IP: Government questions over Windows XP security flaws

[David Farber <dave () farber net>]

> http://www.kfwb.com/news/nat/n122113.html

FBI, Pentagon Quiz Microsoft Over Windows XP Problems WASHINGTON (AP) 
12.21.01, 4:05p -- FBI and Defense Department officials and some top 
industry experts sought reassurance Friday from Microsoft Corp. that a free 
software fix it offered effectively stops hackers from attacking major 
flaws discovered in the latest version of Windows.
The government's rare interest in the problems with Windows XP software, 
which is expected to be widely adopted by consumers, illustrates U.S. 
concerns about risks to the Internet. Friday's discussions came during a 
private conference call organized by the FBI's National Infrastructure 
Protection Center, its top cyber-security unit.
Microsoft's experts bluntly acknowledged the threats posed by the Windows 
XP problems, but they assured federal officials and industry experts that 
its fix -- if installed by consumers -- resolves the issues.
The company acknowledged Thursday that Windows XP suffers from serious 
problems that allow hackers to steal or destroy a victim's data files 
across the Internet or implant rogue computer software. The glitches were 
unusually serious because they allow hackers to seize control of all 
Windows XP operating system software without requiring a computer user to 
do anything except connect to the Internet.
Microsoft declined to tell U.S. officials Friday how many consumers 
downloaded and installed its fix during the first 24 hours it was 
available. Experts from Internet providers, including AT&T Corp., argued 
that information was vital to determine the scope of the threat.
Microsoft also indicated it would not send e-mail reminders to Windows XP 
customers to remind them of the importance of installing the patch.
One participant in the call, who spoke on condition of anonymity, otherwise 
described Microsoft officials as "extremely forthright." Microsoft 
explained that a new feature of Windows XP can automatically download the 
free fix, which takes several minutes, and prompt consumers to install it.
"The patch is effective," said Steve Lipner, Microsoft's director of 
security assurance, who participated in Friday's call. "There was a 
discussion of the importance of the Windows auto-update capability. People 
were encouraged by the fact that we'll get the patch to people."
Officials also expressed fears to Microsoft about electronic attacks 
launched against Web sites and federal agencies during next week's 
Christmas holidays from computers running still-vulnerable versions of 
Windows, participants said.
Several experts said they had already managed to duplicate within their 
research labs so-called "denial of service" attacks made possible by the 
Windows XP flaws. Such attacks can overwhelm Web sites and prevent their 
use by legitimate visitors.
"That was the one you'll more likely see over Christmas break," one 
participant said.
Another risk, that hackers can implant rogue software on vulnerable 
computers, was considered more remote because of the technical 
sophistication needed.
The FBI's cyber-security unit has been particularly worried lately about 
the threats from denial of service attacks. It warned again Thursday that 
it "has reason to believe that the potential for (denial of service) 
attacks is high."
The FBI said people have indicated they plan to target the Defense 
Department's Web sites, as well as other organizations that support the 
nation's most important networks.
Participants in Friday's call included the FBI; Defense Department; the 
U.S. Federal Computer Incident Response Center; federally funded CERT 
Coordination Center; eEye Digital Security Inc., which discovered the 
Windows XP problems; Network Associates Inc.; the System Administration, 
Networking and Security Institute; and others.

For archives see:
http://www.interesting-people.org/archives/interesting-people/