  technofile
Al Fasoldt's reviews and commentaries, continuously available online since 1983

Worst security flaw ever found is detected in Windows XP


Dec. 26, 2001


By Al Fasoldt
Copyright © 2001, Al Fasoldt
Copyright © 2001, The Post-Standard

   The worst security flaw in the history of Windows has been uncovered by private researchers and confirmed by Microsoft. It affects all current copies of Windows XP, the latest Microsoft operating system, and some copies of Windows 98, Windows 98SE and Windows Me.
   The flaw allows hackers to take full control of any Windows XP computer over the Internet. Every file on a Windows XP computer is vulnerable and could be copied or deleted. Passwords and other personal data on a Windows XP computer could be stolen.
   The flaw also permits Windows XP computers to be "hijacked" from across the Internet and turned into Denial of Service weapons that can attack Web sites. By taking over thousands of XP computers simultaneously, hackers could attempt to knock out government Web sites by making each XP computer send a flood of data to the sites.
   Denial of Service attacks were launched against many U.S. sites, including ones run by the Pentagon, earlier this year when hackers secretly planted DoS-launcher programs on countless non-XP Windows computers. The XP flaw could make such DoS attacks commonplace.
   Microsoft wrote a patch for the flaw and has made it available for downloading. Instructions on how to get the patch are below.
   Making the flaw even more dangerous is the popularity of cable Internet services. Most Windows PCs that are connected to cable services can be broken into relatively easily. Hackers who take control of Windows XP computers on a cable service could easily break into non-XP Windows computers on the same service.
   A California computer security company, eEye Digital Security, discovered the flaw and reported it to Microsoft about six weeks ago.
   Microsoft had been advertising Windows XP as "the most secure version of Windows ever," an implausible assertion now. But the company should be praised for making the patch available as quickly as it did. The six-week delay is a comparatively short time for Microsoft.
   The flaw comes from poorly written code in a feature called Universal Plug and Play. Windows XP is the first computer operating system to have Universal Plug and Play built in. But it's also available as an option on a limited number of Windows 98, Windows 98SE and Windows Me computers.
   Universal Plug and Play is part of Microsoft's plan to allow non-computer devices such as microwaves and refrigerators to connect to home computers so they can share information. The flaw gives anyone on a network, whether a small home network or one as diverse as the Internet, easy access to the heart of any Windows XP computer, as well as to the operating systems of Windows 98 and Windows Me computers that have Universal Plug and Play installed.
   Windows XP computers that have automatic updating turned on probably have patched themselves already. But if you have Windows XP and don't know if auto-updates are active, don't take a chance. Get the patch. This advice also applies to Windows 98 and Windows Me users who have modified their systems with Universal Plug and Play.
   (If you have Windows 95 or Windows 2000, you're not affected. If you have Windows 98, Windows 98SE or Windows Me and have never installed any special Microsoft plug-and-play software, you're not affected either.)
   The patch is available from this site:
   www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp
   Two cautions: Do not rely on a software or hardware firewall to protect your Windows XP computer. Be sure to install the patch. Firewalls are important, but they can be fooled. And do not expect your antivirus software to help. AV programs do not protect against break-ins.