to delete or steal files or install
rogue software.
"This is very serious," said Maiffret. Hackers using
these methods "could reformat your hard-drive, record your
keystrokes," he added.
Hackers could attack individual computers directly,
though the flaws also allow hackers to transmit an attack
to a single Internet address and strike all the nearby
Windows XP computers within a corporation or neighborhood.
Microsoft said companies and Internet providers can
reduce the threat by properly configuring their Internet
traffic-directing devices, called routers.
The flaws are particularly embarrassing to Microsoft
because their discovery falls so close to Christmas
and because of the company's commercial emphasis on
improved security in Windows XP. The company boasts
as one of 10 reasons for technology experts to buy
Windows XP the promise of a "safe, secure and private
computing experience."
"This is the most secure version of Windows we have ever
released," said Culp, adding that complex software "will
always fall short of perfection."
One of the problems disclosed Thursday belongs to a
category of software flaws known as "buffer overflows,"
which can trick software into accepting dangerous
commands. Another is the result of broader design
problems with universal plug and play technology.
Just last week, Microsoft's corporate security officer,
Howard Schmidt, expressed frustration about continuing
threats from overflows. "I'm still amazed that we allow
these things to occur," he said at a conference of
technology executives. Schmidt is expected soon to
resign from Microsoft to work for President Bush's
top computer security adviser.
