ooohhhh sounds scary!?
 :turn:

Microsoft Patches Second XP Security Hole
Thursday December 20 7:31 PM ET
By Elinor Mills Abreu

SAN FRANCISCO (Reuters) - Less than two months after releasing Windows XP -- dubbed its most secure operating system ever -- Microsoft Corp. (Nasdaq:MSFT - news) said Thursday it had detected a second serious security hole in the software and issued a quick patch to fix it.

The company is issuing a patch for Windows XP, Windows ME and Windows 98 systems for what Scott Culp, manager of Microsoft's Security Response Center, said is a ``very serious vulnerability.''

The latest hole could allow a malicious hacker to completely take control of a computer, Culp said.

It also puts Web servers at risk of being temporarily shut down from a denial-of-service attack or being used, along with many others, in such an attack on other computers, he said.

Under a denial-of-service attack, a Web server is flooded with so much Internet traffic that it is rendered inaccessible to legitimate traffic.

The vulnerability is located in Universal Plug and Play software, which allows devices added to a network to be automatically recognized and accessed.

That software is installed by default on all Windows XP systems, is an option for Windows ME users to switch on and can be installed separately on Windows 98 computers, according to Culp.

A mitigating factor is that attackers must know the exact numerical Internet address a computer is using in most instances, he said.

``There have been no reports of this being exploited yet,'' Culp said. However, ``we do know that it will be exploited. They always are. It's a question of time.''

Marc Maiffret, chief hacking officer at eEye Digital Security who discovered the hole, said that despite there being two security vulnerabilities announced in as many months for the new operating system, ``it's too early to judge XP security.''

In April, Microsoft announced a new Windows Security Initiative designed to catch bugs and security holes before products ship. Despite the XP holes, the initiative is working, Culp said.

``We have said and we continue to believe that XP is the most secure version of Windows ever developed,'' he said. ``Even as we're improving the engineering process we have to recognize that it will never be perfect.''

The first XP security hole, much less serious than the current one, was discovered before the product was released and a patch for it was available when XP was released Oct. 25, Culp said. The current patch fixes both holes, he said.

Information about the vulnerability and latest patch is at http://www.microsoft.com/technet/security/bulletin/ms01-059.asp

 :turn:

Thanks Russ, I feel a little better now, all your Gibson Test Results came up saying my computer was invisible to the internet, and it wasn't able to access at all.

Muhhahhahh, guess it pays to be paranoid, I actually had dream last night I'd been hacked and I was watching all my data filter away.  Maybe I AM geek?

VWTrav

I Like the test too. Everything here checks out good (very secure). The test actually said i was unusually secure.

Well, I guess that means I'm safe from inquiring minds. Although, I didn't think I was running a firewall of any kind. it must be built in to my base station. :biggrin:

Secure Connection terminated...Agent has left the virtual space.

 :tounge2:

Port 139 is the one typically exploited because it's where Windows listens for connections on a Microsoft local area network. This is what the "client for microsoft networks", "microsoft family logon" and "file and printer sharing" crap are. These services are based upon NetBEUI, a protocol for small LANs and not intended for the Internet because of their insecurity. By default in Windows, these are automatically enabled for you, even though you probably don't have a Microsoft LAN running. Steve has good instructions for getting rid of this if you like.

And if you are running a home network over a broadband connection Linksys makes good home routers with a simple built-in firewall known as NAT (network address translation) which conceals the actual IP of each computer you have connected on the network.

Of course, if Microsoft didn't write operating systems we wouldn't be discussing these issues.

Russ
(maybe I should major in networking?)