Microsoft's XP System Vulnerable to Hacking

Microsoft’s XP System Vulnerable to Hacking

By CHARLES PILLER

Dec. 21, 2001 12 AM PT

TIMES STAFF WRITER

SAN FRANCISCO —

Microsoft Corp. announced on Thursday that its flagship Windows XP operating system has a major security flaw that allows hackers to erase files from--or take control of--Internet-connected computers.

More than 7 million XP users also face the prospect of their PCs being turned into “zombies,” secretly directed by hackers to attack other computers.

“This is a serious vulnerability,” said Scott Culp, manager of Microsoft’s security response center.

Security experts called the vulnerability particularly glaring--and galling, given Microsoft’s touting of the XP operating system as among its most secure.

Experts blamed the error partly on Microsoft’s attempts to make its products easier to use. In that process, the company sometimes creates default software settings to save users headaches, but those settings later prove insecure.

In this case, the flaw stems from XP’s “universal plug-and-play” feature, which allows users to easily connect devices such as printers over a network. But it also opens a trap door for hackers.

Microsoft urged XP users to visit the Microsoft Web site to download a free software “patch” that fixes the problem. Some users of Windows 98 also are affected.

“We’re going out and asking every Windows XP user on the planet to install this patch,” Culp said. “It has got to work.”

The security problem was discovered and reported to Microsoft by EEye Digital Security, a software firm in Aliso Viejo. Company co-founder Marc Maiffret credited Microsoft with an efficient system for creating patches and making them available to customers.

Microsoft learned of the problems more than a month ago and has been preparing the patches since then.

The software giant conducted research to see if hackers had begun to exploit the problem, but found no such evidence. If it had, Microsoft would have alerted users even before the patch was prepared, Culp said. Now that it has been publicly disclosed, hackers will exploit the flaw, he added. “Count on it.”

Previous versions of Windows suffered from thousands of bugs, or errors in their underlying software code, some of which caused security problems. Experts said such problems are on the rise as the networked computing environment becomes increasingly complex.

Given the commercial pressures to produce software quickly, even Microsoft’s vast resources have been inadequate to test products fully before they go on the market.

That’s why the company often learns of major flaws through the efforts of security firms or hackers themselves. In this case, it was a bit of both.

Four years ago, as a teen hacker using the moniker “Chameleon,” Maiffret was known for defacing Department of Defense Web sites with digital graffiti.

He became the subject of an FBI investigation in which he was accused of trying to sell information and software stolen from Defense Department computers to a Middle Eastern terrorist group. Agents raided Maiffret’s home; he was arrested at gunpoint and his computer files were seized. Maiffret denied the accusations, describing his actions as mere mischief. Charges were never filed.

He later formed EEye to capitalize on his first-hand knowledge of hacking techniques.

Tim Belcher, chief technical officer of Riptech Inc., a security monitoring company in Alexandria, Va., said it was likely that more XP security flaws will come to light, given the sheer scale of the software, with its millions of lines of programming instructions.

“The operating system is so inclusive that there are bound to be many, many significant oversights,” Belcher said.