Critical XP flaws prompt Microsoft to offer free fixes

  • Thursday, December 20, 2001 9:00pm
  • Business

Associated Press

WASHINGTON — Microsoft Corp. acknowledged several serious flaws Thursday in its newest version of Windows, billed as the most secure ever, that allow hackers to steal or destroy a victim’s data files across the Internet or implant rogue computer software. It urged consumers to quickly install a free fix it offered.

A Microsoft official said the risk to consumers was unprecedented because the glitches allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet.

Microsoft made available on its Web site a free fix for both home and professional editions of Windows XP and forcefully urged consumers to install it immediately.

The flaws, discovered five weeks ago by independent security researchers, threatened to undermine widespread adoption of Microsoft’s latest Windows software, which many hope will be an economic catalyst for the sagging technology industry.

The company sold more than 7 million copies of Windows XP in the two weeks after it hit stores Oct. 25.

"If a hacker could get in this easily, it makes a lot of difference," said Anthony Gaskin of New York, a shopper at an office-supply store who was considering buying Windows XP. "I don’t want to have my computer vulnerable. Stuff like this I’m trying to keep away. I wouldn’t consider it."

Microsoft’s stock, one of the most widely held, fell $2.73 Thursday, or nearly 4 percent, in moderate trading.

The vulnerabilities were discovered by three young security researchers with eEye Digital Security Inc. of Aliso Viejo, Calif., led by Marc Maiffret, a 21-year-old former hacker. In recent months, Maiffret, who calls himself the firm’s "chief hacking officer," has advised the FBI and the White House on Internet security questions and testified before Congress.

The Windows XP problems affect a little-used feature that eventually will allow consumers to control high-tech household appliances using their computers. Called universal plug and play, the feature is activated by design in every copy of Windows XP and can be added manually to Microsoft’s earlier Windows ME software, also used by millions of consumers worldwide.

"This is the first network-based, remote compromise that I’m aware of for Windows desktop systems," said Scott Culp, manager of Microsoft’s security response center. "Every Windows XP user needs to immediately take action." He called it a "very serious vulnerability."

Microsoft said a new feature of Windows XP, known as "drizzle," can automatically download the free fix, which takes several minutes to download, and prompt consumers to install it. Microsoft also is working with other software companies, such as leading anti-virus and firewall vendors, to build protection into their products.

Maiffret and his researchers demonstrated the flaws for The Associated Press by hacking into a reporter’s laptop running Windows XP from 2,300 miles away and successfully instructing the computer to connect automatically several times to the Web site for the National Security Agency, the government’s supersecret spy agency.

Microsoft and Maiffret said there was no suggestion that anyone has used these flaws to break into any computers; Maiffret predicted that many hackers will be able to duplicate his firm’s research — and begin breaking into unprotected computers — "a couple of months from now."

eEye’s Riley Hassell, also 21, discovered methods for hackers to either disrupt a victim’s Windows XP computer, order it to attack other Internet users or instruct it to run commands — such as to delete or steal files or install rogue software.

"This is very serious," Maiffret said. Hackers using these methods "could reformat your hard drive, record your keystrokes," he added.

Copyright ©2001 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
