VICUG-L Archives

Visually Impaired Computer Users' Group List

VICUG-L@LISTSERV.ICORS.ORG

Sender: "VICUG-L: Visually Impaired Computer Users' Group List" <[log in to unmask]>
From: Chris McMillan <[log in to unmask]>
Date: Thu, 20 Dec 2001 16:24:52 -0500

Microsoft issues patch for "serious" XP hole

By Wylie Wong and David Becker

Staff Writers, CNET News.com
December 20, 2001, 1:00 p.m. PT
http://news.cnet.com/news/0-1003-200-8244349.html?tag=prntfr

Microsoft may have touted Windows XP as the most secure operating system
it has made, but the company on Thursday released a bug fix for a
security hole that could leave some people's systems open to malicious
attack.

Microsoft is recommending that every Windows XP customer apply the patch
immediately. Customers using Windows 98, Windows 98 Second Edition and
Windows ME with the "Universal Plug and Play" (UPnP) service up and
running should also use the patch, the company said.

UPnP is Microsoft software that uses Internet protocols to allow devices
such as computers, scanners and printers to automatically discover one
another so they can communicate. Microsoft said an attacker who
exploited the hole could take over computers on such a network.
Depending on the skills of the attackers, they could take complete
control of the PC--such as viewing or deleting files--or launch "denial
of service" attacks, which flood a person's PC with data, crippling it.
Windows users can download the patch from Microsoft's Web site.

A Microsoft executive said Windows XP comes with the UPnP feature turned
on, so every XP user needs the patch.

"This is a serious vulnerability. People running Windows XP need to put
the patch on right away," said Scott Culp, manager of Microsoft's
Security Response Center.

Culp said users of Windows ME or Windows 98 only need the patch if they
are running UPnP. Windows ME was released with UPnP built in, but the
feature is turned off when customers install that operating system.
Windows 98 doesn't have UPnP built in, so users of the OS don't need the
patch unless they have installed UPnP separately, he added.

UPnP is networking software that is slowly beginning to catch on among
tech companies and computer users. Printer makers, for example, have
begun supporting it so that printers can easily connect to PCs on a
network. UPnP is Microsoft's vision of allowing computers, printers and
other peripherals to automatically find one another and communicate
without consumers having to configure the computers. With everything
connected, people in the house could videoconference or play multiplayer
video games, for example.

Culp said there are several ways people can exploit the security hole in
UPnP. Someone who knows the Internet Protocol (IP) address of a specific
PC can gain control of the computer through the Internet if the network
doesn't have firewall security installed. Most corporations and many
consumers, however, have firewalls installed to block these types of
break-ins, he said.

More seriously, hackers who are inside the network can take over a PC
without needing to know the PC's IP address. That's the case with cable
Internet access, where people in the neighborhood share the same cable
network, Culp said.

"With most cable modem users, there's a physical wire that feeds an
entire neighborhood, and someone from that wire could attack anyone
without needing to know the IP address," he said. "The attacker can take
control of the PC and have access to all the files. They might as well
be sitting in front of the keyboard."

The flaws were discovered by Aliso Viejo, Calif.-based security company
eEye Digital Security and reported to Microsoft about six weeks ago,
said Marc Maiffret, eEye's chief hacking officer.

Although describing the flaws as "the worst default security
vulnerability in Windows ever," Maiffret credited the company for
working quickly and intelligently to stem possible damage.

"Microsoft made a really good effort to work with us and get the patch
ready in a coordinated way," he said. "Microsoft understands you're
never going to be perfect; you have to have a mechanism in place to
react to these things quickly and comprehensively when they happen."

Maiffret predicted hackers would develop and release tools to exploit
the UPnP vulnerability within a week or two. But he said the buffer
overflow flaw was so technically complex that attacks based on it were
unlikely to become widespread. "I think the people skilled enough to
exploit this will keep the exploit to themselves," he said.


VICUG-L is the Visually Impaired Computer User Group List.
To join or leave the list, send a message to
[log in to unmask]  In the body of the message, simply type
"subscribe vicug-l" or "unsubscribe vicug-l" without the quotations.
 VICUG-L is archived on the World Wide Web at
http://maelstrom.stjohns.edu/archives/vicug-l.html

