Forwarded from: "Marc Maiffret" <marcat_private>
CC: <mrs_aida_capistranoat_private>

We found the DoS and reported it to MS the day after XP shipped. They started working on that patch. Then not too long after (I forget exactly how long) we found the DDoS and reported it. Then not too long after that we found and reported the overflow.

The overflow is trivial to fix because it's a programming mistake. The DoS is a bit harder to fix and kind of sticky because it has to do with design flaws in UPnP. The DDoS is a pain to fix. The guys that wrote the specs for the UPnP protocol designed a flawed protocol. Anyone that follows the protocol specs will create a flawed system, as happened with XP. Fixing the DDoS attack is a sticky situation: you have to go against how the protocol was designed, which means you potentially are going to break third-party systems that were designed to use UPnP.

Microsoft did a good job fixing the DDoS in their UPnP implementation. They were able to fix it and hopefully not completely break a lot of people's ability to use UPnP. However, I am sure there are (I know there are) a lot of third-party hardware device makers (wireless ethernet, home hub/firewalls, toasters (hah), etc.) which are probably also vulnerable to a lot of UPnP protocol-level flaws. People need to hold off on using UPnP until the protocol has been written (rewritten) with security in mind.

I am not sure how someone was able to spec the UPnP protocol and not see the glaring theoretical (yet proven once the spec is written as code) flaws in how UPnP is supposed to communicate. Hopefully the UPnP protocol does not catch on in its current form; otherwise we'll see a lot of devices being exploited because they'll make the same mistakes that were in XP. Oh well, how do you stop a technology that's already being shoved everywhere as the next greatest thing? This will be one of those cases where everyone has to be bitten before they pull back their shoddy technology, rework it, then re-release it.

It's hard, though, for the engineers at some companies to explain to management why they need to delay shipping their product for a few months until they fix design flaw problems. :-o My nipple just got shocked. Must be my new Christmas gift that zaps me when I start rambling. I'll shut up now.

All in all, MS took 2 months for 3 vulnerabilities, and we don't think they were trying to stall or something of that nature.

Signed,
Marc Maiffret
Chief Hacking Officer
eEye Digital Security
T.949.349.9062 F.949.349.9538
http://eEye.com/Retina - Network Security Scanner
http://eEye.com/Iris - Network Traffic Analyzer
http://eEye.com/SecureIIS - Stop known and unknown IIS vulnerabilities

| -----Original Message-----
| From: mrs_aida_capistranoat_private
| [mailto:mrs_aida_capistranoat_private]
| Sent: Thursday, December 27, 2001 2:41 PM
| To: isnat_private
| Cc: marcat_private
| Subject: PATCH DELAY? Buffer Overflow in UPnP Service On Microsoft Windows
|
| -----BEGIN PGP SIGNED MESSAGE-----
|
| Hi there,
|
| I posted this to the main security lists today, but no one seems
| interested. Chris at vulnwatch.org suggests I send it to attrition
| and I am copying Marc, in case he wishes to verify this chain of
| events or not. One can never tell if Microsoft is telling the
| truth or not :-(
|
| Dear Ladies and Gentlemen,
|
| The following official statement was published in a Microsoft
| news group on the 26th of December 2001 when many participants
| queried why it took nearly two months for a patch to be developed
| to address the Buffer Overflow in UPnP Service On Microsoft Windows
|
| http://www.eeye.com/html/Research/Advisories/AD20011220.html
| http://www.microsoft.com/technet/security/bulletin/MS01-059.asp
|
| It does not explain why these defective goods continued to ship
| for the Christmas sales season but might be of interest to people
| on these security mailing lists:
|
| direct link to news article on the server:
|
| news://news.microsoft.com/#qAgniljBHA.2260@tkmsftngp07
|
| [...]

-
ISN is currently hosted by Attrition.org
To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY of the mail.
This archive was generated by hypermail 2b30 : Fri Dec 28 2001 - 06:04:02 PST