Hackers attacked Windows XP

Author: Dariusz (dariusj_at_poczta.onet.pl)
Date: Fri 21 Dec 2001 - 11:17:21 MET


> http://www.cnn.com/2001/TECH/ptech/12/20/microsoft.hackers.ap/index.html
>
> WASHINGTON (AP) -- Microsoft's newest version of Windows, billed as the most secure ever, contains several serious flaws that allow hackers to steal or destroy a victim's data files across the Internet or implant rogue computer software. The company released a free fix Thursday.
>
> A Microsoft official acknowledged that the risk to consumers was unprecedented because the glitches allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet.
>
> Microsoft made available on its Web site a free fix for both home and professional editions of Windows XP and forcefully urged consumers to install it immediately.
>
> The flaws, discovered five weeks ago by independent security researchers, threatened to undermine widespread adoption of Microsoft's latest Windows software, which many hope will be an economic catalyst for the sagging technology industry.
>
> The company sold more than 7 million copies of Windows XP in the two weeks after it hit stores October 25.
>
> The vulnerabilities were discovered by three young security researchers with eEye Digital Security Inc. of Aliso Viejo, California, led by Marc Maiffret, a 21-year-old former hacker. In recent months, Maiffret, who calls himself the firm's "chief hacking officer," has advised the FBI and the White House on Internet security questions and testified before Congress.
>
> The Windows XP problems affect a little-used feature that eventually will allow consumers to control high-tech household appliances using their computers. Called "universal plug and play," the feature is activated by design in every copy of Windows XP and can be added manually to Microsoft's earlier Windows ME software, also used by millions of consumers worldwide.
>
> "This is the first network-based, remote compromise that I'm aware of for Windows desktop systems," said Scott Culp, manager of Microsoft's security response center. "Every Windows XP user needs to immediately take action." He called it a "very serious vulnerability."
>
> Microsoft said a new feature of Windows XP, known as "drizzle," can automatically download the free fix, which takes several minutes to download, and prompt consumers to install it. Microsoft also is working with other software companies, such as leading antivirus and firewall vendors, to build protection into their products.
>
> Maiffret and his researchers demonstrated the flaws for The Associated Press by hacking into a reporter's laptop running Windows XP from 2,300 miles away and successfully instructing the computer to connect automatically several times to the Web site for the National Security Agency, the government's super-secret spy agency.
>
> Microsoft and Maiffret said there was no suggestion that anyone has used these flaws to break into any computers; Maiffret predicted that many hackers will be able to duplicate his firm's research -- and begin breaking into unprotected computers -- "a couple months from now."
>
> Microsoft feared that hackers could exploit the flaws more quickly if eEye discloses too many details about its findings. Leading up to the public announcement, Culp said, those researchers behaved "exactly right" by quietly notifying Microsoft.
>
> 'Very serious'
>
> Riley Hassell, eEye's self-described "network penetration specialist," discovered methods for hackers to either disrupt a victim's Windows XP computer, order it to attack other Internet users or instruct it to run commands -- such as to delete or steal files or install rogue software.
>
> "This is very serious," said Maiffret. Hackers using these methods "could reformat your hard-drive, record your keystrokes," he added.
>
> Hackers could attack individual computers directly, though the flaws also allow hackers to transmit an attack to a single Internet address and strike all the nearby Windows XP computers within a corporation or neighborhood. Microsoft said companies and Internet providers can reduce the threat by properly configuring their Internet traffic-directing devices, called routers.
>
> The flaws are particularly embarrassing to Microsoft because their discovery falls so close to Christmas and because of the company's commercial emphasis on improved security in Windows XP. The company boasts as one of 10 reasons for technology experts to buy Windows XP the promise of a "safe, secure and private computing experience."
>
> "This is the most secure version of Windows we have ever released," said Culp, adding that complex software "will always fall short of perfection."
>
> One of the problems disclosed Thursday belongs to a category of software flaws known as "buffer overflows," which can trick software into accepting dangerous commands. Another is the result of broader design problems with universal plug and play technology.
>
> Just last week, Microsoft's corporate security officer, Howard Schmidt, expressed frustration about continuing threats from overflows. "I'm still amazed that we allow these things to occur," he said at a conference of technology executives. Schmidt is expected soon to resign from Microsoft to work for President Bush's top computer security adviser.


