Everyone from the FBI to the L.A. Times has something scary to say about the new XP vulnerability. Here's why they all have it wrong.
We won't see any massive worm taking advantage of this particular vulnerability.
Now the simple act of talking about Microsoft security is becoming a remunerative endeavor.
The recent Universal Plug and Play (UPnP) subsystem vulnerabilities in Microsoft XP, as well as some ME and 98 systems, has resulted in a media circus that has beaten out Code Red -- and there is not even an exploit yet!
Don't get me wrong -- coverage of security issues is a Good Thing. This one could be serious as it has some potential for abuse if the right people put their minds to it. And given the fact that it would primarily affect home users, few of whom will ever see this article or read a Bugtraq post, the more people that know about UPnP the better.
But the information has to be accurate. The media and corresponding subset of technical news portals are do a terrible job of reporting factual information -- particularly on this bug. From the FBI to the L.A. Times to GRC, they all have it wrong. So let's take it from the top.
Universal Plug and Play is the term used to collectively refer to a set of standards, protocols, and services used to support pervasive networking of intelligent devices and appliances in a peer-to-peer configuration; the kind of solution that will allow your wet bar to take stock of needed items and automatically add them to your Palm Pilot's shopping list. It is a collaborative effort between many vendors and developers including HP, Apple, and of course Microsoft.
On the default installations of XP (Home and Pro) and some ME/98[e] installs, the UPnP subsystem is listening for NOTIFYs from UPnP enabled devices at startup. This is the problem. The SSDP Discovery Service has issues with specially formatted NOTIFY datagrams in that they can be used to exploit a buffer overrun to gain SYSTEM access, or perform DoS or DDoS attacks as described in an
My issue is that so many people have rushed to be authorities on this bug that many didn't bother to get their facts straight before posting fixes and writing articles about it. The NIPC advisory gives people specific instructions on how to disable the "UPnP Device Host" on XP and has been widely linked to by many. Unfortunately, this does absolutely nothing. I both phoned and emailed NIPC to inform them that the UPnP Service itself has nothing to do with this bug, and that the "SSDP Discovery Service" is the issue, but to date they still have not updated the site.
In addition to misinformation, banner-ad-hungry media outlets like the L.A. Times are doing what they can to bring in the hits, headlining articles with FUD -- industry shorthand for Fear, Uncertainty and Doubt -- like "XP Patch Leaves Door Wide Open" that is not only completely wrong, but contains no detailed information about the issue, or even links on where to find the advisories. At least the author admits that though he wrote a book on how to use XP, he could not figure out how to disable a service.
And of course Steve Gibson jumped on the bandwagon with a page dedicated to saturating the issue with his own special blend of FUD that is almost elevated to an art form. In a complete exit from anything security related, Gibson goes as far as to charge Microsoft with purposefully withholding an advisory and patch for this vulnerability so that Christmas sales would not be affected.
This would be like me concocting some conspiracy theory where I charge the FBI for knowingly deceiving people with incorrect fix instructions so that they could still use the buffer overrun to push out Magic Lantern to seven million people. Hmmm... You think??
It's not like it has been a slow news week for vulnerabilities -- it is just that nobody cares to talk about anything if it is not about Microsoft. In the SANS NewsBites email, more mention was given to Gibson's take on the UPnP issue than the entire coverage of David Litchfield's publication of an Oracle 9iAS remote system level buffer overrun: ten links were given to the UPnP bug; one link regarding Oracle. There was no link to the MS advisory.
And while Gartner is so kind to bestow upon us their "prediction" that hackers will use UPnP vulnerabilities in the future (which is really an amazing illustration of their keen insight into technology trends) they also fail to comment on any of the Oracle issues. They act more like bookies than security professionals; getting paid whether we win or lose.
Microsoft's security issues are bad. And though my call on this one is that we won't see any massive worm taking advantage of this particular vulnerability, the security of the Simple Service Discovery Protocol in itself still must be addressed and secured.
And though Microsoft's own development team was wrong about the effectiveness of XP's Internet Connection Firewall against direct UPnP attacks (which does in fact protect you from unicast traffic), they still have a product that allows multicast and broadcast traffic to arrive to an interface unfiltered. XP is still the most secure consumer OS that Microsoft has developed, but there will still be more
You can't increase security by giving people the wrong information, or not enough of the right information. If you don't like Microsoft, then don't buy their products. Write your congressman. Get a job at Oracle. Wear a penguin T-shirt. Do something about it. But don't wave your Microsoft Sucks flag with your left hand while pocketing your stipend with your right unless you just want to be part of the problem.