Original URL: http://www.theregister.co.uk/2002/01/03/who_needs_hackers_when_weve/

Who needs hackers when we've got MS?

Half the work's already done

By Richard Forno

Posted in Security, 3rd January 2002 00:13 GMT

By now, people know that I'm not the world's greatest Microsoft fan. Truth be told, I'm not completely biased against the company, and will even acknowledge that it has, at various points, produced some decent products. I also don't 'bash' Microsoft because it's the 'in' thing to do these days, but because there are serious problems with the software company's products and services that they continue to ignore. In fact, some would argue, they just don't get it. Such observations, therefore, must be voiced.

The federal government and technology industry want you to believe the threats to our networks are external, not internal, where someone must be held accountable when things go wrong. Thus, we hear the rhetoric about cyber terrorists, hackers, and the so-called 'Digital Pearl Harbor' - things you can't easily point fingers at and hold someone accountable for when bad things happen. The White House would be wise to look at our nation's own self-induced vulnerabilities before rushing to spin up a sinister external threat; absent the rich target of opportunity presented by nearly all Microsoft products, hackers, crackers, and electronic evildoers would have a much harder time causing mainstream mischief every other week.

Windows XP was promoted by Microsoft as perhaps the ultimate and most secured Windows operating system the firm had ever created, and one of its key features was increased security from electronic evildoers like hackers, crackers, and so-called cyber terrorists. In fact, in a recent interview with E-Week, Microsoft Vice President Jim Allchin said that Windows XP is "...dramatically more secure than Windows 2000 or any of the prior systems." Released on October 25, it was to be the default operating system on all new personal computers sold, and its release was timed to coincide with new PC sales for the 2001 holiday season.

Unfortunately, Windows XP doesn't protect you from Microsoft, an entity some argue is more dangerous than any cyber terrorist or hacker gang.

It turns out that Windows XP ships with a new feature called Universal Plug and Play (UPnP) enabled by default, allowing UPnP devices to locate each other on a local network, so that your home computer can talk to your refrigerator can talk to your toaster can talk to your stereo can send messages to your PDA, and so forth. However, as a result of this oversight, someone could use this feature to exploit, control, or disrupt a system from remote locations around the world. As if computer exploits aren't bad enough, you'll soon have to worry about someone turning off your freezer and spoiling your holiday leftovers...
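The exposure described above, a local-discovery feature reachable from outside the local network, is something a perimeter log review can surface. The following is an added example, not code from the article, from Microsoft, or from eEye. It assumes a hypothetical firewall log format, constructs its own sample lines, and assumes TCP 5000 as the Windows XP UPnP device-host port alongside the SSDP discovery port, UDP 1900; it flags accepted packets that reached either port from an address outside the local ranges.

```python
import ipaddress
import re

# Address ranges treated as "on the local network": RFC 1918 private space,
# loopback, link-local, and the multicast block that SSDP discovery uses.
LOCAL_RANGES = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "127.0.0.0/8", "169.254.0.0/16", "224.0.0.0/4",
)]

# Ports associated with UPnP on a Windows XP host. UDP 1900 is the SSDP
# discovery port; TCP 5000 is assumed here to be the UPnP device-host port.
UPNP_PORTS = {("UDP", 1900), ("TCP", 5000)}

# Hypothetical firewall log format constructed for this example:
#   <timestamp> <action> <proto> <src_ip>:<src_port> -> <dst_ip>:<dst_port>
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<action>\S+)\s+(?P<proto>TCP|UDP)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+->\s+(?P<dst>[\d.]+):(?P<dport>\d+)\s*$"
)

# Constructed sample log lines (not from the article). 192.168.1.20 is the
# XP host; 203.0.113.x and 198.51.100.x stand in for addresses on the Internet.
SAMPLE_LOG = """\
2002-01-03T00:13:01 ACCEPT UDP 192.168.1.20:1900 -> 239.255.255.250:1900
2002-01-03T00:13:02 ACCEPT UDP 192.168.1.21:49152 -> 192.168.1.20:1900
2002-01-03T00:13:05 ACCEPT UDP 203.0.113.7:40000 -> 192.168.1.20:1900
2002-01-03T00:13:07 DROP UDP 203.0.113.8:40001 -> 192.168.1.20:1900
2002-01-03T00:13:11 ACCEPT TCP 198.51.100.9:3456 -> 192.168.1.20:5000
2002-01-03T00:13:12 ACCEPT TCP 192.168.1.30:3457 -> 192.168.1.20:5000
2002-01-03T00:13:15 ACCEPT TCP 198.51.100.9:3458 -> 192.168.1.20:80
"""


def is_local(addr: str) -> bool:
    """True if the address falls inside one of the local ranges above."""
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in LOCAL_RANGES)


def parse_line(line: str):
    """Parse one log line into a dict, or return None if it does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return {
        "ts": m["ts"],
        "action": m["action"],
        "proto": m["proto"],
        "src": m["src"],
        "dst": m["dst"],
        "dport": int(m["dport"]),
    }


def find_external_upnp(log_text: str) -> list:
    """Return (timestamp, src, dst, proto, dport) for every accepted packet
    that reached a UPnP port from an address outside the local ranges."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["action"] != "ACCEPT":
            continue  # unparseable or already blocked at the perimeter
        if (rec["proto"], rec["dport"]) not in UPNP_PORTS:
            continue  # not a UPnP port
        if is_local(rec["src"]):
            continue  # expected: discovery traffic from the local network
        hits.append((rec["ts"], rec["src"], rec["dst"], rec["proto"], rec["dport"]))
    return hits


if __name__ == "__main__":
    for hit in find_external_upnp(SAMPLE_LOG):
        print("UPnP port reached from outside the local network:", hit)
```

Two of the seven constructed lines are flagged: the SSDP packet from 203.0.113.7 and the TCP 5000 connection from 198.51.100.9. Local discovery chatter, the packet the firewall already dropped, and the unrelated port 80 connection are ignored. A hit is a sign that a feature meant for the local network is exposed beyond it, which is what the default-on configuration the column complains about makes possible.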

Note that this is not to be confused with the Windows Remote Assistance feature -- promoted as one of the major benefits of using Windows XP, yet functioning in essentially the same way as the UPnP exploit. (One wonders how quickly the Remote Assistance feature will be exploited in the future as well.)

Marc Maiffret, the talented, blue-haired 'Chief Hacking Officer' of Eeye Digital Security, demonstrated the UPnP exploit to a shocked group of reporters yesterday. As a result, media and security experts are calling this "The Mother of All Exploits" for Windows XP, scrambling to inform the public about the importance of downloading and installing the fix for this problem -- a security problem not caused by a hacker or cracker, but developed and implemented exclusively by Microsoft for your computing convenience and to enhance your user experience as a 'feature' of the product.

According to an AP story, Microsoft Security Manager Scott Culp called this latest vulnerability "the first network-based, remote compromise that I'm aware of for Windows desktop systems" and a "very serious vulnerability."

I guess it's all in how you define "compromise." How very Clintonian.

Although repeatedly interviewed by the media reporting on Microsoft-based security events over the years, Culp apparently doesn't consider any of the following Microsoft-centric security exploits as "network-based, remote compromises" for "Windows desktop systems" either -- the series of Back Orifice programs from the always-amusing Cult of the Dead Cow (cDc) to e-mail worms, Trojans, and viruses (think BadTrans) that can transmit sensitive information from systems they infect.

Did Culp miss a few days of class here and there and forget to read up on SECHOLE.EXE (July 1998), the assorted Internet Explorer cross-frame scripting exploits (September 1998) or the mid-2000 ability to remotely exploit a Windows desktop through a buffer overflow found in the Clip Art feature of Microsoft Office? And what about Windows File and Print Sharing vulnerabilities from back in 1995?

How about the seemingly-endless number of buffer overflow exploits (think CodeRed, Lion, and Nimda) that plague Microsoft Internet Information Server (IIS) -- granted, IIS isn't made for "Windows desktops" but it deserves mention given the nearly-identical software code in Microsoft's desktop and server products.

So how exactly does Microsoft classify these other types of network-centric exploits? As nuisances but the price of doing business in the wired world?

When will it end? And what to do about this latest security problem originating in Redmond?

Microsoft, as the world's largest purveyor of PC software, with an established monopoly status, needs to do the responsible thing. Rather than continue to preach security as a marketing tool for its .NET venture, an avenue for business development with new proprietary 'standards' and fee-based, censored security 'partnerships' or review its reactive measures, it should get back to the basics and look within for the solution to its internal problems that usually evolve into the world's problems.

Simply put, Microsoft needs to review its software code line-by-line and clean it up. Years of service packing, patching, re-patching, updating, critical updating, and hot-fixing Windows products have made them dirty and prone to breaking, as we see every few months. Better yet, Microsoft needs to revisit the basic design of Windows - namely, removing the shared code between applications and the underlying Windows operating system (like the pervasiveness of the Web-enabled Internet Explorer across each Windows application and system). Like a car, it's time to bring the Windows code into the shop for a major tune-up. Actually, a worldwide recall might be in order.

In addition, Microsoft must not only ensure its products work well together, but also conduct much more aggressive 'abuse testing' of its software (e.g., XP) before it gets released to the Real World. Such testing should be done by independent third parties and conducted in a transparent, public manner to preclude any claims of bias in the results of such testing.

In general, Microsoft should conduct what the rest of the computing community considers a real "beta test" -- namely, making sure that a supposedly finished application works as intended, using experienced users to test the functionality, durability, and security of the product in a real-world, real-use, take-no-prisoners environment -- not use its much ballyhooed 'beta test' periods as the opportunity to market advance copies of its products, many of which never seem to get out of the beta stage even when they're officially released for sale!

In none of the interviews regarding the UPnP situation has Culp admitted that Eeye did the responsible thing by informing Microsoft and waiting for the fix to be available from Microsoft before releasing information on this critical exploit to the internet community, something many folks in the security community (all outside of Microsoft) consider 'responsible disclosure.' According to reports, it took Microsoft nearly two months to release a patch after learning of the exploit. While Eeye's actions were praiseworthy, I wouldn't wait so long before mentioning such a critical security problem to the community.

Realistically, a vendor should be able to examine and verify a reported exploit -- particularly one as critical as this one -- and release a patch or publish corrective guidance to the public in about two weeks. In this case, Microsoft -- had it decided it was in its interest to do so -- could have easily assigned fourteen thousand programmer man-days (1000 programmers x 14 days) to address the problem within two weeks. Eeye was very generous in giving Microsoft so long to fix the problem, although why it took nearly two months for Microsoft to address the problem raises some disturbing questions.

Perhaps acknowledging this would be contrary to the tone and contents of Culp's October 2001 missive calling for a Microsoft-based Vatican of Vulnerability to quell the public disclosure of security vulnerabilities and implement software security through obscurity and public ignorance. More interestingly, Eeye reported the UPnP exploit to Microsoft back in October (according to sources at Eeye, the day after Windows XP was released).

Was Microsoft's two-month silence on this critical exploit a business decision to avoid public embarrassment on a new product so close to the holiday (e.g., "new PC purchasing") season? We can only wonder.

Microsoft is by far the most notorious in its vulnerability announcements, legalese, and cover-their-tail security alerts, something cDc member Tweety Fish noted in a 1999 interview discussing the growing number of Microsoft-generated security problems back then. He noted that Microsoft "will not consider any given security risk a problem until it becomes a problem in the press." Or, to put it another way, it's not really a problem until Microsoft says so.

Actions speak louder than words. Microsoft pays security plenty of lip service for marketing and public relations spin control, but the firm's history of addressing security problems falls quite short of what security professionals would consider a robust, long-term commitment to dealing effectively with the matter. Thus, it's up to third parties like Eeye and other research firms to continue serving as a "check and balance" against a future of vendor-induced security-through-obscurity and public ignorance.

Thanks to Eeye's responsible disclosure of this catastrophic vulnerability in Windows XP, not only is the Internet a bit safer, but their actions prove once again that voluntary disclosure of vulnerability information is possible without a fee-based vendor-sponsored private club.

© 2001 InfoWarrior.org, all rights reserved.

Richard Forno is Chief Technology Officer for a Dulles, Virginia firm providing information assurance support to the national security and intelligence communities.