Culture

Reports of Windows Me bug already rolling in

On the eve of the operating system's debut, a bug hunter has announced the discovery of a vulnerability that allows attackers to crash or reboot a Windows Me computer.

The first reports of a Windows Me bug are rolling in on the eve of the official launch of Microsoft's new operating system for home PC users.

A bug hunter named Andrew Griffiths has announced he has discovered a vulnerability that allows attackers to crash or reboot a Windows Me computer running a TV software package by sending the computer a certain type of data over the Internet.

Although Microsoft has been investigating this potential problem since it learned of it a month ago, the company declined to confirm whether it's actually a vulnerability.

"At this point we are still investigating it to determine if this is indeed a security vulnerability and what is the appropriate action," a Microsoft spokeswoman said today.

However, Security Focus analyst Ben Greenbaum said today that others have been able to verify the vulnerability.

The problem lies in Microsoft software called WebTV that lets a computer running on Windows Me display video and allows people to watch TV on their computer monitors. The software, which began shipping with Windows 98 Second Edition, also accepts TV program guides from the Internet, according to Microsoft.

To exploit the vulnerability, an attacker sends a type of information formatted with a networking standard called User Datagram Protocol (UDP), Griffiths and Greenbaum said. Sending UDP data to a specific address, called a "port," can crash the WebTV software or the entire computer. In some circumstances, it can cause a reboot.

"As far as I'm aware, this is the first (Windows Me vulnerability) that's been made public knowledge," Greenbaum said.

Not all computers are vulnerable all the time, however. Although the software comes with Windows 98, Windows 98 Second Edition and Windows Me, it must first be specifically installed and running before a computer becomes vulnerable. People aren't likely to install or even the run the software unless they have a particular type of video card that can decode TV signals.

In addition, computers protected by a firewall--as is the case for most corporate machines--are not likely to be vulnerable, Greenbaum said.

Griffiths, who posted news of the vulnerability to the Bugtraq email list yesterday, stated that he notified Microsoft about the vulnerability Aug. 13. "I asked them to get back to me awhile ago, but I haven't heard any responses yet," he wrote in the posting.

But Microsoft has a different story. The company acknowledged that it received word of the vulnerability a month ago but insists its security team has been communicating with Griffiths.

"We've actively been working with Andrew throughout the investigation process," the spokeswoman said. "We respond to every email that comes in."

Griffiths, who has an Australian email address, could not immediately be reached for comment.

He described the bug this way: "By sending a UDP packet to the 22701-22705 (ports), you can cause the program to crash or cause various blue screens etc. The larger the size, the more dramatic the effects (lockups, reboots and that)."

Windows Me, the successor to Windows 98, is aimed at home computer users, not businesses. Although Microsoft initially planned to phase out the Windows 95/98 family in favor of the less-crash-prone Windows NT, the company decided to extend the lineage one more generation.

Microsoft officially is launching Windows Me tomorrow, though the operating system has been shipping on PCs since mid-August.

WebTV software is different from Microsoft's WebTV set-top boxes that allow people to surf the Internet and send email using their televisions.

One reason attackers might be interested in the vulnerability is that some types of attacks require that a machine be rebooted for changes to the computer's settings to take effect, Greenbaum said. In other words, to plant a more serious bug, a hacker would have to first prompt a reboot.

An attacker must know the specific Internet address of the target computer. Greenbaum said it's not difficult to scan Internet Protocol addresses to find which computers have the specific ports open, an indication that they're vulnerable to the attack.

So far there's no indication whether an attacker could use the vulnerability for more damaging attacks, such as running arbitrary programs or corrupting data, but that type of problem is a possibility, Greenbaum said.