Information Security News mailing list archives

Reports of Windows Me bug already rolling in


From: William Knowles <wk () C4I ORG>
Date: Thu, 14 Sep 2000 11:25:35 -0500

http://news.cnet.com/news/0-1006-200-2770983.html?tag=st.ne.1002.bgif.ni

By Stephen Shankland
Staff Writer, CNET News.com
September 13, 2000, 6:20 p.m. PT

The first reports of a Windows Me bug are rolling in on the eve of the
official launch of Microsoft's new operating system for home PC users.

A bug hunter named Andrew Griffiths has announced he has discovered a
vulnerability that allows attackers to crash or reboot a Windows Me
computer running a TV software package by sending the computer a
certain type of data over the Internet.

Although Microsoft has been investigating this potential problem since
it learned of it a month ago, the company declined to confirm whether
it's actually a vulnerability.

"At this point we are still investigating it to determine if this is
indeed a security vulnerability and what is the appropriate action," a
Microsoft spokeswoman said today.

However, Security Focus analyst Ben Greenbaum said today that others
have been able to verify the vulnerability.

The problem lies in Microsoft software called WebTV that lets a
computer running on Windows Me display video and allows people to
watch TV on their computer monitors. The software, which began
shipping with Windows 98 Second Edition, also accepts TV program
guides from the Internet, according to Microsoft.

To exploit the vulnerability, an attacker sends a type of information
formatted with a networking standard called User Datagram Protocol
(UDP), Griffiths and Greenbaum said. Sending UDP data to a specific
address, called a "port," can crash the WebTV software or the entire
computer. In some circumstances, it can cause a reboot.

"As far as I'm aware, this is the first (Windows Me vulnerability)
that's been made public knowledge," Greenbaum said.

Not all computers are vulnerable all the time, however. Although the
software comes with Windows 98 Second Edition and Windows Me, it must
first be specifically installed and running before a computer becomes
vulnerable. People aren't likely to install or even run the
software unless they have a particular type of video card that can
decode TV signals.

In addition, computers protected by a firewall--as is the case for
most corporate machines--are not likely to be vulnerable, Greenbaum
said.

Griffiths, who posted news of the vulnerability to the Bugtraq email
list yesterday, stated that he notified Microsoft about the
vulnerability Aug. 13. "I asked them to get back to me awhile ago, but
I haven't heard any responses yet," he wrote in the posting.

But Microsoft has a different story. The company acknowledged that it
received word of the vulnerability a month ago but insists its
security team has been communicating with Griffiths.

"We've actively been working with Andrew throughout the investigation
process," the spokeswoman said. "We respond to every email that comes
in."

Griffiths, who has an Australian email address, could not immediately
be reached for comment.

He described the bug this way: "By sending a UDP packet to the
22701-22705 (ports), you can cause the program to crash or cause
various blue screens etc. The larger the size, the more dramatic the
effects (lockups, reboots and that)."

Windows Me, the successor to Windows 98, is aimed at home computer
users, not businesses. Although Microsoft initially planned to phase
out the Windows 95/98 family in favor of the less-crash-prone Windows
NT, the company decided to extend the lineage one more generation.

Microsoft officially is launching Windows Me tomorrow, though the
operating system has been shipping on PCs since mid-August.

WebTV software is different from Microsoft's WebTV set-top boxes that
allow people to surf the Internet and send email using their
televisions. Although Windows 98 is also susceptible to the WebTV
vulnerability, that OS doesn't come with WebTV software, thus lowering
the potential for attacks.

One reason attackers might be interested in the vulnerability is that
some types of attacks require that a machine be rebooted for changes
to the computer's settings to take effect, Greenbaum said. In other
words, to plant a more serious bug, a hacker would have to first
prompt a reboot.

An attacker must know the specific Internet address of the target
computer. Greenbaum said it's not difficult to scan Internet Protocol
addresses to find which computers have the specific ports open, an
indication that they're vulnerable to the attack.

So far there's no indication whether an attacker could use the
vulnerability for more damaging attacks, such as running arbitrary
programs or corrupting data, but that type of problem is a
possibility, Greenbaum said.


*==============================================================*
"Communications without intelligence is noise;  Intelligence
without communications is irrelevant." Gen Alfred. M. Gray, USMC
================================================================
C4I.org - Computer Security, & Intelligence - http://www.c4i.org
*==============================================================*

ISN is hosted by SecurityFocus.com