Slashdot Mirror
WinXP Security Flaw
Many readers have submitted word of the newest security hole in Windows XP. joshjs, for instance, writes: "Don't know if this is common knowledge at this point or not, but apparently some security researchers discovered that Windows XP's universal plug and play features contain a huge security flaw: 'A Microsoft official acknowledged that the risk to consumers was unprecedented because the glitches allow hackers to seize control of all Windows XP operating system software without requiring a computer user to do anything except connect to the Internet. ... Microsoft made available on its Web site a free fix for both home and professional editions of Windows XP and forcefully urged consumers to install it immediately.' Read more at the Washington Post's story." No OS is perfectly secure, but I bet a lot of new XP owners won't be too happy about this. Update: 12/20 20:05 GMT by T : fcrick submits a link to the same AP story at Wired, and several readers have pointed out that a patch is available. Update: 12/20 21:31 GMT by T : And as banuaba writes: "This hole also affects versions of 98 with XP File sharing installed and all versions of ME."
Plug your XP box to the internet and pray for the hackers not to find it.
Pedro Côrte-Real.
It's not really Microsoft's fault, if this guy would've stayed quiet then WinXP would still be secure today.
The information from Microsoft regarding this can be found here, as well as a patch.
"Oh, you wanted a DOOR to hang that lock on.... Sure, I guess we could do that..."
Is there any MS Windows XP bug counter on the web? Something like:
I think it would be funny, we could also compare with Linux 2.4.x bugs. And maybe we can also have a Score thing, or something like /.
Any suggestion? Any website that already do this?
-=-=-=-=
I know life isn't fair, but why can't it ever be un-fair in MY favor!?
"This is the first network-based, remote compromise that I'm aware of for Windows desktop systems," said Scott Culp, manager of Microsoft's security response center."
This speaks for itself
Burn Hollywood Burn
"What rock has he been smoking" is perhaps more appropriate.
cat
It's so neat to see "Intel Inside" and "Windows" stickers on all these nice software boxes. With Microsoft's new dedication to security, I'm thinking its time we print up some nice "RedCode Enabled" or "Nimda Friendly" stickers. Then all I anyone needs to do is make a visit to the local computer outlet to upgrade the Windows OS boxes they have out on the shelves to buy.
When the big virus/worm/... that exploits this hole is announced, maybe we can print up stickers to apply to all those nice shiny new XP boxes.
Now Windows XP offers strong security to home computer users through Internet Connection Firewall protection, which makes your information, computers, and family data safer from intruders as soon as you start using Windows XP.
I guess that helped a lot.
"I don't know half of you half as well as I should like, and I like less than half of you half as well as you deserve."
And now, this is a security hole. Man, nowaday, you can't know for sure if it's a bug or a feature anymore.
Well technically this is probably true. There have been compromises of IIS, MSSQL, and other Microsoft products but the OS itself hasn't been vunerable to such attacks until now.
Now granted, IIS comes with Windows so, is that really a seperate component? Also, by the same logic, Linux has never been exploited either has it? I mean, does Linux run any network daemons on it's own? No. So Linux, itself is bulletproof, it's just all those other things you put on top of it that can cause problems.
I just find it amusing how Microsoft keeps changing where they want to split their hairs when distinguishing between the OS and the applications. IE is part of the OS until it gets compromised and then suddenly it's a seperate application.
This sig has been temporarily disconnected or is no longer in service
tally of said security issues as they pop up and then document how long it takes Microsoft to fix them-- before and after the bug is publically exposed.
I would be interested to see captured on a yearly basis the bug count of Microsoft products versus some open source products including how long each bug took to get fixed and the severity of each bug.
Microsoft is good a spreading FUD-- but facts are hard to beat and gobbled up by the media.. I'd be willing to volunteer my time to anybody with a server and some bandwidth for a project like this: just tell me what you need me to do.
Do not spread "09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0" over the internet, thank you.
What the article doesn't mention is that Windows 98 with XP sharing is also affected, and that any version of Windows ME is affected as well.
If you are running Windows 98 or ME, you should immediately go to Microsoft's website and download the patch for your system.
A more technical description can be found here.
Windows 2000 is not affected.
Simpli - Your source for San Jose dedicated servers and colocation!
It's all in the spin...
"desktop system" means not running any servers
"compromise" doesn't include DoS (ping of death, etc)
"remote" apparently means the user doesn't have to do anything. I mean, come on, when you try to read your mail with Outlook Express, everyone knows that your system is as good as cracked already.
I have know idea why he used the phrase 'network-based, remote' Is there some other remote way of talking to Microsoft computers? Some radio signal you can send that instantly gives you full access?
Stupid job ads, weird spam, occasional insight at
"Over four hours without a remote hole in the default install!"
The Universal Plug and Play (UPnP) service allows computers to discover and use network-based devices. Windows ME and XP include native UPnP services; Windows 98 and 98SE do not include a native UPnP service, but one can be installed via the Internet Connection Sharing client that ships with Windows XP. This bulletin discusses two vulnerabilities affecting these UPnP implementations. Although the vulnerabilities are unrelated, both involve how UPnP-capable computers handle the discovery of new devices on the network.
The first vulnerability is a buffer overrun vulnerability. There is an unchecked buffer in one of the components that handle NOTIFY directives - messages that advertise the availability of UPnP-capable devices on the network. By sending a specially malformed NOTIFY directive, it would be possible for an attacker to cause code to run in the context of the UPnP service, which runs with System privileges on Windows XP. (On Windows 98 and Windows ME, all code executes as part of the operating system). This would enable the attacker to gain complete control over the system.
The second vulnerability results because the UPnP doesn't sufficiently limit the steps to which the UPnP service will go to obtain information on using a newly discovered device. Within the NOTIFY directive that a new UPnP device sends is information telling interested computers where to obtain its device description, which lists the services the device offers and instructions for using them. By design, the device description may reside on a third-party server rather than on the device itself. However, the UPnP implementations don't adequately regulate how it performs this operation, and this gives rise to two different denial of service scenarios.
In the first scenario, the attacker could send a NOTIFY directive to a UPnP-capable computer, specifying that the device description should be downloaded from a particular port on a particular server. If the server was configured to simply echo the download requests back to the UPnP service (e.g., by having the echo service running on the port that the computer was directed to), the computer could be made to enter an endless download cycle that could consume some or all of the system's availability. An attacker could craft and send this directive to a victim's machine directly, by using the machine's IP address. Or, he could send this same directive to a broadcast and multicast domain and attack all affected machines within earshot, consuming some or all of those systems' availability.
In the second scenario, an attacker could specify a third-party server as the host for the device description in the NOTIFY directive. If enough machines responded to the directive, it could have the effect of flooding the third-party server with bogus requests, in a distributed denial of service attack. As with the first scenario, an attacker could either send the directives to the victim directly, or to a broadcast or multicast domain.
Mmmmmmm
Oh the fun you could have with BackOrificeXP right now... User tries to get patch, Evil haX0r-d00d shoots out a pop-up and mp3: a little Strauss music and a MsgBox reading, "I don't think I can let you do that, Dave."
woof.
[1] As opposed to that Win95 "fix" they called Win98 that you had to pay for.
How do you forcefully urge people?
Along similar lines of "Writing Solid Code".
Wait for it, wait for it...
"Writing Secure Code"
Haven't you seen the commercials? A huge multi-media advertising blitz to tell us all that _Everything_ is easier in XP.
-JDF
"Anyone with any kind of "always on" connection would have to be an idiot to not engage some kind of firewall for their connection."
what about those "idiots" that aren't computer literate and that dont know what a firewall even is?
Thanks to file sharing, I purchase more CDs
Thanks to the RIAA, I buy them used...
about the same amount of time that MicroSoft said that installing XP would save?
Thanks to file sharing, I purchase more CDs
Thanks to the RIAA, I buy them used...
XP is an inmature OS. There are going to be tons of problems, just like any other new OS.
Why company would switch to ANY OS that is less then 3 years old is beyond me.
The Kruger Dunning explains most post on
This is for those who are sympathetic to the MS responsible reporting policies:
The flaw, discovered five weeks ago threatened to undermine widespread adoption of Microsoft's latest windows software...
The company sold 25 million copies of Windows XP in the two weeks after it hit stores Oct. 25...
The company released a free fix thursday.
So beyond consideration that MS delay releasing XP until this hole is fixed. The best thing to do is keep it secret (responsible reporting) until they get around to writing the patch sometime. In fact, the biggest threat here is that it will "undermine the adoption" of XP -- i.e. they might not sell as many copies if people know there is a huge hole in the OS. No mention of threat to users, etc.
For reference, look at the motorola exploit in the jargon file.
I wonder how many times this has to happen before people are convinced that making bugs available and publicly releasing exploit code is the only way that the big vendors will make security a top priority.
When in doubt, have a man come through a door with a gun in his hand.
Comments: First, don't mod me up as "informative"; I didn't write any of that. If you're considering modding me up as informative, consider unchecking "willing to moderate" or at least read the moderator guidelines. Second, does MS put out products with such glaring, horrible security flaws *on purpose*? As far as I know, the UPNP feature is brand new, so it shouldn't be based on any existing code base, yet MS programmers are *still* using unsafe commands (presumably) and not doing bounds checking. This is a buffer overflow vulnerability in a new product, for fuck's sake.
-Legion
I am sure this will give new Compaq, Dell, Gateway, and HP buyers some pause
... well, they don't know enough to care. Who does that leave?
People who know this is just the latest symptom of Microsoft's general neglect for security won't be buying XP anyway. Those who believe Microsoft deserves their dominant position because they are the best will see that there is already a patch. Those who don't know enough to know why they should care
Nope, no sig
...what makes this any different from any other version of Windows?
The best way to secure a Windows box is to take a pair of scissors to the ethernet cable.
- A.P.
"Remember when the U.S. had a drug problem, and then we declared a War On Drugs, and now you can't buy drugs anymore?"
For all you Linux-heads that haven't installed XP, the installer determines by asking you if you are connected directly to the Internet or if you are connected to a LAN --- if you're directly connected, YOUR CONNECTION IS AUTOMATICALLY FIREWALLED. Which means, that if MS did its math correctly, most people connecting to the Internet should already be protected, patch aside.
Now, what if you're on a LAN? You should already be behind a firewall. So theoretically the only people vulnerable are corporate users vulnerable from attacks INSIDE the company. That narrows it down, doesn't it?
Ooooh, it's a bug!! So what?!? I believe "security by obscurity" has proven to work this time. When did /. hear about this bug? Today. When was the patch released? Prolly before we heard about it. Nuff said.
But then, you know, Linux doesn't have bugs (eyeroll). Why is it that when Win* has bugs, it's headline news on /., but all the bugs in the 2.4 kernel go unnoticed? Oh yeah, heh, I forgot, this is Slashdot. Honestly, guys, grow up.
Like all the Linux boxen running pretty much any version of wu-ftpd and vulnerable versions of BIND (and there are A LOT) are safe. Hah. Why don't you look at the fact before you start posting flamebait......
...safer from intruders as soon as you start using Windows XP
But is it faster and more fun? I'm still waiting for that promised Windows 95 feature to be implemented in ANY version of Windows.
--
"Outlook not so good." That magic 8-ball knows everything! I'll ask about Exchange Server next.
"Linux" as a trademark is owned by Linus. Not the software.
The GNU affects you only if you wish to redistribute GNU copyrighted software. It is not an EULA, and no one is "licensed" to use or install GNU Software. Anyone can install/configure/run/modify it however they want.
When in doubt, have a man come through a door with a gun in his hand.
There have been a number of remote exploits in Win9x filesharing, first of all. I don't know of anything affecting an "out of the box" installation, but if you had a Win95 box that had any writeable shares, even password protected ones, even deeply nested in the filesystem ones, your computer could have been remotely compromised.
Secondly, does anyone remember a little thing called Outlook Express? Sure, most of the popular worms exploited the unpatchable "Stupid User" bug, but there have been at least two that left your computer remotely compromisable from just the Preview pane of the email (thanks to HTML buffer overflows) and one that would let your computer be compromised as email was downloaded (thanks to email header buffer overflows). Of course, the preview pane bugs were really Microsoft HTML component bugs, so could be triggered by Internet Explorer hitting a malicious page even if you didn't use Outlook.
And if there's one thing that Microsoft has taught us, it's that Internet Explorer is an essential part of the Windows(TM) Operating System eXPerience.
You aren't bugged as much if you uninstall Windows Messenger (ignoring that Microsoft says you're SOL if you're not running Home Edition.) Then again, you also aren't bugged if you take Windows XP off the system completely, which also helps you with today's little bug as well. I'm glad I did last week, even though I only used it for games and DVDs...
He is refering to the operating system proper, not applications like IIS. According to him this is the first remote exploit of the Windows OS itself which allows an attacker to take over the computer. As far as I can remember, he is correct.
So, what crack pipe have you been puffing on?
We ran into this several months ago when we were testing some server software that we wrote. We were using port 5000 as a default. As soon as XP came out, we tested the software on it and found that we could not bind a server to port 5000 at all because it was taken. So naturally, we wondered, what in XP is listening on port 5000?
Turns out that Microsoft picked the same port for its Plug and Play architecture, which listens on it for a connection coming (presumably) through the local TCP/IP stack. The protocol is XML (maybe SOAP, can't remember). You can receive and send configuration information by using that port (the schema is somewhere on microsoft.com) and it occurred to me even then that this looked like a potential security hole. But, I thought, this is too blatantly obvious and surely Microsoft is not so stupid as to allow access to the PnP internals from nonlocal IPs. Right? So we simply moved our software's default port setting to another port and forgot about it.
Predictions:
The scandal will flow off MS in a day or two, like water off a duck's back.
The downloadable security patch will be bundled with the latest updates to Microsoft's digital rights management crap.
Every script kiddie will have a tool within the week that scans IP ranges on port 5000 in search of the machines that have remained unpatched.
The guy who publicized the flaw will be tried in a secret military tribunal as a cyberterrorist.
>
>You don't think the Feds dropped the antitrust case for nothing, do you?
I may have misadjusted my tinfoil hat this morning, but it struck me that a PC configured to send out unicast malformed NOTIFY messages to exploit the previously-undisclosed UPnP hole on a specific target machine... well, it'd look to the UPnP service like piece of hardware. Hardware like a lantern, if you will, shining a light on the suspect's machine... *evil grin*
At risk of losing all my karma, but here goes.... if you enable XP's built in firewall on a network interface, you'll discover that you can no longer connect to the universal plug and play service on that interface. So yes, it helps a lot actually!
Lead developer, http://wisptools.net
The GPL is a EULA..
EULA = "End User License Agreement". They are a way of taking away user's first sale rights. The GPL does not try to foist any license agreement on end users. In fact it states
5. You are not required to accept this License, since you have not signed it. However, nothing else grants you permission to modify or
distribute the Program or its derivative works.
So you are confusing a license to redistribute something (which is required for all copyrighted works) with a license to use a copyrighted work. Microsoft has the latter in the form of EULA. Linux doesn't. Microsoft has the former in the form of often secret agreements with OEMs. Linux has the former with the publicly available GPL. Apples and oranges.
When in doubt, have a man come through a door with a gun in his hand.
Imagine this scenario:
:-)
1. your off-the-cd version of windows XP is vulnerable.
2. You connect to the internet to download all of the security patches.
3. WAMMO! you get struck by this code red XP exploit.
4. It get's installed before you have had a chance to install the patch.
5. It recognises the security update patch and silently/secretly ignores it.
6. Your system is still rooted, you believe you have patched your system, you don't realise until you run your favourate virus checker, Code Red XP notices and nukes your system.
7. You blame your virus software for destroying your computer and reinstall windows XP off the CD...
8. goto 1
Believable scare-mongering?
I think it's you who hasn't read it.
From memory:
"You do not have to agree to this license, because you have not signed it. However, nothing else gives you permission to redistribute or modify the software. Therefore, by redistributing or modifying the software, you indicate your agreement to this license."
(I'm sure I've got the wording wrong, but equally sure that I have the meaning correct[1]).
Note specifically that it does *not* say "nothing else gives you permission to USE the software" or "by USING the software". The GPL does not restrict use of the software in any way.
By contrast, every MS or Oracle license includes restrictions on the use of the software and requires you to agree to it (usually by a click-through) before using the software at all.
Did it honestly never occur to you that there might be a reason that you don't have to click-through the GPL before using linux or other GPL'd software?
Stuart.
[1] Sure, I could have gone to that URL and copy'n'pasted the appropriate text. I deliberately didn't do so, in the hope that the fact that I can quote the relevant section almost-verbatim from memory indicates that I know the contents of the GPL pretty well. Feel free to compare my version with the actual text - if there's any substantial difference in meaning, I'll eat my hat.
How are *users* supposed to know about this?
I mean, it's OK for you and me, we read techie web sites like slashdot, and I'm subscribed to bugtraq. But 99.9% of the public out there aren't.
So, somewhere informative should be yelling and screaming about a problem like this that affects pretty much everyone with WinME or XP.
So, I check MS's website.
Top article with the biggest link? No. That goes to 'Give the gift of Internet for Christmas', an advert for MSN.
Ah, there's a Windows section just beneath - surely it'll be there? Nope. "Music, movies and more".
Maybe it counts as 'News'? "Test Results In - Windows XP more reliable" (at least if its getting your computer rooted you're after).
Downloads perhaps? An item at least for a security fix - the Internet Explorer one discussed last week, but no mention of any XP patches. Not even if I click "More downloads".
Maybe if you click on the 'Windows' section? No mention. But that's for the Windows XP Home edition. Maybe the Pros think it's more useful? No. "Turn your computer into an entertainment center" - very professional.
Aha - finally found it; chose a link from the Windows XP Home page to the Windows XP home page (note capitalisation difference) and theres a small link there "Important! Security patch for Windows XP and Windows ME users" on a page that apparently has the main intention of allowing people to choose whether they want the home edition or the professional edition sites, neither of which has the link.
Oh, and as an aside, is it just me, but I'm using Internet Explorer 5 with default font size settings, on Win NT 4 with default font size settings, and some of the text on the security bulletin is only about 6 pixels tall and is utterly unreadable because of this?
The idea that full-disclosure means "immediate disclosure" is simply not true.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
How do you know there hasn't already been one. After all, security through obscurity means not telling users how bad things really are.
TWW
"Encyclopedia" is to "Wikipedia" what "Library" is to "Some people at a bus stop"
Ha! I heard this on AM radio before I heard it on Slashdot.
_______
2B1ASK1
Well, who needs FBI's "Magic lantern" when Bill is already sitting in the box, operating his full stadium light show at port 1900 ?
:-)
"No OS is perfectly secure, but I bet a lot of new XP owners won't be too happy about this."
Perhaps fewer than you might think, because first they have to know about the hole, then they have to care . In my experience, the average joe doesn't understand the implications at all, and asks "why would anyone want to break into my system anyway? I have nothing of interest or value there."
As Slashdotters we tend to highly over-estimate the level of understanding of the average joe with regard to security issues and YRO in general. Sad, but all too true 8^{
Guns don't kill people; Physics kills people! - John Lithgow as Dick Solomon on Third Rock From The Sun
Folks,
I think at least Microsoft has done something to immediately close this security hole.
If you want to get notification of any security patches for any Microsoft product, their security web page (www.microsoft.com/security) allows you to sign for for an email notification service that gives email warnings about possible security problems and available patches to correct said problem.
It's also a good practice to regularly visit the Windows Update web page (windowsupdate.microsoft.com). That page has Critical Updates that includes security patches.