Debate continues over security of Windows XP

Computerworld

By Carol Sliwa

(IDG) -- Differences of opinion continue to swirl over a potentially problematic Universal Plug and Play service in Microsoft Corp.'s Windows XP operating system.

The FBI's National Infrastructure Protection Center last week revised a recent security bulletin, removing a recommendation that systems administrators consider disabling the UPnP service in Windows XP.

After "careful review" of technical materials, the FBI agency stated that it is "satisfied" that a patch corrects a vulnerability that could lead to system compromise and "affords substantial and adequate protection" against the critical vulnerability that could lead to denial-of-service attacks.

But some security experts continue to recommend that, in addition to installing the patch, users disable the UPnP service, which lets PCs discover and use newly added network-based devices, such as printers, that advertise themselves as being available.

Marc Maiffret, chief hacking officer at Aliso Viejo, California-based eEye Digital Security, the security firm that notified Microsoft about the UPnP vulnerabilities shortly after Windows XP was launched, charged that the UPnP protocol is "half-assed" and needs to be scrutinized more closely with security in mind. "Until they actually redo it, it's not something people should be using," Maiffret said.

"It just allows for a lot of ways that you can manipulate systems or services to basically use UPnP to either hide attacks or use UPnP as a jump point for other attacks," Maiffret said. Microsoft's patch fixes the problem "as far as what we know now," but since people aren't using UPnP, the service should be disabled, he said.

Russ Cooper, an analyst at TruSecure Corp. in Herndon, Virginia, and moderator of the Windows NTBugTraq mailing list, said UPnP "offers many more opportunities for problems," and Microsoft shouldn't have released the UPnP capability until the protocol was well thought out.

"Microsoft had to modify the UPnP protocol as defined by the UPnP Forum in order to patch against vulnerabilities demonstrated by eEye," Cooper said. "If the only way to protect against the vulnerabilities is to modify the protocol, the protocol is flawed."

The first version of the UPnP architecture was ratified in June 2000 by the UPnP Forum, a nonprofit group of more than 400 vendors from the consumer electronics, computing, home security, home appliance, computer networking and related industries. The forum defined and published UPnP device and service descriptions to help devices connect to each other and simplify home networking.

Mark Lee, chairman of the UPnP Forum and a lead Windows product manager at Microsoft, said the forum has a security working committee that proactively looks to make sure that UPnP is a secure technology and checks out various scenarios in which UPnP technology is going to be used. He said the UPnP Forum is open to input from industry participants. "If there are ways to make the technology better, we're ready and able to listen," Lee said.

A Microsoft spokesman said the company remains committed to UPnP technology and doesn't believe that "enabling UPnP in and of itself poses a security risk."

"There is great customer interest in UPnP, especially as more UPnP-capable devices are becoming available," said Scott Culp, manager of Microsoft's Security Response Center. "Folks who don't want UPnP can certainly turn off the service, but just applying the patch is sufficient to return it to safe operation."

Roger Gariepy, chief information technologist at Air Products and Chemicals Inc. in Allentown, Pennsylvania, said he's not sure he would "turn on a system that allows non-directly-attached devices to automatically plug into the PC." He added, "I don't think we're going to have a lot of UPnP-capable devices in the corporation."

The UPnP service is enabled by default in Microsoft's Windows XP operating system, which was launched October 25. It can be activated in Windows ME and installed in Windows 98 and 98SE via the Internet Connection Sharing client that ships with XP.
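UPnP discovery, as described above, runs over SSDP: a device multicasts NOTIFY datagrams to 239.255.255.250 on UDP port 1900 announcing that it is alive, and a control point (here, the XP PC) sends M-SEARCH queries and then fetches the device description from the URL in the LOCATION header. The following script is an added example, not code from the article or from Microsoft or eEye. It parses a few constructed SSDP datagrams, lists which hosts on the segment are advertising UPnP (the quickest way for an administrator to see which XP machines still have the service on), and applies one assumed sanity check of my own: an ssdp:alive advertisement whose LOCATION points at a host other than the sender is flagged, since the control point will go and fetch that URL. The sample addresses, UUIDs and SERVER strings are constructed for illustration.

```python
"""SSDP advertisement triage (added example; constructed sample data)."""
import ipaddress
from urllib.parse import urlsplit

SSDP_GROUP = ("239.255.255.250", 1900)  # well-known SSDP multicast group/port

# Constructed sample datagrams as (source IP, payload). Not real captures.
SAMPLE_DATAGRAMS = [
    ("192.168.1.20",                      # healthy XP host announcing itself
     "NOTIFY * HTTP/1.1\r\n"
     "HOST: 239.255.255.250:1900\r\n"
     "CACHE-CONTROL: max-age=1800\r\n"
     "LOCATION: http://192.168.1.20:2869/upnphost/desc.xml\r\n"
     "NT: upnp:rootdevice\r\n"
     "NTS: ssdp:alive\r\n"
     "SERVER: Microsoft-Windows-NT/5.1 UPnP/1.0 UPnP-Device-Host/1.0\r\n"
     "USN: uuid:11111111-2222-3333-4444-555555555555::upnp:rootdevice\r\n\r\n"),
    ("192.168.1.77",                      # advertisement pointing elsewhere
     "NOTIFY * HTTP/1.1\r\n"
     "HOST: 239.255.255.250:1900\r\n"
     "LOCATION: http://10.0.0.5/desc.xml\r\n"
     "NT: upnp:rootdevice\r\n"
     "NTS: ssdp:alive\r\n"
     "SERVER: constructed-sample/1.0\r\n"
     "USN: uuid:66666666-7777-8888-9999-000000000000::upnp:rootdevice\r\n\r\n"),
    ("192.168.1.30",                      # control point searching
     "M-SEARCH * HTTP/1.1\r\n"
     "HOST: 239.255.255.250:1900\r\n"
     "MAN: \"ssdp:discover\"\r\n"
     "MX: 3\r\n"
     "ST: ssdp:all\r\n\r\n"),
    ("192.168.1.20",                      # graceful goodbye; no LOCATION needed
     "NOTIFY * HTTP/1.1\r\n"
     "HOST: 239.255.255.250:1900\r\n"
     "NT: upnp:rootdevice\r\n"
     "NTS: ssdp:byebye\r\n"
     "USN: uuid:11111111-2222-3333-4444-555555555555::upnp:rootdevice\r\n\r\n"),
]

START_LINES = ("NOTIFY * HTTP/1.1", "M-SEARCH * HTTP/1.1", "HTTP/1.1 200")


def parse_ssdp(payload: str) -> dict:
    """Split an SSDP datagram into its start line and a header dict.

    SSDP is HTTP-over-UDP: one start line, CRLF-separated headers, blank line.
    Header names are case-insensitive, so they are normalised to upper case.
    Returns {} when the datagram does not look like SSDP at all.
    """
    head, _, _ = payload.partition("\r\n\r\n")
    lines = head.split("\r\n")
    start = lines[0].strip()
    if not start.startswith(START_LINES):
        return {}
    headers = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if not sep:
            continue  # malformed header line: skip it rather than crash
        headers[name.strip().upper()] = value.strip()
    return {"start_line": start, "headers": headers}


def location_host(url: str):
    """Hostname part of a LOCATION URL, or None if it cannot be parsed."""
    try:
        return urlsplit(url).hostname
    except ValueError:
        return None


def triage(datagrams):
    """Classify each datagram; flag alive advertisements whose LOCATION is off-sender."""
    findings = []
    for src, payload in datagrams:
        msg = parse_ssdp(payload)
        if not msg:
            findings.append({"src": src, "kind": "non-ssdp", "suspicious": True,
                             "reason": "unparseable datagram on the SSDP port"})
            continue
        hdr = msg["headers"]
        if msg["start_line"].startswith("M-SEARCH"):
            findings.append({"src": src, "kind": "search", "st": hdr.get("ST", ""),
                             "suspicious": False, "reason": ""})
            continue
        f = {"src": src, "kind": "advertisement", "nts": hdr.get("NTS", ""),
             "server": hdr.get("SERVER", ""), "usn": hdr.get("USN", ""),
             "location": hdr.get("LOCATION", ""), "suspicious": False, "reason": ""}
        if f["nts"] == "ssdp:alive":  # only alive messages carry a LOCATION to fetch
            host = location_host(f["location"])
            try:
                same = host is not None and \
                    ipaddress.ip_address(host) == ipaddress.ip_address(src)
            except ValueError:
                same = False  # hostname rather than an IP literal: treat as mismatch
            if not same:
                f["suspicious"] = True
                f["reason"] = f"LOCATION host {host!r} is not the sender {src}"
        findings.append(f)
    return findings


def advertising_hosts(datagrams):
    """Sorted source addresses that announced themselves with ssdp:alive."""
    return sorted({f["src"] for f in triage(datagrams) if f.get("nts") == "ssdp:alive"})


if __name__ == "__main__":
    print("hosts advertising UPnP:", advertising_hosts(SAMPLE_DATAGRAMS))
    for finding in triage(SAMPLE_DATAGRAMS):
        flag = "FLAG" if finding["suspicious"] else "ok  "
        print(flag, finding["src"], finding["kind"], finding.get("reason", ""))
```

To use this against a live segment, replace SAMPLE_DATAGRAMS with datagrams read from a socket joined to the 239.255.255.250:1900 multicast group; any host whose SERVER string names Windows and whose NTS is ssdp:alive still has the service running, whatever the patch state. The LOCATION check is a conservative heuristic rather than a full policy: a legitimate device may announce a description URL on a different interface, so treat a flag as something to look at, not as proof of an attack.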

Maiffret said eEye Digital Security notified Microsoft about the denial-of-service vulnerability in the UPnP service on October 26. He said the firm told Microsoft about two more vulnerabilities, a distributed denial-of-service flaw and a buffer overflow, in November.

Microsoft announced the vulnerabilities on December 20, upon releasing its patches. A company spokesman defended the time lag, noting that the company had to develop patches for four operating systems with more than 20 language versions for each.

"All told, we developed well over 100 different versions of the patch," the spokesman said. He also noted that the testing requirements were significant. "Our testers worked around the clock to complete the testing in time to release the patch prior to Christmas week."

Gariepy noted that security vulnerabilities aren't unique to Microsoft. "All operating system vendors need to address this far more seriously than they have in the past," he said.
