FBI, Pentagon Quiz Microsoft on XP

[Paul Howell]

At http://dailynews.yahoo.com/h/ap/20011221/tc/microsoft_hackers_10.html

Friday December 21 5:50 PM ET 
FBI, Pentagon Quiz Microsoft on XP
   
By TED BRIDIS, Associated Press Writer 

WASHINGTON (AP) - FBI (news - web sites) and Defense Department officials and 
some top industry experts sought reassurance Friday from Microsoft Corp. that 
a free software fix it offered effectively stops hackers from attacking major 
flaws discovered in the latest version of Windows. 

The government's rare interest in the problems with Windows XP (news - web 
sites) software, which is expected to be widely adopted by consumers, 
illustrates U.S. concerns about risks to the Internet. Friday's discussions 
came during a private conference call organized by the FBI's National 
Infrastructure Protection Center, its top cyber-security unit. 

Microsoft's experts bluntly acknowledged the threats posed by the Windows XP 
problems, but they assured federal officials and industry experts that its 
fix - if installed by consumers - resolves the issues. 

The company acknowledged Thursday that Windows XP suffers from serious 
problems that allow hackers to steal or destroy a victim's data files across 
the Internet or implant rogue computer software. The glitches were unusually 
serious because they allow hackers to seize control of all Windows XP 
operating system software without requiring a computer user to do anything 
except connect to the Internet. 

Microsoft declined to tell U.S. officials Friday how many consumers downloaded 
and installed its fix during the first 24 hours it was available. Experts from 
Internet providers, including AT&T Corp., argued that information was vital 
to determine the scope of the threat. 

Microsoft also indicated it would not send e-mail reminders to Windows XP 
customers to remind them of the importance of installing the patch. 

One participant in the call, who spoke on condition of anonymity, otherwise 
described Microsoft officials as ``extremely forthright.'' Microsoft explained 
that a new feature of Windows XP can automatically download the free fix, 
which takes several minutes, and prompt consumers to install it. 

``The patch is effective,'' said Steve Lipner, Microsoft's director of 
security assurance, who participated in Friday's call. ``There was a 
discussion of the importance of the Windows auto-update capability. People 
were encouraged by the fact that we'll get the patch to people.'' 

Officials also expressed fears to Microsoft about electronic attacks launched 
against Web sites and federal agencies during next week's Christmas holidays 
from computers running still-vulnerable versions of Windows, participants said. 

Several experts said they had already managed to duplicate within their 
research labs so-called ``denial of service'' attacks made possible by the 
Windows XP flaws. Such attacks can overwhelm Web sites and prevent their use 
by legitimate visitors. 

``That was the one you'll more likely see over Christmas break,'' one 
participant said. 

Another risk, that hackers can implant rogue software on vulnerable computers, 
was considered more remote because of the technical sophistication needed. 

The FBI's cyber-security unit has been particularly worried lately about the 
threats from denial of service attacks. It warned again Thursday that it ``has 
reason to believe that the potential for (denial of service) attacks is high.'' 

The FBI said people have indicated they plan to target the Defense 
Department's Web sites, as well as other organizations that support the 
nation's most important networks. 

Participants in Friday's call included the FBI; Defense Department; the U.S. 
Federal Computer Incident Response Center; federally funded CERT Coordination 
Center (news - web sites); eEye Digital Security Inc., which discovered the 
Windows XP problems; Network Associates Inc.; the System Administration, 
Networking and Security Institute; and others.