FBI, Pentagon Talk to MS about XP Hole 405

Posted by timothy
from the step-inside-the-circle-of-trust dept.
(eternal_software) writes: "The Associated Press is reporting that the FBI and Defense Department are talking to Microsoft about the serious flaws found in the XP operating system. As we all know, the most recent flaw allowed any XP machine to be hijacked simply by connecting it to the internet. The government is getting involved because of growing U.S. concerns about risks to the 'net as a whole." In fact, the FBI would like you to go a bit beyond the MS patch. davecl points out the updated page put out by the National Infrastructure Protection Center about this vulnerability as well.
  • Just a thought (Score:4, Interesting)

    by peripatetic_bum (211859) on Saturday December 22, 2001 @08:37AM (#2741074) Homepage Journal
    First we hear rumors that al-queda may have hacked into windows,

    now we see the Gov't take a special interest in

    the latest XP hole.

    Don't know about you, but I really don't know what to think.

    • I'm sure it's just coincidence. The more likely reason is due to the heightened state of security, the FBI is less tolerant of MS's sloppy security holes.

      • by texchanchan (471739) <ccrowley@g m a i l . com> on Saturday December 22, 2001 @09:22AM (#2741160)
        MagikSlinger is almost certainly right about this. However, if there is a terrorist group out there which was organized and sophisticated enough to carry out another large-scale, imaginative attack (which I doubt), Microsoft might be on their list for these reasons:
        - It's American, and a symbol of American characteristics such as innovation, which is in itself hated by reactionaries.
        - It's extremely visible.
        - Its market dominance could be perceived as "imperialist" or culturally imperialist by people who think like that.
        - It's a center of wealth and therefore, in puritanical minds, of evil decadence.
        - It could be thought of as a "vital organ" of the American economy by someone who doesn't realize how decentralized the American economy is.

        Arguing against an attack on Microsoft is the idea that it's causing enough trouble for the US by itself, but this concept is probably beyond the reach of most fanatics.
        • Microsoft might be on their list for these reasons:

          How about the biggest reasons:
          • They hire lots of foreign programmers (see their support for H1B visas), making them pathetically easy to infiltrate
          • they neither know nor care about security - never have, never will, couldn't fix it if they wanted to because their corporate culture is 'features, Features, FEATURES!'
    • Nonsense (Score:3, Funny)

      by ackthpt (218170)
      This is the DoJ (FBI) we're talking about, they want to thank Bill personally for keeping them all busy and employed during these uncertain economic times. Also, I'm sure there's a card with a box of chocolates on the way to Redmond from McAfee.
      • Also, I'm sure there's a card with a box of chocolates on the way to Redmond from McAfee.

        Anyone else got to see the demo version of McAfee ActiveShield installed on new HP systems? One of my friends called me over one day because he said his antivirus had found a virus on his computer. I told him just to hit repair and if that didn't work, hit delete, then he told me there were no repair or delete buttons.

        When I went to look at the problem, I saw ActiveShield had popped up a dialog, "McAfee ActiveShield has detected an infection in this file somefile.mp3.vbs VBS/Love Letter." With a button that took you to the McAfee website where you could remove this virus using McAfee online for "only 39.95." After getting him NAV, we found that it had infected every eligible file on the system (about 23,000), and LoveLetter of course overwrites the original files.

        I found his restore disks and went back to my Power Mac.

    • Re:Just a thought (Score:5, Insightful)

      by colatek (525301) <[douglasnorton] [at] [comcast.net]> on Saturday December 22, 2001 @11:17AM (#2741403)
      I have to agree with the one post on the site I linked to above. Microsoft knew about the security hole in XP for 5 weeks yet they continued to tout it as the most secure system ever. I believe it was irresponsible of them not to at least inform the government about this bug. Heck, I think they should have gone as far as to tell the consumers. The whole thing tells me that Microsoft cares about nothing more than their bottom line (yes I know that they are a business, but this could be a national security issue). I think that there is criminal negligence here. I think there are grounds for consumer fraud. I for one am going to write the state's attorney and ask them what stance they are going to take on this issue.
      • Re:Just a thought (Score:3, Interesting)

        I believe it was irresponsible of them not to at least inform the government about this bug. Heck, I think they should have gone as far as to tell the consumers.

        Given that AOL can afford to stuff the mailboxes of the entire US with CD's, Microsoft ought to be able to afford a replacement CD for their paying customers. Instead, they expect you to risk further compromise by going online to get a patch.


        They wouldn't even admit that there was a problem until the Washington Post held their feet to the fire. Must be nice to know Uncle Bill cares about his customers ... It's even nicer not to be one of his customers.

    • I think it's even worse than how you present it:

      A witness says that Al-Queda deliberately set out to leave back doors and security holes in XP.

      XP then has the worst hole of any Microsoft OS, ever.

      The FBI suddenly has a lot of questions. They damn well should.
  • hmmm...interesting (Score:4, Insightful)

    by metrix007 (200091) on Saturday December 22, 2001 @08:41AM (#2741082)
    the fact remains, ms code *can* be secure, obviously just not xp, good to see them getting their act together
  • by Anonymous Coward on Saturday December 22, 2001 @08:43AM (#2741083)
    MS XP patch disabled network card on my computer!

    I guess the computer is really safe now.
  • by Merik (172436) on Saturday December 22, 2001 @08:43AM (#2741084) Homepage
    "Microsoft explained that a new feature of Windows XP can automatically download the free fix, which takes several minutes, and prompt consumers to install it. "

    that's really messed up and scary

    (Hmmm.. Magic Lantern)
    • This isn't such a bad feature if you think about it. Well, if it did it like OS X did, I'd be happier, but I can't say that XP does. It should prompt and then download if affirmative.

      But that's my humble opinion, which isn't as scary or so scary or whatever...
    • by Alien54 (180860) on Saturday December 22, 2001 @09:26AM (#2741177) Journal
      "Microsoft explained that a new feature of Windows XP can automatically download the free fix, which takes several minutes, and prompt consumers to install it. "

      Never mind that such an exploit could also be used to do just the same thing and send people off to download a "patch" from a pseudo-MS site.

      Suddenly people are taking seriously the idea that MS can present a problem for national security, when this was dismissed as a trollish comment before.

      The fantasy is the unlikely end result with Bill Gates and buddies being arrested for treason for the software. Yes, it is just a fantasy.

      But isn't Xmas the time of year for dreams? ;)

        • Never mind that such an exploit could also be used to do just the same thing and send people off to download a "patch" from a pseudo-MS site.

        Probably not as easily done as it appears on the surface. I suspect (though I could be wrong) that there would be some kind of key-signing of the update patch that's done by MS and then checked by XP before installing the same.

        Or maybe not. This is, after all, Microsoft. But still, it seems an obvious precaution to me.
        • I suspect (though I could be wrong) that there would be some kind of key-signing of the update patch that's done by MS and then checked by XP before installing the same.

          I am sure that someone could human engineer the error messages. and since they would actually never go to MS, but maybe to some Bogus Site, like Microsoft-security.com some folks could be fooled by this. I am thinking of the Pay-Pal Scam [arstechnica.com] that was running around a few days back, using simple email. It wouldn't be that hard for people who were expert to fudge something to send a user to La la land, with appropriate dialogs, disclaimers, etc. etc.

    • No, it is a part of XP, in the system properties, it's called Automatic Updates. It's also available in Win98/ME through the Critical Updates program you can get through Windows Update. You can turn it off at will.
    • "Microsoft explained that a new feature of Windows XP can automatically download the free fix, which takes several minutes, and prompt consumers to install it. "


      that's really messed up and scary


      Yeah, scary like apt-get.

      Then again, at least MS patches are signed, which makes things not quite so easy to trojan [securityfocus.com]. (Yeah, signatures aren't everything [counterpane.com], I know.) Unless, of course, you don't trust MS not to trojan their software, in which case why are you running it?

      Auto-update systems are good, so long as they prompt the user, which it appears XP's does.
  • How much you want to bet that no one sees this as a problem with Microsoft? One can only hope this emboldens the anti-trust crusaders and their cause.

  • Trust us! (Score:4, Interesting)

    by robinjo (15698) on Saturday December 22, 2001 @08:46AM (#2741090)

    Microsoft has known for five weeks that XP had a serious security hole. They didn't do anything to warn customers who bought XP during that time. They just kept telling how XP is so secure.

    It's unbelievable what Microsoft can get away with. I don't think the hole and the patch are the important issues here. I'm shocked how Microsoft can lie to the whole world for five weeks and people still trust them.

    Microsoft should have withdrawn XP and fixed it. Especially as they don't even have any serious competitors. What they showed was that they don't care about the safety of their customers. They just want to make money no matter what.

    • Re:Trust us! (Score:5, Interesting)

      by uchian (454825) on Saturday December 22, 2001 @09:07AM (#2741134) Homepage
      Microsoft should have withdrawn XP and fixed it. Especially as they don't even have any serious competitors. What they showed was that they don't care about the safety of their customers. They just want to make money no matter what.

      In my opinion they should _STILL_ withdraw it and fix it.

      By this, I mean that they should recall every vulnerable CD off of shelves, and send everyone who they know has bought one a new copy that is already patched.

      Computers bought with Windows XP preinstalled should have the offer of being recalled to have the patch applied, and everyone should be sent an updated recovery disk.

      Why? Because otherwise, 90% of computers out there, run by the technologically clueless population will never get this patch applied.
      • by eggz128 (447435) on Saturday December 22, 2001 @09:33AM (#2741188)
        Why? Because otherwise, 90% of computers out there, run by the technologically clueless population will never get this patch applied.

        Yes they will. Thats what the auto updater is for. It downloads the patch in background while the technologically clueless user is browsing, then prompts them to install it by asking them "We send you this update in order to have your advice".

        You can guess what the standard response will be.
        • Re:Trust us! (Score:2, Interesting)

          by uchian (454825)
          Hmmm... Great. But we still get a race between the autoinstaller downloading the patch, and the attacks from the all new improved Code Red XP which isn't out yet but which I guess there are at least one or two versions of being written in back bedrooms the world over.

          If I recall, on average I was getting one attack every fifteen minutes from Code Red. So how long does this patch take to download? Especially since it's happening in the background, I guess that means it takes a lower priority over a users normal browsing.
          • Re:Trust us! (Score:2, Informative)

            by Oily Tuna (542581)
            You can disable UPnP and SSDP before connecting. Instructions for doing this can be found by non-internet means.

            net stop ssdpsrv
            net stop upnphost
        • Re:Trust us! (Score:3, Insightful)

          by staeci (85394)
          I don't know about anyone else, but if I was writing trojans/virii etc. for XP, the first thing it would do would be to disable auto-update and make sure that it stays off.
    • Re:Trust us! (Score:5, Insightful)

      by Masem (1171) on Saturday December 22, 2001 @09:08AM (#2741135)
      Remember that Microsoft wants to push a security model in which new bugs are reported only to the vendor and possibly a NDA-signed security group, and then in 'sufficient time' ( There's a part of me that says, ok, this type of reporting for a bug with this amount of security implications is probably a good thing, as if the bug was reported before the patch was available, you'd already have 'owned' XP boxes out there before MS had the patch. In the fashion they approached it, the amount of damage to XP (or other OSes) boxes will be minimized.

      But I feel there MUST be some preannouncement on such bugs, even if the details are minimal. Whenever you work on something, you cannot expect that someone else in the world is not also working on the same thing, but not for the same purposes. In the case here, eEye, the group that found the bug, was looking for it for purposes of good, but I would not expect that someone else, maybe a malicious group, was also narrowing in on the bug 5 weeks ago when eEye reported it to MS. (And then you have to add cyber-espionage that might have garnered that info for themselves?) In the 5 weeks it took MS to verify the bug and develop and test the patch, that other group might have caught up and started 'owning' boxes already. A preannouncement of the bug, simply outlining the effects, and any short-term security measures, would have prevented that group from having any significant harm on the boxes if they did exist.

      I know from a previous discussion that many sysadmins, when a new bug is discovered, want to know all the details up front so they can test the bug before and after fixing on their systems. This is understandable, but I think in the cases of bugs that can affect a significantly large number of systems, such as this XP bug, that limited disclosure is better. I think a key step that could be done is to institute a small group of trusted security people; bugs that are found are reported to the vendor and to this group. A person(s) from the group verifies the bug and puts out a digitally signed statement that this bug exists, and that certain steps can be taken to correct it. Because of the status of these people, if they claim to have verified the fix, then that should be considered to be truthful, and thus limiting the need of sysadmins having to have full details to test it themselves. After a short period (no more than 6 weeks), the full details should be released, regardless of whether a patch from the vendor was available or not. That way, the limited disclosure lets the sysadmins know there's something going on and there are steps they can take to prevent problems, and it gives the vendor time to fix the problem before that information falls into the hands of malicious people.

      • when a new bug is discovered, want to know all the details up front so they can test the bug before and after fixing on their systems.
        All of the links I've followed were a little light on details, which leads me to believe this vulnerability is pretty low-level in the kernel stuff. Patches to fundamental kernel services can have far-reaching side effects; in short, a patched Windows XP would be basically a new OS compared to an unpatched machine, and all existing security testing is out the window and you start from scratch.

        I think that they should be forced to burn a CD and mass-mail them to consumers, and display them at software outlets. It should contain their precious patches, and tutorials on computer security starting at newbie level. Gee, who would have thought that the ease-of-use features of M$ software might lead to security vulnerabilities.
    • by kresmoi (542683)
      Isn't this the point where the government should be stepping in to do somethi...oh wait. nevermind.
  • Serious Stuff (Score:2, Informative)

    by smooc (59753)
    Although I refuse to put a Windows box directly on the internet (and btw neither a Linux box), even for home use, I know a lot of people who do.
    Especially all the unaware home users, like my landlord for example. For system admins it is already difficult to keep up to date with all the patches even with the various *update programs; at least they are firewalled.

    And yet they (the home users) are the most vulnerable!

    And Microsoft proclaimed this was its most secure OS ever.
  • by Beautyon (214567) on Saturday December 22, 2001 @08:53AM (#2741107) Homepage
    The British and German governments have both realized that Open Source software is the way to go for many reasons, and are now deploying these superior solutions (or planning to) across all departments.

    What the makers of Linux distributions must do is concentrate on usability (and by extension consistency) and further refining their installers so that anyone off of the street can choose and then run Linux as painlessly as they have done with all the different windoze generations.

    Ximian are the closest to making easy to use tools that even my Aunt Grace (70) can use. A fully blown distribution from Ximian would be "most welcome" to use parliamentary language.

    • The British and German governments have both realized that Open Source software is the way to go for many reasons, and are now deploying these superior solutions (or planning to) across all departments.
      Yeah, it does look that way when the UK government plans to buy 500,000 copies of Windows XP [theregister.co.uk].
    • I won't comment on the "usability" of the desktops other than to say that almost all desktops under *nix that I've used (KDE, GNOME, plain ol' Sawfish or IceWM) are extraordinarily easy to use. They're hard to learn (well, maybe not KDE and to a lesser extent GNOME), but they're absolutely amazing to use.

      Be sure to separate "ease of use" from "ease of learning" :) Windows is easy for almost everyone to learn, because almost everyone has had exposure. But it's a bitch to use.

      I *will*, however, comment about installations. You're on drugs. It's that simple :) Mandrake is *easier* to install than Windows. Go ahead and try it. The installation is smoother, all hardware is autodetected, everything is just EASY. Windows installation isn't nearly so nice. I'm not saying it's their fault; after all, Windows is almost always preinstalled. They really haven't had much motivation to make a really kickass installer.
      • A big part of the 'ploit seems to revolve around M$ trying to do a "hardware detect" over the LAN to load the proper OS or third-party "drivers". They are surprised that network boundaries are primarily psychological, so their ease-of-use feature leaks out onto the internet and causes security problems.
        Linux® on the other hand demands much more standards compliance and relies less on "drivers" to provide translation layers and introduction of security and or performance problems.

        And I agree. I just did a Windows ME® install a few months ago on a freshly formatted hard drive; SuSE has blown Windows out of the water for a couple of years on ease of install and auto-detected hardware, not to mention ease of use. I do disagree with modern Linux desktops being hard to learn: for the same functionality as Windows it's about the same or easier to learn, but you can do a lot more on the desktop in *nix than in Windows. (I like the way Windows users' jaws drop when I change screen resolutions, jump back and forth between six different screens and have twenty different apps running at the same time.)
  • by Anonymous Coward
    . . . the only backdoors in Windows XP are supposed to be the ones negotiated in the antitrust "settlement."

    ~~~

  • all rightey then! (Score:4, Interesting)

    by Jburkholder (28127) on Saturday December 22, 2001 @08:54AM (#2741110)
    Microsoft explained that a new feature of Windows XP can automatically download the free fix, which takes several minutes, and prompt consumers to install it.

    I must be living under a rock because this is the first I've heard of this. XP just starts downloading files without any action from the user? Does anyone beside me feel uncomfortable about that?
    • Re:all rightey then! (Score:2, Informative)

      by lseltzer (311306)
      three options, and it asks you which you want:

      1) download updates automatically and ask the user whether to install them
      2) notify the user automatically that updates are available and ask them whether to download and install them
      3) none of this
    • You must be under a rock. Windows ME had Automatic Update Notification too.
  • the arrogance (Score:4, Insightful)

    by kubla2000 (218039) on Saturday December 22, 2001 @09:00AM (#2741120) Homepage
    The arrogance of microsoft is astonishing.

    I honestly and truly hope that the US government brings them to their knees about this. That's wishful thinking, I know. However, two statements in particular in the Yahoo! article surprised me:

    1. Microsoft declined to tell U.S. officials Friday how many consumers downloaded and installed its fix during the first 24 hours it was available.
    2. Microsoft also indicated it would not send e-mail reminders to Windows XP customers to remind them of the importance of installing the patch.

    The reasons for point 1 are quite clear though. Acting on point 1 would indicate what a fiction the sales figures for XP really are.

    Point 2 is more difficult to fathom... perhaps they're hoping people won't notice? Why on earth, other than their disdain for non-corporate users, wouldn't they send out the reminder? Or even a reminder stressing the importance of installing the auto-updater?

    • Re:the arrogance (Score:5, Insightful)

      by hacker (14635) <hacker@gnu-designs.com> on Saturday December 22, 2001 @12:13PM (#2741547)
      1. Microsoft declined to tell U.S. officials Friday how many consumers downloaded and installed its fix during the first 24 hours it was available.

      The reasons for point 1 are quite clear though. Acting on point 1 would indicate what a fiction the sales figures for XP really are.

      Or that 2 million copies were sold, and 9 million people required the patch.

      Point 2 is more difficult to fathom... perhaps they're hoping people won't notice? Why on earth, other than their disdain for non-corporate users, wouldn't they send out the reminder? Or even a reminder stressing the importance of installing the auto-updater?

      I can give you several reasons:
      • The longer a problem exists, the more support calls they will get to address it. Support calls to Microsoft are not free. Read: coffers.
      • The longer a problem exists, the more time they have to sell product that is vulnerable to it (see 1. above)
      • The longer a problem exists, the more they can milk their training program and create a new MCSE test for "Securing the Enterprise", or some such drivel.
      • They can't probably email everyone that purchased XP, because the piracy for it has gone through the roof. Every-single-person I've spoken to (more than 2 dozen) that have XP installed tell me that they pirated it. Nice going, Microsoft, that was a good plan.
      • Wasn't the whole point of XP and the "online ease of installation" supposed to automatically send you fixes?
    • >>1. Microsoft declined to tell U.S. officials Friday how many consumers downloaded and installed its fix during the first 24 hours it was available.

      >The reasons for point 1 are quite clear though. Acting on point 1 would indicate what a fiction the sales figures for XP really are.

      Funny, my first reaction was "they won't tell how many ACTUALLY downloaded the patch versus the number of sales". That way they wouldn't have to tell the FBI that after 24 hours only "5%" (fictional number) were patched; this goes without saying that it would make their fast "security"-patching model look terribly bad in practice (even if good on paper).
    • The arrogance of the US government is far bigger than M$'s. When they take over, things usually do not get better.
  • Several experts said they had already managed to duplicate within their research labs so-called "denial of service" attacks made possible by the Windows XP flaws. Such attacks can overwhelm Web sites and prevent their use by legitimate visitors.
    Another risk, that hackers can implant rogue software on vulnerable computers, was considered more remote because of the technical sophistication needed.

    Now IANASK (script kiddie), but isn't implanting "rogue software" a critical step in getting a DDOS up and running? It'd be nice if tech journalists knew a little about what they're reporting, especially the ones who get their paychecks from MS. On the other hand, it'd be nicer if coders knew a little more about what they're doing- especially the ones who get their paychecks from MS.

    • Not in this case. The DDoS attack method they were talking about was using the XP exploit to force MANY replies to a PnP (plug and play) device message, from MANY machines, by simply sending the correct info to specific ports on any XP/Me/98 machines. Spoof the return IP where that info is supposed to go, to the IP of your most hated web page for example, and boom, instant DDoS attack that is amazingly anonymous, and would probably be very effective.

      The only "hard" part would be tagging a bunch of XP machines on cable or better to be used for the attack.

      This should scare you.

      High skill level black-hat types getting system access on all machines running XP worldwide shouldn't scare you quite as much, but that is also THEORETICALLY possible through this hole.
  • by ackthpt (218170) on Saturday December 22, 2001 @09:09AM (#2741136) Homepage Journal
    Utterly fascinating that the DoJ (FBI) is looking into these flaws for the difficulty exploits could cause people, after basically letting M$ off the hook in the monopoly punishment phase. Hope the states prevail, and if you haven't written your opinion in (to the court), here's another reason why monopoly for a universally adopted and used O/S is bad.

    Public comment is invited within 60 days of the date of this notice. Such comments, and responses thereto, will be published in the Federal Register and filed with the Court. Comments should be directed to Renata Hesse, Trial Attorney, Suite 1200, Antitrust Division, Department of Justice, 601 D Street NW, Washington, DC 20530; (facsimile) 202-616-9937 or 202-307-1545; or e-mail microsoft.atr@usdoj.gov. While comments may also be sent by regular mail, in light of recent events affecting the delivery of all types of mail to the Department of Justice, including U.S. Postal Service and other commercial delivery services, and current uncertainties concerning when the timely delivery of this mail may resume, the Department strongly encourages, whenever possible, that comments be submitted via email or facsimile.

    After all the blather and FUD from Redmond, they again pushed a product out the door with great media hype which is again unsecure. It would be so ironic if Microsoft were punished for this kind of negligence after getting a slap on the wrist. I don't expect that to happen though.

  • by Jacco de Leeuw (4646) on Saturday December 22, 2001 @09:14AM (#2741149) Homepage
    "... that this backdoor would not be found for at least 2 years after this Bin Laden thing blows over!!"

    "Yeah, but those eEye guys didn't want to be on our Security-Through-Obscurity team! And we had all these great goodies for them!"

    • "... that this backdoor would not be found for at least 2 years after this Bin Laden thing blows over!!"

      I hear you.. However, this of course is just the obvious leak that was supposed to be found real quick. The Official FBI Approved Backdoor (OFAB) will not be found until two years after Bin Laden is blown up :)

      to e-mail me, please remove all yourclothes

      viezerik... :P

  • by jmichaelg (148257) on Saturday December 22, 2001 @09:18AM (#2741155) Journal
    ...that security will suffer when you make an os too easy to use. It's an age-old tradeoff: security vs. ease of use. Moreover, with more features comes more complexity and with more complexity come more security holes.

    Don't want to check to see if there's a patch needed for your OS? Don't worry, we'll have the OS check for you. We can't guarantee that your computer will be talking to our servers when it downloads the patches but hey! it'll be automatic! Come to think of it, we can't even secure our own servers so we're not too sure what you'll be downloading even if you are talking to our servers but hey! - it's automatic!

    I can't think of a better argument for limiting the services an os provides than this fiasco.
  • with all these backdoors already 'embedded' in the OS...

    would make project Magic Lantern useless and idiotic.
  • by weave (48069) on Saturday December 22, 2001 @09:26AM (#2741175) Journal
    I haven't seen this mentioned much, but UPnP is all about handling NATed devices. There is a UPnP SDK developed for Linux, but until someone builds a useful kernel module out of it, Linux users are SOL (or maybe they are fortunate).

    Why care? Well, I found out after installing MSN Messenger that most of the features are useless behind a NATed network unless your router/firewall understands UPNP. Of course, Microsoft ICS and Servers understand it. I was getting frustrated since I couldn't use MSN messenger except for messages behind my home linux firewall. ICQ features like file transfer work fine by port forwarding the necessary ports or using a kernel module for it.

    So, here's the interesting bit. UPNP works by telling the other client on the other end what your private IP address is. Microsoft's docs say this is necessary for the other client to be able to find out how to talk back to you. I think this is stupid. The other end of an MSN connection just needs to look at the source IP in the packets it receives and just send there and hope the owner of the IP knows what to do.

    However, UPnP apparently knows how to handle multiple chains of NAT networks, kinda like I guess an old-fashioned UUCP bang path. Problem is, it seems like one can modify that "bang path" to route return packets to false places. Can you say DDoS?

    So I sent a rant to my friends about this on December 10, and about how UPNP is a security hole waiting to happen according to posts I read out of google searches...

    Here's my rant...

    I read the tech article about msn messenger and NAT devices. In order to do pretty much anything beyond chat, you can't be behind a NAT device unless that NAT device is a Microsoft device.

    Basically, it suggests installing Windows ICS for home users and corporate users should use a 2000 server for NAT and msn's extra features will work.

    Fuckers...

    ICQ works just fine behind a NAT. They are basically just trying once again to leverage one product to sell another....

    Their explanation is that the client must send its IP address to the other user so it knows where to send files, audio, video, etc, and since it's got a private IP, it screws up. So it needs to query the NAT device for what ITS IP is. But that's really stupid since there is already a connection open for chatting and all the other client has to do is look at that connection for the source IP and use that instead and everything else would just work....

    Someone on a newsgroup said this is another security hole waiting to happen. Basically, it's trusting client for security. I send a connection to your msn messenger client and tell it what IP to send its stuff to? What if I send it the IP address of someone I am trying to DOS? Arrgh...

    They'll never learn...

    Microsoft claims UPNP is a universal open standard. It'd be interesting to learn more about its origins and who is really controlling development of it, security of it, etc. Microsoft claims all manner of peripheral vendors will be supporting it.

    Is the concept itself as flawed as it seems, or is this just yet another case of Microsoft's implementation of something being flawed?

    • Sorry, bad link in my comment above. The UPNP Linux SDK is at upnp.sourceforge.net [sourceforge.net]
    • But isn't that because most NAT devices currently will only route port-specific traffic to a single, specified private IP? How else are you going to be able to specify which machine behind the NAT gets the traffic intended for it? MAC? IP? The sender's gotta know which machine behind the NAT gets the traffic and the NAT's gotta know where to route it to, and current NATs aren't all that smart. I'd prefer it if they'd come up with something other than private IP's, because that's slightly more info than I'd care to share. I'd rather see a system where a session cookie is created when the person logs on and use a router that can distinguish cookies, but they aren't giving us that option are they?
    • Basically, it's trusting client for security.

      Microsoft has sort of a history of this. With Terminal Services, they log the IP address the client gives the server, instead of doing a getpeername() or something. (See this Bugtraq post [securityfocus.com].)

      You've got to wonder what they are smoking. Maybe they're stuck back in the DTP/FTP days (1970s and '80s), but the nature of networking sure has changed since then, and wise programmers learn from the mistakes of the past.

      Anyway, you want to talk protocols that break horribly with NAT, let's talk IPSec's out-of-band key-exchange mechanism. Grrrrr.

      Am I the only one that thinks that long before IPv6 becomes common, everyone + dog will be behind NAT? Even when IPv6 becomes common, will the ISPs really give home users the 48 bits they're supposed to? Making protocols that work with NAT is not that hard, and as you point out, is better for security than some of the alternatives.

      Grrrr. Thanks for reminding me of all this suppressed anger regarding stupid protocols. :P
    • Is the concept itself as flawed as it seems, or is this just yet another case of Microsoft's implementation of something being flawed?

      I think the MS implementation is the problem, not the concept. Most people get a bee in their bonnet about this because they think it breaks the NAT "security" model.

      Problem is, NAT provides security because it breaks routing, not because it is a security system by itself. That someone has come up with a routing/networking technique that keeps NAT's address translation ability *and* provides inbound connection capabilities is really pretty cool.

      However, because NAT has traditionally provided the secondary benefit of security to the interior network, any system that implements a way to connect to interior networks through NAT should provide at least three security models:
      • No interior access. Should be the default setting as it most closely matches the behavior expected from traditional NAT
      • Interior access to specific defined machines. Like current static NAT mappings.
      • Full interior access. Should require manual intervention to achieve this state.
  • by Ryu2 (89645) on Saturday December 22, 2001 @09:34AM (#2741192) Homepage Journal
    In epidemiology, one of the mitigating factors of the spread of any disease is simply the diverse genetic makeup of the targeted population.

    The opposite to this is what's called a monoculture, where one particular genetic structure is present in the large majority of the population. Such situations will usually not last long, because once something is found that affects that population, it spreads quickly and decisively.

    With Windows having such a large share of the market as it is, could this be considered the electronic equivalent of a monoculture? Would one major virus or security flaw cause much more damage to the net than otherwise would have happened, because of the homogeneity of the net's computer systems in terms of OS?

    Whether the king is Linux or Windows or MacOS, or..., is having a near monopoly market share of any one OS a good thing in light of this philosophy? Hmm. Food for thought.
    • Windows is Prostitute and Microsoft is her Pimp. The Pimp wants the Prostitute to be easier and more accessible and doesn't want to inconvenience the John by making them use a condom, so naturally the Prostitute is going to get a few diseases. The Pimp will want to keep the disease a secret, but will also want the Prostitute to keep working. So she is going to spread the disease around a lot before it gets treated.
    • With Windows having such a large share of the market as it is, could this be considered the electronic equivalent of a monoculture?

      Actually a monoculture of clones.
  • by Zarathustra.fi (513464) on Saturday December 22, 2001 @09:39AM (#2741209)
    I'm thinking new computers that have been bought this Christmas as presents. I wonder how many of these computers are preinstalled with Windows XP. As we speak, these computers are all wrapped in gift papers; who will patch them? Do people even have time to do anything else except get prepared for the big day? And are people aware of the severe security flaw?

    Probably quite many of those computers go to people who are going to have it as their first computer. And what are they going to do first? Turn it on. And probably, go online with it..

    And the crackers will be waiting for the easy prey.
  • by wift (164108) on Saturday December 22, 2001 @09:44AM (#2741215) Journal
    where Burns and Smithers go through high security steel doors, scanning stations, gates and end up in the control room that has an old screen door to the outdoors in it allowing a stray dog in. Seems to me that sums up Microsoft's entire security structure.

    bonus karma points to anyone who correctly identifies the show number.

    "Oh for christ sake"- Montgomery Burns after discovering a stray dog in his XP like high security control room.
  • You know (Score:3, Interesting)

    by ASIO (193653) on Saturday December 22, 2001 @09:46AM (#2741219) Homepage
    This would be a damn good way to get Magic Lantern on a whole lot of systems.

    This was mentioned earlier, but now the FBI is pushing it as well. Coincidence??
  • frustrated FBI (Score:3, Insightful)

    by WildBeast (189336) on Saturday December 22, 2001 @09:55AM (#2741233) Journal
    They failed to protect the country from terrorists and now they're trying to rebuild their reputation among the population by getting involved in the Internet. Th

    Looks like MS isn't the only one with good marketers :)
  • by AdamBa (64128) on Saturday December 22, 2001 @10:20AM (#2741289) Homepage
    There were two bugs reported here. One in SSDP that makes it possible to use XP to launch denial of service attacks, one that is reported as a buffer overflow.

    So what is up with those buffer overflows...do Microsoft developers hate users and not care about quality? Well, no. It only takes one buffer overflow in the whole system that hundreds of developers have worked on, to make it vulnerable.

    At Microsoft the ultimate way people are valued is at review time when bonuses, stock options, and raises are awarded. Do developers get hosed for leaving buffer overflows in? Well, not as of when I left (April 2000). But maybe that will change, slowly.

    Eventually you have to stop accepting excuses like "Gee code is really complicated and I thought I was being careful" or "we really tried to think through this design" and recognize that essentially every buffer overflow comes from being lazy as a developer, or not accounting for what kind of garbage packets can come in off the net. If Microsoft starts emphasizing that you can be fired for leaving a buffer overflow in, then things might change. Of course it's a little unfair, there is no doubt lots of clunky code in there that just doesn't happen to expose an externally exploitable buffer overflow (and merely crashes the system or something), but if you start emphasizing the necessity to go over things with a fine-tooth comb to prevent buffer overflows, it will improve all the code.

    Because although there may be a few cases where someone really tried to check boundary conditions and just did it wrong in the code, in most cases developers are just being lazy about writing the code robustly to begin with. Plus if you have some code to prevent this and you write it wrong, you haven't tested your code properly anyway.

    More ruminations at this osopinion article [osopinion.com].

    - adam

    • by satch89450 (186046) on Saturday December 22, 2001 @12:17PM (#2741558) Homepage

      So what is up with those buffer overflows...do Microsoft developers hate users and not care about quality? Well, no. It only takes one buffer overflow in the whole system that hundreds of developers have worked on, to make it vulnerable.

      It takes only one buffer overflow in the whole system that any number of developers, from one to one million, have worked on to make it vulnerable.

      It doesn't matter how careful you are. Zero defects at the individual level is a pipe dream. The goal of software quality assurance is that you test code to determine whether it conforms to the specifications with no astonishing side effects. Structured implementation (use of safe libraries, re-use of validated code) can reduce the effort and increase the quality of code.

      Want to eliminate buffer overflow? It's easy. Just write a routine ONCE that sucks up characters and puts it into a buffer, debug the corner cases ONCE to ensure you can't go beyond the boundaries, and use that routine for all your work, without exception. Not even when marketing comes in and says "Hey, you didn't come out on top in performance when HAL Magazine ran their tests!" Oh, and your QA people have to actually try to execute some kind of buffer overflow as one part of their suite of test cases...

      When a buffer overflow is discovered "in the wild," you find out the source of the buffer overflow and take appropriate action -- against the coder and against QA as well. You have to show these people that you MEASURE them by this sort of stuff.

      By the way, don't forget that code should check for attempts to go "outside the box" by using unusual character sequences like ".." in URLs, too. Again, write a single block of code that does the job right, test the hell out of the corner cases, and use that code, without exception.

      A Google search yields some interesting approaches. I would like to see the adoption as part of the ANSI definition of the C language an extension to the STR* library routines that are length-safe, such as the STRL* routines found in NetBSD; see the man page [openbsd.org] and the discussion in the Secure Programs HOWTO. [linuxpowered.com]

      Don't kid anyone. Buffer overflow can be avoided, by putting in place the proper process and discipline to do the job right.
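The two "write it once, test the corner cases once" routines the comment above argues for, as an added example that is not part of the thread and not anyone's posted code: a bounded copy with the strlcpy-style contract the STRL* man page describes, a bounded line reader for untrusted input that reports truncation instead of overrunning, and a path check that rejects ".." segments. Function names and the sample inputs are constructed for this example.

```c
#include <stddef.h>
#include <string.h>
#include <stdbool.h>

/* strlcpy-style bounded copy (added example, not libc's strlcpy):
 * writes at most dst_size-1 bytes, always NUL-terminates when
 * dst_size > 0, and returns strlen(src) so the caller detects
 * truncation with: if (bounded_copy(...) >= dst_size) { truncated } */
size_t bounded_copy(char *dst, const char *src, size_t dst_size)
{
    size_t src_len = strlen(src);
    if (dst_size == 0)
        return src_len;                 /* nothing to write; report need */
    size_t n = src_len < dst_size - 1 ? src_len : dst_size - 1;
    memcpy(dst, src, n);
    dst[n] = '\0';
    return src_len;
}

/* The "suck up characters into a buffer" routine: copies one line from
 * an untrusted byte stream (which need not be NUL-terminated) into a
 * fixed buffer. Stops writing at buf_size-1 bytes but keeps consuming
 * input up to the newline, so the caller can resynchronise on the next
 * line. Returns bytes consumed; *truncated tells whether data was cut. */
size_t read_line_bounded(const unsigned char *in, size_t in_len,
                         char *buf, size_t buf_size, bool *truncated)
{
    size_t i = 0, out = 0;
    *truncated = false;
    if (buf_size == 0) { *truncated = true; return 0; }
    while (i < in_len && in[i] != '\n') {
        if (out < buf_size - 1)
            buf[out++] = (char)in[i];
        else
            *truncated = true;          /* drop, never write past the end */
        i++;
    }
    buf[out] = '\0';
    if (i < in_len && in[i] == '\n')
        i++;                            /* consume the terminator */
    return i;
}

/* The "outside the box" check the comment mentions: reject any path
 * segment that is exactly "..", with either '/' or '\' as separator,
 * and the percent-encoded spelling %2e%2e. "..foo" is a legal name. */
bool path_is_confined(const char *path)
{
    const char *p = path;
    while (*p) {
        const char *seg_end = strpbrk(p, "/\\");
        size_t seg_len = seg_end ? (size_t)(seg_end - p) : strlen(p);
        if (seg_len == 2 && p[0] == '.' && p[1] == '.')
            return false;
        if (!seg_end)
            break;
        p = seg_end + 1;
    }
    /* each p[k] is read only after p[k-1] was seen to be non-NUL */
    for (p = path; *p; p++) {
        if (p[0] == '%' && p[1] == '2' && (p[2] == 'e' || p[2] == 'E') &&
            p[3] == '%' && p[4] == '2' && (p[5] == 'e' || p[5] == 'E'))
            return false;
    }
    return true;
}
```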

  • by weave (48069) on Saturday December 22, 2001 @11:03AM (#2741374) Journal
    The reason many hate Microsoft is because they are just so damn arrogant. You can't put yourself up on a pedestal and not expect people to look at you closely. It's the same phenomenon as some of those televangelists. They are casting themselves as holy men all the while fleecing their followers and screwing teenage secretaries.

    I remember when NT 4.0 came out (they were fairly low key with NT 3.x) and Microsoft claiming it was far more secure than UNIX and you wouldn't have buffer overflows because the source was closed and people couldn't find them even if they existed.

    I also remember many years ago them claiming NT was more secure and showing the number of submissions of security holes posted to Bugtraq (before NTbugtraq) there were for UNIX vs NT (back when nothing serious ran on NT and no one really cared less about it to look for holes).

    Now they want their code running in everything, including acting as firewall devices. I find this so fucking funny I could just split a gut. You're going to protect machines running code "x" by installing a device running much of the same code "x" to protect those machines from the world?

    I just find it a bit frightening. The entire world running on code from one manufacturer that is not open to public review. I'm even more surprised that foreign governments are so trusting of it.

    You know what's scary? We just bought an EMC disk array and had to give it an IP address for management. Did a port scan on it. WTF? It's listening on netbios ports. Use smbclient to take a gander at it and lo and behold....

    Domain=[AZBYCXDWEVFU] OS=[Windows NT 4.0] Server=[NT LAN Manager 4.0]

    Workgroup Master
    AZBYCXDWEVFU CLARIION_SPB

    I call EMC and they say "Oh, the new clariions run a stripped down NT kernel in their service processors." :-( Joy... my SAN is now trusted to that super sekure Microsoft code. At least I can block it from the world through my router which, for now, is running non-Microsoft code...

    Can you imagine the harm one could do with a hole in THAT? The financial world survived WTC through redundancy and real-time mirrors of data kept in far flung locations. There are disaster recovery data centers where entire warehouses are filled with machines just waiting to kick in during a crisis. So now you have your storage area networks themselves controlled by Microsoft code. Just exploit the hole-of-the-week to get your code inside a corporate or government firewall, seek out these storage networks running NT kernel code, trash them, take out the primary and backup locations. Chaos.

    • The entire world running on code from one manufacturer that is not open to public review.

      Quite often exactly the same code. So you have a monoculture of clones. Which is even more dangerous than a regular monoculture.
  • Since the government these days seems to be all about protecting innocent corporations from us evil individuals, you'd think something like this would have happened after, say, the second "ILOVEYOU"-style worm brought corporate mailservers around the country to a screeching halt-- during an administration that was actually prosecuting Microsoft for its monopolistic misdeeds.

    But now the Republicans are in office, and faced with a real conundrum: what do they do when one mega-corporation is selling dangerous, unsecure products to all the other mega-corporations? Because that's who they're thinking about here. If it warmed the cockles of your heart that the government was concerned for all those consumers who ran out and bought XP, you're delusional-- they're worried about seeing more shit like this once XP gets widely adopted in the corporate world.

    ~Philly
  • You want to get a witness to cooperate. Threaten to throw them away for a long time with trumped up charges, then plea bargain them back out on the streets in return for their cooperation.

    Want to get government backdoors in the OS that runs almost every computer in the world? Threaten the company with trumped up charges which will ruin them for life, then cut deals with them so they can return to business as usual in return for their cooperation.

  • by lildogie (54998) on Saturday December 22, 2001 @11:47AM (#2741484)
    Even the FBI is crying "buffer overflow," following in Microsoft's footsteps to divert attention from a designed-in security flaw.

    It makes sense, from the perspective of a defensive Microsoft. "Buffer overflow? Who hasn't slipped up once or twice and had a buffer overflow bug? We have our code scanners rooting out the last one or two of these bugs, they'll all be gone soon and we'll all be safe."

    The bigger gaffe is that they designed the OS to say "hack me" (or words to that effect) whenever some other device--any other device--asks to fondle, as it were, the OS's drivers. That this is a huge security exposure is obvious to anyone who is old enough to remember the early days of hacking. Some hotshot designers at Microsoft, (probably with degrees in marketing, not computing) designed this "hack me" feature into the OS intentionally.

    Now they have the attention of the NIPC/FBI. Even FBI agents (who, over the last 10 years, gave new meaning to the term "anti-intelligence") know that on Christmas day, millions of un-patched XP OS's are going on line, in the same 24-hour period. The hackers will be waiting to stick their electronic -er-fingers in those exposed UPNP ports and leave behind a little deposit.

    Maybe, maybe not, the FBI realizes that some of those systems will have time-delay bugs planted in the pre-patched OS's. Then, downloading the patch will produce the false security that keeps the spirit of the XP season alive throughout the coming year.

    The silver lining? Corporate PHB's, the holy grail of Microsoft marketing, will lose confidence in any of Mr. Bill's claims of reliability and security, once and for all. XP was supposed to be the one-size-fits-all OS, from palmtops to corporate web front-ends to data warehouses. (not that it was the first attempt at this unification by Microsoft, or even their competitors.) Even the golf-buddy execs are going to remember the day when the FBI started pushing patches to the monopolist's holey flagship.

    Did anybody notice, last year, when Bill Gates started to cut the cord to Microsoft? He did see the big fall coming, you know. Not as stupid as we make him out to be, eh?
  • Federal Criminal Charges need to be brought (and not dropped) against Microsoft in this case.

    This way the Government can come to a settlement with MS where those who were harmed by the hole can't sue MS.
    Along the lines of the deal struck between the tobacco industry and government.

    Seriously, with all the digital rights issues going, certainly the compromise caused by such a hole but without
    criminal legal action against Microsoft is only going to tell people that lady justice doesn't have her blindfold on.

    That's a serious problem! Assisting criminal activity knowingly.....
  • Another risk, that hackers can implant rogue software on vulnerable computers, was considered more remote because of the technical sophistication needed

    And of course technical sophistication is so rare that the chances of finding but one person in the world both able and willing to exploit it is...about 99.99%

  • If it doesn't already exist, someone should create a web page with all the big M$ security problems described chronologically. Just listed in the order they were discovered with 1-2 lines about what they do.

    It would be a neat place to refer people to who don't believe that M$ is a security problem.
  • Does anyone know if XP's built-in firewall protects these ports?
  • I might not be completely clued in here, but wouldn't such a devastating, overall vulnerability be attributed to WinXP's implementation of RAW sockets? Or am I not correct in my understanding of the full control extent that RAW sockets allow?
  • http://www.oag.state.md.us/

    Maryland Residents should be writing our dear Mr. Curran, explaining the problem in simple terms, explaining that making users go into the internet for the patch is not sufficient for dealing with this faulty product, and demanding to see the OS recalled and a fraud investigation initiated.

    Might want to copy the DoJ, even if Ashcroft is a sell out to Redmond.

    Here's your chance, Maryland! Do us all proud.

  • by roman_mir (125474) on Saturday December 22, 2001 @02:38PM (#2741910) Homepage Journal
    ``This is the first network-based, remote compromise that I'm aware of for Windows desktop systems,'' said Scott Culp, manager of Microsoft's security response center. ``Every Windows XP user needs to immediately take action.'' He called it a ``very serious vulnerability.''

    ``This is the most secure version of Windows we have ever released,'' said Culp, adding that complex software ``will always fall short of perfection.''

    http://dailynews.yahoo.com/h/ap/20011220/tc/microsoft_hackers_7.html
  • The real reason this is of significance is because it is finally giving MS some very bad press for their security blunders.

    Now, of course there will be dozens of MS apologists on this thread, and you can do a lot of apologizing about this bug, after all they got a patch out before there were any known uses of the exploit, and on the other hand this vulnerability leaves your computer more wide open than almost any that have come before, but I'm not interested in taking that debate any further, as that is what the rest of the thread is about.

    The reason I think this story has become significant is because this bug is actually getting reported by large news organizations. Slashdot might run an article every time some script kiddie finds a new hole in IIS, but when is the last time you heard about that on your local news?

    This bug, however, has actually been featured on all the big news organizations, thanks to the government statement. I saw a two-minute piece on it on CNN and a 30-second piece on Fox News, both featuring the government's warning that the patch would not be enough and everyone should disable UPnP on their machine. Flipping by CNN Headline News, I noticed the headline at the bottom, "Win XP hyper-vulnerable to hackers."

    It is getting people to be concerned about security that will get something done about it; security isn't a selling point right now. When was the last time you saw an OS (besides OpenBSD [openbsd.org]) listing security as its top feature?

    So think what you will about the impact of the bug itself, our government should be applauded for once for finally getting the media spotlight on security.

  • by MrResistor (120588) <peterahoff@gmail ... minus physicist> on Saturday December 22, 2001 @03:15PM (#2741986) Homepage
    That statement isn't meant from the point of view of OSS zealotry (although I certainly have some feelings in that direction), but because the NSA has never rated an MS product as being secure in a networked environment. Part of the NSA's job is to issue information security recommendations, which other agencies are then supposed to use when putting together their systems.

    IIRC, NT at some point was rated secure when not networked.

    • An OS is never rated secure; a system is rated secure. That includes OS, hardware, programs running, and physical setup, among several other things. Note that most standard UNIX systems are immediately disqualified from the first 'secure' rating of C2 because they tend not to have ACLs, among other requirements.
  • by edunbar93 (141167) on Saturday December 22, 2001 @03:54PM (#2742068)
    This is a really, really, really big one. It should be in the newspapers. Microsoft has claimed some time ago (free karma to the one who posts a link) that closed source, for-profit software and operating systems are more secure because the company can actually *hire* people to do security audits of the source code, whereas open source developers aren't motivated to do it because it's really boring, and there's no glory in it.

    Now, we all know that OpenBSD has proved them wrong, by proving not only that open source developers *want* to do hardcore security audits of the source code, but that doing hardcore security audits on source code prevents security holes from being released into the wild. OpenBSD [openbsd.org] hasn't had a remotely exploitable security hole in the default install in FOUR YEARS! Windows XP has been in release for all of about two months, and already there's a major security exploit found.

    This proves by Microsoft's OWN ADMISSION, either they do not hire people to do the hardcore security audits they say they can, or if they do, they can't do it as well as the volunteers who "obviously" don't do it at all because there's no monetary motivation to do so.

    With lies like this, Microsoft couldn't get into a Better Business Bureau if they paid each of its members a billion dollars.
