Maximum Security
Security: freedom from danger; safety; protection; freedom from doubt or anxiety; something that makes one secure; freedom from want or poverty; the securing of buildings, valuables, government secrets, and the like from intrusion or theft.

~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

Begin 2 QuBitize Microsoft's Security Hole(s)!

One Side of the Story

The federal government and technology industry want you to believe the threats to our networks are external, not internal, where someone must be held accountable when things go wrong. Thus, we hear the rhetoric about cyber terrorists, hackers, and the so-called 'Digital Pearl Harbor' - things you can't easily point fingers at and hold someone accountable for when bad things happen. The White House would be wise to look at our nation's own self-induced vulnerabilities before rushing to spin up a sinister external threat; absent the rich target of opportunity presented by nearly all Microsoft products, hackers, crackers, and electronic evildoers would have a much harder time causing mainstream mischief every other week.

Windows XP was promoted by Microsoft as perhaps the ultimate and most secured Windows operating system the firm had ever created, and one of its key features was increased security from electronic evildoers like hackers, crackers, and so-called cyber terrorists. Released on October 25, it was to be the default operating system on all new personal computers sold, and its release was timed to coincide with new PC sales for the 2001 holiday season. Unfortunately, Windows XP doesn't protect you from Microsoft, an entity some argue is more dangerous than any cyber terrorist or hacker gang.
It turns out that Windows XP ships with a new feature called Universal Plug and Play (UPnP) enabled by default, thus allowing UPnP devices to locate each other on a local network, so that your home computer can talk to your refrigerator can talk to your toaster can talk to your stereo can send messages to your PDA, and so forth. However, as a result of this oversight, someone could remotely use this feature to exploit, control, or disrupt a system from remote locations around the world. As if computer exploits aren't bad enough, you'll soon have to worry about someone turning off your freezer and spoiling your holiday leftovers.... Note this is not to be confused with the Windows Remote Assistance feature -- promoted as one of the major benefits of using Windows XP, yet functioning in essentially the same way as the UPnP exploit. (One wonders how quickly the Remote Assistance feature will be exploited in the future as well.)

Marc Maiffret, the talented, blue-haired 'Chief Hacking Officer' of eEye Digital Security, demonstrated the UPnP exploit to a shocked group of reporters yesterday. As a result, media and security experts are calling this "The Mother of All Exploits" for Windows XP, scrambling to inform the public about the importance of downloading and installing the fix for this problem -- a security problem not caused by a hacker or cracker, but developed and implemented exclusively by Microsoft for your computing convenience and to enhance your user experience as a 'feature' of the product.

According to an AP story, Microsoft Security Manager Scott Culp called this latest vulnerability "the first network-based, remote compromise that I'm aware of for Windows desktop systems" and a "very serious vulnerability." I guess it's all in how you define "compromise." How very Clintonian.
Although repeatedly interviewed by the media reporting on Microsoft-based security events over the years, Culp apparently doesn't consider any of the following Microsoft-centric security exploits as "network-based, remote compromises" for "Windows desktop systems" either -- the series of Back Orifice programs from the always-amusing Cult of the Dead Cow (cDc) to e-mail worms, Trojans, and viruses (think BadTrans) that can transmit sensitive information from systems they infect. Did Culp miss a few days of class here and there and forget to read up on SECHOLE.EXE (July 1998), the assorted Internet Explorer cross-frame scripting exploits (September 1998) or the mid-2000 ability to remotely exploit a Windows desktop through a buffer overflow found in the Clip Art feature of Microsoft Office? And what about Windows File and Print Sharing vulnerabilities from back in 1995? How about the seemingly-endless number of buffer overflow exploits (think CodeRed, Lion, and Nimda) that plague Microsoft Internet Information Server (IIS) -- granted, IIS isn't made for "Windows desktops" but it deserves mention given the nearly-identical software code in Microsoft's desktop and server products. So how exactly does Microsoft classify these other types of network-centric exploits? As nuisances but the price of doing business in the wired world? When will it end? And what to do about this latest security problem originating in Redmond? Microsoft, as the world's largest purveyor of PC software, with an established monopoly status, needs to do the responsible thing. Rather than continue to preach security as a marketing tool for its .NET venture, an avenue for business development with new proprietary 'standards' and fee-based, censored security 'partnerships' or review its reactive measures, it should get back to the basics and look within for the solution to its internal problems that usually evolve into the world's problems. 
Simply put, Microsoft needs to review its software code line-by-line and clean it up. Years of service packing, patching, re-patching, updating, critical updating, and hot-fixing Windows products have made them dirty and prone to breaking, as we see every few months. Better yet, Microsoft needs to revisit the basic design of Windows - namely, removing the shared code between applications and the underlying Windows operating system (like the pervasiveness of the Web-enabled Internet Explorer across each Windows application and system.) Like a car, it's time to bring the Windows code into the shop for a major tune-up. Actually, a worldwide recall might be in order.

In addition, Microsoft must not only ensure its products work well together, but also conduct much more aggressive 'abuse testing' of its software (e.g., XP) before it gets released to the Real World. Such testing should be done by independent third parties and conducted in a transparent, public manner to preclude any claims of bias in the results of such testing. In general, Microsoft should conduct what the rest of the computing community considers a real "beta test" -- namely, making sure that a supposedly finished application works as intended, using experienced users to test the functionality, durability, and security of the product in a real-world, real-use, take-no-prisoners environment....not use its much ballyhooed 'beta test' periods as the opportunity to market advance copies of their products, many of which never seem to get out of the beta stage even when they're officially released for sale!

In none of the interviews regarding the UPnP situation has Culp admitted that eEye did the responsible thing by informing Microsoft and waiting for the fix to be available from Microsoft before releasing information on this critical exploit to the internet community, something many folks in the security community (all outside of Microsoft) consider 'responsible disclosure.'
According to reports, it took Microsoft nearly two months to release a patch after learning of the exploit. While eEye's actions were praiseworthy, I wouldn't wait so long before mentioning such a critical security problem to the community. Realistically, a vendor should be able to examine and verify a reported exploit -- particularly one as critical as this one -- and release a patch or publish corrective guidance to the public in about two weeks. In this case, Microsoft -- had it decided it was in its interest to do so -- could have easily assigned fourteen thousand programmer man-days (1000 programmers x 14 days) to address the problem within two weeks. eEye was very generous in giving Microsoft so long to fix the problem, although why it took nearly two months for Microsoft to address the problem raises some disturbing questions.

Perhaps acknowledging this would be contrary to the tone and contents of Culp's October 2001 missive calling for a Microsoft-based Vatican of Vulnerability to quell the public disclosure of security vulnerabilities and implement software security through obscurity and public ignorance. More interestingly, eEye reported the UPnP exploit to Microsoft back in October (according to sources at eEye, the day after Windows XP was released). Was Microsoft's two-month silence on this critical exploit a business decision to avoid public embarrassment on a new product so close to the holiday (e.g., "new PC purchasing") season? We can only wonder.

Microsoft is by far the most notorious in their vulnerability announcements, legalese, and cover-their-tail security alerts, something CDC member Tweety Fish noted in a 1999 interview discussing the growing number of Microsoft-generated security problems back then. He noted that Microsoft "will not consider any given security risk a problem until it becomes a problem in the press." Or, to put it another way, it's not really a problem until Microsoft says so. Actions speak louder than words.
Microsoft pays security plenty of lip service for marketing and public relations spin control, but the firm's history of addressing security problems falls quite short of what security professionals would consider a robust, long-term commitment to dealing effectively with the matter. Thus, it's up to third parties like eEye and other research firms to continue serving as a "check and balance" against a future of vendor-induced security-through-obscurity and public ignorance. Thanks to eEye's responsible disclosure of this catastrophic vulnerability in Windows XP, not only is the Internet a bit safer, but their actions prove once again that voluntary disclosure of vulnerability information is possible without a fee-based vendor-sponsored private club.

The Other Side of the Story

Everyone from the FBI to the LA Times has something scary to say about the new XP vulnerability. Here's why they all have it wrong.

The creation of marketing niches from Microsoft technologies is a model of perpetual motion. Redmond develops the products, and we get paid to implement, install, configure, customize, upgrade, secure, and to even break and exploit them. Now the simple act of talking about Microsoft security is becoming a remunerative endeavor. The recent Universal Plug and Play (UPnP) subsystem vulnerabilities in Microsoft XP, as well as some ME and 98 systems, have resulted in a media circus that has beaten out Code Red -- and there is not even an exploit yet!

Don't get me wrong -- coverage of security issues is a Good Thing. This one could be serious as it has some potential for abuse if the right people put their minds to it. And given the fact that it would primarily affect home users, few of whom will ever see this article or read a Bugtraq post, the more people that know about UPnP the better. But the information has to be accurate.
The media and corresponding subset of technical news portals are doing a terrible job of reporting factual information -- particularly on this bug. From the FBI to the LA Times to Gibson Research Corporation, they all have it wrong. So let's take it from the top.

Universal Plug and Play is the term used to collectively refer to a set of standards, protocols, and services which support pervasive networking of intelligent devices and appliances in a peer-to-peer configuration; the kind of solution that will allow your wet bar to take stock of needed items and automatically add them to your Palm Pilot's shopping list. It is a collaborative effort between many vendors and developers including HP, Apple, and of course Microsoft.

On the default installations of XP (Home and Pro) and some ME/98 installs, the UPnP subsystem is listening for NOTIFYs from UPnP enabled devices at startup. This is the problem. The Simple Service Discovery Protocol (SSDP) service has issues with specially formatted NOTIFY datagrams which can be used to exploit a buffer overrun to gain SYSTEM access, or perform DoS or DDoS attacks as described in an advisory from eEye Digital Security, who discovered the bug. Microsoft has released a patch and posted the fix on Windows Update.

My issue is that so many people have rushed to be authorities on this bug that many didn't bother to get their facts straight before posting fixes and writing articles about it. The NIPC advisory gives people specific instructions on how to disable the "UPnP Device Host" on XP and has been widely linked to by many. Unfortunately, this does absolutely nothing. I both phoned and emailed NIPC to inform them that the UPnP Service itself has nothing to do with this bug, and that the "SSDP Discovery Service" is the issue, but to date they still have not updated the site.
In addition to misinformation, ad-hungry media outlets like the LA Times are doing what they can to bring in the hits, headlining articles with FUD -- industry shorthand for Fear, Uncertainty and Doubt -- like "XP Patch Leaves Door Wide Open" that is not only completely wrong, but contains no detailed information about the issue, or even links on where to find the advisories. At least the author admits that though he wrote a book on how to use XP, he could not figure out how to disable a service. And of course Steve Gibson jumped on the bandwagon with a page dedicated to saturating the issue with his own special blend of FUD that is almost elevated to an art form. In a complete exit from anything security related, Gibson goes as far as to charge Microsoft with purposefully withholding an advisory and patch for this vulnerability so that Christmas sales would not be affected. This would be like me concocting some conspiracy theory where I charge the FBI for knowingly deceiving people with incorrect fix instructions so that they could still use the buffer overrun to push out Magic Lantern to seven million people. Hmmm.... It's not like it has been a slow news week for vulnerabilities -- it is just that nobody cares to talk about anything if it is not about Microsoft. In the SANS NewsBites email, more mention was given to Gibson's take on the UPnP issue than the entire coverage of David Litchfield's publication of an Oracle 9iAS remote system level buffer overrun: ten links were given to the UPnP bug; one link regarding Oracle. There was no link to the MS advisory. And while Gartner is so kind to bestow upon us their 'prediction' that hackers will use UPnP vulnerabilities in the future (which is really an amazing illustration of their keen insight into technology trends) they also fail to comment on any of the Oracle issues. They act more like bookies than security professionals; getting paid whether we win or lose. Microsoft's security issues are bad. 
And though my call on this one is that we won't see any massive worm taking advantage of this particular vulnerability, the security of the Simple Service Discovery Protocol in itself still must be addressed and secured. And though Microsoft's own development team was wrong about the effectiveness of XP's Internet Connection Firewall against direct UPnP attacks (which does in fact protect you from unicast traffic), they still have a product that allows multicast and broadcast traffic to arrive to an interface unfiltered. XP is still the most secure consumer OS that Microsoft has developed, but there will still be more peas in the potatoes in the future.

You can't increase security by giving people the wrong information, or not enough of the right information. If you don't like Microsoft, then don't buy their products. Write your congressman. Get a job at Oracle. Wear a penguin T-shirt. Do something about it. But don't wave your Microsoft Sucks flag with your left hand while pocketing your stipend with your right unless you just want to be part of the problem.

However, you should be aware of this:

A trio of flaws in the Universal Plug and Play (UPnP) service, which allows for automatic hardware detection in a network environment, can offer up total ownership of your machine to a malicious third party, Microsoft warns.

First up, and by far the most serious, an unchecked buffer in a component handling NOTIFY directives affecting Win 98 and ME, and XP, the most secure Windows ever produced. By sending a malicious NOTIFY directive, an attacker can run code in the UPnP service, which runs with System privileges on XP and at the OS level on 98 and ME. This would enable the attacker to own the system.

Next up, a denial of service vulnerability enabling an attacker to send a NOTIFY directive to a UPnP-capable machine, directing it to download what it needs from a particular port on a particular server.
If the server were to echo the download requests, the target machine would enter an endless loop which could tie up its resources and from which the only escape is a re-boot.

Third, an attacker could use the DoS vulnerability to send a NOTIFY directive to a large number of machines and direct them to a third-party server, which would then be flooded with bogus requests, and possibly overwhelmed.

UPnP services are native on Win XP and ME (though not enabled by default on ME), and are only present on 98 if support for Internet connection sharing is enabled. However, the fact that you haven't enabled this service doesn't necessarily mean you're safe if you have an OEM box. It might well have been enabled at the factory; so if you're in doubt, be sure to install the correct patch (below).

The flaws were discovered by eEye Digital Security. Microsoft has posted three patches on its TechWeb site.

Feds grill MS on Windows security

US Defense Department and FBI officials contacted Microsoft in December to express their concern over the recently-disclosed security bugs affecting all versions of Windows, the Associated Press reports. The Feds were particularly concerned that the bug gives up root on Win-XP, ironically touted as the most secure Windows OS ever developed, the wire service says.

Additionally, the Feds sought assurance that the patches MS has issued are adequate to bung the holes without causing problems for the machines they're installed on. According to MS, the patches are absolutely fabulous and will be installed via the Windows auto-update feature. Users who prefer to download them individually may do so here.

The bugs at issue are actually three flaws in the Windows Universal Plug and Play (UPnP) service. One of them can be exploited to gain System or OS-level access to any Windows machine using the service. Two others can be exploited for denial of service attacks, including the much-feared distributed variety.
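All three flaws described above start with a host accepting an unsolicited SSDP NOTIFY and acting on it. The following Python is an added example, not code from the quoted articles, Microsoft or eEye: it parses a NOTIFY datagram and applies defensive heuristics a monitoring sensor could use. The size caps, the LAN prefix, the finding labels and the sample datagrams are all assumptions constructed for illustration.

```python
"""Added example: flag suspicious SSDP NOTIFY datagrams (defensive heuristics)."""
import ipaddress
from urllib.parse import urlsplit

MAX_LINE = 512        # assumed per-line cap, not a value taken from any advisory
MAX_DATAGRAM = 1500   # assumed: a normal NOTIFY fits in one Ethernet frame


def parse_notify(datagram):
    """Return (headers, raw_lines) for a NOTIFY request, or None otherwise."""
    text = datagram.decode("latin-1")  # latin-1 never fails on arbitrary bytes
    lines = text.split("\r\n\r\n", 1)[0].split("\r\n")
    if not lines[0].upper().startswith("NOTIFY "):
        return None
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().upper()] = value.strip()
    return headers, lines


def inspect_notify(datagram, src_ip, local_net):
    """Return a sorted list of finding labels; an empty list means no finding."""
    parsed = parse_notify(datagram)
    if parsed is None:
        return []  # M-SEARCH and other traffic is out of scope here
    headers, lines = parsed
    net = ipaddress.ip_network(local_net)
    src = ipaddress.ip_address(src_ip)
    findings = set()

    # Discovery traffic is expected from devices on the local segment only.
    if src not in net:
        findings.add("off-link-source")
    # Length check only: the page does not say which field is overrun.
    if len(datagram) > MAX_DATAGRAM or any(len(l) > MAX_LINE for l in lines):
        findings.add("oversized")

    location = headers.get("LOCATION")
    if location is not None:
        try:
            loc_ip = ipaddress.ip_address(urlsplit(location).hostname or "")
        except ValueError:
            findings.add("location-not-ip")
        else:
            # A NOTIFY that points receivers at some other server matches the
            # redirect pattern behind the DoS and DDoS flaws described above.
            if loc_ip not in net:
                findings.add("location-off-link")
            if loc_ip != src:
                findings.add("location-host-mismatch")
    elif headers.get("NTS", "").lower() == "ssdp:alive":
        findings.add("alive-without-location")
    return sorted(findings)


def build_notify(**headers):
    """Build a constructed sample datagram (test input, not captured traffic)."""
    lines = ["NOTIFY * HTTP/1.1", "HOST: 239.255.255.250:1900"]
    lines += [f"{k.upper()}: {v}" for k, v in headers.items()]
    return ("\r\n".join(lines) + "\r\n\r\n").encode("latin-1")


LAN = "192.168.1.0/24"  # assumed home LAN prefix
USN = "uuid:constructed-0001::upnp:rootdevice"
BENIGN = build_notify(nts="ssdp:alive", nt="upnp:rootdevice", usn=USN,
                      location="http://192.168.1.1:5431/desc.xml")
REDIRECT = build_notify(nts="ssdp:alive", nt="upnp:rootdevice", usn=USN,
                        location="http://203.0.113.9/")
PADDED = build_notify(nts="ssdp:alive", nt="upnp:rootdevice", usn=USN,
                      location="http://192.168.1.50:5431/desc.xml",
                      server="x" * 2000)

if __name__ == "__main__":
    for name, pkt, src in [("benign", BENIGN, "192.168.1.1"),
                           ("redirect", REDIRECT, "192.168.1.50"),
                           ("padded", PADDED, "192.168.1.50"),
                           ("off-link", BENIGN, "198.51.100.7")]:
        print(name, inspect_notify(pkt, src, LAN))
```

Because multicast and broadcast traffic reaches the interface regardless of a unicast filter, a sensor running checks like these has to listen on the LAN segment itself rather than at the Internet edge.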
We find it a healthy development that the Feds are finally showing MS that their security blunders will not go unnoticed. Whether this will translate into pressure sufficient for the company to get its act together remains to be seen; but if there's any entity which might influence the Redmond Leviathan, Uncle Sam is definitely it. God knows generations of hackers have tried and failed to inspire the company to take security engineering seriously. Microsoft founder Bill Gates has finally noodled out the fact that his precious .NET initiative is never going to fly if the company continues turning out insecure products. Therefore, in a long-winded bull to all Microserfs issued Wednesday, Billg finally admits that the company has wrongly emphasized whistles and bells over security, and decrees that this shall change. "In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible," Gates writes. And then he reveals the epiphany he's had: "We've done a terrific job at that, but all those great features won't matter unless customers trust our software." Hallelujah. He's finally arrived on the same page as the rest of the computing world. And he claims that things are henceforth going to be different in Redmond. "So now, when we face a choice between adding features and resolving security issues, we need to choose security." Sounds great, but then he goes completely off the rails: "A good example of this is the change we made in Outlook to avoid email borne viruses." Hello? Earth to Bill -- it took years of grinding public humiliation for MS to make a simple modification preventing malicious executables from launching automatically in Outlook. If this is Gates' idea of a security job well done, then all we have here is another PR smokescreen. But we'll leave that for you to decide. Below is the declaration in full. 
-----Original Message-----
From: Bill Gates
Sent: Tuesday, January 15, 2002 5:22 PM
To: Microsoft and Subsidiaries: All FTE
Subject: Trustworthy computing

Every few years I have sent out a memo talking about the highest priority for Microsoft. Two years ago, it was the kickoff of our .NET strategy. Before that, it was several memos about the importance of the Internet to our future and the ways we could make the Internet truly useful for people. Over the last year it has become clear that ensuring .NET is a platform for Trustworthy Computing is more important than any other part of our work. If we don't do this, people simply won't be willing -- or able -- to take advantage of all the other great work we do. Trustworthy Computing is the highest priority for all the work we are doing. We must lead the industry to a whole new level of Trustworthiness in computing.

When we started work on Microsoft .NET more than two years ago, we set a new direction for the company -- and articulated a new way to think about our software. Rather than developing standalone applications and Web sites, today we're moving towards smart clients with rich user interfaces interacting with Web services. We're driving the XML Web services standards so that systems from all vendors can share information, while working to make Windows the best client and server for this new era.

There is a lot of excitement about what this architecture makes possible. It allows the dreams about e-business that have been hyped over the last few years to become a reality. It enables people to collaborate in new ways, including how they read, communicate, share annotations, analyze information and meet.

However, even more important than any of these new capabilities is the fact that it is designed from the ground up to deliver Trustworthy Computing. What I mean by this is that customers will always be able to rely on these systems to be available and to secure their information.
Trustworthy Computing is computing that is as available, reliable and secure as electricity, water services and telephony. Today, in the developed world, we do not worry about electricity and water services being available. With telephony, we rely both on its availability and its security for conducting highly confidential business transactions without worrying that information about who we call or what we say will be compromised. Computing falls well short of this, ranging from the individual user who isn't willing to add a new application because it might destabilize their system, to a corporation that moves slowly to embrace e-business because today's platforms don't make the grade. The events of last year -- from September's terrorist attacks to a number of malicious and highly publicized computer viruses -- reminded every one of us how important it is to ensure the integrity and security of our critical infrastructure, whether it's the airlines or computer systems. Computing is already an important part of many people's lives. Within ten years, it will be an integral and indispensable part of almost everything we do. Microsoft and the computer industry will only succeed in that world if CIOs, consumers and everyone else sees that Microsoft has created a platform for Trustworthy Computing. Every week there are reports of newly discovered security problems in all kinds of software, from individual applications and services to Windows, Linux, Unix and other platforms. We have done a great job of having teams work around the clock to deliver security fixes for any problems that arise. Our responsiveness has been unmatched -- but as an industry leader we can and must do better. Our new design approaches need to dramatically reduce the number of such issues that come up in the software that Microsoft, its partners and its customers create. We need to make it automatic for customers to get the benefits of these fixes. 
Eventually, our software should be so fundamentally secure that customers never even worry about it.

No Trustworthy Computing platform exists today. It is only in the context of the basic redesign we have done around .NET that we can achieve this. The key design decisions we made around .NET include the advances we need to deliver on this vision. Visual Studio .NET is the first multi-language tool that is optimized for the creation of secure code, so it is a key foundation element.

I've spent the past few months working with Craig Mundie's group and others across the company to define what achieving Trustworthy Computing will entail, and to focus our efforts on building trust into every one of our products and services. Key aspects include:

Availability: Our products should always be available when our customers need them. System outages should become a thing of the past because of a software architecture that supports redundancy and automatic recovery. Self-management should allow for service resumption without user intervention in almost every case.

Security: The data our software and services store on behalf of our customers should be protected from harm and used or modified only in appropriate ways. Security models should be easy for developers to understand and build into their applications.

Privacy: Users should be in control of how their data is used. Policies for information use should be clear to the user. Users should be in control of when and if they receive information to make best use of their time. It should be easy for users to specify appropriate use of their information including controlling the use of email they send.

Trustworthiness is a much broader concept than security, and winning our customers' trust involves more than just fixing bugs and achieving "five-nines" availability. It's a fundamental challenge that spans the entire computing ecosystem, from individual chips all the way to global Internet services.
It's about smart software, services and industry-wide cooperation. There are many changes Microsoft needs to make as a company to ensure and keep our customers' trust at every level - from the way we develop software, to our support efforts, to our operational and business practices. As software has become ever more complex, interdependent and interconnected, our reputation as a company has in turn become more vulnerable. Flaws in a single Microsoft product, service or policy not only affect the quality of our platform and services overall, but also our customers' view of us as a company. In recent months, we've stepped up programs and services that help us create better software and increase security for our customers. Last fall, we launched the Strategic Technology Protection Program, making software like IIS and Windows .NET Server secure by default, and educating our customers on how to get -- and stay -- secure. The error-reporting features built into Office XP and Windows XP are giving us a clear view of how to raise the level of reliability. The Office team is focused on training and processes that will anticipate and prevent security problems. In December, the Visual Studio .NET team conducted a comprehensive review of every aspect of their product for potential security issues. We will be conducting similarly intensive reviews in the Windows division and throughout the company in the coming months. At the same time, we're in the process of training all our developers in the latest secure coding techniques. We've also published books like "Writing Secure Code," by Michael Howard and David LeBlanc, which gives all developers the tools they need to build secure software from the ground up. In addition, we must have even more highly trained sales, service and support people, along with offerings such as security assessments and broad security solutions. I encourage everyone at Microsoft to look at what we've done so far and think about how they can contribute. 
But we need to go much further.

In the past, we've made our software and services more compelling for users by adding new features and functionality, and by making our platform richly extensible. We've done a terrific job at that, but all those great features won't matter unless customers trust our software. So now, when we face a choice between adding features and resolving security issues, we need to choose security. Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve. A good example of this is the changes we made in Outlook to avoid email borne viruses. If we discover a risk that a feature could compromise someone's privacy, that problem gets solved first. If there is any way we can better protect important data and minimize downtime, we should focus on this. These principles should apply at every stage of the development cycle of every kind of software we create, from operating systems and desktop applications to global Web services.

Going forward, we must develop technologies and policies that help businesses better manage ever larger networks of PCs, servers and other intelligent devices, knowing that their critical business systems are safe from harm. Systems will have to become self-managing and inherently resilient. We need to prepare now for the kind of software that will make this happen, and we must be the kind of company that people can rely on to deliver it.

This priority touches on all the software work we do. By delivering on Trustworthy Computing, customers will get dramatically more value out of our advances than they have in the past. The challenge here is one that Microsoft is uniquely suited to solve.

Bill

prE tehk shEn por faVor

PABlo Bley aka Paul Alan Bley 11:58 PM