WinXP Security Flaw
Many readers have submitted word of the newest security hole in Windows XP. joshjs, for instance, writes: "Don't know if this is common knowledge at this point or not, but apparently some security researchers discovered that Windows XP's universal plug and play features contain a huge security flaw: 'A Microsoft official acknowledged that the risk to consumers was unprecedented because the glitches allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet. ... Microsoft made available on its Web site a free fix for both home and professional editions of Windows XP and forcefully urged consumers to install it immediately.' Read more at the Washington Post's story." No OS is perfectly secure, but I bet a lot of new XP owners won't be too happy about this. Update: 12/20 20:05 GMT by T : fcrick submits a link to the same AP story at Wired, and several readers have pointed out that a patch is available. Update: 12/20 21:31 GMT by T : And as banuaba writes: "This hole also affects versions of 98 with XP File sharing installed and all versions of ME."
The information from Microsoft regarding this can be found here, as well as a patch.
I first heard about this from the drudgereport and was just about to submit about this.
As far as the security hole goes I've heard even worse things are possible since XP now allows "raw" socket access to non-administrators.
There's a good article by Grieder that explains all about this at www.grc.com .
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/MS01-059.asp
This seems to affect Windows 98 and ME, not just Windows XP!! The Universal Plug-and-Play system has to be running though. Get the patches for those 3 OS'es and read up on the details here.
What the article doesn't mention is that Windows 98 with XP sharing is also affected, and that any version of Windows ME is affected as well.
If you are running Windows 98 or ME, you should immediately go to Microsoft's website and download the patch for your system.
A more technical description can be found here.
Windows 2000 is not affected.
The Universal Plug and Play (UPnP) service allows computers to discover and use network-based devices. Windows ME and XP include native UPnP services; Windows 98 and 98SE do not include a native UPnP service, but one can be installed via the Internet Connection Sharing client that ships with Windows XP. This bulletin discusses two vulnerabilities affecting these UPnP implementations. Although the vulnerabilities are unrelated, both involve how UPnP-capable computers handle the discovery of new devices on the network.
The first vulnerability is a buffer overrun vulnerability. There is an unchecked buffer in one of the components that handle NOTIFY directives - messages that advertise the availability of UPnP-capable devices on the network. By sending a specially malformed NOTIFY directive, it would be possible for an attacker to cause code to run in the context of the UPnP service, which runs with System privileges on Windows XP. (On Windows 98 and Windows ME, all code executes as part of the operating system). This would enable the attacker to gain complete control over the system.
The second vulnerability results because the UPnP doesn't sufficiently limit the steps to which the UPnP service will go to obtain information on using a newly discovered device. Within the NOTIFY directive that a new UPnP device sends is information telling interested computers where to obtain its device description, which lists the services the device offers and instructions for using them. By design, the device description may reside on a third-party server rather than on the device itself. However, the UPnP implementations don't adequately regulate how it performs this operation, and this gives rise to two different denial of service scenarios.
In the first scenario, the attacker could send a NOTIFY directive to a UPnP-capable computer, specifying that the device description should be downloaded from a particular port on a particular server. If the server was configured to simply echo the download requests back to the UPnP service (e.g., by having the echo service running on the port that the computer was directed to), the computer could be made to enter an endless download cycle that could consume some or all of the system's availability. An attacker could craft and send this directive to a victim's machine directly, by using the machine's IP address. Or, he could send this same directive to a broadcast and multicast domain and attack all affected machines within earshot, consuming some or all of those systems' availability.
In the second scenario, an attacker could specify a third-party server as the host for the device description in the NOTIFY directive. If enough machines responded to the directive, it could have the effect of flooding the third-party server with bogus requests, in a distributed denial of service attack. As with the first scenario, an attacker could either send the directives to the victim directly, or to a broadcast or multicast domain.
Mmmmmmm
The first vulnerability is a buffer overrun vulnerability.
Microsoft specifically said they reviewed all the code in Windows XP for buffer overruns. http://www.vnunet.com/News/1125281
No, the difference is that in Linux (for example), you must be a privileged user (root) to do raw sockets. In XP, last I heard, any user could do it.
Comments: First, don't mod me up as "informative"; I didn't write any of that. If you're considering modding me up as informative, consider unchecking "willing to moderate" or at least read the moderator guidelines. Second, does MS put out products with such glaring, horrible security flaws *on purpose*? As far as I know, the UPNP feature is brand new, so it shouldn't be based on any existing code base, yet MS programmers are *still* using unsafe commands (presumably) and not doing bounds checking. This is a buffer overflow vulnerability in a new product, for fuck's sake.
-Legion
Ummm....
Solaris, AIX login hole
SSH and OpenSSH Comparisons (note the Update about SSHv1 security bulletin...)
Running BIND 4 or 8? Upgrade!
The Twenty Most Critical Internet Security Holes (Includes "General," "Windows," and "Unix" vulnerabilities)
Open-Source != Security; PGP Provides Cautionary Tale
Debian 2.2 "Has Major Security Issues"? UPDATED
Vulnerability In SSH1
SSH Secure Shell 3.0.0 Remote Hole ("is a gaping remote hole on various unixes.")
Garfinkel Warns Of Linux Virus "Epidemic"
ProFTPD, Wuarchive Ftpd Compromised
Looks like they DO post a big announcement when holes are found in Linux or software usually bundled with. Fancy that.
Well, the full posting minus the PGP sig and un/subscribe information to get around the lameness filter.
-----
Title: Unchecked Buffer in Universal Plug and Play can Lead
to System Compromise
Date: 20 December 2001
Software: Windows 98, Windows 98SE, Windows ME, Windows XP
Impact: Run code of attacker's choice
Max Risk: Critical
Bulletin: MS01-059
Microsoft encourages customers to review the Security Bulletin at:
http://www.microsoft.com/technet/security/bulletin/MS01-059.asp.
Issue:
The Universal Plug and Play (UPnP) service allows computers to
discover and use network-based devices. Windows ME and XP
include native UPnP services; Windows 98 and 98SE do not include a
native UPnP service, but one can be installed via the
Internet Connection Sharing client that ships with Windows XP. This
bulletin discusses two vulnerabilities affecting these
UPnP implementations. Although the vulnerabilities are unrelated,
both involve how UPnP-capable computers handle the
discovery of new devices on the network.
The first vulnerability is a buffer overrun vulnerability. There is
an unchecked buffer in one of the components that handle
NOTIFY directives - messages that advertise the availability of
UPnP-capable devices on the network. By sending a specially
malformed NOTIFY directive, it would be possible for an attacker to
cause code to run in the context of the UPnP service,
which runs with System privileges on Windows XP. (On Windows 98 and
Windows ME, all code executes as part of the operating
system). This would enable the attacker to gain complete control over
the system.
The second vulnerability results because the UPnP doesn't
sufficiently limit the steps to which the UPnP service will go to
obtain information on using a newly discovered device. Within the
NOTIFY directive that a new UPnP device sends is
information telling interested computers where to obtain its device
description, which lists the services the device offers
and instructions for using them. By design, the device description
may reside on a third-party server rather than on the
device itself. However, the UPnP implementations don't adequately
regulate how it performs this operation, and this gives
rise to two different denial of service scenarios.
In the first scenario, the attacker could send a NOTIFY directive to
a UPnP-capable computer, specifying that the device
description should be downloaded from a particular port on a
particular server. If the server was configured to simply echo
the download requests back to the UPnP service (e.g., by having the
echo service running on the port that the computer was
directed to), the computer could be made to enter an endless download
cycle that could consume some or all of the system's
availability. An attacker could craft and send this directive to a
victim's machine directly, by using the machine's IP
address. Or, he could send this same directive to a broadcast and
multicast domain and attack all affected machines within
earshot, consuming some or all of those systems' availability.
In the second scenario, an attacker could specify a third-party
server as the host for the device description in the NOTIFY
directive. If enough machines responded to the directive, it could
have the effect of flooding the third-party server with
bogus requests, in a distributed denial of service attack. As with
the first scenario, an attacker could either send the
directives to the victim directly, or to a broadcast or multicast
domain.
Mitigating Factors:
General:
- Standard firewalling practices (specifically, blocking ports
1900 and 5000) could be used to protect corporate networks
from Internet-based attacks.
Windows 98 and 98SE:
- There is no native UPnP support for these systems. Windows 98
and 98SE systems would only be affected if the Internet Connection
Sharing Client from Windows XP had been installed on the system.
- Windows 98 and 98SE machines that have installed the Internet
Connection Sharing client from a Windows XP system that has
already applied this patch are not vulnerable.
Windows ME:
- Windows ME provides native UPnP support, but it is neither
installed nor running by default. (However, some OEMs do
configure pre-built systems with the service installed and
running).
Windows XP:
- Internet Connection Firewall, which runs by default, would make it
significantly more difficult for an attacker to determine the IP
address of an affected machine. This could impede an attacker's
ability to attack a machine via unicast messages. However, attacks
via multicast or broadcast would still be possible.
Risk Rating:
Buffer Overrun:
- Internet servers: None
- Intranet servers: None
- Client systems: Critical for Windows XP, moderate for Windows 98,
Windows 98SE and Windows ME
Denial of service:
- Internet servers: None
- Intranet servers: None
- Client systems: Moderate
Aggregate risk:
- Internet servers: None
- Intranet servers: None
- Client systems: Critical for Windows XP, moderate for Windows 98,
Windows 98SE and Windows ME
Patch Availability:
- A patch is available to fix this vulnerability. Please read the
Security Bulletin at
http://www.microsoft.com/technet/security/bulletin/ms01-059.asp
for information on obtaining this patch.
Acknowledgment:
- eEye Digital Security (http://www.eeye.com)
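The two NOTIFY-handling flaws described in the bulletin text above (and in the shorter excerpt earlier in the thread), shown from the receiving side as an added example that is not part of the thread, the bulletin, or Microsoft's patch: a C check that bounds the datagram and header lengths before copying, and refuses a device description LOCATION on a host other than the sender. The function names, the size limits and the same-host policy are assumptions made for illustration.

```c
/* Added example, not Microsoft's code. Limits and same-host rule are assumptions. */
#include <stdio.h>
#include <string.h>
#include <strings.h>
#define MAX_MSG   1024  /* assumed cap on one NOTIFY datagram */
#define MAX_VALUE 256   /* assumed cap on one header value */
enum verdict { NOTIFY_OK, NOTIFY_MALFORMED, NOTIFY_OVERSIZE, NOTIFY_FOREIGN_LOCATION };

/* Copy header `name` into out[outsz]. Returns 0, -1 if absent, -2 if too long. */
static int get_header(const char *msg, const char *name, char *out, size_t outsz) {
    size_t nlen = strlen(name);
    const char *line = msg, *eol;
    while ((eol = strstr(line, "\r\n")) != NULL) {
        if ((size_t)(eol - line) > nlen && line[nlen] == ':' &&
            strncasecmp(line, name, nlen) == 0) {
            const char *v = line + nlen + 1;
            while (v < eol && (*v == ' ' || *v == '\t')) v++;
            size_t vlen = (size_t)(eol - v);
            if (vlen >= outsz) return -2;  /* the check an unchecked copy lacks */
            memcpy(out, v, vlen);
            out[vlen] = '\0';
            return 0;
        }
        line = eol + 2;
    }
    return -1;
}

/* pkt/len: raw datagram; src_ip: textual source address it arrived from. */
enum verdict check_notify(const char *pkt, size_t len, const char *src_ip) {
    char msg[MAX_MSG], loc[MAX_VALUE], host[64];
    if (len >= sizeof msg) return NOTIFY_OVERSIZE;
    if (memchr(pkt, '\0', len)) return NOTIFY_MALFORMED;  /* embedded NUL */
    memcpy(msg, pkt, len);
    msg[len] = '\0';
    if (strncmp(msg, "NOTIFY * HTTP/1.1\r\n", 19) != 0) return NOTIFY_MALFORMED;
    int rc = get_header(msg, "LOCATION", loc, sizeof loc);
    if (rc == -2) return NOTIFY_OVERSIZE;
    if (rc == -1 || strncasecmp(loc, "http://", 7) != 0) return NOTIFY_MALFORMED;
    size_t hlen = strcspn(loc + 7, ":/");
    if (hlen == 0 || hlen >= sizeof host) return NOTIFY_MALFORMED;
    memcpy(host, loc + 7, hlen);
    host[hlen] = '\0';
    /* Fetch the description only from the sender; the fetch itself still
       needs its own size and time limits (not shown). */
    if (strcmp(host, src_ip) != 0) return NOTIFY_FOREIGN_LOCATION;
    return NOTIFY_OK;
}

/* Constructed sample datagrams using documentation addresses. */
static const char LOCAL_MSG[] = "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    "NTS: ssdp:alive\r\nLOCATION: http://192.0.2.10:5000/desc.xml\r\n\r\n";
static const char REDIR_MSG[] = "NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    "NTS: ssdp:alive\r\nLOCATION: http://198.51.100.7:80/desc.xml\r\n\r\n";
int main(void) {
    printf("local=%d ", check_notify(LOCAL_MSG, sizeof LOCAL_MSG - 1, "192.0.2.10"));
    printf("redirect=%d\n", check_notify(REDIR_MSG, sizeof REDIR_MSG - 1, "192.0.2.10"));
    return 0;
}
```

A UDP source address can be forged, so the same-host rule narrows where a NOTIFY can send the fetch rather than authenticating the sender. Blocking ports 1900 and 5000 at the perimeter, as the bulletin advises, still applies.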
"Linux" as a trademark is owned by Linus. Not the software.
The GNU affects you only if you wish to redistribute GNU copyrighted software. It is not an EULA, and no one is "licensed" to use or install GNU Software. Anyone can install/configure/run/modify it however they want.
When in doubt, have a man come through a door with a gun in his hand.
I hate to say so, but the linux kernel had security problems too.
The syncookies bug a few months ago is a kernel bug.
Also the ip_conntrack_ftp bug in 2.4.3 and older is a kernel bug.
Well, don't worry about that. We can get you back before you leave. (Dr. Who)
He is referring to the operating system proper, not applications like IIS. According to him this is the first remote exploit of the Windows OS itself which allows an attacker to take over the computer. As far as I can remember, he is correct.
So, what crack pipe have you been puffing on?
Since the article is virtually useless as far as explaining what the security problem really is, here is the complete explanation from eEye
http://www.eeye.com/html/Research/Advisories/AD20011220.html
Most people would die sooner than think; in fact, they do.
At risk of losing all my karma, but here goes.... if you enable XP's built in firewall on a network interface, you'll discover that you can no longer connect to the universal plug and play service on that interface. So yes, it helps a lot actually!
Lead developer, http://wisptools.net
I think it's you who hasn't read it.
From memory:
"You do not have to agree to this license, because you have not signed it. However, nothing else gives you permission to redistribute or modify the software. Therefore, by redistributing or modifying the software, you indicate your agreement to this license."
(I'm sure I've got the wording wrong, but equally sure that I have the meaning correct[1]).
Note specifically that it does *not* say "nothing else gives you permission to USE the software" or "by USING the software". The GPL does not restrict use of the software in any way.
By contrast, every MS or Oracle license includes restrictions on the use of the software and requires you to agree to it (usually by a click-through) before using the software at all.
Did it honestly never occur to you that there might be a reason that you don't have to click-through the GPL before using linux or other GPL'd software?
Stuart.
[1] Sure, I could have gone to that URL and copy'n'pasted the appropriate text. I deliberately didn't do so, in the hope that the fact that I can quote the relevant section almost-verbatim from memory indicates that I know the contents of the GPL pretty well. Feel free to compare my version with the actual text - if there's any substantial difference in meaning, I'll eat my hat.
the OS itself hasn't been vulnerable to such attacks until now
What? Are you really saying that NT/2000 base product has never had a remote exploit!
Check:
MS01-007
MS00-070
MS00-047
MS00-021
And that's just from MS's site and the last couple years. Microsoft's real recommendation is to just firewall RPC services, so take _that_ for what it's worth.
How are *users* supposed to know about this?
I mean, it's OK for you and me, we read techie web sites like slashdot, and I'm subscribed to bugtraq. But 99.9% of the public out there aren't.
So, somewhere informative should be yelling and screaming about a problem like this that affects pretty much everyone with WinME or XP.
So, I check MS's website.
Top article with the biggest link? No. That goes to 'Give the gift of Internet for Christmas', an advert for MSN.
Ah, there's a Windows section just beneath - surely it'll be there? Nope. "Music, movies and more".
Maybe it counts as 'News'? "Test Results In - Windows XP more reliable" (at least if it's getting your computer rooted you're after).
Downloads perhaps? An item at least for a security fix - the Internet Explorer one discussed last week, but no mention of any XP patches. Not even if I click "More downloads".
Maybe if you click on the 'Windows' section? No mention. But that's for the Windows XP Home edition. Maybe the Pros think it's more useful? No. "Turn your computer into an entertainment center" - very professional.
Aha - finally found it; chose a link from the Windows XP Home page to the Windows XP home page (note capitalisation difference) and there's a small link there "Important! Security patch for Windows XP and Windows ME users" on a page that apparently has the main intention of allowing people to choose whether they want the home edition or the professional edition sites, neither of which has the link.
Oh, and as an aside, is it just me, but I'm using Internet Explorer 5 with default font size settings, on Win NT 4 with default font size settings, and some of the text on the security bulletin is only about 6 pixels tall and is utterly unreadable because of this?
Um, if I remember correctly, those were the aggregate statistics for _all_ linux distributions combined, including all software installed on those distributions.
Yes, those statistics were higher than for a clean Windows install. Counted separately they were lower, last I checked. And if you'd lump similar software in Windows as is usually included in a Linux dist, you'd get a far far far worse record for Windows.
The GPL is very different legally. It conditionally grants rights which you would not otherwise have under normal copyright laws. If you decide not to agree to its terms, then you are merely bound by normal copyright law, which is even more restrictive. And, for this reason, you are allowed to refuse to agree to the GPL. (Try that with a normal EULA!)
The GPL is not an END USER licence, because it has no implications for the end user. It only affects those who modify or distribute the software (and its restrictions only affect those who distribute it).
This was not reported before WinXP was launched.
We are now 3 weeks into December. This was reported to MS 5 weeks ago, or about 2 weeks into November. WinXP "hit stores Oct. 25" or about 3 weeks before this was reported.
Not that I like this sitting unpatched for 5 weeks, but it would be a bit hard for MS to delay releasing an OS for a bug that has not been found yet.
This is my sig. There are many like it but this one is... Oops. Frank, I've got your sig again! Where's mine?
Folks,
I think at least Microsoft has done something to immediately close this security hole.
If you want to get notification of any security patches for any Microsoft product, their security web page (www.microsoft.com/security) allows you to sign up for an email notification service that gives email warnings about possible security problems and available patches to correct said problem.
It's also a good practice to regularly visit the Windows Update web page (windowsupdate.microsoft.com). That page has Critical Updates that include security patches.