‘Win-XP hole’ misrepresented by FBI, press, Gibson

Cashing in on Fear, Uncertainty and Doubt

  • alert
  • submit to reddit

Internet Security Threat Report 2014

Everyone from the FBI to the

LA Times

has something scary to say about the new XP vulnerability. Here's why they all have it wrong.

The creation of marketing niches from Microsoft technologies is a model of perpetual motion. Redmond develops the products, and we get paid to implement, install, configure, customize, upgrade, secure, and to even break and exploit them.

Now the simple act of talking about Microsoft security is becoming a remunerative endeavor.

The recent Universal Plug and Play (UPnP) subsystem vulnerabilities in Microsoft XP, as well as some ME and 98 systems, has resulted in a media circus that has beaten out Code Red -- and there is not even an exploit yet!

Don't get me wrong -- coverage of security issues is a Good Thing. This one could be serious as it has some potential for abuse if the right people put their minds to it. And given the fact that it would primarily affect home users, few of whom will ever see this article or read a Bugtraq post, the more people that know about UPnP the better.

But the information has to be accurate. The media and corresponding subset of technical news portals are doing a terrible job of reporting factual information -- particularly on this bug. From the FBI to the LA Times to Gibson Research Corporation, they all have it wrong.

So let's take it from the top. Universal Plug and Play is the term used to collectively refer to a set of standards, protocols, and services which support pervasive networking of intelligent devices and appliances in a peer-to-peer configuration; the kind of solution that will allow your wet bar to take stock of needed items and automatically add them to your Palm Pilot's shopping list.

It is a collaborative effort between many vendors and developers including HP, Apple, and of course Microsoft.

On the default installations of XP (Home and Pro) and some ME/98[5] installs, the UPnP subsystem is listening for NOTIFYs from UPnP enabled devices at startup. This is the problem.

The Simple Service Discovery Protocol (SSDP) service has issues with specially formatted NOTIFY datagrams which can be used to exploit a buffer overrun to gain SYSTEM access, or perform DoS or DDoS attacks as described in an advisory from eEye Digital Securiy, who discovered the bug.

Microsoft has released a patch and posted the fix on Windows Update. My issue is that so many people have rushed to be authorities on this bug that many didn't bother to get their facts straight before posting fixes and writing articles about it. The NIPC advisory gives people specific instructions on how to disable the "UPnP Device Host" on XP and has been widely linked to by many.

Unfortunately, this does absolutely nothing. I both phoned and emailed NIPC to inform them that the UPnP Service itself has nothing to do with this bug, and that the "SSDP Discovery Service" is the issue, but to date they still have not updated the site.

In addition to misinformation, ad-hungry media outlets like the LA Times are doing what they can to bring in the hits, headlining articles with FUD -- industry shorthand for Fear, Uncertainty and Doubt -- like "XP Patch Leaves Door Wide Open" that is not only completely wrong, but contains no detailed information about the issue, or even links on where to find the advisories.

At least the author admits that though he wrote a book on how to use XP, he could not figure out how to disable a service.

And of course Steve Gibson jumped on the bandwagon with a page dedicated to saturating the issue with his own special blend of FUD that is almost elevated to an art form. In a complete exit from anything security related, Gibson goes as far as to charge Microsoft with purposefully withholding an advisory and patch for this vulnerability so that Christmas sales would not be affected. This would be like me concocting some conspiracy theory where I charge the FBI for knowingly deceiving people with incorrect fix instructions so that they could still use the buffer overrun to push out Magic Lantern to seven million people. Hmmm....

It's not like it has been a slow news week for vulnerabilities -- it is just that nobody cares to talk about anything if it is not about Microsoft. In the SANS NewsBites email, more mention was given to Gibson's take on the UPnP issue than the entire coverage of David Litchfield's publication of an Oracle 9iAS remote system level buffer overrun: ten links were given to the UPnP bug; one link regarding Oracle. There was no link to the MS advisory.

And while Gartner is so kind to bestow upon us their 'prediction' that hackers will use UPnP vulnerabilities in the future (which is really an amazing illustration of their keen insight into technology trends) they also fail to comment on any of the Oracle issues. They act more like bookies than security professionals; getting paid whether we win or lose.

Microsoft's security issues are bad. And though my call on this one is that we won't see any massive worm taking advantage of this particular vulnerability, the security of the Simple Service Discovery Protocol in itself still must be addressed and secured. And though Microsoft's own development team was wrong about the effectiveness of XP's Internet Connection Firewall against direct UPnP attacks (which does in fact protect you from unicast traffic), they still have a product that allows multicast and broadcast traffic to arrive to an interface unfiltered.

XP is still the most secure consumer OS that Microsoft has developed, but there will still be more peas in the potatoes in the future.

You can't increase security by giving people the wrong information, or not enough of the right information. If you don't like Microsoft, then don't buy their products. Write your congressman. Get a job at Oracle. Wear a penguin T-shirt. Do something about it. But don't wave your Microsoft Sucks flag with your left hand while pocketing your stipend with your right unless you just want to be part of the problem.

© 2001 SecurityFocus.com, all rights reserved.

Timothy Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software.

Related Story

MS warns of severe universal plug & play security hole

Secure remote control for conventional and virtual desktops

More from The Register

next story
Microsoft to bake Skype into IE, without plugins
Redmond thinks the Object Real-Time Communications API for WebRTC is ready to roll
Mozilla: Spidermonkey ATE Apple's JavaScriptCore, THRASHED Google V8
Moz man claims the win on rivals' own benchmarks
Microsoft promises Windows 10 will mean two-factor auth for all
Sneak peek at security features Redmond's baking into new OS
FTDI yanks chip-bricking driver from Windows Update, vows to fight on
Next driver to battle fake chips with 'non-invasive' methods
DEATH by PowerPoint: Microsoft warns of 0-day attack hidden in slides
Might put out patch in update, might chuck it out sooner
Ubuntu 14.10 tries pulling a Steve Ballmer on cloudy offerings
Oi, Windows, centOS and openSUSE – behave, we're all friends here
Apple's OS X Yosemite slurps UNSAVED docs into iCloud
Docs, email contacts... shhhlooop, up it goes
Was ist das? Eine neue Suse Linux Enterprise? Ausgezeichnet!
Version 12 first major-number Suse release since 2009
prev story


Choosing cloud Backup services
Demystify how you can address your data protection needs in your small- to medium-sized business and select the best online backup service to meet your needs.
A strategic approach to identity relationship management
ForgeRock commissioned Forrester to evaluate companies’ IAM practices and requirements when it comes to customer-facing scenarios versus employee-facing ones.
Reg Reader Research: SaaS based Email and Office Productivity Tools
Read this Reg reader report which provides advice and guidance for SMBs towards the use of SaaS based email and Office productivity tools.
New hybrid storage solutions
Tackling data challenges through emerging hybrid storage solutions that enable optimum database performance whilst managing costs and increasingly large data stores.
Business security measures using SSL
Examines the major types of threats to information security that businesses face today and the techniques for mitigating those threats.