[SECURITY-L] Who Needs Hackers? We've Got Microsoft!
Daniela Regina Barbetti
daniela em ccuec.unicamp.br
Wed Jan 16 15:25:15 -02 2002
----- Forwarded message from Cristine Hoepers <cristine em nic.br> -----
From: Cristine Hoepers <cristine em nic.br>
Subject: [S] Who Needs Hackers? We've Got Microsoft!
To: seguranca em pangeia.com.br
Date: Tue, 15 Jan 2002 17:28:45 -0200
X-Mailer: Mutt 1.0.1i
[http://www.infowarrior.org/articles/2001-15.html]
Who Needs Hackers? We've Got Microsoft!
Richard Forno
20 December 2001: Essay #2001-15
rforno em infowarrior.org
(c) 2001 by Author. Permission is granted to quote, reprint or
redistribute provided the text is not altered, and appropriate credit
is given.
Summary: The latest Microsoft bug is a doozy. Why do these things keep
cropping up?
______________________________________________________________________
This gives "Plug and Pray" a whole new meaning...
Plug your XP box to the Internet and pray the hackers don't find it.
(Slashdot)
"The only secure Microsoft software is what's still shrink-wrapped in
their warehouse..." (Forno)
______________________________________________________________________
By now, people know that I'm not the world's greatest Microsoft fan.
Truth be told, I'm not completely biased against the company, and will
even acknowledge that it has - at various points - produced some
decent products. I also don't 'bash' Microsoft because it's the 'in'
thing to do these days, but because there are serious problems with
the software company's products and services that they continue to
ignore. In fact, some would argue, they just don't get it. Such
observations, therefore, must be voiced.
The federal government and technology industry want you to believe the
threats to our networks are external, not internal, where someone
must be held accountable when things go wrong. Thus, we hear the
rhetoric about cyberterrorists, hackers, and the so-called 'Digital
Pearl Harbor' - things you can't easily point fingers at and hold
someone accountable for when bad things happen. The White House would
be wise to look at our nation's own self-induced vulnerabilities
before rushing to spin up a sinister external threat; absent the rich
target of opportunity presented by nearly all Microsoft products,
hackers, crackers, and electronic evildoers would have a much harder
time causing mainstream mischief every other week.
Windows XP was promoted by Microsoft as perhaps the ultimate and most
secured Windows operating system the firm had ever created, and one of
its key features was increased security from electronic evildoers like
hackers, crackers, and so-called cyberterrorists. In fact, in a recent
interview with E-Week, Microsoft Vice President Jim Allchin said
that Windows XP is "...dramatically more secure than Windows 2000 or
any of the prior systems." Released on October 25, it was to be the
default operating system on all new personal computers sold, and its
release was timed to coincide with new PC sales for the 2001 holiday
season.
Unfortunately, Windows XP doesn't protect you from Microsoft, an
entity some argue is more dangerous than any cyberterrorist or hacker
gang.
It turns out that Windows XP ships with a new feature called
Universal Plug and Play (UPnP) enabled (turned on) by default -
thus allowing UPnP devices to locate each other on a local network, so
that your home computer can talk to your refrigerator can talk to
your toaster can talk to your stereo can send messages to your PDA,
and so forth. However, as a result of this oversight, someone could
remotely use this feature to exploit, control, or disrupt a system
from remote locations around the world. As if computer exploits aren't
bad enough, you'll soon have to worry about someone turning off your
freezer and spoiling your holiday leftovers....
Note this is not to be confused with the Windows Remote Assistance
feature - promoted as one of the major benefits of using Windows XP,
yet functioning in essentially the same way as the UPnP exploit. (One
wonders how quickly the Remote Assistance feature will be exploited in
the future as well.)
Marc Maiffret, the talented, blue-haired 'Chief Hacking Officer' of
Eeye Security, demonstrated the UPnP exploit to a shocked group of
reporters yesterday. As a result, media and security experts are
calling this "The Mother of All Exploits" for Windows XP, scrambling
to inform the public about the importance of downloading and
installing the fix for this problem - a security problem not caused by
a hacker or cracker, but developed and implemented exclusively by
Microsoft for your computing convenience and to enhance your user
experience as a 'feature' of the product.
According to an AP story by Ted Bridis, Microsoft Security Manager
Scott Culp called this latest vulnerability "the first
network-based, remote compromise that I'm aware of for Windows desktop
systems" and a "very serious vulnerability."
I guess it's all in how you define "compromise." How very Clintonian.
Although repeatedly interviewed by the media reporting on
Microsoft-based security events over the years, Culp apparently
doesn't consider any of the following Microsoft-centric security
exploits as "network-based, remote compromises" for "Windows desktop
systems" either - the series of Back Orifice programs from the
always-amusing Cult of the Dead Cow (CDC) to e-mail worms,
trojans, and viruses (think BadTrans) that can transmit sensitive
information from systems they infect. Did Culp miss a few days of
class here and there and forget to read up on SECHOLE.EXE (July
1998), the assorted Internet Explorer cross-frame scripting
exploits (September 1998) or the mid-2000 ability to remotely
exploit a Windows desktop through a buffer overflow found in the
Clip Art feature of Microsoft Office? And what about Windows File and
Print Sharing vulnerabilities from back in 1995? How about the
seemingly-endless number of buffer overflow exploits (think CodeRed,
Lion, and Nimda) that plague Microsoft Internet Information Server
(IIS) - granted, IIS isn't made for "Windows desktops" but it deserves
mention given the nearly-identical software code in Microsoft's
desktop and server products.
So how exactly does Microsoft classify these other types of
network-centric exploits? As nuisances but the price of doing business
in the wired world?
When will it end? And what to do about this latest security problem
originating in Redmond?
Microsoft, as the world's largest purveyor of PC software, with an
established monopoly status, needs to do the responsible thing. Rather
than continue to preach security as a marketing tool for its .NET
venture, an avenue for business development with new proprietary
'standards' and fee-based, censored security 'partnerships' or review
its reactive measures, it should get back to the basics and look
within for the solution to its internal problems that usually evolve
into the world's problems.
Simply put, Microsoft needs to review its software code line-by-line
and clean it up. Years of service packing, patching, re-patching,
updating, critical updating, and hotfixing Windows products have made
them dirty and prone to breaking, as we see every few months. Better
yet, Microsoft needs to revisit the basic design of Windows - namely,
removing the shared code between applications and the underlying
Windows operating system (like the pervasiveness of the Web-enabled
Internet Explorer across each Windows application and system). Like a
car, it's time to bring the Windows code into the shop for a major
tune-up. Actually, a worldwide recall might be in order.
In addition, Microsoft must not only ensure its products work well
together, but also conduct much more aggressive 'abuse testing' of
its software (e.g., XP) before it gets released to the Real World.
Such testing should be done by independent third parties and conducted
in a transparent, public manner to preclude any claims of bias in the
results of such testing. In general, Microsoft should conduct what the
rest of the computing community considers a real "beta test" - namely,
making sure that a supposedly finished application works as intended,
using experienced users to test the functionality, durability, and
security of the product in a real-world, real-use, take-no-prisoners
environment... not use its much bally-hooed 'beta test' periods as
the opportunity to market advance copies of their products, many of
which never seem to get out of the beta stage even when they're
officially released for sale!
In none of the interviews regarding the UPnP situation has Culp
admitted that Eeye did the responsible thing by informing Microsoft
and waiting for the fix to be available from Microsoft before
releasing information on this critical exploit to the internet
community, something many folks in the security community (all outside
of Microsoft) consider 'responsible disclosure.' According to reports,
it took Microsoft nearly two months to release a patch after learning
of the exploit. While Eeye's actions were praiseworthy, I wouldn't
wait so long before mentioning such a critical security problem to the
community. Realistically, a vendor should be able to examine and verify
a reported exploit - particularly one as critical as this one - and
release a patch or publish corrective guidance to the public in about
two weeks. In this case, Microsoft - had it decided it was in its
interest to do so - could have easily assigned fourteen thousand
programmer man-days (1000 programmers x 14 days) to address the
problem within two weeks. Eeye was very generous in giving Microsoft
so long to fix the problem, although why it took nearly two months for
Microsoft to address the problem raises some disturbing questions.
Perhaps acknowledging this would be contrary to the tone and contents
of Culp's October 2001 missive calling for a Microsoft-based
Vatican of Vulnerability to quell the public disclosure of security
vulnerabilities and implement software security through obscurity and
public ignorance. More interestingly, Eeye reported the UPnP exploit
to Microsoft back in October (according to sources at EEye, the day
after Windows XP was released). Was Microsoft's two-month silence on
this critical exploit a business decision to avoid public embarrassment
on a new product so close to the holiday (e.g., "new PC purchasing")
season? We can only wonder.
Microsoft is by far the most notorious in their vulnerability
announcements, legalese, and cover-their-tail security alerts,
something CDC member Tweety Fish noted in a 1999 interview
discussing the growing number of Microsoft-generated security problems
back then. He noted that Microsoft "will not consider any given
security risk a problem until it becomes a problem in the press." Or,
to put it another way, it's not really a problem until Microsoft says
so.
Actions speak louder than words. Microsoft pays security plenty of lip
service for marketing and public relations spin control, but the
firm's history of addressing security problems falls quite short of
what security professionals would consider a robust, long-term
commitment to effectively dealing with the matter. Thus, it's up to
third parties like Eeye and other research firms to continue serving
as a "check and balance" against a future of vendor-induced
security-through-obscurity and public ignorance.
Thanks to Eeye's responsible disclosure of this catastrophic
vulnerability in Windows XP, not only is the Internet a bit safer, but
their actions prove once again that voluntary disclosure of
vulnerability information is possible without a fee-based
vendor-sponsored club.
______________________________________________________________________
Resources
EEye Security Advisory and Technical Discussion - Easy to
Understand (20 Dec 01)
Microsoft's Fix to the UPnP Exploit
Article: "Microsoft," No. "Mickeysoft", Yes. (28 Nov 01)
Article: The Freedom to Innovate Includes The Freedom to
Obfuscate: Why Microsoft's New "Security Framework" is Just Another
.NET Vulnerability (10 Nov 2001)
Article: The Microsoft-English Dictionary 1.5 (What Microsoft
Really Means To Say) (28 Nov 01)
----- End forwarded message -----