Free Republic
FBI, Pentagon Quiz Microsoft on XP
dailynews.yahoo.com ^

Posted on 12/23/2001 6:55:43 AM PST by TaRaRaBoomDeAyGoreLostToday!

WASHINGTON (AP) - The FBI's top cyber-security unit warned consumers and corporations Friday night to take new steps beyond those recommended by Microsoft Corp. to protect against hackers who might try to attack major flaws discovered in the newest version of Windows software.

The FBI's National Infrastructure Protection Center said that, in addition to installing a free software fix offered by Microsoft on the company's Web site, consumers and corporations using Windows XP should disable the product's "universal plug and play" features affected by the glitches.

The FBI did not provide detailed instructions how to do this. Microsoft considers disabling the "plug and play" features unnecessary.

The company acknowledged this week that Windows XP suffers from serious problems that allow hackers to steal or destroy a victim's data files across the Internet or implant rogue computer software. The glitches were unusually serious because they allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet.

Outside experts cautioned that disabling the affected Windows XP features threatens to render unusable an entire category of high-tech devices about to go on the market, such as a new class of computer printers that are easier to set up. But they also acknowledged that disabling it could afford some protection against similar flaws discovered in the future.

The FBI, in a bulletin released at 8 p.m. at the start of a long holiday weekend, also warned professional computer administrators to actively monitor for specific types of Internet traffic that might indicate an attack was in progress.

A top Microsoft security official, Steve Lipner, sought to reassure consumers and companies that installing the free fix was the best course of action to protect their systems.

Friday's warning from the FBI's cyber-protection unit came after FBI and Defense Department officials and some top industry experts sought reassurance from Microsoft that the free software fix it offered effectively stops hackers from attacking the Windows XP flaws.

The government's rare interest in the problems with Windows XP software, which is expected to be widely adopted by consumers, illustrates U.S. concerns about risks to the Internet. Friday's discussions came during a private conference call organized by the National Infrastructure Protection Center.

During the call, Microsoft's experts acknowledged the threats posed by the Windows XP problems, but they assured federal officials and industry experts that its fix - if installed by consumers - resolves the issues.

Microsoft declined to tell U.S. officials how many consumers downloaded and installed its fix during the first 24 hours it was available. Experts from Internet providers, including AT&T Corp., argued that information was vital to determine the scope of the threat.

Microsoft also indicated it would not send e-mail reminders to Windows XP customers to remind them of the importance of installing the patch.

Microsoft explained that a new feature of Windows XP can automatically download the free fix, which takes several minutes, and prompt consumers to install it.

"The patch is effective," said Lipner, Microsoft's director of security assurance, in an interview with The Associated Press.

Officials expressed fears to Microsoft about possible electronic attacks targeting Web sites and federal agencies during next week's Christmas holidays from computers running still-vulnerable versions of Windows, participants said.

Several experts said they had already managed to duplicate within their research labs so-called "denial of service" attacks made possible by the Windows XP flaws. Such attacks can overwhelm Web sites and prevent their use by legitimate visitors.

Another risk, that hackers can implant rogue software on vulnerable computers, was considered more remote because of the technical sophistication needed.

The FBI's cyber-security unit has been concerned about the threat and warned again Thursday that the potential of "denial of service" attacks is high. The agency said people unhappy with U.S. policy have indicated they plan to target the Defense Department's Web sites, as well as other organizations that support the nation's most important networks.

-

On the Net:

NIPC.gov

Microsoft Security


TOPICS: Front Page News; News/Current Events
KEYWORDS: techindex
To: Brad C.
Many Windows apps are affected. XP and ME are the highest risk; see posts 7 & 8.

Someone tried to hack me at 7PM tonight; I know 'cause Norton told me so. Now... being a prior Mac user I am not used to using anti-virus/hack job protection programs, so this should not be a prerequisite to their flawed product; this is a weak argument.

201 posted on 12/23/2001 5:13:22 PM PST by TaRaRaBoomDeAyGoreLostToday!
[ Post Reply | Private Reply | To 196 | View Replies]

To: verboten
Pardon me while I laugh at the notion of the FBI lecturing on security vulnerability.

For real.

202 posted on 12/23/2001 5:13:41 PM PST by Jorge
[ Post Reply | Private Reply | To 4 | View Replies]

To: itsahoot
Stop bragging.

The difference in Mac's N piece a crap (PC's) is Apples N rotten oranges.

203 posted on 12/23/2001 5:16:03 PM PST by TaRaRaBoomDeAyGoreLostToday!
[ Post Reply | Private Reply | To 200 | View Replies]

To: TaRaRaBoomDeAyGoreLostToday!
I use the Zone Alarm software from Gibson Research, which also allows me to trace back the link trying to hack into my machine. It's nice software. That said, I will repeat something I posted earlier. I am moving over to a version of Linux, I don't like having to buy a new upgrade every year for the operating system or for the Office package. I have given MS enough of my money.
204 posted on 12/23/2001 5:19:26 PM PST by Brad C.
[ Post Reply | Private Reply | To 201 | View Replies]

To: Common Tator
A person with a crowbar can break into your house or car. Doesn't that make your house and car defective?

With a vehicle, building, or safe, there is a certain level of security that's expected. If I buy a $50 security cabinet, I should not be surprised if someone with a crowbar can force it open readily. A $2,000 safe, however, should require an attacker to expend a little more effort. A $2,000 safe which could be opened by tapping the right spot three times with a screwdriver would rightly be regarded as defective.

I can destroy a frame house with gasoline and a match does that not make the house defective?

Buildings are required to meet certain fire-resistance standards. These standards generally specify the rate at which fires spread (and are designed to ensure that occupants escape). If dropping a lit cigarette on the floor of a structure would result in the entire structure being engulfed in flames within 15 seconds, the structure would be rightly considered defective.

If a drunk runs into your car and it kills you does that make your car defective?

If your car and the drunk's were of comparable weight and both were travelling at 25mph or less, probably yes. Vehicles have certain specs for what types of crashes are supposed to be survivable. Vehicles which cannot protect their occupants in such crashes may be rightly regarded as defective.

Microsoft advertised their product as being "secure". Their product is in reality no more secure than a safe which will open for someone who taps the right spot with a screwdriver. As such, it would rightly be regarded as defective.

205 posted on 12/23/2001 5:19:49 PM PST by supercat
[ Post Reply | Private Reply | To 104 | View Replies]

To: Brad C.
Also See POST #14
206 posted on 12/23/2001 5:19:57 PM PST by TaRaRaBoomDeAyGoreLostToday!
[ Post Reply | Private Reply | To 196 | View Replies]

To: tje
All software is buggy. All software is shipped with known
problems.

Bill Gates before Windows 2000. We do not release software
with bugs, you must not know how to use it.

After

To the federal Judge..You must let me release this software
it fixes over 6000 bugs.

207 posted on 12/23/2001 5:24:29 PM PST by itsahoot
[ Post Reply | Private Reply | To 183 | View Replies]

To: Brad C.
Don't you just love a federal law enforcement agency cramming down their concepts of laissez faire?
208 posted on 12/23/2001 5:25:39 PM PST by Buckeroo
[ Post Reply | Private Reply | To 204 | View Replies]

To: Moridin
Bugs are a given with software.

Can a company deliberately withhold a known defect in a product?

209 posted on 12/23/2001 5:30:15 PM PST by Dominic Harr
[ Post Reply | Private Reply | To 199 | View Replies]

To: All
This is not about *buggy* software, per se.

This is about a company that *knew* their product had a serious defect, and they withheld that information from their customers purely to avoid losing sales.

That is *illegal*!!!!!!!!!

How did MS get to be above the law?

210 posted on 12/23/2001 5:33:05 PM PST by Dominic Harr
[ Post Reply | Private Reply | To 209 | View Replies]

To: supercat
If this person spends $400 on this piece of software, takes it home, goes to install it, and discovers that the license forbids such installation, what is he supposed to do?

He is supposed to take it back to where he bought it and get a refund. This may be easier said than done. If the store balks, the store manager should read the applicable clause of the EULA: YOU AGREE TO BE BOUND BY THE TERMS OF THIS EULA BY INSTALLING, COPYING, OR OTHERWISE USING THE PRODUCT. IF YOU DO NOT AGREE, DO NOT INSTALL OR USE THE PRODUCT; YOU MAY RETURN IT TO YOUR PLACE OF PURCHASE FOR A FULL REFUND.

In order to be "allowed" to sell the product, the store must agree with the manufacturer to take returns. This is usually the way it works. If the store still doesn't want to play ball, then you take it up their management chain. When you reach the end of the chain, there's always the FTC.

Some fella in Oz actually got a refund for OEM-installed MS software from Toshiba, but it wasn't easy.

211 posted on 12/23/2001 6:06:21 PM PST by TechJunkYard
[ Post Reply | Private Reply | To 197 | View Replies]

To: Balding_Eagle
So your machine downloaded the patch without your knowledge, and you were notified after the fact???

Thanks, but no thanks. That doesn't sound too secure to me.

212 posted on 12/23/2001 6:08:03 PM PST by Leper Messiah
[ Post Reply | Private Reply | To 12 | View Replies]

To: TechJunkYard
This is about a company that *knew* their product had a serious defect, and they withheld that information from their customers purely to avoid losing sales.

I may have found my sentence.

Can you see any flaws with this?

213 posted on 12/23/2001 6:18:22 PM PST by Dominic Harr
[ Post Reply | Private Reply | To 211 | View Replies]

To: Dominic Harr
Legally, a 'product defect' is significant if it would affect the decision to buy

I'm not a lawyer, are you? But you missed my point, I don't even think it qualifies as a 'defect'...

Legally, if you are a lawyer, who gets to define a software aberration as a defect? And let's go further: Why is this unexploited susceptibility in the UPNP deemed a 'defect' and Outlook, probably the single most exploited virus transport mechanism yet in place, not?

I've yet to see an explanation as to why this even can be defined as a defect, much less one that MS should be held more accountable for than anything else they've ever shipped.

All in all, Microsoft's behaviour is very much because it is a monopoly. They have no real competition and, we as users, have no real choice.
214 posted on 12/23/2001 6:21:21 PM PST by tje
[ Post Reply | Private Reply | To 198 | View Replies]

To: tje
Legally, if you are a lawyer, who gets to define a software aberration as a defect?

No, better than that -- I'm a software developer who has to obey these laws.

The law says, "A merchant is obligated under the law to disclose any fact, the disclosure of which may have influenced the buyer not to enter into the transaction to start with."

And common sense does, too.

If MS had informed its customers that XP allowed outside people to take control of their machine, it would have influenced their decision to buy.

Therefore they defrauded those customers to increase sales of XP.

215 posted on 12/23/2001 6:27:25 PM PST by Dominic Harr
[ Post Reply | Private Reply | To 214 | View Replies]

To: Dominic Harr
sales / prestige / PR. That about covers it all.

These folks don't want you to know what goes on under the covers. That automatic download deal appears to have surprised a lot of XP users... hmmm?

216 posted on 12/23/2001 6:34:12 PM PST by TechJunkYard
[ Post Reply | Private Reply | To 213 | View Replies]

To: TechJunkYard
That automatic download deal appears to have surprised a lot of XP users... hmmm?

Y'know, I'm torn on that one. It's a nice idea, automatic updates.

But it also allows the possibility of a company doing things you *don't* want.

If it ran in a 'sandbox' mode, like a Java applet, where it couldn't do anything to the hard drive without permission first -- then I think it would be a great feature.

But *unknown*?

No, I don't think so.

217 posted on 12/23/2001 6:39:24 PM PST by Dominic Harr
[ Post Reply | Private Reply | To 216 | View Replies]

To: Dominic Harr
You know Dominic you've got quite a case there. I recommend you contact a lawyer and start a class action suit against MS.

Maybe you'll do better convincing a judge and jury of your argument. But if your argument was a boat, I wouldn't sail in it.
218 posted on 12/23/2001 6:39:47 PM PST by tje
[ Post Reply | Private Reply | To 215 | View Replies]

To: Dominic Harr
RedHat's up2date utility is similar, where you register a system profile and they advise you via e-mail when an update becomes available.

The difference is that you decide whether you need/want the update (I uninstalled that RPM last month!) and you initiate the download at your convenience.

219 posted on 12/23/2001 6:46:20 PM PST by TechJunkYard
[ Post Reply | Private Reply | To 217 | View Replies]

To: tje
You know Dominic you've got quite a case there. I recommend you contact a lawyer and start a class action suit against MS.

Boy do you misunderstand my motives.

I do development for a living.

I have to deal with this debate every day. What's important is for me to have the 'right' take on it. And I have to be able to explain that take in one or two quick sentences.

I realize I'll never convince most people here . . . they're emotionally/financially tied to MS in a way that wouldn't allow them to face the truth. In the same way that Clintonistas can't admit the simplest, most obvious lawbreaking by MS.

But this is just 'practice'. The real fight over tech takes place in corporate meetings, if you get my drift. Please don't get me wrong, but nothing of consequence is likely to happen here.

220 posted on 12/23/2001 6:47:30 PM PST by Dominic Harr
[ Post Reply | Private Reply | To 218 | View Replies]



Disclaimer: Opinions posted on Free Republic are those of the individual posters and do not necessarily represent the opinion of Free Republic or its management. All materials posted herein are protected by copyright law and the exemption for fair use of copyrighted works.

FreeRepublic, LLC, PO BOX 9771, FRESNO, CA 93794
FreeRepublic.com is powered by software copyright 2000-2008 John Robinson