IP: Fw: Latest Windows versions vulnerable to unusually serious hacker attacks...

[David Farber <dfarber () earthlink net>]

-----Original Message-----
From: Jim McHugh <Jim_McHugh () mac com> (by way of Einar Stefferud)
Date: Thu, 20 Dec 2001 14:24:38 
To: Dave Farber <farber () cis upenn edu>
Subject: Latest Windows versions vulnerable to unusually serious hacker 
 attacks...

The Washington Post - Thursday, December 20, 2001; 1:24 PM

Windows Vulnerable to Hack Attacks

By Ted Bridis, Associated Press Writer


WASHINGTON -- Microsoft's newest version of Windows, billed as the most
secure ever, contains several serious flaws that allow hackers to steal or
destroy a victim's data files across the Internet or implant rogue computer
software. The company released a free fix Thursday.

A Microsoft official acknowledged that the risk to consumers was
unprecedented because the glitches allow hackers to seize control of all
Windows XP operating system software without requiring a computer user to do
anything except connect to the Internet.

Microsoft made available on its Web site a free fix for both home and
professional editions of Windows XP and forcefully urged consumers to
install it immediately.

The flaws, discovered five weeks ago by independent security researchers,
threatened to undermine widespread adoption of Microsoft's latest Windows
software, which many hope will be an economic catalyst for the sagging
technology industry.

The company sold more than 7 million copies of Windows XP in the two weeks
after it hit stores Oct. 25.

The vulnerabilities were discovered by three young security researchers with
eEye Digital Security Inc. of Aliso Viejo, Calif., led by Marc Maiffret, a
21-year-old former hacker. In recent months, Maiffret, who calls himself the
firm's "chief hacking officer," has advised the FBI and the White House on
Internet security questions and testified before Congress.

The Windows XP problems affect a little-used feature that eventually will
allow consumers to control high-tech household appliances using their
computers. Called "universal plug and play," the feature is activated by
design in every copy of Windows XP and can be added manually to Microsoft's
earlier Windows ME software, also used by millions of consumers worldwide.

"This is the first network-based, remote compromise that I'm aware of for
Windows desktop systems," said Scott Culp, manager of Microsoft's security
response center. "Every Windows XP user needs to immediately take action."
He called it a "very serious vulnerability."

Microsoft said a new feature of Windows XP, known as "drizzle," can
automatically download the free fix, which takes several minutes to
download, and prompt consumers to install it. Microsoft also is working with
other software companies, such as leading antivirus and firewall vendors, to
build protection into their products.

Maiffret and his researchers demonstrated the flaws for The Associated Press
by hacking into a reporter's laptop running Windows XP from 2,300 miles away
and successfully instructing the computer to connect automatically several
times to the Web site for the National Security Agency, the government's
super-secret spy agency.

© 2001 The Associated Press
http://www.washingtonpost.com/wp-dyn/articles/A7050-2001Dec20.html


For archives see:
http://www.interesting-people.org/archives/interesting-people/