[ISN] 2pg article - Who Needs Hackers? We've Got Microsoft!

From: InfoSec News (isnat_private)
Date: Mon Dec 24 2001 - 00:06:19 PST

  • Next message: William Knowles: "[ISN] Merry Christmas!"

    Forwarded from: Richard Forno <rfornoat_private>
    Article with contextual URLs:
    Length: 2 pages or so.
    Who Needs Hackers? We've Got Microsoft!
    Richard Forno 
    20 December 2001: Essay #2001-15
    (c) 2001 by Author. Permission is granted to quote, reprint or redistribute
    provided the text is not altered, and appropriate credit is given.
    By now, people know that I'm not the world's greatest Microsoft fan.
    Truth be told, I'm not completely biased against the company, and will
    even acknowledge that it has - at various points - produced some
    decent products. I also don't 'bash' Microsoft because it's the 'in'
    thing to do these days, but because there are serious problems with
    the software company's products and services that they continue to
    ignore. In fact, some would argue, they just don't get it. Such
    observations, therefore, must be voiced.
    The federal government and technology industry want you to believe the
    threats to our networks are external, not internal, where someone must
    be held accountable when things go wrong. Thus, we hear the rhetoric
    about cyberterrorists, hackers, and the so-called 'Digital Pearl
    Harbor' - things you can't easily point fingers at and hold someone
    accountable for when bad things happen. The White House would be wise
    to look at our nation's own self-induced vulnerabilities before
    rushing to spin up a sinister external threat; absent the rich target
    of opportunity presented by nearly all Microsoft products, hackers,
    crackers, and electronic evildoers would have a much harder time
    causing mainstream mischief every other week.
    Given that concern, Windows XP was promoted by Microsoft as perhaps
    the ultimate and most secured Windows operating system the firm had
    ever created, and one of its key features was increased security from
    electronic evildoers like hackers, crackers, and so-called
    cyberterrorists. In fact, in a recent interview with E-Week, Microsoft
    Vice President Jim Allchin said that Windows XP is "...dramatically
    more secure than Windows 2000 or any of the prior systems."
    Unfortunately, Windows XP doesn't protect you from Microsoft, an
    entity some argue is more dangerous than any cyberterrorist or hacker
    It turns out that the Windows XP ships with a new feature called
    Universal Plug and Play (UPnP) enabled (turned on) by default - thus
    allowing UPnP devices to locate each other on a local network, so that
    your home computer can talk to your refrigerator can talk to your
    toaster can talk to your stereo can send messages to your PDA, and so
    forth. However, as a result of this oversight, someone could remotely
    use this feature to exploit, control, or disrupt a system from remote
    locations around the world. As if computer exploits aren't bad enough,
    you'll soon have to worry about someone turning off your freezer and
    spoiling your holiday leftovers....
    Note this is not to be confused with the Windows Remote Assistance
    feature - promoted as one of the major benefits of using Windows XP,
    yet functioning in essentially the same way as the UPnP exploit. (One
    wonders how quickly the Remote Assistance feature will be exploited in
    the future as well.)
    Marc Maiffret, the talented, blue-haired 'Chief Hacking Officer' of
    Eeye Security, demonstrated the UPnP exploit to a shocked group of
    reporters yesterday. As a result, media and security experts are
    calling this "The Mother of All Exploits" for Windows XP, scrambling
    to inform the public about the importance of downloading and
    installing the fix for this problem - a security problem not caused by
    a hacker or cracker, but developed and implemented exclusively by
    Microsoft for your computing convenience and to enhance your user
    experience as a 'feature' of the product.
    According to an AP story by Ted Bridis,  Microsoft Security Manager
    Scott Culp, called this latest vulnerability the "the first
    network-based, remote compromise that I'm aware of for Windows desktop
    systems" and a "very serious vulnerability."
    I guess it's all in how you define "compromise." How very Clintonian.
    Although repeatedly interviewed by the media reporting on
    Microsoft-based security events over the years, Culp apparently
    doesn't consider any of the following Microsoft-centric security
    exploits as "network-based, remote compromises" for "Windows desktop
    systems" either - the series of Back Orifice programs from the
    always-amusing Cult of the Dead Cow (CDC) to e-mail worms, trojans,
    and viruses (think BadTrans) that can transmit sensitive information
    from systems they infect.  Did Culp miss a few days of class here and
    there and forget to read up on SECHOLE.EXE (July 1998), the assorted
    Internet Explorer cross-frame scripting exploits (September 1998) or
    the mid-2000 ability to remotely exploit a Windows desktop through a
    buffer overflow found in the Clip Art feature of Microsoft Office? And
    what about Windows File and Print Sharing vulnerabilities from back in
    1995? How about the seemingly-endless number of buffer overflow
    exploits (think CodeRed, Lion, and Nimda) that plague Microsoft
    Internet Information Server (IIS) - granted, IIS isn't made for
    "Windows desktops" but it deserves mention given the nearly-identical
    software code in Microsoft's desktop and server products.
    So how exactly does Microsoft classify these other types of
    network-centric exploits? As nuisances but the price of doing business
    in the wired world?
    When will it end? And what to do about this latest security problem
    originating in Redmond?
    Microsoft, as the world's largest purveyor of PC software, with an
    established monopoly status, needs to do the responsible thing. Rather
    than continue to preach security as a marketing tool for its .NET
    venture, an avenue for business development with new proprietary
    'standards' and fee-based, censored security 'partnerships' or review
    its reactive measures,  it should get back to the basics and look
    within for the solution to its internal problems that usually evolve
    into the world's problems.
    Simply put, Microsoft needs to review its software code line-by-line
    and clean it up. Years of service packing, patching, re-patching,
    updating, critical updating, and hotfixing Windows products have made
    them dirty and prone to breaking, as we see every few months. Better
    yet, Microsoft needs to revisit the basic design of Windows - namely,
    removing the shared code between applications and the underlying
    Windows operating system (like the pervasiveness of the Web-enabled
    Internet Explorer across each Windows application and system.) Like a
    car, it's time to bring the Windows code into the shop for a major
    tune-up. Actually, a worldwide recall might in order.
    In addition, Microsoft must not ensure its products work well
    together, but also conduct much more aggressive 'abuse testing'  of
    its software (e.g., XP) before it gets released to the Real World.
    Such testing should be done by independent third parties and conducted
    in a transparent, public manner to preclude any claims of bias in the
    results of such testing. In general, Microsoft should conduct what the
    rest of the computing community considers a real "beta test" - namely,
    making sure that a supposedly finished application works as intended,
    using experienced users to test the functionality, durability, and
    security of the product in a real-world, real-use, take-no-prisoners
    environment.....not use its much bally-hooed 'beta test' periods as
    the opportunity to market advance copies of their products, many of
    which never seem to get out of the beta stage even when they're
    officially released for sale!
    In none of the interviews regarding the UPnP situation has Culp
    admitted that Eeye did the responsible thing by informing Microsoft
    and waiting for the fix to be available from Microsoft before
    releasing information on this critical exploit to the internet
    community, something many folks in the security community (all outside
    of Microsoft) consider 'responsible disclosure.' According to reports,
    it took Microsoft nearly two months to release a patch after learning
    of the exploit. While Eeye's actions were praiseworthy, I wouldn't
    wait so long before mentioning such a critical security problem to the
    community. Realisticly, a vendor should be able to examine and verify
    a reported exploit - particularly one as critical as this one - and
    release a patch or publish corrective guidance to the public in about
    two weeks. In this case, Microsoft - had it decided it was in its
    interest to do so - could have easily assigned fourteen thousand
    programmer man-days (1000 programmers x 14 days) to address the
    problem within two weeks. Eeye was very generous in giving Microsoft
    so long to fix the problem, although why it took nearly two months for
    Microsoft to address the problem raises some disturbing questions.
    Perhaps acknowledging this would be contrary to the tone and contents
    of Culp's October 2001 missive calling for a Microsoft-based Vatican
    of Vulnerability to quell the public disclosure of security
    vulnerabilities and implement software security through obscurity and
    public ignorance. More interestingly, Eeye reported the UPnP exploit
    to Microsoft back in October (according to sources at EEye, the day
    after Windows XP was released.) Was Microsoft's two-month silence on
    this critical exploit a business decision to avoid public embarassment
    on a new product so close to the holiday (e.g., "new PC purchasing")
    season? We can only wonder.
    Microsoft is by far the most notorious in their vulnerability
    announcements, legaleese, and cover-their-tail security alerts,
    something CDC member Tweety Fish noted in a 1999 interview discussing
    the growing number of Microsoft-generated security problems back then.
    He noted that Microsoft "will not consider any given security risk a
    problem until it becomes a problem in the press." Or, to put it
    another way, it's not really a problem until Microsoft says so.
    Thanks to Eeye's responsible disclosure of this catastrophic
    vulnerability in Windows XP, not only is the Internet a bit safer, but
    their actions prove once again that voluntary disclosure of
    vulnerability information is possible without a fee-based
    vendor-sponsored club.
    EEye Security Advisory and Technical Discussion - Easy to Understand
    (20 Dec 01)
    Microsoft's Fix to the UPnP Exploit
    Article: "Microsoft," No. "Mickeysoft", Yes. (28 Nov 01)
    Article: The Freedom to Innovate Includes The Freedom to Obfuscate:
    Why Microsoft's New "Security Framework" is Just Another .NET
    Vulnerability (10 Nov 2001)
    Article: The Microsoft-English Dictionary 1.5  (What Microsoft Really
    Means To Say) (28 Nov 01)
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Mon Dec 24 2001 - 06:12:12 PST