'Win-XP hole' mis-represented by FBI, press, Gibson

By x34
in Back Page News

 Share

Recommended Posts

Explorer

x34

Posted
Posted

Interesting story...there's a lot of 'bandwagon-ing' going on....

http://www.theregister.co.uk/content/55/23517.html

Everyone from the FBI to the LA Times has something scary to say about the new XP vulnerability. Here's why they all have it wrong.

The creation of marketing niches from Microsoft technologies is a model of perpetual motion. Redmond develops the products, and we get paid to implement, install, configure, customize, upgrade, secure, and to even break and exploit them.

Now the simple act of talking about Microsoft security is becoming a remunerative endeavor.

The recent Universal Plug and Play (UPnP) subsystem vulnerabilities in Microsoft XP, as well as some ME and 98 systems, has resulted in a media circus that has beaten out Code Red -- and there is not even an exploit yet!

Don't get me wrong -- coverage of security issues is a Good Thing. This one could be serious as it has some potential for abuse if the right people put their minds to it. And given the fact that it would primarily affect home users, few of whom will ever see this article or read a Bugtraq post, the more people that know about UPnP the better.

But the information has to be accurate. The media and corresponding subset of technical news portals are doing a terrible job of reporting factual information -- particularly on this bug. From the FBI to the LA Times to Gibson Research Corporation, they all have it wrong.

So let's take it from the top. Universal Plug and Play is the term used to collectively refer to a set of standards, protocols, and services which support pervasive networking of intelligent devices and appliances in a peer-to-peer configuration; the kind of solution that will allow your wet bar to take stock of needed items and automatically add them to your Palm Pilot's shopping list.

It is a collaborative effort between many vendors and developers including HP, Apple, and of course Microsoft.

On the default installations of XP (Home and Pro) and some ME/98[5] installs, the UPnP subsystem is listening for NOTIFYs from UPnP enabled devices at startup. This is the problem.

The Simple Service Discovery Protocol (SSDP) service has issues with specially formatted NOTIFY datagrams which can be used to exploit a buffer overrun to gain SYSTEM access, or perform DoS or DDoS attacks as described in an advisory from eEye Digital Securiy, who discovered the bug.

Microsoft has released a patch and posted the fix on Windows Update. My issue is that so many people have rushed to be authorities on this bug that many didn't bother to get their facts straight before posting fixes and writing articles about it. The NIPC advisory gives people specific instructions on how to disable the "UPnP Device Host" on XP and has been widely linked to by many.

Unfortunately, this does absolutely nothing. I both phoned and emailed NIPC to inform them that the UPnP Service itself has nothing to do with this bug, and that the "SSDP Discovery Service" is the issue, but to date they still have not updated the site.

In addition to misinformation, ad-hungry media outlets like the LA Times are doing what they can to bring in the hits, headlining articles with FUD -- industry shorthand for Fear, Uncertainty and Doubt -- like "XP Patch Leaves Door Wide Open" that is not only completely wrong, but contains no detailed information about the issue, or even links on where to find the advisories.

At least the author admits that though he wrote a book on how to use XP, he could not figure out how to disable a service.

And of course Steve Gibson jumped on the bandwagon with a page dedicated to saturating the issue with his own special blend of FUD that is almost elevated to an art form. In a complete exit from anything security related, Gibson goes as far as to charge Microsoft with purposefully withholding an advisory and patch for this vulnerability so that Christmas sales would not be affected. This would be like me concocting some conspiracy theory where I charge the FBI for knowingly deceiving people with incorrect fix instructions so that they could still use the buffer overrun to push out Magic Lantern to seven million people. Hmmm....

It's not like it has been a slow news week for vulnerabilities -- it is just that nobody cares to talk about anything if it is not about Microsoft. In the SANS NewsBites email, more mention was given to Gibson's take on the UPnP issue than the entire coverage of David Litchfield's publication of an Oracle 9iAS remote system level buffer overrun: ten links were given to the UPnP bug; one link regarding Oracle. There was no link to the MS advisory.

And while Gartner is so kind to bestow upon us their 'prediction' that hackers will use UPnP vulnerabilities in the future (which is really an amazing illustration of their keen insight into technology trends) they also fail to comment on any of the Oracle issues. They act more like bookies than security professionals; getting paid whether we win or lose.

Microsoft's security issues are bad. And though my call on this one is that we won't see any massive worm taking advantage of this particular vulnerability, the security of the Simple Service Discovery Protocol in itself still must be addressed and secured. And though Microsoft's own development team was wrong about the effectiveness of XP's Internet Connection Firewall against direct UPnP attacks (which does in fact protect you from unicast traffic), they still have a product that allows multicast and broadcast traffic to arrive to an interface unfiltered.

XP is still the most secure consumer OS that Microsoft has developed, but there will still be more peas in the potatoes in the future.

You can't increase security by giving people the wrong information, or not enough of the right information. If you don't like Microsoft, then don't buy their products. Write your congressman. Get a job at Oracle. Wear a penguin T-shirt. Do something about it. But don't wave your Microsoft Sucks flag with your left hand while pocketing your stipend with your right unless you just want to be part of the problem.

? 2001 SecurityFocus.com, all rights reserved.

Timothy Mullen is CIO and Chief Software Architect for AnchorIS.Com, a developer of secure, enterprise-based accounting software.

Link to comment
Share on other sites
Grand Master

Jon

Posted
Posted

I thought that story is absolutely great reading, sums up my feelings completely.

Sooo many people have jumped in trying to become experts in this bug, and just like he says, they keep getting their facts wrong, **** even the 'cheif hacking officer' from eEye got one detail wrong on bugtraq (re: win98).

As for Steve Gibson, what can you say? The guys an attention seeking moron, unfortunetly, sites like www.labmice.net keep recommending him as an authority.

WHYWHYWHYWHYWHYWHYWHY

The only thing hes an authority in is the art of bullsh*tting!

/me runs off in a strop, looking for a large plank to beat mr gibson with

Link to comment
Share on other sites
Experienced

CustardFD

Posted
Posted

I totally agree with that. MS are slated far more than other companys for secutiry holes in general. Prehaps that is beacuse their products are generally the most widely used, but I still don't think they should be slated any more. Just make sure that everyone knows. If most people used the windows automatic update thingy then that should be adequite for a majority of home users.

As for this security bug in general, didn't MS releace a press statement a while a ago saying they had removed all unsigned buffers so buffer underruns were impossible, or was that only the kernel?

Edit: Can I find a 2nd plank of wood to beat Mr Gibson with?:D

Link to comment
Share on other sites
This topic is now closed to further replies.
 Share
Go to topic listing

  • Recently Browsing   0 members

    • No registered users viewing this page.