[SECURITY-L] Who Needs Hackers? We've Got Microsoft!

Daniela Regina Barbetti daniela em ccuec.unicamp.br
Wed Jan 16 15:25:15 -02 2002


----- Forwarded message from Cristine Hoepers <cristine em nic.br> -----

From: Cristine Hoepers <cristine em nic.br>
Subject: [S] Who Needs Hackers? We've Got Microsoft!
To: seguranca em pangeia.com.br
Date: Tue, 15 Jan 2002 17:28:45 -0200
X-Mailer: Mutt 1.0.1i


[http://www.infowarrior.org/articles/2001-15.html]

   Who Needs Hackers? We've Got Microsoft!
   
   Richard Forno
   20 December 2001: Essay #2001-15
   rforno em infowarrior.org
   (c) 2001 by Author. Permission is granted to quote, reprint or
   redistribute provided the text is not altered, and appropriate credit
   is given.
   
   Summary: The latest Microsoft bug is a doozy. Why do these things keep
   cropping up?
   
   ______________________________________________________________________
                                      
             This gives "Plug and Pray" a whole new meaning...
    Plug your XP box to the Internet and pray the hackers don't find it.
                                 (Slashdot)
                                      
   "The only secure Microsoft software is what's still shrink-wrapped in
                        their warehouse..." (Forno)
   ______________________________________________________________________
   
   By now, people know that I'm not the world's greatest Microsoft fan.
   Truth be told, I'm not completely biased against the company, and will
   even acknowledge that it has - at various points - produced some
   decent products. I also don't 'bash' Microsoft because it's the 'in'
   thing to do these days, but because there are serious problems with
   the software company's products and services that they continue to
   ignore. In fact, some would argue, they just don't get it. Such
   observations, therefore, must be voiced.
   
   The federal government and technology industry want you to believe the
   threats to our networks are external, not internal, where someone
   must be held accountable when things go wrong. Thus, we hear the
   rhetoric about cyberterrorists, hackers, and the so-called 'Digital
   Pearl Harbor' - things you can't easily point fingers at and hold
   someone accountable for when bad things happen. The White House would
   be wise to look at our nation's own self-induced vulnerabilities
   before rushing to spin up a sinister external threat; absent the rich
   target of opportunity presented by nearly all Microsoft products,
   hackers, crackers, and electronic evildoers would have a much harder
   time causing mainstream mischief every other week.
   
   Windows XP was promoted by Microsoft as perhaps the ultimate and most
   secured Windows operating system the firm had ever created, and one of
   its key features was increased security from electronic evildoers like
   hackers, crackers, and so-called cyberterrorists. In fact, in a recent
   interview with E-Week, Microsoft Vice President Jim Allchin said
   that Windows XP is "...dramatically more secure than Windows 2000 or
   any of the prior systems." Released on October 25, it was to be the
   default operating system on all new personal computers sold, and its
   release was timed to coincide with new PC sales for the 2001 holiday
   season.
   
   Unfortunately, Windows XP doesn't protect you from Microsoft, an
   entity some argue is more dangerous than any cyberterrorist or hacker
   gang.
   
   It turns out that Windows XP ships with a new feature called
   Universal Plug and Play (UPnP) enabled (turned on) by default -
   thus allowing UPnP devices to locate each other on a local network, so
   that your home computer can talk to your refrigerator can talk to
   your toaster can talk to your stereo can send messages to your PDA,
   and so forth. However, as a result of this oversight, someone could
   remotely use this feature to exploit, control, or disrupt a system
   from remote locations around the world. As if computer exploits aren't
   bad enough, you'll soon have to worry about someone turning off your
   freezer and spoiling your holiday leftovers....
   
   Note this is not to be confused with the Windows Remote Assistance
   feature - promoted as one of the major benefits of using Windows XP,
   yet functioning in essentially the same way as the UPnP exploit. (One
   wonders how quickly the Remote Assistance feature will be exploited in
   the future as well.)
   
   Marc Maiffret, the talented, blue-haired 'Chief Hacking Officer' of
   Eeye Security, demonstrated the UPnP exploit to a shocked group of
   reporters yesterday. As a result, media and security experts are
   calling this "The Mother of All Exploits" for Windows XP, scrambling
   to inform the public about the importance of downloading and
   installing the fix for this problem - a security problem not caused by
   a hacker or cracker, but developed and implemented exclusively by
   Microsoft for your computing convenience and to enhance your user
   experience as a 'feature' of the product.
   
   According to an AP story by Ted Bridis, Microsoft Security Manager
   Scott Culp called this latest vulnerability "the first
   network-based, remote compromise that I'm aware of for Windows desktop
   systems" and a "very serious vulnerability."
   
   I guess it's all in how you define "compromise." How very Clintonian.
   
   Although repeatedly interviewed by the media reporting on
   Microsoft-based security events over the years, Culp apparently
   doesn't consider any of the following Microsoft-centric security
   exploits as "network-based, remote compromises" for "Windows desktop
   systems" either - the series of Back Orifice programs from the
   always-amusing Cult of the Dead Cow (CDC) to e-mail worms,
   trojans, and viruses (think BadTrans) that can transmit sensitive
   information from systems they infect. Did Culp miss a few days of
   class here and there and forget to read up on SECHOLE.EXE (July
   1998), the assorted Internet Explorer cross-frame scripting
   exploits (September 1998) or the mid-2000 ability to remotely
   exploit a Windows desktop through a buffer overflow found in the
   Clip Art feature of Microsoft Office? And what about Windows File and
   Print Sharing vulnerabilities from back in 1995? How about the
   seemingly-endless number of buffer overflow exploits (think CodeRed,
   Lion, and Nimda) that plague Microsoft Internet Information Server
   (IIS) - granted, IIS isn't made for "Windows desktops" but it deserves
   mention given the nearly-identical software code in Microsoft's
   desktop and server products.
   
   So how exactly does Microsoft classify these other types of
   network-centric exploits? As nuisances but the price of doing business
   in the wired world?
   
   When will it end? And what to do about this latest security problem
   originating in Redmond?
   
   Microsoft, as the world's largest purveyor of PC software, with an
   established monopoly status, needs to do the responsible thing. Rather
   than continue to preach security as a marketing tool for its .NET
   venture, an avenue for business development with new proprietary
   'standards' and fee-based, censored security 'partnerships' or review
   its reactive measures, it should get back to the basics and look
   within for the solution to its internal problems that usually evolve
   into the world's problems.
   
   Simply put, Microsoft needs to review its software code line-by-line
   and clean it up. Years of service packing, patching, re-patching,
   updating, critical updating, and hotfixing Windows products have made
   them dirty and prone to breaking, as we see every few months. Better
   yet, Microsoft needs to revisit the basic design of Windows - namely,
   removing the shared code between applications and the underlying
   Windows operating system (like the pervasiveness of the Web-enabled
   Internet Explorer across each Windows application and system.) Like a
   car, it's time to bring the Windows code into the shop for a major
   tune-up. Actually, a worldwide recall might be in order.
   
   In addition, Microsoft must not only ensure its products work well
   together, but also conduct much more aggressive 'abuse testing' of
   its software (e.g., XP) before it gets released to the Real World.
   Such testing should be done by independent third parties and conducted
   in a transparent, public manner to preclude any claims of bias in the
   results of such testing. In general, Microsoft should conduct what the
   rest of the computing community considers a real "beta test" - namely,
   making sure that a supposedly finished application works as intended,
   using experienced users to test the functionality, durability, and
   security of the product in a real-world, real-use, take-no-prisoners
   environment... not use its much bally-hooed 'beta test' periods as
   the opportunity to market advance copies of their products, many of
   which never seem to get out of the beta stage even when they're
   officially released for sale!
   
   In none of the interviews regarding the UPnP situation has Culp
   admitted that Eeye did the responsible thing by informing Microsoft
   and waiting for the fix to be available from Microsoft before
   releasing information on this critical exploit to the internet
   community, something many folks in the security community (all outside
   of Microsoft) consider 'responsible disclosure.' According to reports,
   it took Microsoft nearly two months to release a patch after learning
   of the exploit. While Eeye's actions were praiseworthy, I wouldn't
   wait so long before mentioning such a critical security problem to the
   community. Realistically, a vendor should be able to examine and verify
   a reported exploit - particularly one as critical as this one - and
   release a patch or publish corrective guidance to the public in about
   two weeks. In this case, Microsoft - had it decided it was in its
   interest to do so - could have easily assigned fourteen thousand
   programmer man-days (1000 programmers x 14 days) to address the
   problem within two weeks. Eeye was very generous in giving Microsoft
   so long to fix the problem, although why it took nearly two months for
   Microsoft to address the problem raises some disturbing questions.
   
   Perhaps acknowledging this would be contrary to the tone and contents
   of Culp's October 2001 missive calling for a Microsoft-based
   Vatican of Vulnerability to quell the public disclosure of security
   vulnerabilities and implement software security through obscurity and
   public ignorance. More interestingly, Eeye reported the UPnP exploit
   to Microsoft back in October (according to sources at EEye, the day
   after Windows XP was released.) Was Microsoft's two-month silence on
   this critical exploit a business decision to avoid public embarrassment
   on a new product so close to the holiday (e.g., "new PC purchasing")
   season? We can only wonder.
   
   Microsoft is by far the most notorious in their vulnerability
   announcements, legalese, and cover-their-tail security alerts,
   something CDC member Tweety Fish noted in a 1999 interview
   discussing the growing number of Microsoft-generated security problems
   back then. He noted that Microsoft "will not consider any given
   security risk a problem until it becomes a problem in the press." Or,
   to put it another way, it's not really a problem until Microsoft says
   so.
   
   Actions speak louder than words. Microsoft pays security plenty of lip
   service for marketing and public relations spin control, but the
   firm's history of addressing security problems falls quite short of
   what security professionals would consider a robust, long-term
   commitment to effectively dealing with the matter. Thus, it's up to
   third parties like Eeye and other research firms to continue serving
   as a "check and balance" against a future of vendor-induced
   security-through-obscurity and public ignorance.
   
   Thanks to Eeye's responsible disclosure of this catastrophic
   vulnerability in Windows XP, not only is the Internet a bit safer, but
   their actions prove once again that voluntary disclosure of
   vulnerability information is possible without a fee-based
   vendor-sponsored club.
   ______________________________________________________________________
   
   Resources
   
   EEye Security Advisory and Technical Discussion - Easy to
   Understand (20 Dec 01)
   
   Microsoft's Fix to the UPnP Exploit
   
   Article: "Microsoft," No. "Mickeysoft", Yes. (28 Nov 01)
   
   Article: The Freedom to Innovate Includes The Freedom to
   Obfuscate: Why Microsoft's New "Security Framework" is Just Another
   .NET Vulnerability (10 Nov 2001)
   
   Article: The Microsoft-English Dictionary 1.5  (What Microsoft
   Really Means To Say) (28 Nov 01)


----- End forwarded message -----