Ars Technica: The PC enthusiast's resource Posted 12/20/2001 - 3:37PM, by Caesar
This Washington Post story let the cat out of the bag: WinXP's Universal Plug 'n Play support contains a flaw that essentially allows malicious users to seize control of any unpatched XP system on the 'net. This flaw is also present in the Internet Connection Sharing client that can be installed in Win98 and WinME. In other words, everyone using a Microsoft OS should get the patch. From the story:
A Microsoft official acknowledged that the risk to consumers was unprecedented because the glitches allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet.
There is no KB article yet, although Microsoft said that information will be available within 24 hours under KB article Q315000. Most egregious, in my view, is the fact that this bug was discovered five weeks ago, yet we're only learning about it now, yet not from Microsoft, but from the media. Also note that the patch has not appeared on WindowsUpdate yet, so you'll need to grab it and install it the old fashioned way. Update: I've just received a copy of the security bulletin that Microsoft sent out over e-mail. It contains much more in-depth information than is currently available elsewhere. I've posted it up here for those interested.