‘Win-XP hole’ misrepresented by FBI, press, Gibson
Cashing in on Fear, Uncertainty and Doubt
The creation of marketing niches from Microsoft technologies is a model of perpetual motion. Redmond develops the products, and we get paid to implement, install, configure, customize, upgrade, secure, and to even break and exploit them.
Now the simple act of talking about Microsoft security is becoming a remunerative endeavor.
The recent Universal Plug and Play (UPnP) subsystem vulnerabilities in Microsoft XP, as well as some ME and 98 systems, has resulted in a media circus that has beaten out Code Red -- and there is not even an exploit yet!
Don't get me wrong -- coverage of security issues is a Good Thing. This one could be serious as it has some potential for abuse if the right people put their minds to it. And given the fact that it would primarily affect home users, few of whom will ever see this article or read a Bugtraq post, the more people that know about UPnP the better.
But the information has to be accurate. The media and corresponding subset of technical news portals are doing a terrible job of reporting factual information -- particularly on this bug. From the FBI to the LA Times to Gibson Research Corporation, they all have it wrong.
So let's take it from the top. Universal Plug and Play is the term used to collectively refer to a set of standards, protocols, and services which support pervasive networking of intelligent devices and appliances in a peer-to-peer configuration; the kind of solution that will allow your wet bar to take stock of needed items and automatically add them to your Palm Pilot's shopping list.
It is a collaborative effort between many vendors and developers including HP, Apple, and of course Microsoft.
On the default installations of XP (Home and Pro) and some ME/98 installs, the UPnP subsystem is listening for NOTIFYs from UPnP enabled devices at startup. This is the problem.
The Simple Service Discovery Protocol (SSDP) service has issues with specially formatted NOTIFY datagrams which can be used to exploit a buffer overrun to gain SYSTEM access, or perform DoS or DDoS attacks as described in an advisory from eEye Digital Securiy, who discovered the bug.
Microsoft has released a patch and posted the fix on Windows Update. My issue is that so many people have rushed to be authorities on this bug that many didn't bother to get their facts straight before posting fixes and writing articles about it. The NIPC advisory gives people specific instructions on how to disable the "UPnP Device Host" on XP and has been widely linked to by many.
Unfortunately, this does absolutely nothing. I both phoned and emailed NIPC to inform them that the UPnP Service itself has nothing to do with this bug, and that the "SSDP Discovery Service" is the issue, but to date they still have not updated the site.
In addition to misinformation, ad-hungry media outlets like the LA Times are doing what they can to bring in the hits, headlining articles with FUD -- industry shorthand for Fear, Uncertainty and Doubt -- like "XP Patch Leaves Door Wide Open" that is not only completely wrong, but contains no detailed information about the issue, or even links on where to find the advisories.
At least the author admits that though he wrote a book on how to use XP, he could not figure out how to disable a service.
And of course Steve Gibson jumped on the bandwagon with a page dedicated to saturating the issue with his own special blend of FUD that is almost elevated to an art form. In a complete exit from anything security related, Gibson goes as far as to charge Microsoft with purposefully withholding an advisory and patch for this vulnerability so that Christmas sales would not be affected. This would be like me concocting some conspiracy theory where I charge the FBI for knowingly deceiving people with incorrect fix instructions so that they could still use the buffer overrun to push out Magic Lantern to seven million people. Hmmm....
It's not like it has been a slow news week for vulnerabilities -- it is just that nobody cares to talk about anything if it is not about Microsoft. In the SANS NewsBites email, more mention was given to Gibson's take on the UPnP issue than the entire coverage of David Litchfield's publication of an Oracle 9iAS remote system level buffer overrun: ten links were given to the UPnP bug; one link regarding Oracle. There was no link to the MS advisory.
And while Gartner is so kind to bestow upon us their 'prediction' that hackers will use UPnP vulnerabilities in the future (which is really an amazing illustration of their keen insight into technology trends) they also fail to comment on any of the Oracle issues. They act more like bookies than security professionals; getting paid whether we win or lose.
Microsoft's security issues are bad. And though my call on this one is that we won't see any massive worm taking advantage of this particular vulnerability, the security of the Simple Service Discovery Protocol in itself still must be addressed and secured. And though Microsoft's own development team was wrong about the effectiveness of XP's Internet Connection Firewall against direct UPnP attacks (which does in fact protect you from unicast traffic), they still have a product that allows multicast and broadcast traffic to arrive to an interface unfiltered.
XP is still the most secure consumer OS that Microsoft has developed, but there will still be more peas in the potatoes in the future.
You can't increase security by giving people the wrong information, or not enough of the right information. If you don't like Microsoft, then don't buy their products. Write your congressman. Get a job at Oracle. Wear a penguin T-shirt. Do something about it. But don't wave your Microsoft Sucks flag with your left hand while pocketing your stipend with your right unless you just want to be part of the problem.
© 2001 SecurityFocus.com, all rights reserved.
Timothy Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software.