The hole could let hackers take control of a PC running XP, says the manager of Microsoft's Security Response Center. "They might as well be sitting in front of the keyboard."
Microsoft is recommending that every Windows XP customer apply the patch immediately. Customers using Windows 98, Windows 98 Second Edition and Windows ME with the "Universal Plug and Play" (UPnP) service up and running should also use the patch, the company said.
UPnP is Microsoft software that uses Internet protocols to allow devices such as computers, scanners and printers to automatically discover one another so they can communicate. Microsoft said an attacker who exploited the hole could take over computers on such a network. Depending on the skills of the attackers, they could take complete control of the PC--such as viewing or deleting files--or launch "denial-of-service" attacks, which flood a person's PC with data, crippling it.
Windows users can download the patch from Microsoft's Web site.
A Microsoft executive said Windows XP comes with the UPnP feature turned on, so every XP user needs the patch.
"This is a serious vulnerability. People running Windows XP need to put the patch on right away," said Scott Culp, manager of Microsoft's Security Response Center.
Culp said users of Windows ME or Windows 98 only need the patch if they are running UPnP. Windows ME was released with UPnP built in, but the feature is turned off when customers install that operating system. Windows 98 doesn't have UPnP built in, so users of the OS don't need the patch unless they have installed UPnP separately, he added.
UPnP is networking software that is slowly beginning to catch on among tech companies and computer users. Printer makers, for example, have begun supporting it so that printers can easily connect to PCs on a network.
UPnP is Microsoft's vision of allowing computers, printers and other peripherals to automatically find one another and communicate without consumers having to configure the computers. With everything connected, people in the house could videoconference or play multiplayer video games, for example.
More seriously, hackers who are inside the network can take over a PC without needing to know the PC's IP address. That's the case with cable Internet access, where people in the neighborhood share the same cable network, Culp said.
"With most cable modem users, there's a physical wire that feeds an entire neighborhood, and someone from that wire could attack anyone without needing to know the IP address," he said. "The attacker can take control of the PC and have access to all the files. They might as well be sitting in front of the keyboard."
The flaws were discovered by Aliso Viejo, Calif.-based security company eEye Digital Security and reported to Microsoft about six weeks ago, said Marc Maiffret, eEye's chief hacking officer.
Although describing the flaws as "the worst default security vulnerability in Windows ever," Maiffret credited the company for working quickly and intelligently to stem possible damage.
"Microsoft made a really good effort to work with us and get the patch ready in a coordinated way," he said. "Microsoft understands you're never going to be perfect; you have to have a mechanism in place to react to these things quickly and comprehensively when they happen."
Maiffret predicted hackers would develop and release tools to exploit the UPnP vulnerability within a week or two. But he said the buffer overflow flaw was so technically complex that attacks based on it were unlikely to become widespread. "I think the people skilled enough to exploit this will keep the exploit to themselves," he said.