Associated Press
WASHINGTON — Microsoft Corp. acknowledged several serious flaws Thursday in its newest version of Windows, billed as the most secure ever, that allow hackers to steal or destroy a victim’s data files across the Internet or implant rogue computer software. It urged consumers to quickly install a free fix it offered.
A Microsoft official said the risk to consumers was unprecedented because the glitches allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet.
Microsoft made available on its Web site a free fix for both home and professional editions of Windows XP and forcefully urged consumers to install it immediately.
The flaws, discovered five weeks ago by independent security researchers, threatened to undermine widespread adoption of Microsoft’s latest Windows software, which many hope will be an economic catalyst for the sagging technology industry.
The company sold more than 7 million copies of Windows XP in the two weeks after it hit stores Oct. 25.
"If a hacker could get in this easily, it makes a lot of difference," said Anthony Gaskin of New York, a shopper at an office-supply store who was considering buying Windows XP. "I don’t want to have my computer vulnerable. Stuff like this I’m trying to keep away. I wouldn’t consider it."
Microsoft’s stock, one of the most widely held, fell $2.73 Thursday, or nearly 4 percent, in moderate trading.
The vulnerabilities were discovered by three young security researchers with eEye Digital Security Inc. of Aliso Viejo, Calif., led by Marc Maiffret, a 21-year-old former hacker. In recent months, Maiffret, who calls himself the firm’s "chief hacking officer," has advised the FBI and the White House on Internet security questions and testified before Congress.
The Windows XP problems affect a little-used feature that eventually will allow consumers to control high-tech household appliances using their computers. Called universal plug and play, the feature is activated by design in every copy of Windows XP and can be added manually to Microsoft’s earlier Windows ME software, also used by millions of consumers worldwide.
"This is the first network-based, remote compromise that I’m aware of for Windows desktop systems," said Scott Culpa, manager of Microsoft’s security response center. "Every Windows XP user needs to immediately take action." He called it a "very serious vulnerability."
Microsoft said a new feature of Windows XP, known as "drizzle," can automatically download the free fix, which takes several minutes to download, and prompt consumers to install it. Microsoft also is working with other software companies, such as leading anti-virus and firewall vendors, to build protection into their products.
Maiffret and his researchers demonstrated the flaws for The Associated Press by hacking into a reporter’s laptop running Windows XP from 2,300 miles away and successfully instructing the computer to connect automatically several times to the Web site for the National Security Agency, the government’s supersecret spy agency.
Microsoft and Maiffret said there was no suggestion that anyone has used these flaws to break into any computers; Maiffret predicted that many hackers will be able to duplicate his firm’s research — and begin breaking into unprotected computers — "a couple of months from now."
eEye’s Riley Hassell, also 21, discovered methods for hackers to either disrupt a victim’s Windows XP computer, order it to attack other Internet users or instruct it to run commands — such as to delete or steal files or install rogue software.
"This is very serious," Maiffret said. Hackers using these methods "could reformat your hard drive, record your keystrokes," he added.
Copyright ©2001 Associated Press. All rights reserved. This material may not be published, broadcast, rewritten, or redistributed.
Talk to us
> Give us your news tips.
> Send us a letter to the editor.
> More Herald contact information.