[Reader-list] Security Flaw Compromises Windows XP

Harsh Kapoor aiindex at mnet.fr
Fri Dec 21 23:24:55 IST 2001

Washington Post
Friday, December 21, 2001; Page E01

Security Flaw Compromises Windows XP

By Ariana Eunjung Cha
Washington Post Staff Writer

When reports of viruses, hackers and software flaws seem to show up 
in e-mail boxes several times a day, they become almost mundane. But 
the latest one was a doozy.

Microsoft Corp. said its new Windows XP operating system, which it 
had touted as a "secure and private" computing experience, has an 
unprecedented flaw.

In a security bulletin issued to customers yesterday, Microsoft said 
the "serious vulnerability" could allow hackers to commandeer all the 
computers in a neighborhood or company in a single attack. The 
Redmond, Wash., company urged customers to update their systems with 
a patch available on its Web site.

The acknowledgment could be a blow to the ambitions of Microsoft, 
which hoped that $500 million worth of flashy advertisements 
promoting Windows XP would result in billions of dollars worth of 
sales that would revitalize the high-tech sector.

In the two weeks after Windows XP went on sale Oct. 25, 7 million 
copies were sold, significantly fewer than previous versions of 
Windows. Analysts said the newly disclosed security problems might 
deflate sales even more.

The problem is in a tool called "universal plug and play" that is 
included in Windows XP. Beyond standard plug and play, with which 
computers recognize new peripherals, universal plug and play allows 
individual devices and even home appliances to connect and 
communicate with one another.

The unintended consequence is that universal plug and play also 
apparently allows people to seize control of a computer when it 
connects to the Internet, even if it isn't being used to check e-mail 
or view Web pages.

"We were basically able to take a remote computer and make it connect 
to the National Security Agency Web site," said Marc Maiffret, one of 
the three computer experts at eEye Digital Security Inc. who 
discovered the flaw. It also exists in Windows Millennium Edition if 
Microsoft's universal plug and play client has been loaded, and in 
Windows 98 and Windows 98 Second Edition when Microsoft software to 
share an Internet connection with a Windows XP computer has been 

The eEye researchers identified two other security holes, one that 
would allow malicious outsiders to crash an XP system and one that 
would let hackers coordinate an army of machines to flood a target 
with fake data.

As the most widely used operating system in the world, installed on 
more than 90 percent of all personal computers, the various versions 
of Microsoft Windows have benefited and suffered from research by 
security consultants all over the world. Independent researchers 
previously have found problems in the Internet Explorer Web browser 
and the Outlook and Outlook Express e-mail programs.

Maiffret said one of his colleagues was just "playing around" with 
Windows XP when he noticed the problems. "After a few weeks of 
playing around we noticed it was starting to do bad things," he said.

Microsoft spokesman Tom Laemmel said the flaw "slipped through" the 
company's testing process but that XP's security still is superior to 
that of previous Windows versions.

"When we say Windows XP is the most secure system ever we're not 
saying it's perfect," he said.

Network Associates security research manager Jim Magdych said finding 
the flaw in XP is a sophisticated task and there is no evidence that 
anyone has used it yet to break into systems.

EEye, based in Aliso Viejo, Calif., and Geneva, said it worked with 
Microsoft to develop the patch after it discovered the problem in a 
test version of Windows XP on Oct. 26.

Usually, relatively few people take the time to download fixes to 
security holes. "Unfortunately, we're not at the point yet where 
administering your home network is a routine task like mowing your 
lawn, although it should be," Maiffret said.

The good news is that Windows XP can automatically alert users to 
available security patches and other updates -- although the feature 
is turned off by default.

The bad news is that Microsoft isn't sure when it will be able to 
offer an alert or the software patch through the automatic system. In 
the meantime, users will have to go to Microsoft's Technet site and 
download the fix themselves.

© 2001 The Washington Post Company