Vulnerability Development mailing list archives
UPNP protocol problem (was) Windows XP Service Pack1 problem with activation
From: "Max Kennedy" <mxkennedy () fuse net>
Date: Fri, 13 Sep 2002 18:17:33 -0400
(UPNP problem mentioned third paragraph down. I believe its the first public attempt to talk about it) "I would challenge you to show me another business that is required to provide fixes for a product that you have stolen. They are limiting the updates to legitimate licensees. If said licensee has decided to (for whatever reason, good or bad) modify the code and / or files so that the software does not 'function as designed' (Product Activation...), can you not expect that there is a possibility that the patch/update won't work?" Fixes are not "benefits" to the customer, they are required so you are not rightfully sued by the customer or thrown in jail for negligence. I was talking about the wording of a Microsoft document, not the fact that they are trying to limit downloads to customers. It shows the same lack of being responsible on Microsoft's part. I throw back your challenge to you in your face. People who make baby buggies don't replace them on recalls for the benefit of the customer, they do it because it is required of them in a lawful society and because it is the right thing to do. Case in point: It was mentioned earlier this year that the universal plug and play discovery modules had buffer overflows, problem fixed, and a 'weakness' in its protocol, problem still unfixed. My system was essentially compromised *on install* because of it. Product activation attempts to connect to the internet. Win XP on bootup also sends out a general *broadcast* upnp message on startup. (outlook also sends out upnp messages by default, but they aren't general broadcast messages but messages specifically to the router). On lats run by an isp where you have an assigned local ip address whether you are logged on or not, that essentially means that your broadcast message is attempting to connect to the whole city, and it does.. Windows XP goes out an attempts to connect to other upnp devices, which namely are other windows systems since nothing else is really using that protocol. If the system is running as a gateway, your system may automatically try to use it as your router. And so it did. With multiple systems on my lat. You can say that you can turn upnp off but remember, this occurred right on install, right out of the box, before any updates were applied, as Microsoft's required product activation was being connected to on the internet. And it would be still be attempting to bridge to upnp gateways if I hadn't turned off a bunch of stuff. And as near as I can tell, not all these attempts are even hack attempts. Windows xp mucks things up, and goes out as a hack on its own. Although a weakness in the upnp protocol was mentioned last year, this is the first public message I am aware of that actually mentions a real life example of it. As far as Microsoft's wording, this is just an example of a moral problem in our society, where x is not under the same standard as y, because x is more powerful and a hypocrite. FYI: The problem mentioned with the service pack not returning an error message earlier is probably a bug. According to the documentation linked, it supposedly sends an error message out to those it deems to be a pirate. Surely it ought to have returned an error message in my case as well, a real customer. Alas, it didn't, and I had to figure out how to prove my innocence to Microsoft on my own so I could get the product I bought to work. Prove my innocence, doesn't that remind anyone of a legal principle?
Current thread:
- UPNP protocol problem (was) Windows XP Service Pack1 problem with activation Max Kennedy (Sep 17)
- RE: UPNP protocol problem (was) Windows XP Service Pack1 problem with activation Dodol Bali (Sep 18)