Friday, 21 December, 2001, 00:53 GMT
Fix your Windows, says Microsoft
Kevin Anderson

Microsoft has admitted that the newest version of its flagship Windows operating system - touted as the most secure ever - has yawning security holes.

The problems were discovered by a security firm a few weeks ago but announced on Thursday once a fix was ready, and now Microsoft is urging users of its new Windows XP operating system to download a fix.

Left unrepaired, the hole gives malicious hackers the chance to take over a Windows XP machine as soon as it is connected to the internet.

Users behind a firewall - including most businesses - are not vulnerable unless the hacker has been able to gain access to the user's network and work from behind the firewall.

Analysts say that a growing number of security alerts could hurt Microsoft's efforts to expand its reach in the business market.


Microsoft says there is no evidence that the hole has been exploited.

The company sold more than seven million copies of Windows XP in the two weeks after it was launched on 25 October, and many hope it will be a boost for the troubled technology industry.

It had been billed as the most secure Windows version ever.

Now, the company is urging all Windows XP customers and those using previous versions of Windows, including Windows 98, 98 SE or ME, who have fitted the Universal Plug and Play service, to download a patch, available on the company's website, and install it immediately.

"We are in the process of notifying our customers," said Microsoft spokesman Jim Desler.

"We have mobilised all of our technical account managers worldwide who work with big clients and we have a very broad e-mail list for e-mail notification.

"We are going out very publicly with the media - admitting or notifying that a vulnerability does exist - and that it is important to patch systems," he added.

Flaw in future feature

The flaw was discovered five weeks ago by independent computer security researchers at eEye Digital Services.

The fault is in a feature called Universal Plug and Play (UPnP).

UPnP could open the way for a future class of intelligent networked devices that would allow home users to remotely control smart appliances using their computer as a remote control.


For example, in the future, a UPnP recordable DVD player could download the television schedule from the internet and automatically record programmes that the user was interested in.

UPnP hopes to allow users to easily connect these devices without complex configuration.

There are next to no UPnP devices on the market at present, but Microsoft chose to turn the services on by default in shipping versions of Windows XP.

UPnP was built into Windows ME, but computer makers had to choose to turn it on; otherwise, it was off by default.

Security hurts expansion plans

Microsoft is re-examining what features it chooses to turn on by default, says Mike Cherry, lead analyst for operating systems at the consultancy Directions on Microsoft.

It is a fine line for the company, Mr Cherry says, because many users like to have things turned on for them and computer makers sometimes turn on optional functions in the operating system to avoid customer support calls.

The growing number of security alerts from Microsoft could hurt its efforts to expand its presence in the enterprise market with software that runs business networks and internet servers, Mr Cherry says.

Companies that Microsoft is courting want to know that the software giant can protect their information.

Hackers may not be interested in consumers' personal files, but such vulnerabilities could expose corporate secrets to prying eyes.

There is increasing impatience in the security community with vulnerabilities in Microsoft software.

"They rushed XP out the door with this thing enabled," said Richard Forno, chief technology officer for security firm Shadowlogic.

"How many patches are they going to issue?" he asked. The company recently issued a security patch for its browser.

He said that Microsoft must radically change its thinking about security. "They have got to test their stuff out and think like the bad guys," he said.

The BBC's Steve Kingstone: "Consumers are being encouraged to download a patch"

Professional computer hacker Jason Moon: "Microsoft only admits to a vulnerability when it has a patch for it"