An underground hacker pretends to have discovered a significant security flaw in the software that runs Microsoft's Xbox 360 that could allow a users or attacker to take over control of the system.
Microsoft has recognized the vulnerability and issued a patch on January 9. The hacker exposed the vulnerability late December, but only now presented details on how to exploit the flaw on the Full Disclosure security email list.
"Microsoft has completed the investigation into the public claims of vulnerability in Xbox 360. The issue in question can only allow a user with physical access to the Xbox360 console to modify the Xbox’s configuration," a Microsoft spokesperson told vnunet.com.
The vulnerability affected the hypervisor, a module that effectively acts as a gate keeper to the system by encrypting all code and by making it read only. This approach limits access to system resources for both games and any code that users or attackers would inject.
Because the flaw lets users overrule they Xbox's security system, it could permit them to install a custom operating system. This includes systems that are stripped from copyright protection technologies that prevent users from running illegally copied games.
Microsoft introduced the flaw through the 4532 kernel update on 31 October that was automatically distributed to all Xbox 360 systems with an internet connection throught the Xbox Live service. It took 6 days for the company to develop a patch after it was contacted.
Microsoft's previous generation gaming console was an easy target for so-called modders. The practice has been a constant irritation to Microsoft and the hypervisor technology was designed to provide a way to block the practice.
Users can manually download the patch by connecting to Xbox Live. Systems without an internet connection can obtain the update by manaully downloading a patch, burning it to a CD and insert that in their console.
