‘Win-XP hole’ misrepresented by FBI, press, Gibson

Cashing in on Fear, Uncertainty and Doubt


Everyone from the FBI to the LA Times has something scary to say about the new XP vulnerability. Here's why they all have it wrong.

The creation of marketing niches from Microsoft technologies is a model of perpetual motion. Redmond develops the products, and we get paid to implement, install, configure, customize, upgrade, secure, and to even break and exploit them.

Now the simple act of talking about Microsoft security is becoming a remunerative endeavor.

The recent Universal Plug and Play (UPnP) subsystem vulnerabilities in Microsoft XP, as well as some ME and 98 systems, have resulted in a media circus that has beaten out Code Red -- and there is not even an exploit yet!

Don't get me wrong -- coverage of security issues is a Good Thing. This one could be serious as it has some potential for abuse if the right people put their minds to it. And given the fact that it would primarily affect home users, few of whom will ever see this article or read a Bugtraq post, the more people that know about UPnP the better.

But the information has to be accurate. The media and corresponding subset of technical news portals are doing a terrible job of reporting factual information -- particularly on this bug. From the FBI to the LA Times to Gibson Research Corporation, they all have it wrong.

So let's take it from the top. Universal Plug and Play is the term used to collectively refer to a set of standards, protocols, and services which support pervasive networking of intelligent devices and appliances in a peer-to-peer configuration; the kind of solution that will allow your wet bar to take stock of needed items and automatically add them to your Palm Pilot's shopping list.

It is a collaborative effort between many vendors and developers including HP, Apple, and of course Microsoft.

On the default installations of XP (Home and Pro) and some ME/98[5] installs, the UPnP subsystem is listening for NOTIFYs from UPnP enabled devices at startup. This is the problem.

The Simple Service Discovery Protocol (SSDP) service has issues with specially formatted NOTIFY datagrams which can be used to exploit a buffer overrun to gain SYSTEM access, or perform DoS or DDoS attacks as described in an advisory from eEye Digital Security, who discovered the bug.

Microsoft has released a patch and posted the fix on Windows Update. My issue is that so many people have rushed to be authorities on this bug that many didn't bother to get their facts straight before posting fixes and writing articles about it. The NIPC advisory gives people specific instructions on how to disable the "UPnP Device Host" on XP and has been widely linked to by many.

Unfortunately, this does absolutely nothing. I both phoned and emailed NIPC to inform them that the UPnP Service itself has nothing to do with this bug, and that the "SSDP Discovery Service" is the issue, but to date they still have not updated the site.

In addition to misinformation, ad-hungry media outlets like the LA Times are doing what they can to bring in the hits, headlining articles with FUD -- industry shorthand for Fear, Uncertainty and Doubt -- like "XP Patch Leaves Door Wide Open" that is not only completely wrong, but contains no detailed information about the issue, or even links on where to find the advisories.

At least the author admits that though he wrote a book on how to use XP, he could not figure out how to disable a service.

And of course Steve Gibson jumped on the bandwagon with a page dedicated to saturating the issue with his own special blend of FUD that is almost elevated to an art form. In a complete exit from anything security related, Gibson goes as far as to charge Microsoft with purposefully withholding an advisory and patch for this vulnerability so that Christmas sales would not be affected. This would be like me concocting some conspiracy theory where I charge the FBI with knowingly deceiving people with incorrect fix instructions so that they could still use the buffer overrun to push out Magic Lantern to seven million people. Hmmm....

It's not like it has been a slow news week for vulnerabilities -- it is just that nobody cares to talk about anything if it is not about Microsoft. In the SANS NewsBites email, more mention was given to Gibson's take on the UPnP issue than the entire coverage of David Litchfield's publication of an Oracle 9iAS remote system level buffer overrun: ten links were given to the UPnP bug; one link regarding Oracle. There was no link to the MS advisory.

And while Gartner is so kind to bestow upon us their 'prediction' that hackers will use UPnP vulnerabilities in the future (which is really an amazing illustration of their keen insight into technology trends) they also fail to comment on any of the Oracle issues. They act more like bookies than security professionals; getting paid whether we win or lose.

Microsoft's security issues are bad. And though my call on this one is that we won't see any massive worm taking advantage of this particular vulnerability, the security of the Simple Service Discovery Protocol in itself still must be addressed and secured. And though Microsoft's own development team was wrong about the effectiveness of XP's Internet Connection Firewall against direct UPnP attacks (which does in fact protect you from unicast traffic), they still have a product that allows multicast and broadcast traffic to arrive at an interface unfiltered.
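To make the unicast versus multicast/broadcast distinction concrete, here is an added example (not part of the original column) that triages captured UDP datagrams: it picks out SSDP NOTIFYs and classifies each by destination. The LAN prefix, addresses and packets are constructed, and the `filtered_by_icf` flag simply encodes the column's statement that the firewall stops unicast only.

```python
import ipaddress

SSDP_PORT = 1900                                    # UDP port used by SSDP
LOCAL_NET = ipaddress.ip_network("192.168.1.0/24")  # constructed home LAN

def dest_class(dst, net=LOCAL_NET):
    """Classify a destination address as unicast, multicast or broadcast."""
    ip = ipaddress.ip_address(dst)
    if ip.is_multicast:
        return "multicast"
    if dst == "255.255.255.255" or ip == net.broadcast_address:
        return "broadcast"
    return "unicast"

def parse_notify(payload):
    """Return the headers of an SSDP NOTIFY as a dict, or None otherwise."""
    lines = payload.decode("latin-1").split("\r\n")
    start = lines[0].split()
    if len(start) != 3 or start[0] != "NOTIFY" or not start[2].startswith("HTTP/"):
        return None
    headers = {}
    for line in lines[1:]:
        if not line:                 # blank line ends the header block
            break
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers

def triage(packets, net=LOCAL_NET):
    """Report every NOTIFY aimed at the SSDP port and how it was addressed."""
    report = []
    for src, dst, dport, payload in packets:
        headers = parse_notify(payload) if dport == SSDP_PORT else None
        if headers is None:
            continue
        kind = dest_class(dst, net)
        report.append({"src": src, "dst": dst, "kind": kind,
                       "nts": headers.get("NTS"),
                       "off_lan": ipaddress.ip_address(src) not in net,
                       "filtered_by_icf": kind == "unicast"})  # per the column
    return report

# Constructed sample capture: (source, destination, UDP dest port, payload)
NOTIFY = (b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
          b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
          b"LOCATION: http://192.168.1.20:5000/desc.xml\r\n\r\n")
SAMPLE = [("192.168.1.20", "239.255.255.250", 1900, NOTIFY),
          ("203.0.113.9", "192.168.1.10", 1900, NOTIFY),
          ("192.168.1.77", "192.168.1.255", 1900, NOTIFY),
          ("192.168.1.20", "239.255.255.250", 1900, b"M-SEARCH * HTTP/1.1\r\n\r\n")]

if __name__ == "__main__":
    for row in triage(SAMPLE):
        print(row)
```

Only the second sample datagram is unicast; the multicast and broadcast NOTIFYs are the ones that still reach the SSDP listener on a firewalled machine.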

XP is still the most secure consumer OS that Microsoft has developed, but there will still be more peas in the potatoes in the future.

You can't increase security by giving people the wrong information, or not enough of the right information. If you don't like Microsoft, then don't buy their products. Write your congressman. Get a job at Oracle. Wear a penguin T-shirt. Do something about it. But don't wave your Microsoft Sucks flag with your left hand while pocketing your stipend with your right unless you just want to be part of the problem.

© 2001 SecurityFocus.com, all rights reserved.

Timothy Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software.
