
Windows Patch Plugs 'Critical' Holes

Microsoft issues fix for flaw that leaves Windows XP, Me, and some 98 systems vulnerable when online.

Matt Berger, IDG News Service


Microsoft has issued a security bulletin and software fixes for its Windows operating systems, warning of three "critical" holes in the software that leave a Windows PC vulnerable to hackers when it is logged on to the Internet.

By exploiting holes in technology built into Windows XP that allow a computer to automatically recognize peripheral devices when they are plugged into a PC, a hacker could take over a user's PC and run malicious code or use it to perform a denial-of-service attack.

Microsoft strongly urged Windows XP users to install the patch immediately. Windows XP is the most vulnerable to the holes, while users of Windows Millennium (Windows Me) and Windows 98 are also encouraged to install the patches.

Microsoft has posted free patches for the holes on its developer Web site, for each of the affected operating systems.

"It's definitely a serious vulnerability. If you're running Windows XP, you need this patch and you need it right now," said Scott Culp, manager of Microsoft's security response center. "Don't wait for the (Windows XP) auto update" to apply the fix, Culp said.

The buffer overflow vulnerability affecting Windows XP could give an outside party free rein to overwrite files and assume total control of a Web-connected computer, Culp added.

"(A hacker) can modify software while (the PC) is running. That's why overflows are so dangerous," Culp said. "It would be possible for a foreign attacker to make that machine do anything the user of that machine could do -- delete data, surf the Web. In this case the privileges are total."

Discovered Outside

The vulnerable technology is called Universal Plug and Play, or UPnP. Windows XP and its predecessor, Windows Me, have built-in support for UPnP. Users of Windows 98 can get support for the technology through a Microsoft download. UPnP is intended to make it easier for users to add hardware peripherals, such as digital cameras or printers, to a system.

Independent security consultants from eEye Digital Security, based in Aliso Viejo, California, discovered the vulnerabilities. They were testing the strength of eEye Digital's vulnerability scanning products by sending malicious commands disguised as a UPnP service to a remote computer plugged into the Internet.

"This would enable the attacker to gain complete control over the system," Microsoft said in the security bulletin.

Certain commands could allow a hacker to run code on that computer, install software, or use that PC to perform a denial-of-service attack. In denial-of-service attacks, software is used to flood a network with traffic, rendering servers unable to distinguish between legitimate traffic and malicious or false traffic.

Marc Maiffret, cofounder and chief hacking officer of eEye Digital Security, said his company first alerted Microsoft of the DoS glitch in late October. While eEye was working with the software giant to plug the uncovered hole, the buffer overflow vulnerability came to eEye Digital Security's attention and was immediately forwarded to Microsoft for further follow-up.

"A lot of people bought (Windows XP) or are getting it as a Christmas gift. It was important to get (the proper fixes) out before Christmas and make sure the patch was good to go," Maiffret said.

Maiffret said his company used cable modem addresses at or near a vulnerable Windows XP system to seize control of a group of nearby Windows computers and centrally tie them back into a host computer. But he cautioned that an attacker would require a great deal of skill to be able to write an exploit program capable of overwriting the code of a remote computer by taking advantage of Windows XP.

Acknowledging Error

The DoS problem required significant engineering to shore up, said Culp, who admitted that UPnP is a fairly new protocol and still very much in development. But he remained firm that the DoS exposure was not a protocol problem, but rather an instance of the service being "too trusting" when a UPnP-capable device requested information on the network.

"Basically, when it saw a notice saying 'you can get information on this device over here,' it was going off and diligently trying to download the information without doing enough checking that the information was in fact valid," Culp said. That scenario caused two potential DoS vulnerabilities to occur.

The first vulnerability allowed a system to be pointed to a server feeding it huge amounts of bogus data to consume the machine's time and resources. The second type of exposure would cause an innocent third-party server hosting information to be used as a pawn to send massive data to other vulnerable machines, Culp added.

In contrast to the DoS problem, which involved service requests that were not properly regulated, Culp said the buffer overflow hole is a mistake in the implementation of the code design within Windows XP.

"It's a coding error. It's a mistake made by the program. The design itself was sound, but somebody made an error in implementing that design. They didn't validate one of the inputs before using it ... they didn't check the length," he added.
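The checks Culp describes as missing (confirm that an announcement is plausible before fetching what it points to, cap the amount of data accepted, and bound input lengths before using them) can be made concrete for the discovery step the article is about. The following is an added example written for this article, not Microsoft's or eEye's code; the size limits, the sample announcements and the policy that a NOTIFY's LOCATION must point back at the host that sent it are this example's own assumptions.

```python
"""Validating a UPnP/SSDP NOTIFY before acting on its LOCATION header.

Added example, not Microsoft's or eEye's code. Limits, sample messages and
the "LOCATION must match the sender" policy are assumptions made here.
"""
import io
import ipaddress
from urllib.parse import urlsplit

MAX_MESSAGE_BYTES = 4096           # assumed cap on one SSDP announcement
MAX_HEADER_VALUE = 1024            # assumed cap on one header value
MAX_DESCRIPTION_BYTES = 64 * 1024  # assumed cap on a device description


class RejectedNotify(Exception):
    """The announcement failed validation and must not be acted on."""


def parse_notify(raw: bytes) -> dict:
    """Parse an SSDP NOTIFY into {HEADER: value}, checking lengths first."""
    if len(raw) > MAX_MESSAGE_BYTES:
        raise RejectedNotify("announcement exceeds size limit")
    try:
        text = raw.decode("ascii")        # SSDP headers are ASCII
    except UnicodeDecodeError:
        raise RejectedNotify("non-ASCII bytes in announcement")
    lines = text.split("\r\n")
    if lines[0] != "NOTIFY * HTTP/1.1":
        raise RejectedNotify("not a NOTIFY request")
    headers = {}
    for line in lines[1:]:
        if line == "":                    # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if not sep or not name.strip():
            raise RejectedNotify("malformed header line")
        value = value.strip()
        if len(value) > MAX_HEADER_VALUE:  # the "check the length" step
            raise RejectedNotify(f"{name.strip()} header too long")
        headers[name.strip().upper()] = value
    if "LOCATION" not in headers:
        raise RejectedNotify("NOTIFY carries no LOCATION")
    return headers


def check_location(location: str, sender_ip: str) -> str:
    """Accept LOCATION only if it points back at the announcing host.

    This refuses both DoS shapes from the article: a URL at an arbitrary
    server feeding bogus data, and an innocent third-party server used as a
    pawn.  (Assumed policy; stricter than UPnP itself requires.)
    """
    parts = urlsplit(location)
    if parts.scheme != "http" or parts.hostname is None:
        raise RejectedNotify("LOCATION must be an http URL with a host")
    try:
        addr = ipaddress.ip_address(parts.hostname)
    except ValueError:
        raise RejectedNotify("LOCATION host must be a literal IP address")
    if not (addr.is_private or addr.is_link_local):
        raise RejectedNotify("LOCATION points outside the local network")
    if addr != ipaddress.ip_address(sender_ip):
        raise RejectedNotify("LOCATION host differs from announcing host")
    return location


def fetch_description(read_chunk, limit: int = MAX_DESCRIPTION_BYTES) -> bytes:
    """Read via read_chunk(n) but never accept more than `limit` bytes."""
    buf = bytearray()
    while True:
        chunk = read_chunk(4096)
        if not chunk:
            return bytes(buf)
        buf += chunk
        if len(buf) > limit:
            raise RejectedNotify("device description exceeds size limit")


def handle_notify(raw: bytes, sender_ip: str, open_url) -> bytes:
    """Parse, validate LOCATION, then fetch with a size cap.

    open_url(location) returns a read(n) callable: a real HTTP client in
    practice, an in-memory stand-in below.
    """
    headers = parse_notify(raw)
    location = check_location(headers["LOCATION"], sender_ip)
    return fetch_description(open_url(location))


def is_rejected(raw: bytes, sender_ip: str, open_url) -> bool:
    """True if handle_notify refuses the announcement."""
    try:
        handle_notify(raw, sender_ip, open_url)
        return False
    except RejectedNotify:
        return True


# Constructed samples: a sane announcement from 192.168.1.20, and one whose
# LOCATION points at an unrelated Internet host (the "pawn" case).
GOOD_NOTIFY = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
               b"LOCATION: http://192.168.1.20:5000/desc.xml\r\n"
               b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n\r\n")
PAWN_NOTIFY = GOOD_NOTIFY.replace(b"192.168.1.20:5000", b"203.0.113.9:80")


def small_server(_location):
    """open_url stand-in serving a short, constructed description."""
    return io.BytesIO(b"<root><device/></root>").read


def flooding_server(_location):
    """open_url stand-in that never stops sending data."""
    return lambda n: b"x" * n
```

Run against the constructed samples, `GOOD_NOTIFY` from 192.168.1.20 is accepted and its description returned, while the pawn announcement, an announcement whose LOCATION names a different local host, an oversized LOCATION header, and a server that never stops sending are all refused before they can consume the machine's resources.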

Frequent Bug Finder

The consultants at eEye Digital Security have uncovered a number of flaws in Microsoft software, and have raised a bit of controversy about the ways they release information about their findings. They position themselves as bug-hunters who are performing a service for users by publicizing vulnerabilities, especially when Microsoft has not remedied them after being alerted to the flaws.

Last spring, the company took credit for identifying a problem in a version of Microsoft's Internet Information Server. The flaw was later exploited by the creator of the Code Red virus, which infected a number of Internet servers. Even some Microsoft servers were hit, although a patch was available.

Critics say eEye sometimes makes it too easy for malicious hackers by publishing details about vulnerabilities. The company says it gives a vendor sufficient time to prepare and release a patch before going public. Maiffret of eEye maintains the company behaves as a responsible bug hunter that enables people to protect their systems.

The issue is termed full disclosure, and is a source of debate in the development community. Some say disclosure improves security; others say it too readily gives information and tools to eager crackers. Most urge a balance in disclosure so users are kept informed and vendors are encouraged to make their software more secure.

Since its October 25 release, Microsoft has sold about 650,000 copies of the operating system as a packaged product through retail channels, according to research from NPDTechworld, a division of the NPD Group. PC makers have been selling PCs with the operating system pre-installed since September.

PC World Contributing Editor Kim Zetter assisted with this report.
