Information Security News mailing list archives

2pg article - Who Needs Hackers? We've Got Microsoft!

From: InfoSec News <isn () c4i org>
Date: Mon, 24 Dec 2001 02:06:19 -0600 (CST)

Forwarded from: Richard Forno <rforno () infowarrior org>

Article with contextual URLs:

Length: 2 pages or so.

Who Needs Hackers? We've Got Microsoft!

Richard Forno 
20 December 2001: Essay #2001-15
rforno () infowarrior org

(c) 2001 by Author. Permission is granted to quote, reprint or redistribute
provided the text is not altered, and appropriate credit is given.

By now, people know that I'm not the world's greatest Microsoft fan.
Truth be told, I'm not completely biased against the company, and will
even acknowledge that it has - at various points - produced some
decent products. I also don't 'bash' Microsoft because it's the 'in'
thing to do these days, but because there are serious problems with
the software company's products and services that they continue to
ignore. In fact, some would argue, they just don't get it. Such
observations, therefore, must be voiced.

The federal government and technology industry want you to believe the
threats to our networks are external, not internal, where someone must
be held accountable when things go wrong. Thus, we hear the rhetoric
about cyberterrorists, hackers, and the so-called 'Digital Pearl
Harbor' - things you can't easily point fingers at and hold someone
accountable for when bad things happen. The White House would be wise
to look at our nation's own self-induced vulnerabilities before
rushing to spin up a sinister external threat; absent the rich target
of opportunity presented by nearly all Microsoft products, hackers,
crackers, and electronic evildoers would have a much harder time
causing mainstream mischief every other week.

Given that concern, Windows XP was promoted by Microsoft as perhaps
the ultimate and most secured Windows operating system the firm had
ever created, and one of its key features was increased security from
electronic evildoers like hackers, crackers, and so-called
cyberterrorists. In fact, in a recent interview with E-Week, Microsoft
Vice President Jim Allchin said that Windows XP is "...dramatically
more secure than Windows 2000 or any of the prior systems."

Unfortunately, Windows XP doesn't protect you from Microsoft, an
entity some argue is more dangerous than any cyberterrorist or hacker.

It turns out that Windows XP ships with a new feature called
Universal Plug and Play (UPnP) enabled (turned on) by default - thus
allowing UPnP devices to locate each other on a local network, so that
your home computer can talk to your refrigerator can talk to your
toaster can talk to your stereo can send messages to your PDA, and so
forth. However, as a result of this oversight, someone could remotely
use this feature to exploit, control, or disrupt a system from remote
locations around the world. As if computer exploits aren't bad enough,
you'll soon have to worry about someone turning off your freezer and
spoiling your holiday leftovers....

Note this is not to be confused with the Windows Remote Assistance
feature - promoted as one of the major benefits of using Windows XP,
yet functioning in essentially the same way as the UPnP exploit. (One
wonders how quickly the Remote Assistance feature will be exploited in
the future as well.)

Marc Maiffret, the talented, blue-haired 'Chief Hacking Officer' of
Eeye Security, demonstrated the UPnP exploit to a shocked group of
reporters yesterday. As a result, media and security experts are
calling this "The Mother of All Exploits" for Windows XP, scrambling
to inform the public about the importance of downloading and
installing the fix for this problem - a security problem not caused by
a hacker or cracker, but developed and implemented exclusively by
Microsoft for your computing convenience and to enhance your user
experience as a 'feature' of the product.

According to an AP story by Ted Bridis, Microsoft Security Manager
Scott Culp called this latest vulnerability "the first
network-based, remote compromise that I'm aware of for Windows desktop
systems" and a "very serious vulnerability."

I guess it's all in how you define "compromise." How very Clintonian.

Although repeatedly interviewed by the media reporting on
Microsoft-based security events over the years, Culp apparently
doesn't consider any of the following Microsoft-centric security
exploits as "network-based, remote compromises" for "Windows desktop
systems" either - the series of Back Orifice programs from the
always-amusing Cult of the Dead Cow (CDC) to e-mail worms, trojans,
and viruses (think BadTrans) that can transmit sensitive information
from systems they infect. Did Culp miss a few days of class here and
there and forget to read up on SECHOLE.EXE (July 1998), the assorted
Internet Explorer cross-frame scripting exploits (September 1998) or
the mid-2000 ability to remotely exploit a Windows desktop through a
buffer overflow found in the Clip Art feature of Microsoft Office? And
what about Windows File and Print Sharing vulnerabilities from back in
1995? How about the seemingly-endless number of buffer overflow
exploits (think CodeRed, Lion, and Nimda) that plague Microsoft
Internet Information Server (IIS) - granted, IIS isn't made for
"Windows desktops" but it deserves mention given the nearly-identical
software code in Microsoft's desktop and server products.

So how exactly does Microsoft classify these other types of
network-centric exploits? As nuisances but the price of doing business
in the wired world?

When will it end? And what to do about this latest security problem
originating in Redmond?

Microsoft, as the world's largest purveyor of PC software, with an
established monopoly status, needs to do the responsible thing. Rather
than continue to preach security as a marketing tool for its .NET
venture, an avenue for business development with new proprietary
'standards' and fee-based, censored security 'partnerships' or review
its reactive measures, it should get back to the basics and look
within for the solution to its internal problems that usually evolve
into the world's problems.

Simply put, Microsoft needs to review its software code line-by-line
and clean it up. Years of service packing, patching, re-patching,
updating, critical updating, and hotfixing Windows products have made
them dirty and prone to breaking, as we see every few months. Better
yet, Microsoft needs to revisit the basic design of Windows - namely,
removing the shared code between applications and the underlying
Windows operating system (like the pervasiveness of the Web-enabled
Internet Explorer across each Windows application and system.) Like a
car, it's time to bring the Windows code into the shop for a major
tune-up. Actually, a worldwide recall might be in order.

In addition, Microsoft must not only ensure its products work well
together, but also conduct much more aggressive 'abuse testing' of
its software (e.g., XP) before it gets released to the Real World.
Such testing should be done by independent third parties and conducted
in a transparent, public manner to preclude any claims of bias in the
results of such testing. In general, Microsoft should conduct what the
rest of the computing community considers a real "beta test" - namely,
making sure that a supposedly finished application works as intended,
using experienced users to test the functionality, durability, and
security of the product in a real-world, real-use, take-no-prisoners
environment... not use its much bally-hooed 'beta test' periods as
the opportunity to market advance copies of their products, many of
which never seem to get out of the beta stage even when they're
officially released for sale!

In none of the interviews regarding the UPnP situation has Culp
admitted that Eeye did the responsible thing by informing Microsoft
and waiting for the fix to be available from Microsoft before
releasing information on this critical exploit to the internet
community, something many folks in the security community (all outside
of Microsoft) consider 'responsible disclosure.' According to reports,
it took Microsoft nearly two months to release a patch after learning
of the exploit. While Eeye's actions were praiseworthy, I wouldn't
wait so long before mentioning such a critical security problem to the
community. Realistically, a vendor should be able to examine and verify
a reported exploit - particularly one as critical as this one - and
release a patch or publish corrective guidance to the public in about
two weeks. In this case, Microsoft - had it decided it was in its
interest to do so - could have easily assigned fourteen thousand
programmer man-days (1000 programmers x 14 days) to address the
problem within two weeks. Eeye was very generous in giving Microsoft
so long to fix the problem, although why it took nearly two months for
Microsoft to address the problem raises some disturbing questions.

Perhaps acknowledging this would be contrary to the tone and contents
of Culp's October 2001 missive calling for a Microsoft-based Vatican
of Vulnerability to quell the public disclosure of security
vulnerabilities and implement software security through obscurity and
public ignorance. More interestingly, Eeye reported the UPnP exploit
to Microsoft back in October (according to sources at EEye, the day
after Windows XP was released.) Was Microsoft's two-month silence on
this critical exploit a business decision to avoid public embarrassment
on a new product so close to the holiday (e.g., "new PC purchasing")
season? We can only wonder.

Microsoft is by far the most notorious in their vulnerability
announcements, legalese, and cover-their-tail security alerts,
something CDC member Tweety Fish noted in a 1999 interview discussing
the growing number of Microsoft-generated security problems back then.
He noted that Microsoft "will not consider any given security risk a
problem until it becomes a problem in the press." Or, to put it
another way, it's not really a problem until Microsoft says so.

Thanks to Eeye's responsible disclosure of this catastrophic
vulnerability in Windows XP, not only is the Internet a bit safer, but
their actions prove once again that voluntary disclosure of
vulnerability information is possible without a fee-based
vendor-sponsored club.


EEye Security Advisory and Technical Discussion - Easy to Understand
(20 Dec 01)

Microsoft's Fix to the UPnP Exploit

Article: "Microsoft," No. "Mickeysoft", Yes. (28 Nov 01)

Article: The Freedom to Innovate Includes The Freedom to Obfuscate:
Why Microsoft's New "Security Framework" is Just Another .NET
Vulnerability (10 Nov 2001)

Article: The Microsoft-English Dictionary 1.5  (What Microsoft Really
Means To Say) (28 Nov 01)
