Microsoft States Full TCP/IP Too Dangerous

daria42 writes "To fully implement the TCP/IP protocol in Windows XP would make creating denial of service attacks 'entirely too trivial', Microsoft has claimed. The company was responding to claims by Nmap author and well-known security expert Fyodor that by repeatedly disabling the ability to send TCP/IP packets via the 'raw sockets' avenue, Microsoft was asking the security community to 'pick their poison': either cripple their operating system or leave it open to hackers. Admitting that a recent security patch had intentionally disabled a community-developed workaround to Microsoft's TCP/IP changes - which were first implemented in Windows XP Service Pack 2 - the company claimed it had received little negative feedback on the issue."

News Flash: Butter is good on toast!

[TripMaster+Monkey]

News Flash: Butter is good on toast!

From the Article:

"Supporting packet sends from simple user-mode raw sockets makes it entirely too trivial for compromised systems under control of hackers to launch massive distributed denial of service attacks," Microsoft warned in a statement to ZDNet Australia .

Interesting that M$ sees fit to lecture us on the dangers of raw sockets now, given their prior stand on the issue.

Re:News Flash: Butter is good on toast!

[Deathlizard]

True, but you can make it very difficult to change it.

For example, you can make it an addon in "Add/remove Programs" like they do with UPNP. that way, in most cases you would need to put the Windows XP CD into the machine in order to install open Raw Sockets.

Yes the malware could include the files to install Unrestriced Raw sockets, but if the files to enable Raw Sockets are protected and restriced correctly it would be dfficult for any program other than Windows to modify them.

Ulterior motives

[bmw]

It's quite obvious that Microsoft has other motives for doing this as this really doesn't do anything to improve security. As was quoted in the article, Fyodor correctly points out that Windows (AFAIK) is the only operating system to put such restrictions on raw sockets and it certainly has not helped their dismal security.

Of course, there's always the possibility of ignorance...

Never attribute to malice that which is adequately explained by
stupidity.

but I really have to doubt that Microsoft is quite this dumb. They've got a lot of really tallented people working there so you have to think that someone would have thought about this. Then again, they have demonstrated a supreme lack of understanding when it comes to security so who knows.

Re:Ulterior motives

Then again, they have demonstrated a supreme lack of understanding when it comes to security so who knows.

Actually, I think we're seeing the maturation of a "corral the wagons" paranoia in Microsoft's culture. Lacking the ability to push any serious innovation internally (let's be serious, most of Microsoft's innovations during the past 20 years were brought in through acquisitions or copycat development ala VMS for NT, liberal borrowing from OS/2, Apple and Mach, etc). Now that antitrust severely limits acquisition growth, Microsoft is facing the same threat that broke Worldcom. Unable to make significant acquisitions, unable to meet growth internally, and now unable to cook the books like Worldcom, Microsoft's certain to get very defensive as the pressures heat up.

I thought I saw the beginnings of this phenomenon in 1998 at the IPv6 summit, where Microsoft's techs at the conference were explaining their implementation at first with great pride, only to be somewhat ashamed at how much they hadn't followed the specification very well, had numerous bugs and compatibility issues, and were clearly well behind everyone else. Nearly every other operating system had a much more mature implementation. (How long did that IPv6 stack remain a beta too?)

Amazingly, Microsoft is now attempting to patent IPv6 through a copy-cat specification (as was discussed on slashdot). Somehow it's not amusing when the kid who was not very successful in his participation in the group assignment decides to take exclusive credit for the group's effort.

So now Microsoft is blaming IPv4's engineering (when just like IPv6, everyone else seemed to understand and master the assignment EXCEPT Microsoft)?

As a teacher of mine once said to perpetual underachievers in class: Perhaps you might consider a career in food service instead?

Responding to Steve Gibson

[darylb]

Microsoft is just responding to Steve Gibson, of Gibson Research, who has hounded them for making raw sockets accessible to all programs in the past.

Re:Responding to Steve Gibson

[Bryson]

And he is wrong.

To be clear: The security problem is that the net routs any
packets it can, and some TCP/IP stacks will choke upon
*receiving* (a flood of) bad packets. Trying to make it
difficult to *send* those packets from Windows is essentially
useless.

Removing raw socket support from an operation system is a
trivial, bogus attempt to hide the problem without fixing it. A
root-compromised system can send raw packets no matter what the
vendor implements.

There are two reasonable places at which to resist these denial-
of-service attack: At the hosts, we can tolerate bogus-packet-
floods with things like SYN-cookies or random-early-drop; in
the routing infrastructure, we could halt floods of hostile
messages from reaching their destinations.

Microsoft's approach here is nonsense. If an attacker takes
control of a system, he can send from it any packets he wants.

--
--Bryan

FMEA

[millahtime]

Failure Modes and Effects Analysis... I would love to see that done on windows. Maybe find the problem itself rather than work around it and leave the faulires in there. Bad by design.

So when...

[RailGunner]

So, they're going to re-disable raw sockets? I'd suggest that the IP implementation on SP2 is broken already. For example - when will you be able to send more than 8K in a single packet using a Java Socket on Windows XP Service Pack 2?

String sString = "Some string more than 8K";
Socket client;
PrintWriter sock_out;
try
{
client = new Socket (InetAddress.getByName
("127.0.0.1"), 5678);
sock_out = new PrintWriter
(client.getOutputStream(), true);
sock_out.flush();
sock_out.println (sString);
sock_out.close();
client.close();
}
catch (EOFException eof)
{

}
catch (IOException e)
{

}

Try it yourself - see if you can receive more than 8K in a recv() call in Windows XP SP2. You can't.
If you do the same on Linux or OS X, you can. On Windows XP SP1, you can.

Thanks, Microsoft.

Replacement

[Mr_Silver]

As soon as I saw this, it made me rememeber this article by Cringely (written in August 2001) which discusses the "problem" of raw sockets.

From it:

According to these programmers, Microsoft wants to replace TCP/IP with a proprietary protocol -- a protocol owned by Microsoft -- that it will tout as being more secure. Actually, the new protocol would likely be TCP/IP with some of the reserved fields used as pointers to proprietary extensions, quite similar to Vines IP, if you remember that product from Banyan Systems. I'll call it TCP/MS.

How do you push for the acceptance of a new protocol? First, make the old one unworkable by placing millions of exploitable TCP/IP stacks out on the Net, ready-to-use by any teenage sociopath. When the Net slows or crashes, the blame would not be assigned to Microsoft. Then ship the new protocol with every new copy of Windows, and install it with every Windows Update over the Internet. Zero to 100 million copies could happen in less than a year, and that year could be prior to the new protocol even being announced. It could be shipping right now.

Food for thought.

Re:Baby, meet bathwater.

[shird]

Or perhaps if you are going to write apps that require such low level network access, you should be using a packet driver (or whatever the mechanism is in windows) to do that.

The same can be said for any access to hardware that could be considered unnecessary for typical applications or 'harmful' to the hardware (harmful in the sense that it is 'harmful' to the network and your connection).

I think what MS has done is quite acceptable, given the number of trojans uot there that are DoS'ing and spamming like crazy. Trojans that are on the systems often because of user stupidity rather than an insecure OS. As long as it is possible to actually write such a 'driver' (I think there is a different name for it, but I can't remmeber).

MS Windows Server 2003 also has buggy TCP/IP

[spadadot]

I wrote an article about a very serious problem related to Windows Server 2003 TCP/IP.

Here's a quote : "Trying to set up a Windows Media streaming server to stream high-quality videos, I came across what I can now call a TCP/IP bug in Windows Server 2003 (Standard Edition). In some (not unusual) situations, the server simply cannot use all available bandwidth between itself and the client.
[...]
Eventually, I came to accept the idea that Windows Server 2003, an OS designed for server tasks, is not able to fill a 2Mbit/s ADSL connection. Yes I know it sounds incredible but I've been looking without success for another conclusion for the past 3 months."

Read the full technical explanation and see what Microsoft has to say about it : Microsoft Windows Server 2003 Buggy TCP/IP ?

Re:A wise decision

[NoMoreNicksLeft]

Set my girlfriend up with a non-admin account. So, I end up having to install all her software for her... except at the time, things like ICQ simply wouldn't run right, even when installed by admin and ran as user. Many of those have changed, many haven't. Still too many dumb apps and games that won't run with anything less, even if you did manage to install them.

What I really need, is a firefox theme that looks like IE, and a desktop theme that looks like XP. She'd never know the difference. (and when wine fails to run the dumb shareware games she tries to install, I'd be like "They must not have programmed them very well, I can't make them work!".)

The Metro of netoworking protocols

[SuperKendall]

Yes, the path becomes clear...

Abandon the industry standard for VMs (Java) and roll your own (.Net).

Abandon the industry standard for portable documents (PDF) and roll your own (Metro).

Abandon the industry standard for networking (TCP/IP) and roll your own (???).

Each sounds more improbable than the last. Yet the first one has happened, the second is going to happen, and thus the third seems much less improbable than it would have otherwise.

Re:Hammer, meet nail.

[cirisme]

The brain damaged part has nothing to do with TCP/IP, because their implementation has nothing to do with security.

Seriously? You really think it's their brain damaged TCP/IP implementation that's at fault? Think again. It may be bad, but giving every program access to raw sockets is a bit silly considering how easy it is to get programs into Windows. But this is a good move, a better one would to have been to make it so it's not as simple to get untrusted programs running in Windows but I digress.

Something is wrong, alright

[ajs318]

The various BSD flavours support raw sockets. So does Solaris, and even Linux for that matter.

The difference with the Unix-like systems is that ordinary users don't get to poke about with dangerous stuff.

The real point is that Windows software has for too long depended on the assumption that the user has full unfettered access to every resource on the computer -- an assumption which had to cease to be true when Windows became network-aware, because in a networked environment some things are properly restricted. Yet for the best part of ten years, Windows continued to run without privilege separation; and application programmers took advantage of that, creating code which turned out to be fundamentally broken.

Face it, the bathwater is minging and the baby is dead -- there is nothing worth saving in the whole sorry mess. Whether bad water killed the baby, the dead baby made the water worse, or the two are unconnected, isn't really important right now. What is important is to get rid of them both, scrub out the bathtub and start again.

Of course, if you're going to switch to a new version of Windows -- which would have to be totally incompatible with all that sloppily-written software needing root access for no good reason -- then that would be about as big a change as switching to some other operating system. That must worry Microsoft .....

Re:Baby, meet bathwater.

[Slashcrap]

Quoted from there is basically. If you want to use hand-crafted TCP/UDP packets over a raw IP connection, you must enable the Internet Connection Firewall.

I was about to reply pointing out that you had obviously meant to say, "disable the Firewall".

Then I read the Knowledgebase article.

God, that's retarded. The firewall doesn't do jack shit to block outgoing traffic anyway. Why the hell should it be safer to allow raw sockets when it's on?

The problem lies somewhere else

[MemoryDragon]

In a system which grants admin priviledges to every user of course raw sockets can be dangerous. But the problem is less raw sockets, the problem is more the system itself which uses it.

Pushing more people towards Linux

I work for a company that sells a high-end network security scanning product. We have been dealing with this XP issue now for almost 2 years, and we are not the only ones who have complained to Microsoft. We have pushed our complaints as far through the channels as we can. Microsoft isn't listening.

Their response is: buy Windows Server 2003 if you want raw sockets. We asked them if there was any guarantee that they would not break the raw sockets feature in 2003, and they would not give us that guarantee. Besides, Windows Server 2003 ships with a lot of stuff we would have to disable to make the box even remotely secure.

Our CEO even registered a complaint with Microsoft, saying "We pay to use your software and you are hurting our business and hurting our customers and costing us money with this change. And you have heard our complaints and you are ignoring them." Microsoft responded that they would pass our criticism up the chain, and that's the last we heard.

That's why it irritates me to read in the article that Microsoft has had "little negative feedback" on this issue. I'm sure we're not the only paying customer of Microsoft that has been affected. And they are not telling the truth when they say that "the only thing affected by this change is fingerprinting software": port scanning is affected too.

So we have started recommending that our customers use the Linux version of our product. Now Microsoft is losing hundreds of thousands of dollars of revenue per quarter just from our company.

Re:Hammer, meet nail.

[RealProgrammer]

I think you misunderstood the GP post. It's XP in general that's brain-damaged, not the XP TCP/IP stack.

Microsoft is trying to blame the design of TCP/IP instead of the design of Windows. Everybody else makes it work; why can't they?

Re:Steve "Ahab" Gibson

Microsoft agrees with him because this is an easier excuse than trying to fix Windows so not everyone website's active-X control has admin privileges.

The real solution to the problem isn't breaking networking functionality depending on if you bought the cheap or expensive version of the OS.

The real solution would be to restrict raw sockets to require Administrator/root privileges, and make it harder for the averages Outlook attachment to get root privileges.

Microsoft, on the other hand, sees this as an excuse to not fix Outlook and Internet Explorer, and instead sell more of the expensive version.