Slashdot Mirror


FBI, Pentagon Talk to MS about XP Hole

(eternal_software) writes: "The Associated Press is reporting that the FBI and Defense Department are talking to Microsoft about the serious flaws found in the XP operating system. As we all know, the most recent flaw allowed any XP machine to be hijacked simply by connecting it to the internet. The government is getting involved because of growing U.S. concerns about risks to the 'net as a whole." In fact, the FBI would like you to go a bit beyond the MS patch. davecl points out the updated page put out by the National Infrastructure Protection Center about this vulnerability as well.

14 of 405 comments

  1. Serious Stuff by smooc · · Score: 2, Informative

    Although I refuse to put a Windows box directly on the internet (and btw neither a linux box) even for home use, I know a lot of people who do.
    Especially all the unaware home users like my landlord, for example. For system admins it is already difficult to keep up to date with all the patches even with the various *update programs; at least they are firewalled.

    And yet they (the home users) are the most vulnerable!

    And Microsoft proclaimed this was its most secure OS ever.

    --
    - In Memoriam: Jeroen de Bruin (1972-2004), bye bro
  2. National/International Security Concerns by ackthpt · · Score: 5, Informative
    Utterly fascinating that the DoJ (FBI) is looking into these flaws for the difficulty exploits could cause people, after basically letting M$ off the hook in the monopoly punishment phase. Hope the states prevail, and if you haven't written your opinion in (to the court), here's another reason why a monopoly for a universally adopted and used O/S is bad.

    Public comment is invited within 60 days of the date of this notice. Such comments, and responses thereto, will be published in the Federal Register and filed with the Court. Comments should be directed to Renata Hesse, Trial Attorney, Suite 1200, Antitrust Division, Department of Justice, 601 D Street NW, Washington, DC 20530; (facsimile) 202-616-9937 or 202-307-1545; or e-mail microsoft.atr@usdoj.gov. While comments may also be sent by regular mail, in light of recent events affecting the delivery of all types of mail to the Department of Justice, including U.S. Postal Service and other commercial delivery services, and current uncertainties concerning when the timely delivery of this mail may resume, the Department strongly encourages, whenever possible, that comments be submitted via email or facsimile.

    After all the blather and FUD from Redmond, they again pushed a product out the door with great media hype which is again insecure. It would be so ironic if Microsoft were punished for this kind of negligence after getting a slap on the wrist. I don't expect that to happen though.

    --

    A feeling of having made the same mistake before: Deja Foobar
  3. Re:all rightey then! by lseltzer · · Score: 2, Informative

    Three options, and it asks you which you want:

    1) download updates automatically and ask the user whether to install them
    2) notify the user automatically that updates are available and ask them whether to download and install them
    3) none of this

  4. It's to be expected... by jmichaelg · · Score: 3, Informative

    ...that security will suffer when you make an OS too easy to use. It's an age-old tradeoff: security vs. ease of use. Moreover, with more features comes more complexity, and with more complexity come more security holes.

    Don't want to check to see if there's a patch needed for your OS? Don't worry, we'll have the OS check for you. We can't guarantee that your computer will be talking to our servers when it downloads the patches but hey! it'll be automatic! Come to think of it, we can't even secure our own servers so we're not too sure what you'll be downloading even if you are talking to our servers but hey! - it's automatic!

    I can't think of a better argument for limiting the services an OS provides than this fiasco.

  5. UPNP is all about handling NATed devices by weave · · Score: 5, Informative
    I haven't seen this mentioned much, but UPNP is all about handling NATed devices. There is a UPNP SDK developed for Linux, but until someone builds a useful kernel module out of it, Linux users are SOL (or maybe they are fortunate).

    Why care? Well, I found out after installing MSN Messenger that most of the features are useless behind a NATed network unless your router/firewall understands UPNP. Of course, Microsoft ICS and Servers understand it. I was getting frustrated since I couldn't use MSN messenger except for messages behind my home linux firewall. ICQ features like file transfer work fine by port forwarding the necessary ports or using a kernel module for it.

    So, here's the interesting bit. UPNP works by telling the other client on the other end what your private IP address is. Microsoft's docs say this is necessary for the other client to be able to find out how to talk back to you. I think this is stupid. The other end of an MSN connection just needs to look at the source IP in the packets it receives and just send there and hope the owner of the IP knows what to do.

    However, UPNP apparently knows how to handle multiple chains of NAT networks, kinda like I guess an old-fashioned UUCP bang path. Problem is, it seems like one can modify that "bang path" to route return packets to false places. Can you say DDOS?

    So I sent a rant to my friends about this on December 10, and about how UPNP is a security hole waiting to happen according to posts I read out of google searches...

    Here's my rant...

    I read the tech article about msn messenger and NAT devices. In order to do pretty much anything beyond chat, you can't be behind a NAT device unless that NAT device is a Microsoft device.

    Basically, it suggests installing Windows ICS for home users and corporate users should use a 2000 server for NAT and msn's extra features will work.

    Fuckers...

    ICQ works just fine behind a NAT. They are basically just trying once again to leverage one product to sell another....

    Their explanation is that the client must send its IP address to the other user so it knows where to send files, audio, video, etc, and since it's got a private IP, it screws up. So it needs to query the NAT device for what ITS IP is. But that's really stupid since there is already a connection open for chatting and all the other client has to do is look at that connection for the source IP and use that instead and everything else would just work....

    Someone on a newsgroup said this is another security hole waiting to happen. Basically, it's trusting the client for security. I send a connection to your msn messenger client and tell it what IP to send its stuff to? What if I send it the IP address of someone I am trying to DOS? Arrgh...

    They'll never learn...

    Microsoft claims UPNP is a universal open standard. It'd be interesting to learn more about its origins and who is really controlling development of it, security of it, etc. Microsoft claims all manner of peripheral vendors will be supporting it.

    Is the concept itself as flawed as it seems, or is this just yet another case of Microsoft's implementation of something being flawed?

    1. Re:UPNP is all about handling NATed devices by weave · · Score: 3, Informative

      Sorry, bad link in my comment above. The UPNP Linux SDK is at upnp.sourceforge.net

  6. Re:did anybody notice this.... by mESSDan · · Score: 3, Informative

    No, it is a part of XP, in the system properties, it's called Automatic Updates. It's also available in Win98/ME through the Critical Updates program you can get through Windows Update. You can turn it off at will.

    --

    -- Dan
  7. Does it? by barzok · · Score: 3, Informative

    I set up an XP Home Edition box on 12/14 and after installation, went to Windows Update. Found a dozen (4 critical, 4 non-critical) updates waiting for me.

  8. Re:Trust us! by Oily+Tuna · · Score: 2, Informative

    You can disable UPnP and SSDP before connecting. Instructions for doing this can be found by non-internet means.

    net stop ssdpsrv
    net stop upnphost

    --
    Mmmmmmm ... sushi.
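The two `net stop` commands in the comment above only stop the services until the next reboot, because they do not change the services' startup type. The following PowerShell script is an added example, not part of the Slashdot thread, showing how a defender would stop both services and keep them from restarting, then verify the result. It assumes an elevated PowerShell session (3.0 or later, for `Get-CimInstance`) on a Windows host where the services `SSDPSRV` (SSDP Discovery) and `upnphost` (UPnP Device Host) exist; on hosts without them the loop simply reports that and moves on.

```powershell
# Added example, not from the thread: stop and disable SSDP Discovery and
# UPnP Device Host, then verify. Assumes an elevated PowerShell session.
# upnphost depends on SSDPSRV, so stop the dependent service first.
$services = 'upnphost', 'SSDPSRV'

foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) {
        Write-Output "$name : not present on this host, skipping"
        continue
    }

    # 'net stop' alone leaves the startup type untouched, so the service
    # returns at the next boot; stop it now AND disable it.
    if ($svc.Status -eq 'Running') {
        Stop-Service -Name $name -Force
        Write-Output "$name : stopped"
    }
    Set-Service -Name $name -StartupType Disabled
    Write-Output "$name : startup type set to Disabled"
}

# Verify: State should be 'Stopped' and StartMode 'Disabled' for both.
Get-CimInstance -ClassName Win32_Service |
    Where-Object { $services -contains $_.Name } |
    Select-Object Name, State, StartMode |
    Format-Table -AutoSize
```

Run the script once before the machine is first connected to the network, and re-run the verification block after applying the vendor patch, since some updates and "repair" operations reset service startup types to their defaults.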
  9. Re:Just a thought/Microsoft a target? by fanatic · · Score: 3, Informative
    Microsoft might be on their list for these reasons:

    How about the biggest reasons:
    • They hire lots of foreign programmers (see their support for H1B visas), making them pathetically easy to infiltrate
    • they neither know nor care about security - never have, never will, couldn't fix it if they wanted to because their corporate culture is 'features, Features, FEATURES!'
    --
    "that's not encryption - it's a new perl script that I'm working on..." - from some Matrix parody
  10. Gov shouldn't be using MS anyway by MrResistor · · Score: 3, Informative
    That statement isn't meant from the point of view of OSS zealotry (although I certainly have some feelings in that direction), but because the NSA has never rated an MS product as being secure in a networked environment. Part of the NSA's job is to issue information security recommendations, which other agencies are then supposed to use when putting together their systems.

    IIRC, NT at some point was rated secure when not networked.

    --
    Under capitalism man exploits man. Under communism it's the other way around.
    1. Re:Gov shouldn't be using MS anyway by SuiteSisterMary · · Score: 3, Informative

      An OS is never rated secure; a system is rated secure. That includes OS, hardware, programs running, and physical setup, among several other things. Note that most standard UNIX systems are immediately disqualified from the first 'secure' rating of C2 because they tend not to have ACLs, among other requirements.

      --
      Vintage computer games and RPG books available. Email me if you're interested.
  11. NTFS Journaling by _Sprocket_ · · Score: 3, Informative
    How much longer has Windows (NT) had a journaling filesystem than Linux?

    My understanding is that NTFS' journaling was rudimentary at best. It hasn't been until its recent incarnation (introduced with Win2k) that it's managed anything close to a true journaling file system.
  12. Did you say "Free Karma"? by Dog+and+Pony · · Score: 2, Informative

    Hehe. Worth a try, I guess. Here is one link about that very thing:

    You are welcome. :)