WinXP Security Flaw

← Back to Stories (view on slashdot.org)

Posted by ryuzaki0 on Thursday December 20, 2001 @07:42AM from the can-root-my-dad's-new-laptop dept.

Many readers have submitted word of the newest security hole in Windows XP. joshjs, for instance, writes: "Don't know if this is common knowledge at this point or not, but apparently some security researchers discovered that Windows XP's universal plug and play features contain a huge security flaw: 'A Microsoft official acknowledged that the risk to consumers was unprecedented because the glitches allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet. ... Microsoft made available on its Web site a free fix for both home and professional editions of Windows XP and forcefully urged consumers to install it immediately.' Read more at the Washington Post's story." No OS is perfectly secure, but I bet a lot of new XP owners won't be too happy about this. Update: 12/20 20:05 GMT by T : fcrick submits a link to the same AP story at Wired, and several readers have pointed out that a patch is available. Update: 12/20 21:31 GMT by T : And as banuaba writes: "This hole also affects versions of 98 with XP File sharing installed and all versions of ME."

4 of 628 comments (clear)

Min score:

Reason:

Sort:

Re:Well.. by Zigg · 2001-12-20 08:21 · Score: 5, Insightful

Ironically, he did "stay quiet". Notice that Scott Culp is practically peeing his pants in admiration of how he didn't publish details on how this is exploited.
Yes, FUD by poemofatic · 2001-12-20 08:46 · Score: 5, Insightful

The GPL is a EULA..

EULA = "End User License Agreement". They are a way of taking away user's first sale rights. The GPL does not try to foist any license agreement on end users. In fact it states

5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or distribute the Program or its derivative works.

So you are confusing a license to redistribute something (which is required for all copyrighted works) with a license to use a copyrighted work. Microsoft has the latter in the form of EULA. Linux doesn't. Microsoft has the former in the form of often secret agreements with OEMs. Linux has the former with the publicly available GPL. Apples and oranges.

--
When in doubt, have a man come through a door with a gun in his hand.
Re:NO EXPLOIT AVAILABLE by nagora · 2001-12-20 09:07 · Score: 5, Insightful
You missunderstand the purpose of full-disclosure. It is not intended to make life easy for skiddies, it has two reasons:
1. To force the programmers of the faulty code to fix it by giving them a deadline by which the exploit will be published. This in turn is because the black-hats will be passing the info around and the rest of us living in ignorance will lead to rooted systems eventually, even if the exploit is not disclosed. So there has to be a deadline to make sure the bug gets fixed quickly.
2. To test the manufacturer's claim that they've fixed the problem. It does happen that patches occasionally don't work.
The idea that full-disclosure means "immediate disclosure" is simply not true.
TWW
--
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
Re:There's no exploit by nagora · 2001-12-20 09:10 · Score: 5, Insightful

One would expect a rush of script kiddies against vulnerable machines....
How do you know there hasn't already been one. After all, security through obscurity means not telling users how bad things really are.
TWW

--
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"