Elinor Mills Abreu
SAN FRANCISCO: Less than two months after releasing Windows XP, dubbed its
most secure operating system ever, Microsoft Corp. said on Thursday that it had
detected a second serious security hole in the software and issued a quick patch
to fix it.
The company is issuing a patch for Windows XP, Windows ME and Windows 98
systems for what Scott Culp, manager of Microsoft's Security Response Center,
said is a "very serious vulnerability." The latest hole could allow a
malicious hacker to completely take control of a computer, Culp said.
It also puts Web servers at risk of being temporarily shut down from a
denial-of-service attack or being used, along with many others, in such an
attack on other computers, he said. Under a denial-of-service attack, a Web
server is flooded with so much Internet traffic that it is rendered inaccessible
to legitimate traffic.
The vulnerability is located in Universal Plug and Play software, which
allows devices added to a network to be automatically recognized and accessed.
That software is installed by default on all Windows XP systems, is an option
that Windows ME users can switch on, and can be installed separately on Windows 98
computers, according to Culp.
A mitigating factor is that, in most instances, attackers must know the exact
numerical Internet address a computer is using, he said. "There have been no
reports of this being exploited yet," Culp said. However, "we do know
that it will be exploited. They always are. It's a question of time."
Marc Maiffret, chief hacking officer at eEye Digital Security, who discovered
the hole, said that despite there being two security vulnerabilities announced
in as many months for the new operating system, "it's too early to judge XP
security."
In April, Microsoft announced a new Windows Security Initiative designed to
catch bugs and security holes before products ship. Despite the XP holes, the
initiative is working, Culp said. "We have said and we continue to believe
that XP is the most secure version of Windows ever developed," he said.
"Even as we're improving the engineering process we have to recognize that
it will never be perfect."
The first XP security hole, much less serious than the current one, was
discovered before the product was released and a patch for it was available when
XP was released Oct. 25, Culp said. The current patch fixes both holes, he said.
Information about the vulnerability and latest patch is at http://www.microsoft.com/technet/security/bulletin/ms01-059.asp.
(C) Reuters Limited.