Microsoft patch blocks holes in XP

Microsoft issued a security bulletin Thursday to users of its Windows operating systems, warning of three "critical" holes in the software that leave a Windows PC vulnerable to hackers when it is connected to the Internet.

The holes are in the Windows XP support for Universal Plug and Play, which lets a PC automatically discover and configure devices that announce themselves on the network, such as printers or residential gateways. By sending a crafted announcement, an attacker could take over a user's PC and run code of his choosing, or tie the machine up in a denial-of-service attack.

Scott Culp, manager of Microsoft's Security Response Center, said the buffer overflow vulnerability affecting Windows XP could give an outside party free rein to overwrite files and assume total control of an Internet-connected computer.

"(A hacker) can modify software while (the PC) is running. That's why overflows are so dangerous," Culp said. "It would be possible for a foreign attacker to make that machine do anything the user of that machine could do -- delete data, surf the Web. In this case the privileges are total."

Microsoft has posted free patches on its Web site for each of the affected operating systems. Windows XP is the most exposed of the three; users of Windows ME, and of Windows 98 with Microsoft's UPnP add-on, were also encouraged to install the patches. Microsoft strongly urged Windows XP users to install the patch immediately.

"It's definitely a serious vulnerability. If you're running Windows XP, you need this patch and you need it right now. Don't wait for the (Windows XP) auto update" to apply the fix, Culp said.

The vulnerable technology is called Universal Plug and Play (UPnP). Windows XP and its predecessor, Windows ME, have built-in support for UPnP. Users of Windows 98 can get support for the technology through a Microsoft download.

Researchers at eEye Digital Security found the vulnerabilities by sending malformed UPnP messages, crafted to look like a device announcing itself, to an Internet-connected Windows machine.

"This would enable the attacker to gain complete control over the system," Microsoft said in the security bulletin.

Crafted messages could let an attacker run code on that computer, install software, or use the PC in a denial-of-service attack. In such attacks a machine is flooded with traffic, or forced to do useless work, until it can no longer serve legitimate requests.

Marc Maiffret, cofounder and chief hacking officer of eEye Digital Security, said his company first alerted Microsoft to the DoS flaw toward the end of October. While eEye was working with the software giant to plug that hole, the buffer overflow vulnerability came to eEye's attention and was immediately forwarded to Microsoft for follow-up.

"A lot of people bought (Windows XP) or are getting it as a Christmas gift. It was important to get (the proper fixes) out before Christmas and make sure the patch was good to go," Maiffret said.

In a live demonstration on Thursday, Maiffret said, his company used addresses on the same cable-modem network as a vulnerable Windows XP system to seize control of a group of nearby Windows computers and tie them back to a single controlling host.

But he cautioned that an attacker would need a great deal of skill to write an exploit that turns the overflow into reliable code execution on a remote Windows XP machine.

The DoS problem required significant engineering to shore up, said Culp, who acknowledged that UPnP is a fairly new protocol and still very much in development. But he remained firm that the DoS exposure was not a protocol problem, but rather an instance of the service being "too trusting" of announcements from UPnP-capable devices on the network.

"Basically, when it saw a notice saying 'you can get information on this device over here,' it was going off and diligently trying to download the information without doing enough checking that the information was in fact valid," Culp said. That behavior produced two distinct DoS exposures.

In the first, an announcement points the system at a server that feeds it an unbounded stream of bogus data, consuming the machine's time and resources. In the second, the announcement names an innocent third-party server, which is then used as a pawn: once many vulnerable machines have been pointed at it, it ends up sending massive amounts of data to them, Culp added.

In contrast to the DoS problem, which came from requests the service did not properly limit, Culp said the buffer overflow is an implementation error rather than a design flaw.

"It's a coding error. It's a mistake made by the program. The design itself was sound, but somebody made an error in implementing that design. They didn't validate one of the inputs before using it... they didn't check the length," he added.
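The two failure modes Culp describes, a handler that fetches whatever an announcement points it at without enough checking, and a fixed buffer filled from an input whose length was never checked, shown side by side with the checks that close them. This is an added example in C, not Microsoft's UPnP service code and not eEye's exploit. The SSDP message layout and header names (NOTIFY, NTS, LOCATION) are the real protocol; the limits MAX_LOCATION and MAX_DESC_BYTES, and the rule that the LOCATION host must match the datagram's sender, are illustrative policy choices for this example and are not a description of what the Microsoft patch does. The sample announcements are constructed, not captured traffic.

```c
/* Added example (not Microsoft's or eEye's code): a minimal SSDP NOTIFY
 * handler showing the two bug classes the article describes and the checks
 * that close them. Message layout is real SSDP; the limits and the
 * "LOCATION host must match sender" rule are illustrative choices. */
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <ctype.h>

#define MAX_LOCATION   128          /* fixed buffer that receives the LOCATION URL */
#define MAX_DESC_BYTES (64u * 1024) /* cap on the device description we will read */

/* Case-insensitive compare of n bytes. */
static int ieq(const char *a, const char *b, size_t n)
{
    for (size_t i = 0; i < n; i++)
        if (tolower((unsigned char)a[i]) != tolower((unsigned char)b[i])) return 0;
    return 1;
}

/* Locate header `name` in a raw NOTIFY; returns a pointer into `msg` and the
 * value length, or NULL. Nothing is copied here, so nothing can overflow. */
const char *ssdp_header(const char *msg, const char *name, size_t *len)
{
    size_t nlen = strlen(name);
    for (const char *line = msg; line && *line; ) {
        const char *eol = strchr(line, '\n');
        size_t llen = eol ? (size_t)(eol - line) : strlen(line);
        if (llen > nlen && line[nlen] == ':' && ieq(line, name, nlen)) {
            const char *v = line + nlen + 1, *e = line + llen;
            while (v < e && (*v == ' ' || *v == '\t')) v++;
            while (e > v && (e[-1] == '\r' || e[-1] == ' ')) e--;
            *len = (size_t)(e - v);
            return v;
        }
        line = eol ? eol + 1 : NULL;
    }
    return NULL;
}

/* THE BUG (shape only): copy the value into a fixed buffer without checking
 * its length. A LOCATION longer than MAX_LOCATION writes past `out`. Never
 * call this on untrusted input; it is here to contrast with the fixed form. */
void location_unchecked(const char *v, size_t len, char out[MAX_LOCATION])
{
    memcpy(out, v, len);
    out[len] = '\0';
}

/* THE FIX: check the length first and reject, rather than truncate, oversize. */
int location_checked(const char *v, size_t len, char out[MAX_LOCATION])
{
    if (len >= MAX_LOCATION) return -1;
    memcpy(out, v, len);
    out[len] = '\0';
    return 0;
}

/* "Too trusting" fix for the DoS side: before fetching anything, require an
 * ssdp:alive announcement whose LOCATION is an http:// URL on the host that
 * sent the datagram (`src_ip`), so a NOTIFY cannot point us at an innocent
 * third party. Returns 0 and fills `loc` when the announcement is acceptable. */
int validate_notify(const char *msg, const char *src_ip, char loc[MAX_LOCATION])
{
    size_t n;
    const char *nts = ssdp_header(msg, "NTS", &n);
    if (!nts || n != strlen("ssdp:alive") || !ieq(nts, "ssdp:alive", n)) return -1;
    const char *v = ssdp_header(msg, "LOCATION", &n);
    if (!v || location_checked(v, n, loc) != 0) return -2;      /* missing or oversize */
    if (strncmp(loc, "http://", 7) != 0) return -3;             /* only plain http */
    const char *host = loc + 7, *end = host + strcspn(host, ":/");
    size_t hlen = (size_t)(end - host);
    if (hlen != strlen(src_ip) || strncmp(host, src_ip, hlen) != 0) return -4;
    if (*end == ':') {                                           /* optional port */
        char *p; long port = strtol(end + 1, &p, 10);
        if (p == end + 1 || port < 1 || port > 65535 || (*p && *p != '/')) return -5;
    }
    return 0;
}

/* Bounded read of the description the LOCATION server returns. `stream` stands
 * in for the socket; a server that sends more than `cap` bytes is cut off and
 * reported (-1) instead of consuming the client's memory and time. */
long read_description(const char *stream, size_t stream_len, char *dst, size_t cap)
{
    if (stream_len > cap) return -1;
    memcpy(dst, stream, stream_len);
    return (long)stream_len;
}

int main(void)
{
    /* Constructed sample announcements, not captured traffic. */
    const char *good =
        "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nNT: upnp:rootdevice\r\n"
        "NTS: ssdp:alive\r\nLOCATION: http://192.0.2.10:80/desc.xml\r\n\r\n";
    const char *reflect =   /* points the client at a third party */
        "NOTIFY * HTTP/1.1\r\nNTS: ssdp:alive\r\nLOCATION: http://198.51.100.7:8080/big.xml\r\n\r\n";
    char loc[MAX_LOCATION];
    printf("good:    %d\n", validate_notify(good, "192.0.2.10", loc));    /* 0  */
    printf("reflect: %d\n", validate_notify(reflect, "192.0.2.10", loc)); /* -4 */
    return 0;
}
```

Rejecting an oversize LOCATION outright, rather than truncating it to fit, is deliberate: a truncated URL is not the one the device announced, and silently fetching a different address is its own class of surprise. Tying the fetch to the sender's address is only a partial answer to the reflection case (a spoofed UDP source can still name a victim), so a real client would also rate-limit fetches per source and per LOCATION.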

Since its Oct. 25 release, Microsoft has sold about 650,000 copies of the operating system as a packaged product through retail channels, according to research from NPDTechworld, a division of the NPD Group. PC makers have been selling computers with the operating system pre-installed since September.

The IDG News Service is a Network World affiliate.
