Microsoft Patches Second XP Security Hole
By Elinor Mills Abreu

SAN FRANCISCO (Reuters) -- Less than two months after releasing Windows XP -- dubbed its most secure operating system ever -- Microsoft Corp. (Nasdaq:MSFT) said Thursday it had detected a second serious security hole in the software and issued a quick patch to fix it.

The company is issuing a patch for Windows XP, Windows ME and Windows 98 systems for what Scott Culp, manager of Microsoft's Security Response Center, said is a "very serious vulnerability."

The latest hole could allow a malicious hacker to completely take control of a computer, Culp said. It also puts Web servers at risk of being temporarily shut down from a denial-of-service attack or being used, along with many others, in such an attack on other computers, he said. Under a denial-of-service attack, a Web server is flooded with so much Internet traffic that it is rendered inaccessible to legitimate traffic.

The vulnerability is located in Universal Plug and Play software, which allows devices added to a network to be automatically recognized and accessed. That software is installed by default on all Windows XP systems, is an option for Windows ME users to switch on and can be installed separately on Windows 98 computers, according to Culp.

A mitigating factor is that attackers must know the exact numerical Internet address a computer is using in most instances, he said.

"There have been no reports of this being exploited yet," Culp said. However, "we do know that it will be exploited. They always are. It's a question of time."

Marc Maiffret, chief hacking officer at eEye Digital Security, who discovered the hole, said that despite there being two security vulnerabilities announced in as many months for the new operating system, "it's too early to judge XP security."

In April, Microsoft announced a new Windows Security Initiative designed to catch bugs and security holes before products ship. Despite the XP holes, the initiative is working, Culp said.
"We have said and we continue to believe that XP is the most secure version of Windows ever developed," he said. "Even as we're improving the engineering process we have to recognize that it will never be perfect."

The first XP security hole, much less serious than the current one, was discovered before the product was released and a patch for it was available when XP was released Oct. 25, Culp said. The current patch fixes both holes, he said.

Information about the vulnerability and latest patch is at http://www.microsoft.com/technet/security/bulletin/ms01-059.asp.
