Microsoft owns up to massive XP security hole

Microsoft has admitted that Windows XP, supposedly the most secure PC operating system ever developed, contains three serious security holes that could allow hackers to take over vulnerable computers.

The flaws were first discovered by a security consultancy, eEye Digital Security, five weeks ago.

Tony Lock, senior analyst at Bloor Research, said: "Microsoft doesn't have the best reputation for dealing with security holes in its products. It has taken an unreasonably long time to deal with this hole in its product, which is potentially very serious indeed.

"A company with the resources of Microsoft really ought to be doing better."

The problems are caused by the universal plug and play service of XP, a feature designed to allow computers to control other electronic devices such as DVD players remotely without using a complex configuration procedure.

A malicious hacker could use a vulnerability in the system to take control of a machine running XP. It could also be used to make the computer crash.

The flaw could also be exploited to make a computer send requests to a web server. If hundreds of computers were used in this way, they could flood a third-party website with more requests for information than it could respond to, thereby taking it offline.

Any machine operating behind a firewall would not be vulnerable to this form of attack unless the hacker breached the firewall first. Microsoft believes that the security hole has not yet been exploited.

The company has nonetheless posted three patches on its site, and is urging all the seven million customers who have bought the OS to download from http://www.microsoft.com/technet/ and install the patch immediately.

eEye has a track record of spotting holes in Microsoft products and exposed a flaw in its internet server in the summer.