WinXP Security Flaw
Many readers have submitted word of the newest security hole in Windows XP. joshjs, for instance, writes: "Don't know if this is common knowledge at this point or not, but apparently some security researchers discovered that Windows XP's universal plug and play features contain a huge security flaw: 'A Microsoft official acknowledged that the risk to consumers was unprecedented because the glitches allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet. ... Microsoft made available on its Web site a free fix for both home and professional editions of Windows XP and forcefully urged consumers to install it immediately.' Read more at the Washington Post's story." No OS is perfectly secure, but I bet a lot of new XP owners won't be too happy about this. Update: 12/20 20:05 GMT by T : fcrick submits a link to the same AP story at Wired, and several readers have pointed out that a patch is available. Update: 12/20 21:31 GMT by T : And as banuaba writes: "This hole also affects versions of 98 with XP File sharing installed and all versions of ME."
In the past, Microsoft has shrugged problems like this off extremely easily, great PR ya know. For some reason this one seems more severe to me. Will this one actually hurt MS on a larger scale? I'm doubting it, but I would like to see something rumble the giant. Wouldn't it be funny if the company's product ended up ruining the company? WHEEE =)
Can all fish swim?
Well technically this is probably true. There have been compromises of IIS, MSSQL, and other Microsoft products but the OS itself hasn't been vulnerable to such attacks until now.
Now granted, IIS comes with Windows so, is that really a separate component? Also, by the same logic, Linux has never been exploited either has it? I mean, does Linux run any network daemons on its own? No. So Linux, itself is bulletproof, it's just all those other things you put on top of it that can cause problems.
I just find it amusing how Microsoft keeps changing where they want to split their hairs when distinguishing between the OS and the applications. IE is part of the OS until it gets compromised and then suddenly it's a separate application.
This sig has been temporarily disconnected or is no longer in service
Win XP has a security problem which opens you up to attack the moment you connect to the net...
You need to connect to the net so you can get the patch from MS website....hmmmmmm...catch 22
So to safely get the patch from MS you have to find a non XP computer with a zip disk or a cd burner.....
Good thing there are 0.25 % of the desktops out there running Linux, so XP users can grab the patch they need off a secure net-enabled desktop....assuming MS lets non-IE browsers connect to the MS site to grab the patch.
-jef
Drizzle allows Microsoft to automatically download a fix to the user's machine and forcefully ask them to install it? WTF?
If Microsoft can force an automatic download, what's to stop anyone else?
How long til someone finds this "feature" and REALLY gives it to XP users?
By following the link on the MS Security Bulletin I received in my e-mail, and going through the update process, it took a whopping 5 minutes including the reboot.
:P
Now all that's required is that somebody take the total number of XP users, multiply it by 5 minutes, and then multiply it by some made-up figure for what the average IT worker makes per minute, and then the zealots will have some fuel for their fire. "Look, this latest bug cost the country a billion dollars!" While in actuality it didn't cost the country anything, and only cost each corporation a percentage of their annual revenue, small enough to be measured in millionths of a percentage point.
Gee, I think I just wasted more time posting this comment than it took to install the update
"No OS is perfectly secure, but I bet a lot of new XP owners won't be too happy about this."
No doubt many would be, if Microsoft would contact each and every registered user and explain it to them. As it is, most will never realize that the new computer they bought for Christmas is wide open for anyone to steal personal information, plant trojans, etc.
I think Microsoft should be required to mail a CD with the fix to every registered user of Windows XP, and explain in clear non-technical language what the security flaw is and why the patch is important. Hell, make 'em overnight it, too.
ZZZZZZZzzzzzzzzz....
Oh, hey, I must have dozed off... what a weird dream that was...heh...
Most of the time Windows does what they want it to do, without hassles. The security risks and the threat of MS abusing their personal freedoms are remote problems that don't impinge on the daily experience of web browsing, word processing, emailing, gaming, playing CDs... Sure, once in a while you get bit by a virus. And the cost is increasing. But there isn't an alternative that is as easy to use.
OK, argue with me, but I've been using Linux since before the birth of RedHat. Last month I spent a full day configuring my CD-ROM burner because of incomplete or wrong documentation. In windows it just works. Today I found a nifty software package, downloaded, unzipped, untarred, and it wouldn't run because of incompatible libraries. I try to update libraries and discover I'll break dependencies. Do I want to hassle with that? NO! Does Jane Doe want to hassle with that? Hell NO! Not when she can, using windows, double-click on Setup and let the install shield work -- which it does, most of the time.
We can gloat over how insecure windows is and how dumb the people who use it are, but that won't make more people use Linux. Many people want to ditch windows, but don't because they think, correctly, that Linux is too gear-headed. What will make them switch is if they see an alternative to windows that is at least as easy to use. The major distributors know this, and they have improved installation and the desktop environment fantastically in the past couple of years. But Linux needs an equivalent to windows' install shield so that application installation and removal is simple, transparent, and reliable.
It's the front end, stupid!
This is for those who are sympathetic to the MS responsible reporting policies:
The flaw, discovered five weeks ago, threatened to undermine widespread adoption of Microsoft's latest Windows software...
The company sold 25 million copies of Windows XP in the two weeks after it hit stores Oct. 25...
The company released a free fix Thursday.
So beyond consideration that MS delay releasing XP until this hole is fixed. The best thing to do is keep it secret (responsible reporting) until they get around to writing the patch sometime. In fact, the biggest threat here is that it will "undermine the adoption" of XP -- i.e. they might not sell as many copies if people know there is a huge hole in the OS. No mention of threat to users, etc.
For reference, look at the motorola exploit in the jargon file.
I wonder how many times this has to happen before people are convinced that making bugs available and publicly releasing exploit code is the only way that the big vendors will make security a top priority.
When in doubt, have a man come through a door with a gun in his hand.
Looking at this I do have to wonder will UPnP (Universal Plug and Play) be the next IIS in terms of exploits, viruses and worms?
This issue is the second major *known* problem with UPnP in as many months, both involving buffer overflows of some kinds (MS01-059 & MS01-054).
Since UPnP runs as a service with SYSTEM level authority, rooting it gives you god-like control over the system, so this falls under the heading of a bad thing. I seem to remember that it is installed by default (currently running w2k so I can't check if it is or not).
So what we have here is a service that seems to be exploitable, running a protocol similar to HTTP, that is installed by default and will be a total pain to turn off, assuming of course that Johnny Average User even realises it is turned on!
Getting the average user convinced to download patches for this sort of thing is going to be a hard sell, as there is no perceived benefit from downloading a file which corrects a fault in something you don't know is running, and even if you did, you don't fully understand the purpose of.
IIS had similar problems, not to mention a raft of exploits (I imagine these UPnP exploits are just the tip of the iceberg) and look what that became - one of the more popular webservers - both to host sites and to write worms for...
Seriously, when your copy of XP gets permission from you to install the patch, I wonder what else is going on? I bet stuff like this will keep happening every few months and people will keep installing these automatic drizzle downloads, and the whole time Microsoft is just raking in loads of personal information from your documents in... well... "My Documents."
~ now you know
We ran into this several months ago when we were testing some server software that we wrote. We were using port 5000 as a default. As soon as XP came out, we tested the software on it and found that we could not bind a server to port 5000 at all because it was taken. So naturally, we wondered, what in XP is listening on port 5000?
Turns out that Microsoft picked the same port for its Plug and Play architecture, which listens on it for a connection coming (presumably) through the local TCP/IP stack. The protocol is XML (maybe SOAP, can't remember). You can receive and send configuration information by using that port (the schema is somewhere on microsoft.com) and it occurred to me even then that this looked like a potential security hole. But, I thought, this is too blatantly obvious and surely Microsoft is not so stupid as to allow access to the PnP internals from nonlocal IPs. Right? So we simply moved our software's default port setting to another port and forgot about it.
Predictions:
The scandal will flow off MS in a day or two, like water off a duck's back.
The downloadable security patch will be bundled with the latest updates to Microsoft's digital rights management crap.
Every script kiddie will have a tool within the week that scans IP ranges on port 5000 in search of the machines that have remained unpatched.
The guy who publicized the flaw will be tried in a secret military tribunal as a cyberterrorist.
Microsoft might wish to use this flaw to justify a more granular license renewal scheme. Windows could disable its network interface every month, allowing the user only to connect to MSN to renew his license and download the latest bug fixes. That would enable a usage based pricing model. The people who use the software the most should pay the most, right?
-next we'll see an exploit that redirects a user to "auto-update" (or "drizzle" ??) to a nefarious website (rather than MS) that installs all sorts of back doors and vulnerabilities, leaving the box wide open!
BTW- whenever I hear the word "appliances," I envision a nightmarish world of trying to get the dishwasher to work amidst a storm of DOS attacks... or the house burning down because hackers made it into the oven (where I hid all those dirty dishes)... or all the wasted food from the email virus that defrosted the fridge, or waking up in the middle of the night in a sweat because someone turned the heat to 95
Those that suggest you "dance like no one is watching" really want to see you make a complete fool of yourself.
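The posts above note that XP's UPnP service listens on TCP port 5000 and predict scanners sweeping address ranges for unpatched hosts on that port. As an added defender's example (not code from the thread or from Microsoft), the script below parses constructed firewall log lines in an assumed `timestamp action proto src:port -> dst:port` format and flags any source that hits port 5000 on several distinct hosts within a short window, which is how such a sweep would show up in perimeter logs.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample firewall log lines (not from the page); format is assumed:
# <ISO timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
SAMPLE_LOG = """\
2001-12-20T20:05:01 DENY TCP 203.0.113.7:3311 -> 192.0.2.10:5000
2001-12-20T20:05:02 DENY TCP 203.0.113.7:3312 -> 192.0.2.11:5000
2001-12-20T20:05:03 DENY TCP 203.0.113.7:3313 -> 192.0.2.12:5000
2001-12-20T20:05:04 ALLOW TCP 192.0.2.30:1900 -> 192.0.2.31:5000
2001-12-20T20:05:05 DENY TCP 203.0.113.7:3314 -> 192.0.2.13:5000
2001-12-20T20:05:06 DENY TCP 203.0.113.7:3315 -> 192.0.2.14:5000
2001-12-20T20:09:30 DENY TCP 203.0.113.9:1025 -> 192.0.2.10:5000
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) (?P<proto>\w+) "
    r"(?P<src>[\d.]+):(?P<sport>\d+) -> (?P<dst>[\d.]+):(?P<dport>\d+)$"
)

def parse_line(line):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["dport"] = int(rec["dport"])
    return rec

def detect_port_sweeps(log_text, port=5000, min_hosts=4, window_seconds=60):
    """Return {src_ip: max distinct targets} for sources that touched `port` on
    at least `min_hosts` distinct destinations within any `window_seconds` span."""
    events = defaultdict(list)  # src -> [(ts, dst)] for traffic to the watched port
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec and rec["proto"] == "TCP" and rec["dport"] == port:
            events[rec["src"]].append((rec["ts"], rec["dst"]))
    sweeps = {}
    for src, hits in events.items():
        hits.sort()
        lo = 0
        for hi in range(len(hits)):  # sliding time window over this source's hits
            while (hits[hi][0] - hits[lo][0]).total_seconds() > window_seconds:
                lo += 1
            targets = {dst for _, dst in hits[lo:hi + 1]}
            if len(targets) >= min_hosts:
                sweeps[src] = max(sweeps.get(src, 0), len(targets))
    return sweeps
```

Running `detect_port_sweeps(SAMPLE_LOG)` on the constructed log flags only 203.0.113.7, which touched five hosts on port 5000 in five seconds; the single local SSDP-looking hit and the isolated later probe stay below the threshold.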
It's a shame that we all have to wait for 'issues to be resolved...' before using a 'new' OS, driver, or application. Common phrases heard in a real environment (real as in work/production, not home desktop or hack machine): "We're not upgrading until SP3 is available." "We advise you not to upgrade to RedHat 7.0." "Please wait at least until RedHat 7.1 is available." etc..
As maybe your atypical programmer, I take great care in my programming. If my name is going to be associated with it, I'm not releasing shit code. I work and have worked with programmers that knowingly code flawed code and rely on QA catching the problem to buy some time. How can someone do that? Turns my stomach. So what happens if you've got a careless programmer and careless QA? Big known bug-a-boo slips out the door.
All I really would like to say is take pride in your work. Be careful and don't release shit code. No, I don't write bug free code. Yes, I have missed deadlines, but only by days, not weeks/months. No, I've never gotten slack from missing a deadline b/c I spend less time in post support. I'd rather deal with issues up front while it's fresh in the head than to fuck with code several months after the fact.
*hops off soapbox*
The consideration of the dates is correct in that the OS was released before the "5 week report". However, consider if the bug was found just days before the release. Can you imagine the cost of replacing the existing copies? All the CDs shipped to stores would have to be essentially trashed and repackaged. Not only that, but the delay would get picked up by media in a negative light. Though I'm sure Microsoft has some lovely PR people who could ease the pain, but it wouldn't be a good start for such a flagship product.
Note I didn't mention OEM installations; they can delay by another day or two, and besides, it's only a new HD image they have to write out.. unless the OEM already packaged the boxen, then it is a bit different...
Never hit your grandmother with a shovel, for it leaves a bad impression on her mind...