WinXP Security Flaw

Many readers have submitted word of the newest security hole in Windows XP. joshjs, for instance, writes: "Don't know if this is common knowledge at this point or not, but apparently some security researchers discovered that Windows XP's universal plug and play features contain a huge security flaw: 'A Microsoft official acknowledged that the risk to consumers was unprecedented because the glitches allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet. ... Microsoft made available on its Web site a free fix for both home and professional editions of Windows XP and forcefully urged consumers to install it immediately.' Read more at the Washington Post's story." No OS is perfectly secure, but I bet a lot of new XP owners won't be too happy about this. Update: 12/20 20:05 GMT by T : fcrick submits a link to the same AP story at Wired, and several readers have pointed out that a patch is available. Update: 12/20 21:31 GMT by T : And as banuaba writes: "This hole also affects versions of 98 with XP File sharing installed and all versions of ME."

Re:PNP

[tzanger]

The OS allows access to raw sockets and, therefore, the entire kernel.

Go read it again. Raw sockets is not a security flaw. Unix (including Linux and OSX) has them too. All it means is that it's easy to spoof packets. That's it.

Whoa, Nice shootin', Tex

[cscx]

Hold up. Let's stop this flamebait.

For all you Linux-heads that haven't installed XP, the installer determines by asking you if you are connected directly to the Internet or if you are connected to a LAN --- if you're directly connected, YOUR CONNECTION IS AUTOMATICALLY FIREWALLED. Which means, that if MS did its math correctly, most people connecting to the Internet should already be protected, patch aside.

Now, what if you're on a LAN? You should already be behind a firewall. So theoretically the only people vulnerable are corporate users vulnerable from attacks INSIDE the company. That narrows it down, doesn't it?

Ooooh, it's a bug!! So what?!? I believe "security by obscurity" has proven to work this time. When did /. hear about this bug? Today. When was the patch released? Prolly before we heard about it. Nuff said.

But then, you know, Linux doesn't have bugs (eyeroll). Why is it that when Win* has bugs, it's headline news on /., but all the bugs in the 2.4 kernel go unnoticed? Oh yeah, heh, I forgot, this is Slashdot. Honestly, guys, grow up.

Like all the Linux boxen running pretty much any version of wu-ftpd and vulnerable versions of BIND (and there are A LOT) are safe. Hah. Why don't you look at the fact before you start posting flamebait......

Re:Well..

[Zigg]

Ironically, he did "stay quiet". Notice that Scott Culp is practically peeing his pants in admiration of how he didn't publish details on how this is exploited.

Technically false.

[roystgnr]

There have been a number of remote exploits in Win9x filesharing, first of all. I don't know of anything affecting an "out of the box" installation, but if you had a Win95 box that had any writeable shares, even password protected ones, even deeply nested in the filesystem ones, your computer could have been remotely compromised.

Secondly, does anyone remember a little thing called Outlook Express? Sure, most of the popular worms exploited the unpatchable "Stupid User" bug, but there have been at least two that left your computer remotely compromisable from just the Preview pane of the email (thanks to HTML buffer overflows) and one that would let your computer be compromised as email was downloaded (thanks to email header buffer overflows). Of course, the preview pane bugs were really Microsoft HTML component bugs, so could be triggered by Internet Explorer hitting a malicious page even if you didn't use Outlook.

And if there's one thing that Microsoft has taught us, it's that Internet Explorer is an essential part of the Windows(TM) Operating System eXPerience.

Re:Magic Lantern

[Tackhead]

> watch the next "service pack" from Micro$oft to fix this quietly installs the Magic Lantern trojan.
>
>You don't think the Feds dropped the antitrust case for nothing, do you? ;)

...and if the Feds support the AGs in strengthening the crippled remedy presently in progress, maybe this was Magic Lantern, and it just got disabled. (If eeye.com executives are disappeared next week, I guess we'll know for sure ;-)

I may have misadjusted my tinfoil hat this morning, but it struck me that a PC configured to send out unicast malformed NOTIFY messages to exploit the previously-undisclosed UPnP hole on a specific target machine... well, it'd look to the UPnP service like piece of hardware. Hardware like a lantern, if you will, shining a light on the suspect's machine... *evil grin*

Yes, FUD

[poemofatic]

The GPL is a EULA..

EULA = "End User License Agreement". They are a way of taking away user's first sale rights. The GPL does not try to foist any license agreement on end users. In fact it states


5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works.


So you are confusing a license to redistribute something (which is required for all copyrighted works) with a license to use a copyrighted work. Microsoft has the latter in the form of EULA. Linux doesn't. Microsoft has the former in the form of often secret agreements with OEMs. Linux has the former with the publicly available GPL. Apples and oranges.

Re:NO EXPLOIT AVAILABLE

[nagora]

You missunderstand the purpose of full-disclosure. It is not intended to make life easy for skiddies, it has two reasons:

1. To force the programmers of the faulty code to fix it by giving them a deadline by which the exploit will be published. This in turn is because the black-hats will be passing the info around and the rest of us living in ignorance will lead to rooted systems eventually, even if the exploit is not disclosed. So there has to be a deadline to make sure the bug gets fixed quickly.
2. To test the manufacturer's claim that they've fixed the problem. It does happen that patches occasionally don't work.

The idea that full-disclosure means "immediate disclosure" is simply not true.

TWW

Re:There's no exploit

[nagora]

One would expect a rush of script kiddies against vulnerable machines....

How do you know there hasn't already been one. After all, security through obscurity means not telling users how bad things really are.

TWW

Re:The exploit

[nathanh]

Perhapse you could also explain why Linux kernels are still being released with glaring security and system bugs in them? (Every single 2.4.x release)? Hm? Maybe it's the SAME reason?

I daresay you're right. Now please explain to me why a free kernel which was written for motives other than profit and with no obligations to the user base, manages to produce code that is NO WORSE than an expensive piece of software from Microsoft that has gone through a proper software engineering process.

This is even more damning when you consider that Jim Allchin said

"Windows XP is dramatically more secure than Windows 2000 or any of the prior systems. Buffer overflow has been one of the attacks frequently used on the Internet. We have gone through all code and, in an automated way, found places where there could be buffer overflow, and those have been removed in Windows XP."

So Microsoft is even admitting that they went to extra effort this time to improve the quality of their code and they STILL can't beat the free software. Microsoft has all the funding to do security audits and all the facilities for code review yet they STILL produce software that is only just on-par with freeware!

Yes, Linux has problems. My incredulity stems from the fact that Microsoft has them too. If Microsoft wants to distinguish themselves from the freeware then they're going to have to offer something MORE than the freeware. Their history with security proves that they have nothing more to offer than something I can download for free.