FBI, Pentagon Talk to MS about XP Hole
(eternal_software) writes: "The Associated Press is reporting that the FBI and Defense Department are talking to Microsoft about the serious flaws found in the XP operating system. As we all know, the most recent flaw allowed any XP machine to be hijacked simply by connecting it to the internet. The government is getting involved because of growing U.S. concerns about risks to the 'net as a whole." In fact, the FBI would like you to go a bit beyond the MS patch. davecl points out the updated page put out by the National Infrastructure Protection Center about this vulnerability as well.
Serious Stuff (Score:2, Informative)
Especially all the unaware home users, like my landlord for example. For system admins it is already difficult to keep up to date with all the patches, even with the various *update programs; at least they are firewalled.
And yet they (the home users) are the most vulnerable!
And Microsoft proclaimed this was its most secure OS ever.
National/International Security Concerns (Score:5, Informative)
After all the blather and FUD from Redmond, they again pushed a product out the door with great media hype which is again insecure. It would be so ironic if Microsoft were punished for this kind of negligence after getting a slap on the wrist. I don't expect that to happen though.
Re:all rightey then! (Score:2, Informative)
1) download updates automatically and ask the user whether to install them
2) notify the user automatically that updates are available and ask them whether to download and install them
3) none of this
It's to be expected... (Score:3, Informative)
Don't want to check to see if there's a patch needed for your OS? Don't worry, we'll have the OS check for you. We can't guarantee that your computer will be talking to our servers when it downloads the patches but hey! it'll be automatic! Come to think of it, we can't even secure our own servers so we're not too sure what you'll be downloading even if you are talking to our servers but hey! - it's automatic!
I can't think of a better argument for limiting the services an OS provides than this fiasco.
UPNP is all about handling NATed devices (Score:5, Informative)
Why care? Well, I found out after installing MSN Messenger that most of the features are useless behind a NATed network unless your router/firewall understands UPNP. Of course, Microsoft ICS and Servers understand it. I was getting frustrated since I couldn't use MSN Messenger for anything except messages behind my home Linux firewall. ICQ features like file transfer work fine by port forwarding the necessary ports or using a kernel module for it.
So, here's the interesting bit. UPNP works by telling the client on the other end what your private IP address is. Microsoft's docs say this is necessary for the other client to be able to find out how to talk back to you. I think this is stupid. The other end of an MSN connection just needs to look at the source IP in the packets it receives, send there, and hope the owner of the IP knows what to do.
However, UPNP apparently knows how to handle multiple chains of NAT networks, kinda like, I guess, an old-fashioned UUCP bang path. Problem is, it seems like one can modify that "bang path" to route return packets to false places. Can you say DDOS?
So I sent a rant to my friends about this on December 10, and about how UPNP is a security hole waiting to happen, according to posts I read out of Google searches...
Here's my rant...
Microsoft claims UPNP is a universal open standard. It'd be interesting to learn more about its origins and who is really controlling development of it, security of it, etc. Microsoft claims all manner of peripheral vendors will be supporting it.
Is the concept itself as flawed as it seems, or is this just yet another case of Microsoft's implementation of something being flawed?
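The "bang path to false places" worry above boils down to a UPnP announcement naming a device address that is not the host that sent it. As an added, defender-side example (not part of the original post or of any UPnP implementation), the parser below reads SSDP NOTIFY/response messages and flags any whose LOCATION host differs from the sending IP. The sample messages and the mismatch heuristic are constructed here for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

def parse_ssdp(raw):
    """Split an SSDP (HTTP-over-UDP) message into its start line and a header dict."""
    lines = raw.split("\r\n")
    headers = {}
    for line in lines[1:]:
        if not line:          # blank line ends the header block
            break
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return lines[0], headers

def location_mismatch(src_ip, raw):
    """Return a reason string if LOCATION does not point back at the sender, else None."""
    start, headers = parse_ssdp(raw)
    # Only announcements and search responses carry a LOCATION to follow.
    if not start.startswith(("NOTIFY", "HTTP/1.1 200")):
        return None
    loc = headers.get("LOCATION")
    if loc is None:
        return None
    host = urlsplit(loc).hostname
    if host is None:
        return "unparseable LOCATION"
    try:
        loc_ip = ipaddress.ip_address(host)
    except ValueError:
        return f"LOCATION names hostname {host!r}, not the announcing address"
    if loc_ip == ipaddress.ip_address(src_ip):
        return None
    return f"LOCATION host {host} != sender {src_ip}"

def scan(datagrams):
    """datagrams: iterable of (src_ip, raw_message); returns [(src_ip, reason), ...]."""
    flagged = []
    for src_ip, raw in datagrams:
        reason = location_mismatch(src_ip, raw)
        if reason:
            flagged.append((src_ip, reason))
    return flagged

# Constructed sample traffic: one honest announcement, one pointing elsewhere.
SAMPLE = [
    ("192.168.1.10", "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                     "LOCATION: http://192.168.1.10:2869/desc.xml\r\nNTS: ssdp:alive\r\n\r\n"),
    ("192.168.1.10", "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                     "LOCATION: http://203.0.113.5/desc.xml\r\nNTS: ssdp:alive\r\n\r\n"),
    ("192.168.1.20", "M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\nMAN: \"ssdp:discover\"\r\n\r\n"),
]
```

Run `scan(SAMPLE)` to see only the second datagram reported; in practice the datagrams would come from a UDP/1900 listener or a packet capture.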
Re:Trust us! (Score:2, Informative)
net stop ssdpsrv
net stop upnphost
Re:Just a thought/Microsoft a target? (Score:3, Informative)
How about the biggest reasons:
Gov shouldn't be using MS anyway (Score:3, Informative)
IIRC, NT at some point was rated secure when not networked.
NTFS Journaling (Score:3, Informative)
My understanding is that NTFS' journaling was rudimentary at best. It hasn't been until its recent incarnation (introduced with Win2k) that it's managed anything close to a true journaling file system.
Did you say "Free Karma"? (Score:2, Informative)
You are welcome.