Originally created 12/23/01

Feds quiz Microsoft on software security



WASHINGTON -- FBI and Defense Department officials and some top industry experts sought reassurance Friday from Microsoft Corp. that a free software fix it offered effectively stops hackers from attacking major flaws discovered in the latest version of Windows.

The government's rare interest in the problems with Windows XP software, which is expected to be widely adopted by consumers, illustrates U.S. concerns about risks to the Internet. Friday's discussions came during a private conference call organized by the FBI's National Infrastructure Protection Center, its top cyber-security unit.

Microsoft's experts bluntly acknowledged the threats posed by the Windows XP problems, but they assured federal officials and industry experts that its fix - if installed by consumers - resolves the issues.

The company acknowledged Thursday that Windows XP suffers from serious problems that allow hackers to steal or destroy a victim's data files across the Internet or implant rogue computer software. The glitches were unusually serious because they allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet.

Microsoft declined to tell U.S. officials Friday how many consumers downloaded and installed its fix during the first 24 hours it was available. Experts from Internet providers, including AT&T Corp., argued that information was vital to determine the scope of the threat.

Microsoft also indicated it would not send e-mail messages to Windows XP customers to remind them of the importance of installing the patch.

One participant in the call, who spoke on condition of anonymity, otherwise described Microsoft officials as "extremely forthright." Microsoft explained that a new feature of Windows XP can automatically download the free fix, which takes several minutes, and prompt consumers to install it.

"The patch is effective," said Steve Lipner, Microsoft's director of security assurance, who participated in Friday's call. "There was a discussion of the importance of the Windows auto-update capability. People were encouraged by the fact that we'll get the patch to people."

Officials also expressed fears to Microsoft about electronic attacks launched against Web sites and federal agencies during next week's Christmas holidays from computers running still-vulnerable versions of Windows, participants said.

Several experts said they had already managed to duplicate within their research labs so-called "denial of service" attacks made possible by the Windows XP flaws. Such attacks can overwhelm Web sites and prevent their use by legitimate visitors.

"That was the one you'll more likely see over Christmas break," one participant said.

Another risk, that hackers can implant rogue software on vulnerable computers, was considered more remote because of the technical sophistication needed.

The FBI's cyber-security unit has been particularly worried lately about the threats from denial of service attacks. It warned again Thursday that it "has reason to believe that the potential for (denial of service) attacks is high."

The FBI said people have indicated they plan to target the Defense Department's Web sites, as well as other organizations that support the nation's most important networks.

Participants in Friday's call included the FBI; the Defense Department; the U.S. Federal Computer Incident Response Center; the federally funded CERT Coordination Center; eEye Digital Security Inc., which discovered the Windows XP problems; Network Associates Inc.; the System Administration, Networking and Security Institute; and others.