"This is a serious vulnerability. People running Windows XP need to put the patch on right away," said Scott Culp, manager of Microsoftis Security Response Center.
Culp said users of Windows ME or Windows 98 only need the patch if they are running UPnP. Windows ME was released with UPnP built in, but the feature is turned off when customers install that operating system. Windows 98 doesnit have UPnP built in, so users of the OS donit need the patch unless they have installed UPnP separately, he added.
Culp said there are several ways people can exploit the security hole in UPnP. Someone who knows the Internet Protocol (IP) address of a specific PC can gain control of the computer through the Internet if the network doesnit have firewall security installed. Most corporations and many consumers, however, have firewalls installed to block these types of break-ins, he said.
More seriously, hackers who are inside the network can take over a PC without needing to know the PCis IP address. Thatis the case with cable Internet access, where people in the neighborhood share the same cable network, Culp said.
"With most cable modem users, thereis a physical wire that feeds an entire neighborhood, and someone from that wire could attack anyone without needing to know the IP address," he said. "The attacker can take control of the PC and have access to all the files. They might as well be sitting in front of the keyboard."
Microsoft sat on the information until they had prepared a fix, a tactic the company has been wanting the freedom to use for the last few months. This subject has gotten a lot of media attention, and you can find more information in the full article. We also have other reports for your reading edification:
- Microsoftis Patch
- Washington Post – Windows Vulnerable To Hack Attacks
- Slashdot Article – WinXP Security Flaw
- CNN Article – Windows XP vulnerable To "Serious" Attacks
- The Register UK – MS Warns Of Severe Universal Plug & Play Security Hole