FBI, Pentagon Talk to MS about XP Hole

(eternal_software) writes: "The Associated Press is reporting that the FBI and Defense Department are talking to Microsoft about the serious flaws found in the XP operating system. As we all know, the most recent flaw allowed any XP machine to be hijacked simply by connecting it to the internet. The government is getting involved because of growing U.S. concerns about risks to the 'net as a whole." In fact, the FBI would like you to go a bit beyond the MS patch. davecl points out the updated page put out by the National Infrastructure Protection Center about this vulnerability as well.

National/International Security Concerns

[ackthpt]

Utterly fascinating that the DoJ (FBI) is looking into these flaws for the difficulty exploits could cause people, after basically letting M$ off the hook in the monopoly punishment phase. Hope the states prevail, and if you haven't written your opinion in (to the court), here's another reason why monopoly for a universally adoptedand used O/S is bad.

Public comment is invited within 60 days of the date of this notice. Such comments, and responses thereto, will be published in the Federal Register and filed with the Court. Comments should be directed to Renata Hesse, Trial Attorney, Suite 1200, Antitrust Division, Department of Justice, 601 D Street NW, Washington, DC 20530; (facsimile) 202-616-9937 or 202-307-1545; or e-mail microsoft.atr@usdoj.gov. While comments may also be sent by regular mail, in light of recent events affecting the delivery of all types of mail to the Department of Justice, including U.S. Postal Service and other commercial delivery services, and current uncertainties concerning when the timely delivery of this mail may resume, the Department strongly encourages, whenever possible, that comments be submitted via email or facsimile.

After all the blather and FUD from Redmond, they again pushed a product out the door with great media hype which is again unsecure. It would be so ironic if Microsoft were punished for this kind of negligence after getting a slap on the wrist. I don't expect that to happen though.

UPNP is all about handling NATed devices

[weave]

I haven't seent his mentioned much, but UPNP is all about handling NATed devices. There is a UPNP SDK developed for Linux, but until someone builds a useful kernel module out of it, Linux users are SOL (or maybe they are fortunate).

Why care? Well, I found out after installing MSN Messenger that most of the features are useless behind a NATed network unless your router/firewall understands UPNP. Of course, Microsoft ICS and Servers understand it. I was getting frustrated since I couldn't use MSN messenger except for messages behind my home linux firewall. ICQ features like file transfer work fine by port forwarding the necessary ports or using a kernel module for it.

So, here's the interesting bit. UPNP works by telling the other client on the other end what your private IP address is. Microsoft's docs say this is necessary for the other client to be able to find out how to talk back to you. I think this is stupid. The other end of an MSN connection just needs to look at the source IP in the packets it receives and just send there and hope the owner of the IP knows what to do.

However, UPNP apparently knows how to handled multiple chains of NAT networks, kinda like I guess an old fashioned UUCP bang path. Problem is, it seems like one can modify that "bang path" to route return packets to false places. Can you say DDOS?

So I sent a rant to my friends about this on December 10, and about how UPNP is a security hole waiting to happen according to posts I read out of google searches...

Here's my rant...

I read the tech article about msn messenger and NAT devices. In order to do pretty much anything beyond chat, you can't be behind a NAT device unless that NAT device is a Microsoft device.

Basically, it suggests installing Windows ICS for home users and corporate users should use a 2000 server for NAT and msn's extra features will work.

Fuckers...

ICQ works just fine behind a NAT. They are basically just trying once again to leverage one product to sell another....

Their explanation is that the client must send its IP address to the other user so it knows where to send files, audio, video, etc, and since it's got a private IP, it screws up. So it needs to query the NAT device for what ITS IP is. But that's really stupid since there is already a connection open for chatting and all the other client has to do is look at that connection for the source IP and use that instead and everything else would just work....

Someone on a newsgroup said this is another security hole waiting to happen. Basically, it's trusting client for security. I send a connection to your msn messenger client and tell it what IP to send its stuff to? What if I send it the IP address of someone I am trying to DOS? Arrgh...

They'll never learn...

Microsoft claims UPNP is a universal open standard. It'd be interesting to learn more about its origins and who is really controlling development of it, security of it, etc. Microsoft claims all manner of peripheral vendors will be supporting it.

Is the concept itself as flawed as it seems, or is this just yet another case of Microsoft's implementation of something being flawed?