IP: Government questions over Windows XP security flaws (fwd)

Eugene Leitl Eugene.Leitl at lrz.uni-muenchen.de
Sat Dec 22 01:44:25 PST 2001




-- Eugen* Leitl <a href="http://leitl.org">leitl</a>
______________________________________________________________
ICBMTO: N48 04'14.8'' E11 36'41.2'' http://www.leitl.org
57F9CFD3: ED90 0433 EB74 E4A9 537F CFF5 86E7 629B 57F9 CFD3

---------- Forwarded message ----------
Date: Fri, 21 Dec 2001 20:24:18 -0500
From: David Farber <dave at farber.net>
Reply-To: farber at cis.upenn.edu
To: ip-sub-1 at majordomo.pobox.com
Subject: IP: Government questions over Windows XP security flaws


>
>http://www.kfwb.com/news/nat/n122113.html

FBI, Pentagon Quiz Microsoft Over Windows XP Problems

WASHINGTON (AP) 12.21.01, 4:05p -- FBI and Defense Department officials and
some top industry experts sought reassurance Friday from Microsoft Corp.
that a free software fix it offered effectively stops hackers from attacking
major flaws discovered in the latest version of Windows.

The government's rare interest in the problems with Windows XP software,
which is expected to be widely adopted by consumers, illustrates U.S.
concerns about risks to the Internet. Friday's discussions came during a
private conference call organized by the FBI's National Infrastructure
Protection Center, its top cyber-security unit.

Microsoft's experts bluntly acknowledged the threats posed by the Windows
XP problems, but they assured federal officials and industry experts that
its fix -- if installed by consumers -- resolves the issues.

The company acknowledged Thursday that Windows XP suffers from serious
problems that allow hackers to steal or destroy a victim's data files
across the Internet or implant rogue computer software. The glitches were
unusually serious because they allow hackers to seize control of all
Windows XP operating system software without requiring a computer user to
do anything except connect to the Internet.

Microsoft declined to tell U.S. officials Friday how many consumers
downloaded and installed its fix during the first 24 hours it was
available. Experts from Internet providers, including AT&T Corp., argued
that information was vital to determine the scope of the threat.

Microsoft also indicated it would not send e-mail reminders to Windows XP
customers to remind them of the importance of installing the patch.

One participant in the call, who spoke on condition of anonymity, otherwise
described Microsoft officials as "extremely forthright." Microsoft
explained that a new feature of Windows XP can automatically download the
free fix, which takes several minutes, and prompt consumers to install it.

"The patch is effective," said Steve Lipner, Microsoft's director of
security assurance, who participated in Friday's call. "There was a
discussion of the importance of the Windows auto-update capability. People
were encouraged by the fact that we'll get the patch to people."

Officials also expressed fears to Microsoft about electronic attacks
launched against Web sites and federal agencies during next week's
Christmas holidays from computers running still-vulnerable versions of
Windows, participants said.

Several experts said they had already managed to duplicate within their
research labs so-called "denial of service" attacks made possible by the
Windows XP flaws. Such attacks can overwhelm Web sites and prevent their
use by legitimate visitors.

"That was the one you'll more likely see over Christmas break," one
participant said.

Another risk, that hackers can implant rogue software on vulnerable
computers, was considered more remote because of the technical
sophistication needed.

The FBI's cyber-security unit has been particularly worried lately about
the threats from denial of service attacks. It warned again Thursday that
it "has reason to believe that the potential for (denial of service)
attacks is high."

The FBI said people have indicated they plan to target the Defense
Department's Web sites, as well as other organizations that support the
nation's most important networks.

Participants in Friday's call included the FBI; Defense Department; the
U.S. Federal Computer Incident Response Center; federally funded CERT
Coordination Center; eEye Digital Security Inc., which discovered the
Windows XP problems; Network Associates Inc.; the System Administration,
Networking and Security Institute; and others.

For archives see:
http://www.interesting-people.org/archives/interesting-people/




