An anonymous hacker claims to have uncovered a critical security flaw in the software that runs Microsoft's Xbox 360 that could allow an attacker to take control of the system.
Microsoft has acknowledged the vulnerability and issued a patch on 9 January. The hacker demonstrated the vulnerability in December, but has only now provided details on how to exploit the flaw on the Full Disclosure security email list.
"Microsoft has completed the investigation into the public claims of a vulnerability in Xbox 360. The issue in question can only allow a user with physical access to the console to modify the Xbox configuration," a Microsoft spokesperson told vnunet.com.
The vulnerability affected the hypervisor component that effectively acts as a gatekeeper to the system by encrypting all code and making it read-only.
This approach limits access to system resources for games and any code that users or attackers could inject.
Because the flaw lets users override the Xbox security system, it could allow them to install a custom operating system.
This includes systems that are stripped from copyright protection technologies that prevent users from running illegally copied games.
Microsoft introduced the flaw through the 4532 kernel update on 31 October that was automatically distributed to all Xbox 360 systems with an internet connection through the Xbox Live service.
It took six days for the company to develop a patch after it was contacted.
Microsoft's previous generation gaming console was an easy target for so-called modders. The practice has been a constant irritation to Microsoft and the hypervisor technology was designed to block the practice.
Users can manually download the patch by connecting to Xbox Live. Users of systems without an internet connection can obtain the update by manually downloading a patch to a PC, burning it to a CD and inserting it into the console.
Hackers crack Xbox 360 security
By Tom Sanders on Mar 5, 2007 8:12AM