Microsoft Corp. issued a security bulletin Thursday to users of its Windows operating systems, warning of three "critical" holes in the software that leave a Windows PC vulnerable to hackers when it is logged on to the Internet.
By exploiting holes in technology built into Windows XP that allow a computer to automatically recognize peripheral devices, such as digital cameras or printers, when they are plugged into a PC, a hacker could take over a user's PC and run malicious code or use it to perform a denial of service attack.
Microsoft has posted free patches for the holes on its Web site for developers, for each of the affected operating systems. Windows XP is the most vulnerable to the holes, while users of Windows ME and Windows 98 were also encouraged to install the patches. Microsoft strongly urged Windows XP users to install the patch immediately.
The vulnerable technology is called Universal Plug and Play (UPnP). Windows XP and its predecessor, Windows ME, have built-in support for UPnP. Users of Windows 98 can get support for the technology through a Microsoft download.
Independent security consultants from eEye Digital Security, based in Aliso Viejo, California, managed to discover the vulnerabilities by sending malicious commands disguised as a UPnP service to a remote computer plugged into the Internet.
"This would enable the attacker to gain complete control over the system," Microsoft said in the security bulletin.
Certain commands could allow a hacker to run code on that computer, install software or use that PC to perform a denial of service attack. In denial of service attacks, software is used flood a network with traffic, rendering servers unable to distinguish between legitimate traffic and malicious or false traffic.
Since its Oct. 25 release, Microsoft has sold about 650,000 copies of the operating system as a packaged product through retail channels, according to research from NPDTechworld, a division of the NPD Group Inc. PC makers have been selling computers with the operating system pre-installed since September.
Microsoft has made patches available on its Web site at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp.