Maximum Security
 
Security: freedom from danger; safety; protection; freedom from doubt or anxiety; something that makes one secure; freedom from want or poverty; the securing of buildings, valuables, government secrets, and the like from intrusion or theft.
~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

+serving to make secure+

Begin 2 QuBitize

   
Microsoft Addresses the Security Issue

Microsoft's crucial new hire

Bill Gates' recent company-wide memo outlining Microsoft's vision for Trustworthy Computing has generated lots of attention, both good and bad.

To some, it is more Microsoft rhetoric wrapped inside a public relations campaign designed to postpone accountability for producing secure products until they can get .NET out the door. Others see it as a long-awaited public asseveration that Microsoft has finally put security above all else, and that it is embracing the responsibility of securing today's (and tomorrow's) Internet.

It should come as no surprise to you that I number myself among the latter group.

I can't help but notice that when Bill Gates makes a decree that speaks directly to securing his products, people consider it nothing but PR. But when Larry Ellison embarks on a blatant PR campaign of misinformation, people say he is raising the bar for security. Go figure.

Regardless, the memo comes at a good time. As the sun sets on Howard Schmidt's days as Microsoft's chief security officer, and he prepares for his new role as the number two man at the United States' Critical Infrastructure Protection Board, Microsoft CTO Craig Mundie is already looping in key Microsoft employees in his search for a replacement. Word on the street is that Mundie may even create additional positions in order for Microsoft to fully leverage the opportunity they have at this pivotal time in the company's history.

Schmidt's egress is fortuitous. Though he was instrumental in the formation of Microsoft's "trustworthy computing initiative," and the accompanying powerhouse team of security experts -- including people like Eric Schultze, David LeBlanc, and Jesper Johansson -- he was not exactly a Braveheart when it came to firing up the troops for battle.

And that is just what Microsoft needs.

I have long said that in order for Microsoft to truly change the way its products are produced, it would take a mandate from the top. Individual groups and departments, no matter how separately committed they are, can't impact the direction of the company if the corporate executives are not doing the steering.

This is the perfect occasion for Microsoft to illustrate their commitment to security and to solidify their new priorities of security before functionality. Gates flat-out said that the entire company must put security first, and there is no way for him to back out of it now.

Microsoft has spoken much of security lately, and has rolled out programs like the CTI and the Strategic Technology Protection Program. Brian Valentine has also promised a complete code-level review as the basis for Win2k's Service Pack 3. Now they need to get someone in as chief security officer who can act as a catalyst to bring the fragments of the company together into a unified force to finally take security as seriously as they need to.

Of course, even with management reforms, Microsoft still has a challenge ahead in putting the "Trustworthy" into "Trustworthy Computing."

If every programmer on staff were to build security directly into the development model and the company were to produce a robust and secure platform in .NET, Microsoft's new chief security officer would still have the job of earning the world's trust and getting the public to buy into the concept. Frankly, I don't know which job will be harder.

I was thinking about making some predictions on who they might seek out in order to fill this crucial position, but I'm having a hard time coming up with any viable candidates. This person is going to be in the capacity of literally changing the face of global security, and will have a massive responsibility on their shoulders.

It can't really be someone from the inside, as logic would dictate that it was the current management that got them into trouble in the first place. It's got to be someone who has the intelligence to see what the right thing to do is, and who has the confidence to get it done.

In some bizarre world in a parallel universe, I actually see someone like Bruce Schneier in that position. Someone in his capacity could make a world of difference -- someone who would fight for security instead of playing the cover-your-rear game all day. You know, someone who would stand up for what they thought was right and not be intimidated by Bill.

I don't know who it will end up being; I just hope that Bill and Steve, along with Craig and the rest of the big-wigs at Microsoft, see this as the critical decision that it is. We are all watching, and this will tell us exactly how serious Microsoft is about our security. I hope they get it right.


Security hole in IE reveals data in cookies


A newly reported vulnerability in Microsoft Corp.'s Internet Explorer allows hackers to steal or corrupt "cookie" information on a user's desktop through a malformed address at a Web site or in an HTML e-mail.

The vulnerability means a user's personal information, such as a credit card number or home address, could be stolen by a malicious site, if other sites have stored that data on the user's hard drive. The flaw involved Microsoft's Internet Explorer 5.5 and 6.0 browsers.

Microsoft rated the hole as a high security risk, but it hasn't yet come out with a patch. For now, the software manufacturer urges users to do a work-around by disabling active scripts. A full explanation and instructions for the work-around are on Microsoft's TechNet site.

Microsoft spokesman Christopher Budd said the company faces a challenge in making consumers aware of the problem. "We are working with the press. We view the press as instrumental in getting out to the consumer base. As far as getting the word out, we are going high and low... because clearly we have an interest in getting the word out."

He said Microsoft is taking measures such as creating easy downloads at consumer-oriented security sites to get patches.

"They don't have to worry or dig into the technical [side]. We put a lot of effort into our bulletins," Budd said. "We've taken great pains to describe this in as plain English as possible. There's not going to be a single easy answer to this."

The vulnerability raises more questions over Microsoft's ability to securely manage personal data through its .Net and Passport services.

"I don't have faith in Passport anyway. It's like Swiss cheese. It's just another hole in the Swiss cheese called Passport," said Michele Rubenstein, a security expert in Washington and president of the EMA, a user forum within The Open Group, an IT user advocacy group.

To be fair, however, Rubenstein said, Web sites that don't store data securely or that store sensitive information on cookies also must share the blame. "A well-designed Web page should not store vital or critical information in a cookie stored on a hard disk," she said.

The magnitude of the hole also presents a daunting task for Microsoft in alerting consumers who may not pay attention to security bulletins and don't know how to apply work-arounds.

"People like my mom, who are on the Internet, aren't aware of these things," Rubenstein said. "How is she going to learn about that, unless someone is checking on security issues for her?"

In the statement posted yesterday, Microsoft said, "A malicious Web site with a malformed URL could read the contents of a user's cookie, which might contain personal information. In addition, it is possible to alter the contents of the cookie. This URL could be hosted on a Web page or contained in an HTML e-mail ... The vulnerability results because of an unsafe handling of cookies across [Internet Explorer] zones."

That is, instead of restricting a Web site to access only those cookies it stored on the user's hard drive, Internet Explorer allows Web sites to grab cookies from other sites.
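Rubenstein's point above, that a site should keep vital data out of the cookie it writes to disk, and the zone-crossing behaviour just described can be illustrated with a short Python example. This is added here and is not code from the article, from Microsoft, or from the researchers quoted. The `audit_cookie` check, the `SessionStore` class, the thresholds, and the sample cookie values are all constructed for the illustration; `4111111111111111` is a well-known Luhn-valid test number, not a real card. The audit flags cookie values that carry a card-like number or an e-mail address; the store shows the alternative, where the cookie holds only a random, expiring handle and the profile stays on the server, so a cookie read by the wrong site yields nothing but a revocable token.

```python
import re
import secrets
import time

# Constructed patterns: runs of 13-19 digits (card-number length) and e-mail addresses.
_DIGIT_RUN = re.compile(r"\d{13,19}")
_EMAIL = re.compile(r"[^@\s;=]+@[^@\s;]+\.[A-Za-z]{2,}")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: separates card-like digit runs from arbitrary numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def audit_cookie(cookie_header: str) -> list:
    """Return the names of cookies in a Cookie header whose values look like
    personal data (a Luhn-valid card number or an e-mail address)."""
    flagged = []
    for part in cookie_header.split(";"):
        if "=" not in part:
            continue
        name, value = part.strip().split("=", 1)
        card_like = any(luhn_ok(m.group()) for m in _DIGIT_RUN.finditer(value))
        if card_like or _EMAIL.search(value):
            flagged.append(name)
    return flagged


class SessionStore:
    """Server-side session store (constructed for this example). The cookie
    carries only a random token; the profile never leaves the server, so a
    cookie read by another site exposes nothing but a short-lived handle."""

    def __init__(self, ttl_seconds: int = 900):
        self._ttl = ttl_seconds
        self._sessions = {}  # token -> (profile, expiry timestamp)

    def issue(self, profile: dict, now: float = None) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits from the OS CSPRNG
        expires = (time.time() if now is None else now) + self._ttl
        self._sessions[token] = (dict(profile), expires)
        return token

    def lookup(self, token: str, now: float = None):
        entry = self._sessions.get(token)
        if entry is None:
            return None
        profile, expires = entry
        if (time.time() if now is None else now) >= expires:
            del self._sessions[token]  # expired: drop it and treat as unknown
            return None
        return dict(profile)

    def revoke(self, token: str) -> None:
        self._sessions.pop(token, None)


if __name__ == "__main__":
    # Constructed sample: the kind of cookie the article warns against, then the alternative.
    print(audit_cookie("card=4111111111111111; theme=dark"))  # ['card']
    store = SessionStore(ttl_seconds=900)
    token = store.issue({"name": "Alice", "card": "4111111111111111"})
    print(audit_cookie(f"session={token}"))  # []
    print(store.lookup(token))
```

The audit is a coarse screen, not a proof of absence: it will not catch encoded or encrypted PII, and a stolen session token still has to be limited by the server-side expiry and revocation shown above.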

Microsoft was notified of the vulnerability Nov. 1 by a Finnish security firm, Online Solution Ltd., another Microsoft spokesman said. At first, the firm agreed to work with Microsoft, he said, but then decided it would be a good marketing opportunity to publicize the vulnerability.

Microsoft said in its advisory that the person who discovered this vulnerability has irresponsibly and deliberately made this issue public only a few days after reporting it to Microsoft.

Microsoft released this statement that it said it received from Online Solution's CEO: "Finding and reporting of this kind of vulnerability is a great marketing opportunity for us ... we are willing to postpone the publication if we can find any way to work together so that our company would otherwise benefit from this. Otherwise, we don't see any reason to not report this bug and use it for our marketing purposes."

Online Solutions responded by saying it believed a week was sufficient time for Microsoft to come up with a patch, and that Internet Explorer users were entitled to know of the vulnerability.


Windows Media Player must be patched to fix IE

A trivial scrap of malicious JavaScript can defeat entirely the Platform for Privacy Preferences (P3P) 'protections' Microsoft has integrated into Internet Explorer 6, all because of a dodgy 'feature' in Windows Media Player (WMP).

According to a post by privacy advocate Richard M. Smith to the BugTraq mailing list Tuesday, WMP generates by default a serial number which can be grabbed by a Web site using the simple exploit. The number can be used as a 'super cookie', as Smith calls it, enabling a nosey third party to track a victim's on-line comings and goings regardless of their cookie handling rules.

Even if all cookies are deleted and privacy policy set to reject them, the WMP number can be used to track users because it's stored in the Windows Registry. It can be read with a simple ClientID request, as Smith illustrates with a demo Web page. The hole affects both IE6 and older versions of Netscape, Smith says.

The coding here is embarrassingly simple:

ID=WMP WIDTH=1 HEIGHT=1>

"Once the ID number is available to a JavaScript program, it can be sent back to a Web site either by appending it to the URL of a Web bug or storing it in a regular Web browser cookie," Smith explains.

The only fix is for users of older versions of WMP to patch their systems, and then to select the option in WMP which disables the wonderful 'feature' allowing their players to be uniquely identified. (Why anyone in his right mind would desire such a thing is quite beyond me; but the feature, incredibly, is enabled by default.)

Once a user turns off the option, a unique WMP number will be generated for each IE session, so long-term tracking is impossible.

"However, asking the average user to solve an Internet Explorer privacy leak by manually changing settings in a different program seems a bit much to me. Especially considering that there are many people who have never run Windows Media Player, yet they are still vulnerable to the problem," Smith notes.

And indeed, the idea that a media application might be causing a Web browser to leak data in spite of its own security settings would be counter-intuitive to the casual user or computing newbie.

It's only after we've become familiar with Microsoft's habits in security engineering that such a thing begins to make perfect sense.

What Billg's new security effort will cost

If Chairman Gates actually meant what he said in his recent memo calling for dramatically improved security in all MS products, then there are going to be some immense changes going on in Redmond. Changes in how software is created; changes in how features are integrated into them; changes in product development schedules; changes in disclosure practices. Indeed, we can determine just how serious Microsoft is by tracking the metamorphosis which a real shift towards security will necessitate.

We spoke recently with Counterpane Internet Security CTO Bruce Schneier, who has a pretty clear idea what a security-serious Microsoft would look like.

Schneier is cautiously optimistic, and for now would give MS the benefit of the doubt. Microsoft can do this, he says. But it will be difficult, and it will require an extraordinary shift in the Redmond culture.

For one thing, Schneier says, MS is simply going to have to open its protocols to evaluation and peer review. They simply won't succeed otherwise.

"I'm not talking about making it open source, but rather public source," he told us. "There is no way to achieve trustworthiness other than publication."

Next, the EULA (End User License Agreement), which absolves the company of all liability, "will simply have to go." Schneier reckons that a lot of what motivated Gates to take on security is the looming threat of liability litigation.

Now, Billg himself has said that product features will have to take a back seat to security for the company to earn the trust of consumers. But this will be exceptionally painful to MS software designers accustomed to working into their projects every slick bell and whistle they can think of.

"Putting security ahead of features is not easy," Schneier says. "Microsoft is going to have to say things like, 'We're going to put the entire .NET initiative on hold, probably for years, while we work the security problems out.' They're going to have to stop all development on operating system features while they go through their existing code, line by line, fixing vulnerabilities, eliminating insecure functionality, and adding security features."

Another mark of MS' commitment to security will be visible when the company ceases to treat vulnerabilities as a public relations problem, and deals with them openly and honestly.

Microsoft's most recent inclination has been to discourage vulnerability disclosure, and persuade customers to make use of auto-update, which patches the system behind their backs. The user never knows what was wrong, or whether the fix being applied is effective. This is obviously not a way to cultivate trust, and it will have to be abandoned if MS really wants a shiny new reputation suggestive of good security.

"When Netscape was serious about public scrutiny, they paid $1,000 for each security bug reported to them. Microsoft can no longer threaten, insult, or belittle independent researchers who find vulnerabilities in their products," Schneier observed.

This all sounds like a radically different Microsoft from the one we know and love, and that's just the point. The company quite simply cannot achieve the goals set forth in the Billg security declaration and remain unchanged.

It's undeniable that MS has the resources, both human and financial, to accomplish what it sets out to do. It's also undeniable that the company has an almost neo-Confucian tendency to substitute form for substance.

But as Schneier points out, there will be signs that can't be faked, and which will indicate just how serious the Beast is with its Trusted Computing initiative. The question remains, is this a PR stunt, or is it news?


Windows XP still under scrutiny

Differences of opinion continue to swirl over a potentially problematic Universal Plug and Play service in Microsoft Corp.'s Windows XP operating system.

The FBI's National Infrastructure Protection Center last week revised a recent security bulletin, removing a recommendation that systems administrators consider disabling the UPnP service in Windows XP.

After "careful review" of technical materials, the FBI agency stated that it is "satisfied" that a patch corrects a vulnerability that could lead to system compromise and "affords substantial and adequate protection" against the critical vulnerability that could lead to denial-of-service attacks.

But some security experts continue to recommend that, in addition to installing the patch, users disable the UPnP service, which lets PCs discover and use newly added network-based devices, such as printers, that advertise themselves as being available.

Marc Maiffret, chief hacking officer at Aliso Viejo, Calif.-based eEye Digital Security, the security firm that notified Microsoft about the UPnP vulnerabilities shortly after Windows XP was launched, charged that the UPnP protocol is "half-assed" and needs to be scrutinized more closely with security in mind. "Until they actually redo it, it's not something people should be using," Maiffret said.

"It just allows for a lot of ways that you can manipulate systems or services to basically use UPnP to either hide attacks or use UPnP as a jump point for other attacks," Maiffret said. Microsoft's patch fixes the problem "as far as what we know now," but since people aren't using UPnP, the service should be disabled, he said.

Russ Cooper, an analyst at TruSecure Corp. in Herndon, Va., and moderator of the Windows NTBugTraq mailing list, said UPnP "offers many more opportunities for problems," and Microsoft shouldn't have released the UPnP capability until the protocol was well thought out.

"Microsoft had to modify the UPnP protocol as defined by the UPnP Forum in order to patch against vulnerabilities demonstrated by eEye," Cooper said. "If the only way to protect against the vulnerabilities is to modify the protocol, the protocol is flawed."

The first version of the UPnP architecture was ratified in June 2000 by the UPnP Forum, a nonprofit group of more than 400 vendors from the consumer electronics, computing, home security, home appliance, computer networking and related industries. The forum defined and published UPnP device and service descriptions to help devices connect to each other and simplify home networking.

Mark Lee, chairman of the UPnP Forum and a lead Windows product manager at Microsoft, said the forum has a security working committee that proactively looks to make sure that UPnP is a secure technology and checks out various scenarios in which UPnP technology is going to be used. He said the UPnP Forum is open to input from industry participants. "If there are ways to make the technology better, we're ready and able to listen," Lee said.

A Microsoft spokesman said the company remains committed to UPnP technology and doesn't believe that "enabling UPnP in and of itself poses a security risk."

"There is great customer interest in UPnP, especially as more UPnP-capable devices are becoming available," said Scott Culp, manager of Microsoft's Security Response Center. "Folks who don't want UPnP can certainly turn off the service, but just applying the patch is sufficient to return it to safe operation."

Roger Gariepy, chief information technologist at Air Products and Chemicals Inc. in Allentown, Pa., said he's not sure he would "turn on a system that allows non-directly-attached devices to automatically plug into the PC." He added, "I don't think we're going to have a lot of UPnP-capable devices in the corporation."

The UPnP service is enabled by default in Microsoft's Windows XP operating system, which was launched Oct. 25. It can be activated in Windows ME and installed in Windows 98 and 98SE via the Internet Connection Sharing client that ships with XP.

Maiffret said eEye Digital Security notified Microsoft about the denial-of-service vulnerability in the UPnP service on Oct. 26. He said the firm told Microsoft about two more vulnerabilities, distributed denial of service and buffer overflow, in November.

Microsoft announced the vulnerabilities on Dec. 20, upon releasing its patches. A company spokesman defended the time lag, noting that the company had to develop patches for four operating systems with more than 20 language versions for each.

"All told, we developed well over 100 different versions of the patch," the spokesman said. He also noted that the testing requirements were significant. "Our testers worked around the clock to complete the testing in time to release the patch prior to Christmas week."

Gariepy noted that security vulnerabilities aren't unique to Microsoft. "All operating system vendors need to address this far more seriously than they have in the past," he said.





prE tehk shEn por faVor PABlo Bley aka Paul Alan Bley 1:10 AM


Begin 2 QuBitize

   
Microsoft's Security Hole(s)!

One Side of the Story

The federal government and technology industry want you to believe the threats to our networks are external, not internal, where someone must be held accountable when things go wrong. Thus, we hear the rhetoric about cyber terrorists, hackers, and the so-called 'Digital Pearl Harbor' - things you can't easily point fingers at and hold someone accountable for when bad things happen. The White House would be wise to look at our nation's own self-induced vulnerabilities before rushing to spin up a sinister external threat; absent the rich target of opportunity presented by nearly all Microsoft products, hackers, crackers, and electronic evildoers would have a much harder time causing mainstream mischief every other week.

Windows XP was promoted by Microsoft as perhaps the ultimate and most secured Windows operating system the firm had ever created, and one of its key features was increased security from electronic evildoers like hackers, crackers, and so-called cyber terrorists. Released on October 25, it was to be the default operating system on all new personal computers sold, and its release was timed to coincide with new PC sales for the 2001 holiday season.

Unfortunately, Windows XP doesn't protect you from Microsoft, an entity some argue is more dangerous than any cyber terrorist or hacker gang.

It turns out that Windows XP ships with a new feature called Universal Plug and Play (UPnP) enabled by default, thus allowing UPnP devices to locate each other on a local network, so that your home computer can talk to your refrigerator can talk to your toaster can talk to your stereo can send messages to your PDA, and so forth. However, as a result of this oversight, someone could remotely use this feature to exploit, control, or disrupt a system from remote locations around the world. As if computer exploits aren't bad enough, you'll soon have to worry about someone turning off your freezer and spoiling your holiday leftovers....

Note this is not to be confused with the Windows Remote Assistance feature -- promoted as one of the major benefits of using Windows XP, yet functioning in essentially the same way as the UPnP exploit. (One wonders how quickly the Remote Assistance feature will be exploited in the future as well.)

Marc Maiffret, the talented, blue-haired 'Chief Hacking Officer' of Eeye Digital Security, demonstrated the UPnP exploit to a shocked group of reporters yesterday. As a result, media and security experts are calling this "The Mother of All Exploits" for Windows XP, scrambling to inform the public about the importance of downloading and installing the fix for this problem -- a security problem not caused by a hacker or cracker, but developed and implemented exclusively by Microsoft for your computing convenience and to enhance your user experience as a 'feature' of the product.

According to an AP story, Microsoft Security Manager Scott Culp called this latest vulnerability the "the first network-based, remote compromise that I'm aware of for Windows desktop systems" and a "very serious vulnerability."

I guess it's all in how you define "compromise." How very Clintonian.

Although repeatedly interviewed by the media reporting on Microsoft-based security events over the years, Culp apparently doesn't consider any of the following Microsoft-centric security exploits as "network-based, remote compromises" for "Windows desktop systems" either -- the series of Back Orifice programs from the always-amusing Cult of the Dead Cow (cDc) to e-mail worms, Trojans, and viruses (think BadTrans) that can transmit sensitive information from systems they infect.

Did Culp miss a few days of class here and there and forget to read up on SECHOLE.EXE (July 1998), the assorted Internet Explorer cross-frame scripting exploits (September 1998) or the mid-2000 ability to remotely exploit a Windows desktop through a buffer overflow found in the Clip Art feature of Microsoft Office? And what about Windows File and Print Sharing vulnerabilities from back in 1995?

How about the seemingly-endless number of buffer overflow exploits (think CodeRed, Lion, and Nimda) that plague Microsoft Internet Information Server (IIS) -- granted, IIS isn't made for "Windows desktops" but it deserves mention given the nearly-identical software code in Microsoft's desktop and server products.

So how exactly does Microsoft classify these other types of network-centric exploits? As nuisances but the price of doing business in the wired world?

When will it end? And what to do about this latest security problem originating in Redmond?

Microsoft, as the world's largest purveyor of PC software, with an established monopoly status, needs to do the responsible thing. Rather than continue to preach security as a marketing tool for its .NET venture, an avenue for business development with new proprietary 'standards' and fee-based, censored security 'partnerships' or review its reactive measures, it should get back to the basics and look within for the solution to its internal problems that usually evolve into the world's problems.

Simply put, Microsoft needs to review its software code line-by-line and clean it up. Years of service packing, patching, re-patching, updating, critical updating, and hot-fixing Windows products have made them dirty and prone to breaking, as we see every few months. Better yet, Microsoft needs to revisit the basic design of Windows - namely, removing the shared code between applications and the underlying Windows operating system (like the pervasiveness of the Web-enabled Internet Explorer across each Windows application and system). Like a car, it's time to bring the Windows code into the shop for a major tune-up. Actually, a worldwide recall might be in order.

In addition, Microsoft must not only ensure its products work well together, but also conduct much more aggressive 'abuse testing' of its software (e.g., XP) before it gets released to the Real World. Such testing should be done by independent third parties and conducted in a transparent, public manner to preclude any claims of bias in the results of such testing.

In general, Microsoft should conduct what the rest of the computing community considers a real "beta test" -- namely, making sure that a supposedly finished application works as intended, using experienced users to test the functionality, durability, and security of the product in a real-world, real-use, take-no-prisoners environment....not use its much ballyhooed 'beta test' periods as the opportunity to market advance copies of their products, many of which never seem to get out of the beta stage even when they're officially released for sale!

In none of the interviews regarding the UPnP situation has Culp admitted that Eeye did the responsible thing by informing Microsoft and waiting for the fix to be available from Microsoft before releasing information on this critical exploit to the internet community, something many folks in the security community (all outside of Microsoft) consider 'responsible disclosure.' According to reports, it took Microsoft nearly two months to release a patch after learning of the exploit. While Eeye's actions were praiseworthy, I wouldn't wait so long before mentioning such a critical security problem to the community.

Realistically, a vendor should be able to examine and verify a reported exploit -- particularly one as critical as this one -- and release a patch or publish corrective guidance to the public in about two weeks. In this case, Microsoft -- had it decided it was in its interest to do so -- could have easily assigned fourteen thousand programmer man-days (1000 programmers x 14 days) to address the problem within two weeks. Eeye was very generous in giving Microsoft so long to fix the problem, although why it took nearly two months for Microsoft to address the problem raises some disturbing questions.

Perhaps acknowledging this would be contrary to the tone and contents of Culp's October 2001 missive calling for a Microsoft-based Vatican of Vulnerability to quell the public disclosure of security vulnerabilities and implement software security through obscurity and public ignorance. More interestingly, Eeye reported the UPnP exploit to Microsoft back in October (according to sources at Eeye, the day after Windows XP was released).

Was Microsoft's two-month silence on this critical exploit a business decision to avoid public embarrassment on a new product so close to the holiday (e.g., "new PC purchasing") season? We can only wonder.

Microsoft is by far the most notorious in their vulnerability announcements, legalese, and cover-their-tail security alerts, something cDc member Tweety Fish noted in a 1999 interview discussing the growing number of Microsoft-generated security problems back then. He noted that Microsoft "will not consider any given security risk a problem until it becomes a problem in the press." Or, to put it another way, it's not really a problem until Microsoft says so.

Actions speak louder than words. Microsoft pays security plenty of lip service for marketing and public relations spin control, but the firm's history of addressing security problems falls quite short of what security professionals would consider a robust, long-term commitment to dealing effectively with the matter. Thus, it's up to third parties like Eeye and other research firms to continue serving as a "check and balance" against a future of vendor-induced security-through-obscurity and public ignorance.

Thanks to Eeye's responsible disclosure of this catastrophic vulnerability in Windows XP, not only is the Internet a bit safer, but their actions prove once again that voluntary disclosure of vulnerability information is possible without a fee-based vendor-sponsored private club.


The Other Side of the Story


Everyone from the FBI to the LA Times has something scary to say about the new XP vulnerability. Here's why they all have it wrong.

The creation of marketing niches from Microsoft technologies is a model of perpetual motion. Redmond develops the products, and we get paid to implement, install, configure, customize, upgrade, secure, and to even break and exploit them.

Now the simple act of talking about Microsoft security is becoming a remunerative endeavor.

The recent Universal Plug and Play (UPnP) subsystem vulnerabilities in Microsoft XP, as well as some ME and 98 systems, have resulted in a media circus that has beaten out Code Red -- and there is not even an exploit yet!

Don't get me wrong -- coverage of security issues is a Good Thing. This one could be serious as it has some potential for abuse if the right people put their minds to it. And given the fact that it would primarily affect home users, few of whom will ever see this article or read a Bugtraq post, the more people that know about UPnP the better.

But the information has to be accurate. The media and corresponding subset of technical news portals are doing a terrible job of reporting factual information -- particularly on this bug. From the FBI to the LA Times to Gibson Research Corporation, they all have it wrong.

So let's take it from the top. Universal Plug and Play is the term used to collectively refer to a set of standards, protocols, and services which support pervasive networking of intelligent devices and appliances in a peer-to-peer configuration; the kind of solution that will allow your wet bar to take stock of needed items and automatically add them to your Palm Pilot's shopping list.

It is a collaborative effort between many vendors and developers including HP, Apple, and of course Microsoft.

On the default installations of XP (Home and Pro) and some ME/98[5] installs, the UPnP subsystem is listening for NOTIFYs from UPnP enabled devices at startup. This is the problem.

The Simple Service Discovery Protocol (SSDP) service has issues with specially formatted NOTIFY datagrams which can be used to exploit a buffer overrun to gain SYSTEM access, or perform DoS or DDoS attacks as described in an advisory from eEye Digital Security, who discovered the bug.

Microsoft has released a patch and posted the fix on Windows Update. My issue is that so many people have rushed to be authorities on this bug that many didn't bother to get their facts straight before posting fixes and writing articles about it. The NIPC advisory gives people specific instructions on how to disable the "UPnP Device Host" on XP and has been widely linked to by many.

Unfortunately, this does absolutely nothing. I both phoned and emailed NIPC to inform them that the UPnP Service itself has nothing to do with this bug, and that the "SSDP Discovery Service" is the issue, but to date they still have not updated the site.

In addition to misinformation, ad-hungry media outlets like the LA Times are doing what they can to bring in the hits, headlining articles with FUD -- industry shorthand for Fear, Uncertainty and Doubt -- like "XP Patch Leaves Door Wide Open" that is not only completely wrong, but contains no detailed information about the issue, or even links on where to find the advisories.

At least the author admits that though he wrote a book on how to use XP, he could not figure out how to disable a service.

And of course Steve Gibson jumped on the bandwagon with a page dedicated to saturating the issue with his own special blend of FUD that is almost elevated to an art form. In a complete exit from anything security related, Gibson goes as far as to charge Microsoft with purposefully withholding an advisory and patch for this vulnerability so that Christmas sales would not be affected. This would be like me concocting some conspiracy theory where I charge the FBI for knowingly deceiving people with incorrect fix instructions so that they could still use the buffer overrun to push out Magic Lantern to seven million people. Hmmm....

It's not like it has been a slow news week for vulnerabilities -- it is just that nobody cares to talk about anything if it is not about Microsoft. In the SANS NewsBites email, more mention was given to Gibson's take on the UPnP issue than the entire coverage of David Litchfield's publication of an Oracle 9iAS remote system level buffer overrun: ten links were given to the UPnP bug; one link regarding Oracle. There was no link to the MS advisory.

And while Gartner is so kind as to bestow upon us their 'prediction' that hackers will use UPnP vulnerabilities in the future (which is really an amazing illustration of their keen insight into technology trends), they also fail to comment on any of the Oracle issues. They act more like bookies than security professionals; getting paid whether we win or lose.

Microsoft's security issues are bad. And though my call on this one is that we won't see any massive worm taking advantage of this particular vulnerability, the security of the Simple Service Discovery Protocol in itself still must be addressed and secured. And though Microsoft's own development team was wrong about the effectiveness of XP's Internet Connection Firewall against direct UPnP attacks (which does in fact protect you from unicast traffic), they still have a product that allows multicast and broadcast traffic to arrive to an interface unfiltered.

XP is still the most secure consumer OS that Microsoft has developed, but there will still be more peas in the potatoes in the future.

You can't increase security by giving people the wrong information, or not enough of the right information. If you don't like Microsoft, then don't buy their products. Write your congressman. Get a job at Oracle. Wear a penguin T-shirt. Do something about it. But don't wave your Microsoft Sucks flag with your left hand while pocketing your stipend with your right unless you just want to be part of the problem.


However, you should be aware of this:


A trio of flaws in the Universal Plug and Play (UPnP) service, which allows for automatic hardware detection in a network environment, can offer up total ownership of your machine to a malicious third party, Microsoft warns.

First up, and by far the most serious, an unchecked buffer in a component handling NOTIFY directives affecting Win 98 and ME, and XP, the most secure Windows ever produced. By sending a malicious NOTIFY directive, an attacker can run code in the UPnP service, which runs with System privileges on XP and at the OS level on 98 and ME. This would enable the attacker to own the system.

Next up, a denial of service vulnerability enabling an attacker to send a NOTIFY directive to a UPnP-capable machine, directing it to download what it needs from a particular port on a particular server. If the server were to echo the download requests, the target machine would enter an endless loop which could tie up its resources and from which the only escape is a re-boot.

Third, an attacker could use the DoS vulnerability to send a NOTIFY directive to a large number of machines and direct them to a third-party server, which would then be flooded with bogus requests, and possibly overwhelmed.
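As an added illustration (not code from the column, the advisory, or the article above), here is a small Python checker that parses SSDP NOTIFY datagrams and flags the three patterns just described from a defender's side: an oversized header value, a Location aimed at an echo-style port, and a Location that redirects the receiver to a host other than the sender. The size threshold, the port set, and the sample datagrams are constructed for this example and are not values taken from the advisory.

```python
"""Heuristic checks for SSDP NOTIFY datagrams (added example, not from the advisory)."""
from dataclasses import dataclass, field
from urllib.parse import urlsplit

# Assumed thresholds for this example; they are not values taken from the advisory.
MAX_HEADER_LEN = 512        # a header value longer than this is treated as suspicious
ECHO_STYLE_PORTS = {7, 19}  # echo and chargen: a server here reflects whatever it receives


@dataclass
class Finding:
    src_ip: str
    reasons: list = field(default_factory=list)


def parse_ssdp(raw: bytes) -> dict:
    """Split an SSDP (HTTP-over-UDP) datagram into method and header map; {} if not SSDP."""
    head = raw.decode("latin-1").partition("\r\n\r\n")[0]
    lines = head.split("\r\n")
    if not lines[0].startswith(("NOTIFY", "M-SEARCH")):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return {"method": lines[0].split(" ", 1)[0], "headers": headers}


def inspect_notify(src_ip: str, raw: bytes) -> Finding:
    """Flag oversized headers, echo-style Location ports, and off-sender Location hosts."""
    finding = Finding(src_ip)
    msg = parse_ssdp(raw)
    if msg.get("method") != "NOTIFY":
        return finding
    for name, value in msg["headers"].items():
        if len(value) > MAX_HEADER_LEN:
            finding.reasons.append(f"oversized {name} header ({len(value)} bytes)")
    location = msg["headers"].get("LOCATION")
    if location:
        parts = urlsplit(location)
        try:
            port = parts.port
        except ValueError:          # non-numeric or out-of-range port in the URL
            port = None
            finding.reasons.append("unparseable Location port")
        if port in ECHO_STYLE_PORTS:
            finding.reasons.append(f"Location points at echo-style port {port}")
        # A device normally advertises a description URL hosted on itself, so a
        # Location naming some other host (or a DNS name) deserves a second look.
        if parts.hostname and parts.hostname != src_ip:
            finding.reasons.append(f"Location host {parts.hostname} differs from sender")
    return finding


# Constructed sample datagrams (source IP, payload) for demonstration only.
SAMPLES = [
    ("192.168.1.20", b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                     b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
                     b"LOCATION: http://192.168.1.20:5000/desc.xml\r\n\r\n"),
    ("192.168.1.77", b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
                     b"NTS: ssdp:alive\r\nLOCATION: http://10.0.0.5:19/\r\n\r\n"),
    ("192.168.1.77", b"NOTIFY * HTTP/1.1\r\nNTS: ssdp:alive\r\n"
                     b"LOCATION: http://" + b"A" * 600 + b"/\r\n\r\n"),
]


def scan(samples):
    """Return only the findings that carry at least one reason."""
    return [f for f in (inspect_notify(s, r) for s, r in samples) if f.reasons]
```

The first sample is a normal advertisement and produces no finding; the second and third reproduce the redirect and oversized-header shapes from the text.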

UPnP services are native on Win XP and ME (though not enabled by default on ME), and are only present on 98 if support for Internet connection sharing is enabled. However, the fact that you haven't enabled this service doesn't necessarily mean you're safe if you have an OEM box. It might well have been enabled at the factory; so if you're in doubt, be sure to install the correct patch (below).

The flaws were discovered by eEye Digital Security. Microsoft has posted three patches on its TechWeb site.


Feds grill MS on Windows security


US Defense Department and FBI officials contacted Microsoft in December to express their concern over the recently-disclosed security bugs affecting all versions of Windows, the Associated Press reports.

The Feds were particularly concerned that the bug gives up root on Win-XP, ironically touted as the most secure Windows OS ever developed, the wire service says.

Additionally, the Feds sought assurance that the patches MS has issued are adequate to bung the holes without causing problems for the machines they're installed on.

According to MS, the patches are absolutely fabulous and will be installed via the Windows auto-update feature. Users who prefer to download them individually may do so here.

The bugs at issue are actually three flaws in the Windows Universal Plug and Play (UPnP) service. One of them can be exploited to gain System or OS-level access to any Windows machine using the service. Two others can be exploited for denial of service attacks, including the much-feared distributed variety.

We find it a healthy development that the Feds are finally showing MS that their security blunders will not go unnoticed. Whether this will translate into pressure sufficient for the company to get its act together remains to be seen; but if there's any entity which might influence the Redmond Leviathan, Uncle Sam is definitely it.

God knows generations of hackers have tried and failed to inspire the company to take security engineering seriously.




Microsoft founder Bill Gates has finally noodled out the fact that his precious .NET initiative is never going to fly if the company continues turning out insecure products. Therefore, in a long-winded bull to all Microserfs issued Wednesday, Billg finally admits that the company has wrongly emphasized whistles and bells over security, and decrees that this shall change.

"In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible," Gates writes.

And then he reveals the epiphany he's had: "We've done a terrific job at that, but all those great features won't matter unless customers trust our software."

Hallelujah. He's finally arrived on the same page as the rest of the computing world. And he claims that things are henceforth going to be different in Redmond.

"So now, when we face a choice between adding features and resolving security issues, we need to choose security."

Sounds great, but then he goes completely off the rails: "A good example of this is the change we made in Outlook to avoid email borne viruses."

Hello? Earth to Bill -- it took years of grinding public humiliation for MS to make a simple modification preventing malicious executables from launching automatically in Outlook. If this is Gates' idea of a security job well done, then all we have here is another PR smokescreen.

But we'll leave that for you to decide. Below is the declaration in full.


-----Original Message-----
From: Bill Gates
Sent: Tuesday, January 15, 2002 5:22 PM
To: Microsoft and Subsidiaries: All FTE
Subject: Trustworthy computing

Every few years I have sent out a memo talking about the highest priority for Microsoft. Two years ago, it was the kickoff of our .NET strategy. Before that, it was several memos about the importance of the Internet to our future and the ways we could make the Internet truly useful for people. Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work. If we don't do this, people simply won't be willing -- or able -- to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing. We must lead the industry to a whole new level of Trustworthiness in computing.

When we started work on Microsoft .NET more than two years ago, we set a new direction for the company -- and articulated a new way to think about our software. Rather than developing standalone applications and Web sites, today we're moving towards smart clients with rich user interfaces interacting with Web services. We're driving the XML Web services standards so that systems from all vendors can share information, while working to make Windows the best client and server for this new era.

There is a lot of excitement about what this architecture makes possible. It allows the dreams about e-business that have been hyped over the last few years to become a reality. It enables people to collaborate in new ways, including how they read, communicate, share annotations, analyze information and meet.

However, even more important than any of these new capabilities is the fact that it is designed from the ground up to deliver Trustworthy Computing. What I mean by this is that customers will always be able to rely on these systems to be available and to secure their information. Trustworthy Computing is computing that is as available, reliable and secure as electricity, water services and telephony.

Today, in the developed world, we do not worry about electricity and water services being available. With telephony, we rely both on its availability and its security for conducting highly confidential business transactions without worrying that information about who we call or what we say will be compromised. Computing falls well short of this, ranging from the individual user who isn't willing to add a new application because it might destabilize their system, to a corporation that moves slowly to embrace e-business because today's platforms don't make the grade.

The events of last year -- from September's terrorist attacks to a number of malicious and highly publicized computer viruses -- reminded every one of us how important it is to ensure the integrity and security of our critical infrastructure, whether it's the airlines or computer systems. Computing is already an important part of many people's lives. Within ten years, it will be an integral and indispensable part of almost everything we do. Microsoft and the computer industry will only succeed in that world if CIOs, consumers and everyone else sees that Microsoft has created a platform for Trustworthy Computing.

Every week there are reports of newly discovered security problems in all kinds of software, from individual applications and services to Windows, Linux, Unix and other platforms. We have done a great job of having teams work around the clock to deliver security fixes for any problems that arise. Our responsiveness has been unmatched -- but as an industry leader we can and must do better. Our new design approaches need to dramatically reduce the number of such issues that come up in the software that Microsoft, its partners and its customers create. We need to make it automatic for customers to get the benefits of these fixes. Eventually, our software should be so fundamentally secure that customers never even worry about it.

No Trustworthy Computing platform exists today. It is only in the context of the basic redesign we have done around .NET that we can achieve this. The key design decisions we made around .NET include the advances we need to deliver on this vision. Visual Studio .NET is the first multi-language tool that is optimized for the creation of secure code, so it is a key foundation element.

I've spent the past few months working with Craig Mundie's group and others across the company to define what achieving Trustworthy Computing will entail, and to focus our efforts on building trust into every one of our products and services. Key aspects include:

Availability: Our products should always be available when our customers need them. System outages should become a thing of the past because of a software architecture that supports redundancy and automatic recovery. Self-management should allow for service resumption without user intervention in almost every case.

Security: The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways. Security models should be easy for developers to understand and build into their applications.

Privacy: Users should be in control of how their data is used. Policies for information use should be clear to the user. Users should be in control of when and if they receive information to make best use of their time. It should be easy for users to specify appropriate use of their information including controlling the use of email they send.

Trustworthiness is a much broader concept than security, and winning our customers' trust involves more than just fixing bugs and achieving "five-nines" availability. It's a fundamental challenge that spans the entire computing ecosystem, from individual chips all the way to global Internet services. It's about smart software, services and industry-wide cooperation.

There are many changes Microsoft needs to make as a company to ensure and keep our customers' trust at every level - from the way we develop software, to our support efforts, to our operational and business practices. As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers' view of us as a company.

In recent months, we've stepped up programs and services that help us create better software and increase security for our customers. Last fall, we launched the Strategic Technology Protection Program, making software like IIS and Windows .NET Server secure by default, and educating our customers on how to get -- and stay -- secure. The error-reporting features built into Office XP and Windows XP are giving us a clear view of how to raise the level of reliability. The Office team is focused on training and processes that will anticipate and prevent security problems. In December, the Visual Studio .NET team conducted a comprehensive review of every aspect of their product for potential security issues. We will be conducting similarly intensive reviews in the Windows division and throughout the company in the coming months.

At the same time, we're in the process of training all our developers in the latest secure coding techniques. We've also published books like "Writing Secure Code," by Michael Howard and David LeBlanc, which gives all developers the tools they need to build secure software from the ground up. In addition, we must have even more highly trained sales, service and support people, along with offerings such as security assessments and broad security solutions. I encourage everyone at Microsoft to look at what we've done so far and think about how they can contribute.

But we need to go much further.

In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We've done a terrific job at that, but all those great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. A good example of this is the changes we made in Outlook to avoid email borne viruses. If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first. If there is any way we can better protect important data and minimize downtime, we should focus on this. These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services.

Going forward, we must develop technologies and policies that help businesses better manage ever larger networks of PCs, servers and other intelligent devices, knowing that their critical business systems are safe from harm. Systems will have to become self-managing and inherently resilient. We need to prepare now for the kind of software that will make this happen, and we must be the kind of company that people can rely on to deliver it.

This priority touches on all the software work we do. By delivering on Trustworthy Computing, customers will get dramatically more value out of our advances than they have in the past. The challenge here is one that Microsoft is uniquely suited to solve.

Bill


prE tehk shEn por faVor PABlo Bley aka Paul Alan Bley 11:58 PM

