Windows Flaws Give Attackers Control of PCs

Written by Dennis Fisher
Dec 20, 2001

Security researchers have discovered two new vulnerabilities in Microsoft Corp.'s Windows XP and ME and some versions of Windows 98, one of which gives attackers complete control over a vulnerable machine.

Both flaws are in the Universal Plug and Play service, which enables computers to find and use network-based devices, and affect Windows XP and ME and versions of Windows 98 and 98SE with the Internet Connection Sharing client installed.

The most serious vulnerability is a buffer overrun in one of the UPnP components that notifies networked PCs of the availability of a device. If an attacker sent a specially crafted Notify directive to a vulnerable machine, he could run code in the context of the UPnP service, which has system-level privileges in Windows XP.

This scenario would give the attacker total control of the compromised PC, according to an advisory released by Microsoft.

The other vulnerability also involves the Notify directive and can result in two separate denial-of-service scenarios. The Notify directive contains information on where PCs can obtain a device's description, and this data can often reside on a third-party server. But the UPnP implementations in XP and Windows 98 don't correctly regulate how the service performs this operation.

As a result, an attacker could send a Notify command to a UPnP machine specifying that the device description be downloaded from a certain port on a designated server. If that server has the echo service running on the specified port, the requesting computer could be put into an endless download cycle, consuming all of the system's resources.

Alternately, if enough machines responded to the Notify directive pointing them to the third-party server, they could flood the server with requests, creating a distributed denial-of-service attack.
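Both denial-of-service scenarios come from the service fetching a description from wherever the Notify directive points. As an added illustration (not code from Microsoft or its advisory), the sketch below shows the kind of check a UPnP client could apply before and during that fetch. The SSDP header names come from the UPnP specification; the same-host policy, the port list, the size cap and the sample addresses are assumptions made for this example.

```python
import io
from urllib.parse import urlsplit

MAX_DESCRIPTION_BYTES = 64 * 1024          # assumed cap on a device description
SMALL_SERVICE_PORTS = {7, 9, 13, 17, 19}   # echo, discard, daytime, qotd, chargen

def parse_headers(raw):
    """Split an SSDP message into its request line and an upper-cased header dict."""
    lines = raw.decode("latin-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:                       # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return lines[0], headers

def check_notify(raw, sender_ip):
    """Return the reasons to refuse fetching the advertised description (empty = ok)."""
    request_line, headers = parse_headers(raw)
    if not request_line.startswith("NOTIFY "):
        return ["not a NOTIFY message"]
    location = headers.get("LOCATION")
    if location is None:
        return ["no LOCATION header"]
    try:
        url = urlsplit(location)
        port = url.port or 80
    except ValueError:
        return ["unparseable LOCATION"]
    problems = []
    if url.scheme != "http":
        problems.append("LOCATION is not an http URL")
    if url.hostname != sender_ip:          # assumed policy: only the announcer may serve it
        problems.append("LOCATION points at a third-party host")
    if port in SMALL_SERVICE_PORTS:
        problems.append(f"LOCATION targets small-service port {port}")
    return problems

def read_bounded(stream, limit=MAX_DESCRIPTION_BYTES):
    """Read a description, giving up once it exceeds the size cap."""
    data = stream.read(limit + 1)
    if len(data) > limit:
        raise ValueError("device description exceeds size cap")
    return data

# Constructed sample: a NOTIFY from 192.0.2.10 naming the echo port on another host.
SAMPLE = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
          b"LOCATION: http://198.51.100.7:7/desc.xml\r\n\r\n")

if __name__ == "__main__":
    print(check_notify(SAMPLE, "192.0.2.10"))
```

The size cap in `read_bounded` bounds the endless-download case; a real client would pair it with a connection timeout.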

There are several mitigating factors involved in these scenarios, however. UPnP support does not run by default on Windows ME, and there is no native support for the service in 98 or 98SE. And Windows XP has a built-in firewall, which runs by default and could hamper some of the attacks.

This is the first serious remote vulnerability that has been found in XP, and security experts worry that it could eventually lead to the development of a self-propagating worm capable of infecting thousands of machines.

“There are more than a few people with the ability to write a tool to exploit this,” said Jim Magdych, director of the Covert Lab at Network Associates Inc., in Santa Clara, Calif. “This could potentially be a candidate [for a worm].”

Magdych added that XP's large base of home users, who are generally inexperienced with security matters, makes this vulnerability particularly worrisome. “We have a window of opportunity right now to get the message out,” he said.

Patches for the various operating systems are available here.
