Microsoft issued a security bulletin Thursday to users of its Windows operating systems, warning of three "critical" holes in the software that leave a Windows PC vulnerable to hackers when it is logged on to the Internet.
By exploiting holes in technology built into Windows XP that allow a computer to automatically recognize peripheral devices, such as digital cameras or printers, when they are plugged into a PC, a hacker could take over a user's PC and run malicious code or use it to perform a DoS (denial of service) attack.
Scott Culp, manager of Microsoft's Security Response Center, said the buffer overflow vulnerability affecting Windows XP could give an outside party free rein to overwrite files and assume total control of a Web-connected computer.
"(A hacker) can modify software while (the PC) is running. That's why overflows are so dangerous," Culp said. "It would be possible for a foreign attacker to make that machine do anything the user of that machine could do - delete data, surf the Web. In this case the privileges are total."
The vulnerable technology is called UPnP (Universal Plug and Play). Windows XP and its predecessor, Windows ME, have built-in support for UPnP. Users of Windows 98 can get support for the technology through a Microsoft download.
Microsoft has posted a patch for both holes on its Web site for developers, for each of the affected operating systems. Windows XP is the most vulnerable to the holes, but users of Windows ME and Windows 98 also were encouraged to apply the patches if they have previously installed UPnP. Microsoft strongly urged Windows XP users to install the patch immediately.
"It's definitely a serious vulnerability. If you're running Windows XP, you need this patch and you need it right now. Don't wait for the (Windows XP) auto update" to apply the fix, Culp said.
Independent security consultants from eEye Digital Security discovered the vulnerabilities while testing the strength of the company's vulnerability-scanning products: they sent malicious commands disguised as a UPnP service to a remote computer plugged into the Internet.
Certain commands could allow a hacker to run code on that computer, install software, or use that PC to perform a DoS attack. In DoS attacks, software is used to flood a network with traffic, rendering servers unable to distinguish between legitimate traffic and malicious or false traffic.
Marc Maiffret, cofounder and chief hacking officer of eEye Digital Security, said his company first alerted Microsoft to the DoS glitch toward the end of October. While eEye was working with the software giant to plug the uncovered hole, the buffer overflow vulnerability came to eEye Digital Security's attention and was immediately forwarded to Microsoft for follow-up.
"A lot of people bought (Windows XP) or are getting it as a Christmas gift. It was important to get (the proper fixes) out before Christmas and make sure the patch was good to go," Maiffret said.
During a live infiltration of the Windows XP OS on Thursday, Maiffret said his company was able to use cable modem addresses at or near a vulnerable Windows XP system to seize control of a group of nearby Windows computers and centrally tie them back into a host computer.
But he cautioned that an attacker would require a great deal of skill to be able to write an exploit program capable of overwriting the code of a remote computer by taking advantage of Windows XP.
The DoS problem required significant engineering to shore up, said Culp, who admitted that UPnP is a fairly new protocol and still very much in development. But he remained firm that the DoS exposure was not a protocol problem, but rather an instance of the service being "too trusting" when a UPnP-capable device requested information on the network.
"Basically, when it saw a notice saying 'you can get information on this device over here,' it was going off and diligently trying to download the information without doing enough checking that the information was in fact valid," Culp said. That scenario caused two potential DoS vulnerabilities to occur.
The first vulnerability allowed a system to be pointed to a server feeding it huge amounts of bogus data to consume the machine's time and resources. The second type of exposure would cause an innocent third-party server hosting information to be used as a pawn to send massive data to other vulnerable machines, Culp added.
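The "too trusting" behaviour Culp describes is a UPnP host fetching whatever URL an SSDP NOTIFY announcement points at. The following added example (not Microsoft's or eEye's code, and not the patched Windows implementation) shows the kind of checks a defender would put in front of that fetch: a length cap on the LOCATION header, a requirement that the URL name a literal IP address on the local subnet that matches the announcing sender (a hardening policy assumed here, stricter than the UPnP specification), and a hard limit on how many description bytes are ever read, which addresses both DoS modes in the paragraph above. The NOTIFY message and subnet values are constructed for illustration.

```python
import io
import ipaddress
from urllib.parse import urlsplit

MAX_LOCATION_LEN = 256              # reject absurdly long LOCATION values before parsing
MAX_DESCRIPTION_BYTES = 64 * 1024   # never read more device-description XML than this

def parse_ssdp_notify(raw: bytes) -> dict:
    """Return the headers of an SSDP NOTIFY (HTTP-over-UDP) message as a dict."""
    lines = raw.decode("ascii", errors="replace").split("\r\n")
    if not lines[0].startswith("NOTIFY * HTTP/1.1"):
        raise ValueError("not an SSDP NOTIFY")
    headers = {}
    for line in lines[1:]:
        if line == "":
            break                   # blank line ends the header block
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def check_location(headers: dict, sender_ip: str, local_net: str):
    """Decide whether the announced LOCATION URL may be fetched. Returns (ok, reason)."""
    loc = headers.get("LOCATION", "")
    if not loc or len(loc) > MAX_LOCATION_LEN:
        return False, "LOCATION missing or too long"
    try:
        url = urlsplit(loc)
        host = ipaddress.ip_address(url.hostname or "")
    except ValueError:              # malformed URL or non-literal hostname
        return False, "LOCATION host is not a literal IP address"
    if url.scheme != "http":
        return False, "only plain http description URLs are accepted"
    if host != ipaddress.ip_address(sender_ip):   # assumed policy: no third-party hosts
        return False, "LOCATION host differs from the announcing sender"
    if host not in ipaddress.ip_network(local_net):
        return False, "LOCATION points outside the local subnet"
    return True, "ok"

def read_capped(stream, limit: int = MAX_DESCRIPTION_BYTES):
    """Read a device description, giving up as soon as `limit` bytes are exceeded."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        return None                 # oversized feed: treat as bogus, stop reading
    return data

# Constructed sample announcement (not captured traffic).
GOOD_NOTIFY = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
               b"LOCATION: http://192.168.1.20:5000/desc.xml\r\nNT: upnp:rootdevice\r\n\r\n")
```

Calling `check_location(parse_ssdp_notify(GOOD_NOTIFY), "192.168.1.20", "192.168.1.0/24")` accepts the announcement, while the same message from a sender outside 192.168.1.0/24, or with an oversized or external LOCATION, is refused before any download begins.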
In contrast to the DoS problem, which involved service requests that were not properly regulated, Culp said the buffer overflow hole is a mistake in how the code design was implemented within Windows XP.
"It's a coding error. It's a mistake made by the program. The design itself was sound, but somebody made an error in implementing that design. They didn't validate one of the inputs before using it ... they didn't check the length," he added.
Since its October 25 release, Microsoft has sold about 650,000 copies of the operating system as a packaged product through retail channels, according to research from NPD Techworld, a division of the NPD Group. PC makers have been selling computers with the operating system preinstalled since September.
Microsoft has made patches available on its Web site at www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp.