Microsoft's Most Secure OS Ever, Windows XP, Subject To Major Security Hole

by , 9:00 AM EST, December 21st, 2001

Sometimes there are events that happen in the computer world that just sort of write themselves into a funny article. Usually they involve Microsoft, and today we have just such an example. Microsoft released a patch to plug a security hole the size of Montana. A technology called Universal Plug & Play (UPnP) that is included in Windows XP, and can be either turned on or downloaded for Windows 98 and Windows ME, includes the unique ability to give a malicious hacker complete and utter control of the user's PC. Windows XP has been touted by Microsoft as being their most secure OS yet. Just to show they mean it, the company has released a patch to plug this hole. From a C|Net report:

"This is a serious vulnerability. People running Windows XP need to put the patch on right away," said Scott Culp, manager of Microsoft's Security Response Center.

Culp said users of Windows ME or Windows 98 only need the patch if they are running UPnP. Windows ME was released with UPnP built in, but the feature is turned off when customers install that operating system. Windows 98 doesn't have UPnP built in, so users of the OS don't need the patch unless they have installed UPnP separately, he added.

Culp said there are several ways people can exploit the security hole in UPnP. Someone who knows the Internet Protocol (IP) address of a specific PC can gain control of the computer through the Internet if the network doesn't have firewall security installed. Most corporations and many consumers, however, have firewalls installed to block these types of break-ins, he said.

More seriously, hackers who are inside the network can take over a PC without needing to know the PC's IP address. That's the case with cable Internet access, where people in the neighborhood share the same cable network, Culp said.

"With most cable modem users, there's a physical wire that feeds an entire neighborhood, and someone from that wire could attack anyone without needing to know the IP address," he said. "The attacker can take control of the PC and have access to all the files. They might as well be sitting in front of the keyboard."

Microsoft sat on the information until they had prepared a fix, a tactic the company has been wanting the freedom to use for the last few months. This subject has gotten a lot of media attention, and you can find more information in the full article. We also have other reports for your reading edification:

The Mac Observer Spin:

Oh, how we Mac users envy the Windows world with its rich proliferation of software and stuff. Or something. In our eyes, living in the rich world of Windows is all about waiting to download the next security patch before something bad happens. Admittedly, Microsoft has been able to release a patch for this problem before any attacks started, but that doesn't mean that everyone is going to download that patch.

Microsoft has patched most of the security holes in Windows and its various bits of software, but we still see viruses and exploits like Code Red, Anna K., and I Love You cause billions and billions of dollars in lost productivity around the world because Windows Lemmings don't all get the word. Windows XP does include the ability to ask MS's servers for updates, so there's a chance that most of the XP systems out there will get updated before the hackers figure out a way to allow the script kiddies to exploit this serious problem. In any event, pardon us while we are not surprised by the whole thing.