Please create an account to participate in the Slashdot moderation system

 



Forgot your password?
typodupeerror
×
Microsoft

WinXP Security Flaw 628

Many readers have submitted word of the newest security hole in Windows XP. joshjs, for instance, writes: "Don't know if this is common knowledge at this point or not, but apparently some security researchers discovered that Windows XP's universal plug and play features contain a huge security flaw: 'A Microsoft official acknowledged that the risk to consumers was unprecedented because the glitches allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet. ... Microsoft made available on its Web site a free fix for both home and professional editions of Windows XP and forcefully urged consumers to install it immediately.' Read more at the Washington Post's story." No OS is perfectly secure, but I bet a lot of new XP owners won't be too happy about this. Update: 12/20 20:05 GMT by T : fcrick submits a link to the same AP story at Wired, and several readers have pointed out that a patch is available. Update: 12/20 21:31 GMT by T : And as banuaba writes: "This hole also affects versions of 98 with XP File sharing installed and all versions of ME."
This discussion has been archived. No new comments can be posted.

WinXP Security Flaw

Comments Filter:
  • PNP (Score:5, Funny)

    by _typo ( 122952 ) on Thursday December 20, 2001 @03:45PM (#2733421) Homepage
    This gives "Plug and Pray" a whole new meaning.

    Plug your XP box to the internet and pray for the hackers not to find it.

    • Re:PNP (Score:3, Funny)

      If your prayers are not answered PNP should be changed to PNLSEP:

      Plug and Let Someone Else Play.
  • Well.. (Score:5, Funny)

    by Arcanix ( 140337 ) on Thursday December 20, 2001 @03:45PM (#2733430)
    It's not really Microsoft's fault, if this guy would've stayed quiet then WinXP would still be secure today.
  • Microsoft info (Score:5, Informative)

    by fatwreckfan ( 322865 ) on Thursday December 20, 2001 @03:47PM (#2733442)
    The information from Microsoft regarding this can be found here [microsoft.com], as well as a patch.
  • "This is the first network-based, remote compromise that I'm aware of for Windows desktop systems," said Scott Culp..

    HAHAHAHAHAH.. Oh man what rock has he been under?
    • by coolgeek ( 140561 ) on Thursday December 20, 2001 @03:51PM (#2733494) Homepage
      "What rock has he been smoking" is perhaps more appropriate.
      • He is refering to the operating system proper, not applications like IIS. According to him this is the first remote exploit of the Windows OS itself which allows an attacker to take over the computer. As far as I can remember, he is correct.

        So, what crack pipe have you been puffing on?
    • Technically true? (Score:5, Interesting)

      by sterno ( 16320 ) on Thursday December 20, 2001 @03:56PM (#2733545) Homepage
      Well technically this is probably true. There have been compromises of IIS, MSSQL, and other Microsoft products but the OS itself hasn't been vunerable to such attacks until now.

      Now granted, IIS comes with Windows so, is that really a seperate component? Also, by the same logic, Linux has never been exploited either has it? I mean, does Linux run any network daemons on it's own? No. So Linux, itself is bulletproof, it's just all those other things you put on top of it that can cause problems.

      I just find it amusing how Microsoft keeps changing where they want to split their hairs when distinguishing between the OS and the applications. IE is part of the OS until it gets compromised and then suddenly it's a seperate application.
      • Technically false. (Score:4, Insightful)

        by roystgnr ( 4015 ) <roy&stogners,org> on Thursday December 20, 2001 @04:21PM (#2733760) Homepage
        There have been a number of remote exploits in Win9x filesharing, first of all. I don't know of anything affecting an "out of the box" installation, but if you had a Win95 box that had any writeable shares, even password protected ones, even deeply nested in the filesystem ones, your computer could have been remotely compromised.

        Secondly, does anyone remember a little thing called Outlook Express? Sure, most of the popular worms exploited the unpatchable "Stupid User" bug, but there have been at least two that left your computer remotely compromisable from just the Preview pane of the email (thanks to HTML buffer overflows) and one that would let your computer be compromised as email was downloaded (thanks to email header buffer overflows). Of course, the preview pane bugs were really Microsoft HTML component bugs, so could be triggered by Internet Explorer hitting a malicious page even if you didn't use Outlook.

        And if there's one thing that Microsoft has taught us, it's that Internet Explorer is an essential part of the Windows(TM) Operating System eXPerience.
      • Re:Technically true? (Score:5, Informative)

        by LinuxGeek8 ( 184023 ) on Thursday December 20, 2001 @04:26PM (#2733796) Homepage
        I hate to say so, but the linux kernel had security problems too.
        The syncookies bug a few months ago is a kernel bug.
        Also the ip_conntrack_ftp bug in 2.4.3 and older is a kernel bug.
    • It's all in the spin...

      "desktop system" means not running any servers

      "compromise" doesn't include DoS (ping of death, etc)

      "remote" apparently means the user doesn't have to do anything. I mean, come on, when you try to read your mail with Outlook Express, everyone knows that your system is as good as cracked already.

      I have know idea why he used the phrase 'network-based, remote' Is there some other remote way of talking to Microsoft computers? Some radio signal you can send that instantly gives you full access?
    • So can we put him back under the rock now?
  • by bourne ( 539955 ) on Thursday December 20, 2001 @03:47PM (#2733451)

    "Oh, you wanted a DOOR to hang that lock on.... Sure, I guess we could do that..."

  • Is there any MS Windows XP bug counter on the web? Something like:

    • "1233 bugs registered up to now".

    I think it would be funny, we could also compare with Linux 2.4.x bugs. And maybe we can also have a Score thing, or something like /.

    Any suggestion? Any website that already do this?

    • Traditionally, Linux's bug-count has always been much higher. You can check out the counts at Security Focus [securityfocus.com], if you want. Most people attribute this to the open-versus-closed nature of Linux and Microsoft, though it's impossible to say for certain why. Maybe Linux is buggier. Maybe Microsoft just hides their bugs.
      • by Znork ( 31774 )
        Um, if I remember correctly, those were the aggregate statistics for _all_ linux distributions combined, including all software installed on those distributions.

        Yes, those statistics were higher than for a clean Windows install. Counted separately they were lower, last I checked. And if you'd lump similar software in Windows as is usually included in a Linux dist, you'd get a far far far worse record for Windows.
    • Is there any MS Windows XP bug counter on the web

      Here's how the MS build team could find out:

      #!/bin/sh
      cd win32/src
      echo "Bugs found: " wc -l ./*.h ./*.cpp | grep total

      Just pipe that out to some place where a web server could get to it and you have numbers.

      They have shell on Win32, right? Or maybe they build on *nix... :-)

      -B

  • I first heard about this from the drudgereport and was just about to submit about this.

    As far as the security hole goes I've heard even worse things are possible since XP now allows "raw" socket access to non-administrators.
    There's a good article by Grieder that explains all about this at www.grc.com .
  • Kinda serious? (Score:2, Interesting)

    by rmadmin ( 532701 )
    In the past, Microsoft has shrugged problems like this off extremely easy, great PR ya know. For some reason this one seams more severe to me. Will this one actually hurt MS on a larger scale? I'm doubting it, but I would like to see something rumble the giant. Wouldn't be funny if the companies product ended up ruining the company? WHEEE =)

  • Since Christmas is one of the most popular times to buy a computer for the family, I am sure this will give new Compaq, Dell, Gateway, and HP buyers some pause find before Santa arrives. Is the gift you give your family going to end up being a hacker's plaything instead of theirs? Too bad you can't walk into a Best Buy or Circuit City and buy a Linux option -- though you can get a Mac powered by Mac OS X which has a few security issues [apple.com].
    • That should be "buyers some pause five days before Santa arrives". Typoed five days and spell checked it to find. Doh! :)
    • I am sure this will give new Compaq, Dell, Gateway, and HP buyers some pause

      People who know this is just the latest symptom of Microsoft's general neglect for security won't be buying XP anyway. Those who believe Microsoft deserves their dominant position because they are the best will see that there is already a patch. Those who don't know enough to know why they should care ... well, they don't know enough to care. Who does that leave?
  • Heh (Score:5, Funny)

    by Auckerman ( 223266 ) on Thursday December 20, 2001 @03:50PM (#2733486)
    "This is the first network-based, remote compromise that I'm aware of for Windows desktop systems," said Scott Culp, manager of Microsoft's security response center."

    This speaks for itself
  • Not only Windows XP (Score:2, Informative)

    by jaxdahl ( 227487 )
    This seems to affect Windows 98 and ME, not just Windows XP!! The Universal Plug-and-Play system has to be running though. Get the patches for those 3 OS'es and read up on the details here [microsoft.com].
  • by freerangegeek ( 451133 ) on Thursday December 20, 2001 @03:54PM (#2733515)
    It's so neat to see "Intel Inside" and "Windows" stickers on all these nice software boxes. With Microsoft's new dedication to security, I'm thinking its time we print up some nice "RedCode Enabled" or "Nimda Friendly" stickers. Then all I anyone needs to do is make a visit to the local computer outlet to upgrade the Windows OS boxes they have out on the shelves to buy.

    When the big virus/worm/... that exploits this hole is announced, maybe we can print up stickers to apply to all those nice shiny new XP boxes.
  • by kryzx ( 178628 ) on Thursday December 20, 2001 @03:54PM (#2733526) Homepage Journal
    Here's a little gem from the MS XP site [microsoft.com]

    Now Windows XP offers strong security to home computer users through Internet Connection Firewall protection, which makes your information, computers, and family data safer from intruders as soon as you start using Windows XP.

    I guess that helped a lot.

  • by 2Bits ( 167227 ) on Thursday December 20, 2001 @03:55PM (#2733532)
    Man, when I found two weeks ago that I can remotely control my XP machine and appliances, I thought: "Yeah, finally, something from MS that is usefull". When I do tech support, I don't have to go the user's cubicle anymore, I can just remotely fix the problem.

    And now, this is a security hole. Man, nowaday, you can't know for sure if it's a bug or a feature anymore.

  • I would not mind a decent explaination of what Universal Plug and PLay is, what it takes to shut it off, and what it would affect.
    • by Oily Tuna ( 542581 ) on Thursday December 20, 2001 @04:02PM (#2733595) Homepage Journal
      The Universal Plug and Play (UPnP) service allows computers to discover and use network-based devices. Windows ME and XP include native UPnP services; Windows 98 and 98SE do not include a native UPnP service, but one can be installed via the Internet Connection Sharing client that ships with Windows XP. This bulletin discusses two vulnerabilities affecting these UPnP implementations. Although the vulnerabilities are unrelated, both involve how UPnP-capable computers handle the discovery of new devices on the network.

      The first vulnerability is a buffer overrun vulnerability. There is an unchecked buffer in one of the components that handle NOTIFY directives - messages that advertise the availability of UPnP-capable devices on the network. By sending a specially malformed NOTIFY directive, it would be possible for an attacker to cause code to run in the context of the UPnP service, which runs with System privileges on Windows XP. (On Windows 98 and Windows ME, all code executes as part of the operating system). This would enable the attacker to gain complete control over the system.

      The second vulnerability results because the UPnP doesn't sufficiently limit the steps to which the UPnP service will go to obtain information on using a newly discovered device. Within the NOTIFY directive that a new UPnP device sends is information telling interested computers where to obtain its device description, which lists the services the device offers and instructions for using them. By design, the device description may reside on a third-party server rather than on the device itself. However, the UPnP implementations don't adequately regulate how it performs this operation, and this gives rise to two different denial of service scenarios.

      In the first scenario, the attacker could send a NOTIFY directive to a UPnP-capable computer, specifying that the device description should be downloaded from a particular port on a particular server. If the server was configured to simply echo the download requests back to the UPnP service (e.g., by having the echo service running on the port that the computer was directed to), the computer could be made to enter an endless download cycle that could consume some or all of the system's availability. An attacker could craft and send this directive to a victim's machine directly, by using the machine's IP address. Or, he could send this same directive to a broadcast and multicast domain and attack all affected machines within earshot, consuming some or all of those systems' availability.

      In the second scenario, an attacker could specify a third-party server as the host for the device description in the NOTIFY directive. If enough machines responded to the directive, it could have the effect of flooding the third-party server with bogus requests, in a distributed denial of service attack. As with the first scenario, an attacker could either send the directives to the victim directly, or to a broadcast or multicast domain.
  • by Vicegrip ( 82853 ) on Thursday December 20, 2001 @03:58PM (#2733567) Journal
    tally of said security issues as they pop up and then document how long it takes Microsoft to fix them-- before and after the bug is publically exposed.

    I would be interested to see captured on a yearly basis the bug count of Microsoft products versus some open source products including how long each bug took to get fixed and the severity of each bug.

    Microsoft is good a spreading FUD-- but facts are hard to beat and gobbled up by the media.. I'd be willing to volunteer my time to anybody with a server and some bandwidth for a project like this: just tell me what you need me to do.
  • That was the headline in my version of the story (rejected). I thought it had a bit of pizzazz. Oh well.

    What's with them burying this info in the TechNet section anyhow? "Security by Obscurity" does not work! Now that it's on AP and the lead story on Boston.com they have to own up to it.
  • by SlashChick ( 544252 ) <ericaNO@SPAMerica.biz> on Thursday December 20, 2001 @03:59PM (#2733572) Homepage Journal
    What the article doesn't mention is that Windows 98 with XP sharing is also affected, and that any version of Windows ME is affected as well.

    If you are running Windows 98 or ME, you should immediately go to Microsoft's website [microsoft.com] and download the patch for your system.

    A more technical description can be found here [eeye.com].

    Windows 2000 is not affected.
  • Catch 22 (Score:2, Interesting)

    by jspaleta ( 136955 )
    Win XP has a security problem which opens you up to attack the moment you connect to the net...
    You need to connect to the net so you can get the patch from MS website....hmmmmmm...catch 22

    So to safely get the patch from MS you have to find a non XP computer with a zip disk or a cd burner.....

    good think there are 0.25 % of the desktops out there running linux, so XP users can grab the patch they need off a secure netenabled desktop....assuming MS lets no-IE browsers connect to the MS site to grab the patch.

    -jef
  • So, hackers can compromise your XP box if you just connect to the Internet, but to get the patch, you have to go to the MS Web site...

  • by Lumpish Scholar ( 17107 ) on Thursday December 20, 2001 @04:01PM (#2733590) Homepage Journal
    Microsoft's newest version of Windows, billed as the most secure ever, contains several serious flaws that allow hackers to steal or destroy a victim's data files across the Internet or implant rogue computer software.
    I wonder what their least secure version allows?-)
  • the feature is activated by design in every copy of Windows XP


    Microsoft standard "Take Me, I'm Yours" default settings strike again.

  • by Waffle Iron ( 339739 ) on Thursday December 20, 2001 @04:01PM (#2733593)
    "Over four hours without a remote hole in the default install!"
  • by BadDoggie ( 145310 ) on Thursday December 20, 2001 @04:03PM (#2733606) Homepage Journal
    I know I do. "Hackers" can sieze control if people connect to the Net. MS makes a free fix[1] available on their Web site. Like, through the Net. So eXPendable users are basically forced to play Russian Roulette when they get on-line.

    Oh the fun you could have with BackOrificeXP right now... User tries to get patch, Evil haX0r-d00d shoots out a pop-up and mp3: a little Strauss music and a MsgBox reading, "I don't think I can let you do that, Dave."

    woof.

    [1] As opposed to that Win95 "fix" they called Win98 that you had to pay for.

    How do you forcefully urge people?

    • Even better: Black Hat sends pop-up window that says "installing update," blocks the real one, and installs whatever his little black heart desires.

      Or nothing at all. Muahahahahaha!

      -Legion

  • A side issue... (Score:2, Interesting)

    by Jarrod Pol ( 545289 )
    Drizzle allows Microsoft to automatically download a fix to the user's machine and forcefully ask them to install it? WTF?

    If Microsoft can force an automatic download, what's to stop anyone else?

    How long til someone finds this "feature" and REALLY gives it to XP users?
  • by jkujawa ( 56195 ) on Thursday December 20, 2001 @04:04PM (#2733614) Homepage
    Along similar lines of "Writing Solid Code".

    Wait for it, wait for it...

    "Writing Secure Code" [amazon.com]
    • Don't forget the "errata" section for updated info that came up after printing:

      Do not hire programmers that wear kaftans, turbans, long tangled beards, do not bathe, ride donkeys to the interview, speak with a thick Afghan ruling class accent, and repeat slogans like, "Death to capitalist war-mongers that allow their women to read!" or "Cover your face, you Hell-bound Satan's whore!"
    • Amazon [amazon.com] has it listed as "Wriring Secure Code (With CD-ROM)"

      Wriring... hm...

      Reminds me of that Dilbert cartoon where the MSFT lackey has to leverage Microsoft's market dominance to make an typo in the Word dictionary a new industry-standard word, plus, kill himself in their Comdex booth as an example to others...
  • by foxtrot ( 14140 ) on Thursday December 20, 2001 @04:05PM (#2733616)
    Haven't you seen the commercials? A huge multi-media advertising blitz to tell us all that _Everything_ is easier in XP.

    -JDF
  • Here's some stats. (Score:2, Interesting)

    by scott1853 ( 194884 )
    By following the link on the MS Security Bulletin I received in my e-mail, and going through the update process, it took a whopping 5 minutes including the reboot.

    Now all that's required is that somebody take the total number of XP users, multiply it by 5 minutes, and then multiply it by some made-up figure for what the average IT workers makes per minute, and then the zealots will have some fuel for their fire. "Look, this latest bug cost the country a billion dollars!". While in actuality it didn't cost the country anything, and only cost each corporation a percentage of their annual revenue, small enough to be measured in millionths of a percentage point.

    Gee, I think I just wasted more time posting this comment than it took to install the update :P
  • Title: Unchecked Buffer in Universal Plug and Play can Lead to System Compromise
    Date: 20 December 2001
    Software: Windows 98, Windows 98SE, Windows ME, Windows XP
    Impact: Run code of attacker's choice
    Max Risk: Critical
    Bulletin: MS01-059

    ---
    The hole is in more than XP as you can see.

    ---
    • I find it interesting that NT and 2000 are not listed... so just what is XPs code base?
      • Well, the full posting minus the PGP sig and un/subscribe information to get around the lameness filter.

        -----

        Title: Unchecked Buffer in Universal Plug and Play can Lead
        to System Compromise
        Date: 20 December 2001
        Software: Windows 98, Windows 98SE, Windows ME, Windows XP
        Impact: Run code of attacker's choice
        Max Risk: Critical
        Bulletin: MS01-059

        Microsoft encourages customers to review the Security Bulletin at:
        http://www.microsoft.com/technet/security/bullet in /MS01-059.asp.

        Issue:
        The Universal Plug and Play (UPnP) service allows computers to
        discover and use network-based devices. Windows ME and XP
        include native UPnP services; Windows 98 and 98SE do not include a
        native UPnP service, but one can be installed via the
        Internet Connection Sharing client that ships with Windows XP. This
        bulletin discusses two vulnerabilities affecting these
        UPnP implementations. Although the vulnerabilities are unrelated,
        both involve how UPnP-capable computers handle the
        discovery of new devices on the network.

        The first vulnerability is a buffer overrun vulnerability. There is
        an unchecked buffer in one of the components that handle
        NOTIFY directives - messages that advertise the availability of
        UPnP-capable devices on the network. By sending a specially
        malformed NOTIFY directive, it would be possible for an attacker to
        cause code to run in the context of the UPnP service,
        which runs with System privileges on Windows XP. (On Windows 98 and
        Windows ME, all code executes as part of the operating
        system). This would enable the attacker to gain complete control over
        the system.

        The second vulnerability results because the UPnP doesn't
        sufficiently limit the steps to which the UPnP service will go to
        obtain information on using a newly discovered device. Within the
        NOTIFY directive that a new UPnP device sends is
        information telling interested computers where to obtain its device
        description, which lists the services the device offers
        and instructions for using them. By design, the device description
        may reside on a third-party server rather than on the
        device itself. However, the UPnP implementations don't adequately
        regulate how it performs this operation, and this gives
        rise to two different denial of service scenarios.

        In the first scenario, the attacker could send a NOTIFY directive to
        a UPnP-capable computer, specifying that the device
        description should be downloaded from a particular port on a
        particular server. If the server was configured to simply echo
        the download requests back to the UPnP service (e.g., by having the
        echo service running on the port that the computer was
        directed to), the computer could be made to enter an endless download
        cycle that could consume some or all of the system's
        availability. An attacker could craft and send this directive to a
        victim's machine directly, by using the machine's IP
        address. Or, he could send this same directive to a broadcast and
        multicast domain and attack all affected machines within
        earshot, consuming some or all of those systems' availability.

        In the second scenario, an attacker could specify a third-party
        server as the host for the device description in the NOTIFY
        directive. If enough machines responded to the directive, it could
        have the effect of flooding the third-party server with
        bogus requests, in a distributed denial of service attack. As with
        the first scenario, an attacker could either send the
        directives to the victim directly, or to a broadcast or multicast
        domain.

        Mitigating Factors:
        General:
        - Standard firewalling practices (specifically, blocking ports
        1900 and 5000) could be used to protect corporate networks
        from Internet-based attacks.

        Windows 98 and 98SE:
        - There is no native UPnP support for these systems. Windows 98
        and 98SE systems would only be affected if the Internet Connection
        Sharing Client from Windows XP had been installed on the system.
        - Windows 98 and 98SE machines that have installed the Internet
        Connection Sharing client from a Windows XP system that has
        already applied this patch are not vulnerable.

        Windows ME:
        - Windows ME provides native UPnP support, but it is neither
        installed nor running by default. (However, some OEMs do
        configure pre-built systems with the service installed and
        running).

        Windows XP:
        - Internet Connection Firewall, which runs by default, would make it
        significantly more difficult for an attacker to determine the IP
        address of an affected machine. This could impede an attacker's
        ability to attack a machine via unicast messages. However, attacks
        via multicast or broadcast would still be possible.

        Risk Rating:
        Buffer Overrun:
        - Internet servers: None
        - Intranet servers: None
        - Client systems: Critical for Windows XP, moderate for Windows 98,
        Windows 98SE and Windows ME

        Denial of service:
        - Internet servers: None
        - Intranet servers: None
        - Client systems: Moderate

        Aggregate risk:
        - Internet servers: None
        - Intranet servers: None
        - Client systems: Critical for Windows XP, moderate for Windows 98,
        Windows 98SE and Windows ME

        Patch Availability:
        - A patch is available to fix this vulnerability. Please read the
        Security Bulletin at
        http://www.microsoft.com/technet/security/bulletin /ms01-059.asp
        for information on obtaining this patch.

        Acknowledgment:
        - eEye Digital Security (http://www.eeye.com)
    • Impact: Run code of attacker's choice

      Well now. Let's get it in gear and get the whole Windows-using world playing Solitaire [slashdot.org] at once.
  • by night_flyer ( 453866 ) on Thursday December 20, 2001 @04:08PM (#2733651) Homepage
    about the same amount of time that MicroSoft said that installing XP would save?
  • maturity (Score:3, Funny)

    by geekoid ( 135745 ) <`moc.oohay' `ta' `dnaltropnidad'> on Thursday December 20, 2001 @04:09PM (#2733653) Homepage Journal
    XP is an inmature OS. There are going to be tons of problems, just like any other new OS.
    Why company would switch to ANY OS that is less then 3 years old is beyond me.
  • "No OS is perfectly secure, but I bet a lot of new XP owners won't be too happy about this."

    No doubt many would be, if Microsoft would contact each and every registered user and explain it to them. As it is, most will never realize that the new computer they bought for Christmas is wide open for anyone to steal personal information, plant trojans, etc.

    I think Microsoft should be required to mail a CD with the fix to every registered user of Windows XP, and explain in clear non-technical language what the security flaw is and why the patch is important. Hell, make 'em overnight it, too.

    ZZZZZZZzzzzzzzzz....
    Oh, hey, I must have dozed off... what a weird dream that was...heh...
  • most of the time Windows does what they want it to do, without hassles. The security risks and the threat of MS abusing their personal freedoms are remote problems that don't impinge on the daily experience of web browsing, word processing, emailing, gaming, playing CDs... Sure, once in awhile you get bit by a virus. And the cost is increasing. But there isn't an alternative that is as easy to use.

    OK, argue with me, but I've been using Linux since before the birth of RedHat. Last month I spent a full day configuring my CD-ROM burner because of incomplete or wrong documentation. In windows it just works. Today I found a nifty software package, downloaded, unzipped, untarred, and it wouldn't run because of incompatible libraries. I try to update libraries and discover I'll break dependencies. Do I want to hassle with that? NO! Does Jane Doe want to hassle with that? Hell NO! Not when she can, using windows, double-click on Setup and let the install shield work -- which it does, most of the time.

    We can gloat over how insecure windows is and how dumb the people who use it are, but that won't make more people use Linux. Many people want to ditch windows, but don't because they think, correctly, that Linux is too gear-headed. What will make them switch is if they see an alternative to windows that is at least as easy to use. The major distributors know this, and they have improved installation and the desktop environment fantastically in the past couple of years. But Linux needs an equivalent to windows' install shield so that application installation and removal is simple, transparent, and reliable.

    It's the front end, stupid!
  • priorities (Score:5, Interesting)

    by poemofatic ( 322501 ) on Thursday December 20, 2001 @04:09PM (#2733661)
    This is for those who are sympathetic to the MS responsible reporting policies:

    The flaw, discovered five weeks ago threatened to undermine widespread adoption of Microsoft's latest windows software...

    The company sold 25 million copies of Windows XP in the two weeks after it hit stores Oct. 25...

    The company released a free fix thursday.

    So beyond consideration that MS delay releasing XP until this hole is fixed. The best thing to do is keep it secret (responsible reporting) until they get around to writing the patch sometime. In fact, the biggest threat here is that it will "undermine the adoption" of XP -- i.e. they might not sell as many copies if people know there is a huge hole in the OS. No mention of threat to users, etc.

    For reference, look at the motorola exploit in the jargon file [tuxedo.org].

    I wonder how many times this has to happen before people are convinced that making bugs available and publicly releasing exploit code is the only way that the big vendors will make security a top priority.

  • The exploit (Score:5, Informative)

    by Legion303 ( 97901 ) on Thursday December 20, 2001 @04:10PM (#2733672) Homepage
    From Eeye Digital Security:

    The SYSTEM Remote exploit

    The first vulnerability, within Microsoft's implementation of the UPNP protocol, can result in an attacker gaining remote SYSTEM level access to any default installation of Windows XP. SYSTEM is the highest level of access within Windows XP.

    During testing of the UPNP service, we discovered that by sending malformed advertisements at various speeds we could cause access violations on the target machine. Most of these were due to pointers being overwritten. The following describes one instance.

    Example Session:

    NOTIFY * HTTP/1.1
    HOST: 239.255.255.250:1900
    CACHE-CONTROL: max-age=10
    LOCATION: http://IPADDRESS:PORT/.xml
    NT: urn:schemas-upnp-org:device:InternetGatewayDevice: 1
    NTS: ssdp:alive
    SERVER: EEYE/2001 UPnP/1.0 product/1.1
    USN: uuid:EEYE

    If a buffer is incremented in the protocol, port, and uri fields of the Location URL and send sessions with 10,000 microsecond intervals, access violations will begin to be observed. In one situation, The EAX and ECX registers will contain addresses that are pulled from memory that was overwritten and the svchost.exe process will access an invalid memory address at a "mov" instruction. It throws and access violation due to the fact that the destination address is an overwritten pointer, and there's nothing interesting at 0x41414141.

    During our testing we found that there were multiple points of exploitation. In our testing we found instances of stack overflows and heap overflows, both of which were exploitable. In the case of the heap overflow we saw pointers being overwritten for both buffers and functions.

    The SSDP service also listens on Multicast and Broadcast addresses. Therefore gaining SYSTEM access to an entire network of XP machines is possible with only one anonymous UDP SSDP attack session.

    Comments: First, don't mod me up as "informative"; I didn't write any of that. If you're considering modding me up as informative, consider unchecking "willing to moderate" or at least read the moderator guidelines. Second, does MS put out products with such glaring, horrible security flaws *on purpose*? As far as I know, the UPNP feature is brand new, so it shouldn't be based on any existing code base, yet MS programmers are *still* using unsafe commands (presumably) and not doing bounds checking. This is a buffer overflow vulnerability in a new product, for fuck's sake.

    -Legion

  • by Wakko Warner ( 324 ) on Thursday December 20, 2001 @04:13PM (#2733697) Homepage Journal
    ...what makes this any different from any other version of Windows?

    The best way to secure a Windows box is to take a pair of scissors to the ethernet cable.

    - A.P.
  • by cscx ( 541332 ) on Thursday December 20, 2001 @04:14PM (#2733707) Homepage
    Hold up. Let's stop this flamebait.

    For all you Linux-heads that haven't installed XP, the installer determines by asking you if you are connected directly to the Internet or if you are connected to a LAN --- if you're directly connected, YOUR CONNECTION IS AUTOMATICALLY FIREWALLED. Which means, that if MS did its math correctly, most people connecting to the Internet should already be protected, patch aside.

    Now, what if you're on a LAN? You should already be behind a firewall. So theoretically the only people vulnerable are corporate users vulnerable from attacks INSIDE the company. That narrows it down, doesn't it?

    Ooooh, it's a bug!! So what?!? I believe "security by obscurity" has proven to work this time. When did /. hear about this bug? Today. When was the patch released? Prolly before we heard about it. Nuff said.

    But then, you know, Linux doesn't have bugs (eyeroll). Why is it that when Win* has bugs, it's headline news on /., but all the bugs in the 2.4 kernel go unnoticed? Oh yeah, heh, I forgot, this is Slashdot. Honestly, guys, grow up.

    Like all the Linux boxen running pretty much any version of wu-ftpd and vulnerable versions of BIND (and there are A LOT) are safe. Hah. Why don't you look at the fact before you start posting flamebait......

  • Looking at this I do have to wonder will UPnP (Universal Plug and Play) be the next IIS in terms of exploits, viruses and worms?

    This issue is the second major *known* problem with UPnP in as many months, both involving buffer overflows of some kinds (MS01-059 & MS01-054).

    Since UPnP runs as a service with a SYSTEM level authority, rooting it gives you god-like control over the system, so this falls under the heading of a bad thing. I seem to remember that it is installed by default (currently running w2k so i cant check if it is or not).

    So what we have here is a service that seems to be exploitable, running a protocol similar to http, that is installed by default and will be a total pain to turn off, assuming of course that johnny average user even realises it is turned on!

    Getting the average user convinced to download patches for this sort of thing are going to be a hard sell as there is no perceived benefit from downloading a file which corrects a fault in something you don't know is running, and even if you did you don't fully understand the purpose of.

    IIS had similar problems, not to mention a raft of exploits (i imagine these UPnP exploits are just the tip of the iceberg) and look what that became - one of the more popular webservers - both to host sites and to write worms for...
  • That's really interesting..

    The vulnerabilities were discovered by three young security researchers with eEye Digital Security of Aliso Viejo, California, led by Marc Maiffret, a 21-year-old former hacker. In recent months, Maiffret, who calls himself the firm's "chief hacking officer," has advised the FBI and the White House on Internet security questions and testified before Congress.

    How'd you like to have that on your business card?

    Marc Maiffret
    CHO, eEye Digital Security
  • Microsoft said a new feature of Windows XP, known as "drizzle," can automatically download the free fix, which takes several minutes to download, and prompt consumers to install it.

    I bet a dollar that "drizzle" will be the next big virus backdoor...

    Microsoft also is working with other software companies, such as leading antivirus and firewall vendors, to build protection into their products.

    ...implying, perhaps, that there hasn't been any protection up until this point? :-)

  • by MillionthMonkey ( 240664 ) on Thursday December 20, 2001 @04:38PM (#2733842)
    We ran into this several months ago when we were testing some server software that we wrote. We were using port 5000 as a default. As soon as XP came out, we tested the software on it and found that we could not bind a server to port 5000 at all because it was taken. So naturally, we wondered, what in XP is listening on port 5000?
    Turns out that Microsoft picked the same port for its Plug and Play architecture, which listens on it for a connection coming (presumably) through the local TCP/IP stack. The protocol is XML (maybe SOAP, can't remember). You can receive and send configuration information by using that port (the schema is somewhere on microsoft.com) and it occurred to me even then that this looked like a potential security hole. But, I thought, this is too blatantly obvious and surely Microsoft is not so stupid as to allow access to the PnP internals from nonlocal IPs. Right? So we simply moved our software's default port setting to another port and forgot about it.

    Predictions:
    The scandal will flow off MS in a day or two, like water off a duck's back.
    The downloadable security patch will be bundled with the latest updates to Microsoft's digital rights management crap.
    Every script kiddie will have a tool within the week that scans IP ranges on port 5000 in search of the machines that have remained unpatched.
    The guy who publicized the flaw will be tried in a secret military tribunal as a cyberterrorist.
  • Techy Details (Score:2, Informative)

    by hether ( 101201 )
    Since the article is virtually useless as far as explaining what the security problem really is, here is the complete explanation from eEye
    http://www.eeye.com/html/Research/Advisories/AD200 11220.html [eeye.com]
  • Just a question (Score:5, Informative)

    by julesh ( 229690 ) on Thursday December 20, 2001 @05:00PM (#2734004)
    How are *users* supposed to know about this?

    I mean, it's OK for you and me, we read techie web sites like slashdot, and I'm subscribed to bugtraq. But 99.9% of the public out there aren't.

    So, somewhere informative should be yelling and screaming about a problem like this that affects pretty much everyone with WinME or XP.

    So, I check MS's website.

    Top article with the biggest link? No. That goes to 'Give the gift of Internet for Christmas', an advert for MSN.

    Ah, there's a Windows section just beneath - surely it'll be there? Nope. "Music, movies and more".

    Maybe it counts as 'News'? "Test Results In - Windows XP more reliable" (at least if its getting your computer rooted you're after).

    Downloads perhaps? An item at least for a security fix - the Internet Explorer one discussed last week, but no mention of any XP patches. Not even if I click "More downloads".

    Maybe if you click on the 'Windows' section? No mention. But that's for the Windows XP Home edition. Maybe the Pros think it's more useful? No. "Turn your computer into an entertainment center" - very professional.

    Aha - finally found it; chose a link from the Windows XP Home page to the Windows XP home page (note capitalisation difference) and theres a small link there "Important! Security patch for Windows XP and Windows ME users" on a page that apparently has the main intention of allowing people to choose whether they want the home edition or the professional edition sites, neither of which has the link.

    Oh, and as an aside, is it just me, but I'm using Internet Explorer 5 with default font size settings, on Win NT 4 with default font size settings, and some of the text on the security bulletin is only about 6 pixels tall and is utterly unreadable because of this?
    • Re:Just a question (Score:3, Informative)

      by radish ( 98371 )

      A lot of users run Critical Update Notification (I know I do), that pops up an alert box when you go online saying there are new patches to install. Also, using Windows Update (easily available from your Start menu!) will let you know what needs to be installed for your particular setup.

      Agreed, it is still very easy for people to be unaware, but it's not quite as easy as you make out ;-)
  • by eyeball ( 17206 ) on Thursday December 20, 2001 @05:44PM (#2734261) Journal
    Ha! I heard this on AM radio before I heard it on Slashdot.
  • by Zero__Kelvin ( 151819 ) on Thursday December 20, 2001 @07:32PM (#2734954) Homepage

    "No OS is perfectly secure, but I bet a lot of new XP owners won't be too happy about this."

    Perhaps fewer than you might think, because first they have to know about the hole, then they have to care . In my experience, the average joe doesn't understand the implications at all, and asks "why would anyone want to break into my system anyway? I have nothing of interest or value there."

    As Slashdotters we tend to highly over-estimate the level of understanding of the average joe with regard to security issues and YRO in general. Sad, but all too true 8^{
  • by MtViewGuy ( 197597 ) on Thursday December 20, 2001 @10:45PM (#2735648)
    Folks,

    I think at least Microsoft has done something to immediately close this security hole.

    If you want to get notification of any security patches for any Microsoft product, their security web page (www.microsoft.com/security) allows you to sign for for an email notification service that gives email warnings about possible security problems and available patches to correct said problem.

    It's also a good practice to regularly visit the Windows Update web page (windowsupdate.microsoft.com). That page has Critical Updates that includes security patches.

The means-and-ends moralists, or non-doers, always end up on their ends without any means. -- Saul Alinsky

Working...