Technology & Science

Flaw allows Xbox 360 to be hijacked

A "critical" vulnerability in Microsoft's Xbox 360 video game console could let an attacker run unauthorized software on machines that haven't been fixed, according to an advisory issued Wednesday.

A "critical" vulnerability in Microsoft's Xbox 360 video game console could let an attacker run unauthorized software on machines that haven't been fixed, according to an advisory issued Wednesday.

In order to exploit the vulnerability that could let a malicious individual seize control of an Xbox 360, the attacker would need physical access to the machine.

The reportsays the flaw was disclosed to Microsoft on Jan. 3 and the company released a fix for the problem on Jan. 9, which would have been downloaded over the internet to affected systems connected to Microsoft's Xbox Live network.

"Microsoft has completed the investigation into the public claims of a vulnerability in Xbox 360 … and has already distributed a fix across our distribution methods, both online and offline," John Rodman, senior product manager for the Xbox global platform team told CBC News Online in an e-mailed statement on Thursday.

He noted that peoplewithout access to the Xbox Live online network could download the patch to a computer and burn it on to a DVD or CD.

The fix and instructions on how to obtain and install it are published on the operating system software update page on the Xbox.com website.

The flaw is in a piece of the Xbox's security software known as the hypervisor, which controls access to the system's memory and manages encryption and decryption functions.

Cryptographic key

In contrast, software such as games and other programs must be "signed" with Microsoft's cryptographic key to run on the machine and — unlike hypervisor — run in a so-called non-privileged mode.

The weakness in the hypervisor would effectively allow an attacker's software to run on the system with full privileges and access to the Xbox 360 hardware.

Microsoft said they had sold 10.4 million Xbox 360s worldwide by early January.

Word of the bug, rated "critical" in its severity,was distributed on the BugTraq computer security discussion list by an individual identifying him or herself only as Anonymous Hacker.

According to the report, the flaw was discovered on Oct. 31, 2006, and an attempt to contact Microsoft about the problem was made on Dec. 15, 2006.

A public demonstration of the vulnerability was made at the 23C3 Hacker Congress hosted by the Chaos Computer Club in Berlin, Germany, on Dec. 30, 2006.

All consoles with a kernel, or core, of the Xbox 360's operating system prior to version 4532, released on Oct. 31, 2006, are affected. The fix issued on Jan. 9 was for kernel version 4552.

now