FBI Urges Consumers, Companies to Take Additional Steps to Safeguard Windows XP
Fox News ^
| Friday Dec 21, 2001
Posted on 12/22/2001 6:09:21 AM PST by webster
Edited on 04/22/2004 12:31:57 AM PDT by Jim Robinson.
WASHINGTON — The FBI's top cyber-security unit warned consumers and corporations Friday night to take new steps beyond those recommended by Microsoft Corp. to protect against hackers who might try to attack major flaws discovered in the newest version of Windows software.
You can find instructions to disable "universal plug & play" HERE
posted on 12/22/2001 6:09:21 AM PST
Windows '95......works for me. Foolproof.
posted on 12/22/2001 6:15:05 AM PST
Comment #3 Removed by Moderator
Or, buy a Mac...
posted on 12/22/2001 6:20:52 AM PST
Are they recommending Linux or especially OpenBSD as alternatives? Works for me.
posted on 12/22/2001 6:23:36 AM PST
The fox is afraid someone else is going to get in the hen-house.
posted on 12/22/2001 6:24:10 AM PST
...top industry experts sought reassurance from Microsoft that the free software fix it offered effectively stops hackers from attacking the Windows XP flaws.
I thought XP was the greatest thing since sliced bread; the most secure OS ever devised by man.
It's beginning to look like the best way to keep XP safe from outside attacks is to unplug it from any network. If you need to talk to the net, use something else.
posted on 12/22/2001 6:26:12 AM PST
Windows '95......works for me. Foolproof.
While I wouldn't go so far as to call it "foolproof," I'm sticking with '95.
posted on 12/22/2001 6:26:55 AM PST
Yes...it appears Steve Gibson (Creator of Zone Alarm) was correct about XP's problems. Read more here
posted on 12/22/2001 6:29:42 AM PST
posted on 12/22/2001 6:35:03 AM PST
You know, I can recall Gibson talking about this months before XP was released. And he was, it turns out, a voice crying in the wilderness.
What's galling now -- and it must be Really Galling for Gibson -- is the news reports concerning this "unexpected" security hole credit people other than Gibson for discovering it.
posted on 12/22/2001 6:39:19 AM PST
Comment #13 Removed by Moderator
A buffer overflow big enough to drive a Mack truck thru.
This is an unbelievable technical "oversight" by Microsoft.
This startling screwup is the best argument I've seen to keep the O/S market competitive.
I don't understand why folks don't secure their 'puter boxes (of any OS flavor) with a hardware firewall. It is easy and inexpensive while requiring no attention for monitoring software.
Oh well, the internet has been public for only 10 years .......
posted on 12/22/2001 6:52:16 AM PST
The fix was posted on the Microsoft Windows Update site yesterday. Just go there to install it painlessly.
For those who are especially paranoid, I don't see why you can't turn off universal P&P and then turn it back on just before installing a new piece of hardware. Then turn it off again. But that seems like too much trouble to me. I don't think the FBI are the best place to go for computer advice.
posted on 12/22/2001 6:52:43 AM PST
Here ya go again boss!!!! ROTFLMAO.
posted on 12/22/2001 6:56:07 AM PST
Yes, agreed...I run both a hardware and software firewall.
posted on 12/22/2001 7:00:58 AM PST
The vulnerability appears to affect only clients, not servers. Clients affected include Windows XP, Windows ME client running Universal PnP (which may have been turned on by default during manufacturer's installs), and Windows 98 and Windows 98 SE clients which are running UPnP downloaded from Windows XP clients.
The news media is doing the public a disservice by emphasizing that this vulnerability is associated with Windows XP and not with UPnP. Windows ME users, in particular, should be certain to either confirm that UPnP is turned off or to download and apply the fix.
Buffer overruns are an old and well known type of vulnerability. It is amazing that Microsoft wouldn't have tested for it.
On the other hand, this is an obscure message in an obscure service, and it would be a wonderful place for a 3-letter agency to hide its backdoor for installing its keyboard snooping program. At any rate, this should pretty much ensure that foreign governments adopt Linux instead of Windows.
Former federal agent calls XP a threat to national security
By John Fontana
Network World, 10/15/01
A computer forensics expert and retired federal agent is trying to convince the U.S. government that Windows XP is a threat to national security and its distribution should be postponed.
Michael Anderson, president of New Technologies, says data "scrubbing" features in Windows XP Professional will make it impossible for federal agents and law enforcement to find and reconstruct digital evidence buried on computers, particularly those seized from terrorists.
While Anderson concedes that XP's data "scrubbing" and encrypted file system features are desired by law enforcement and others for keeping data secure, he says the timing of XP is bad.
"This is an intelligence issue," says Anderson, who provides computer forensics training, software and consulting to military and law enforcement agencies. "The government and Microsoft need to think this thing through."
Some security experts are unconvinced, however.
"This may be going a little too far," says Charles Kolodgy, an analyst with market research firm IDC. "Do you ban shredding, burning of paper?" Kolodgy also says the argument is ironic given that Microsoft is often criticized for leaving so many security features disabled by default. Others say privacy is also an issue.
But Anderson, who retired in 1996 from the U.S. Treasury, where he was a special agent, says the government should force Microsoft to postpone the release of the Professional version of XP in light of the Sept. 11 terrorist attacks. Windows XP launches Oct. 25, ironically, at an event in New York City.
Anderson, whose business is based in Oregon, has detailed his concerns in letters to his state's congressional representatives in Washington, D.C.
A spokesman for Sen. Ron Wyden (D-Ore.), a member of the Select Committee on Intelligence, says the senator was forwarding Anderson's letter to Attorney General John Ashcroft. "We are asking the Justice Department to take a look. We think it is their issue," the spokesman says.
Chuck Guzis, president of Sydex, which develops data conversion and emulation software, also has written to Congress.
"We just need to delay this software," he says. "We don't have the [forensics] tools or methodology in place to combat XP."
Anderson's concerns stem from the fact that even when data is deleted from a computer it still resides on the hard drive for a period of time. This is known as ambient data. Experts can reconstruct ambient data to recover files and e-mails. Such work was done to produce evidence in the trial of Iran-Contra figure Gen. Oliver North and in the Monica Lewinsky scandal.
Windows XP Professional has a feature called data recovery. By default, that mechanism is turned off, meaning that ambient data is "scrubbed" from the hard drive. Anderson says that means terrorists could use it to hide their digital tracks.
"XP will slam the door on all that forensics work," Anderson says. But Microsoft says security in XP as in other Microsoft products isn't created in a vacuum.
"We work with others in the industry and government agencies to develop security policies that take into account law enforcement concerns," says Jim Desler, the corporate spokesman for Microsoft.
He acknowledges that savvy terrorists can use third-party tools, such as Evidence Eraser by Mad Hornet, to stifle forensics work but says Windows XP makes it available by default to anyone buying XP Professional.
posted on 12/22/2001 7:34:24 AM PST
How come whenever Microsoft has a catastrophe like this - you disappear for several days? Get in here and defend your operating system!
Remember your recent boast that you can 'lock down' your systems against any and all intruders? Did you have your WinXP computer secured against this security disaster?
I know how to make Windows safe from hackers - yank out the Internet cable.
posted on 12/22/2001 7:35:54 AM PST
UPNP - Multiple Remote Windows XP/ME/98 Vulnerabilities
December 20, 2001
Microsoft Windows XP (All default systems)
Microsoft Windows 98 (Certain configurations)
Microsoft Windows 98SE (Certain configurations)
Microsoft Windows ME (Certain configurations)
Windows XP ships by default with a UPNP (Universal Plug and Play) service which can be used to detect and integrate with UPNP aware devices. Windows ME does not ship by default with the UPNP service; however, some OEM versions do provide the UPNP service by default. Also, it is possible to install the Windows XP Internet Connection Sharing on top of Windows 98, therefore making it vulnerable.
As described on upnp.org: "UPNP architecture offers pervasive peer-to-peer network connectivity of PCs of all form factors, intelligent appliances, and wireless devices. UPNP architecture leverages TCP/IP and the Web to enable seamless proximity networking in addition to control and data transfer among networked devices in the home, office, and everywhere in between".
We at eEye believe that there are several security issues with the UPNP protocol itself; however, these more generic issues are out of the scope of this advisory. Expect a detailed paper to be released from eEye within the coming weeks.
This advisory covers three vulnerabilities within Microsoft's UPNP implementation. A remotely exploitable buffer overflow to gain SYSTEM level access to any default installation of Windows XP, a Denial-of-Service (DoS) attack, and a Distributed Denial-of-Service (DDoS) attack.
1. The SYSTEM Remote Exploit
The first vulnerability within Microsoft's implementation of the UPNP protocol can result in an attacker gaining remote SYSTEM level access to any default installation of Windows XP. SYSTEM is the highest level of access within Windows XP.
During testing of the UPNP service, we discovered that by sending malformed advertisements at various speeds we could cause access violations on the target machine. Most of these violations were due to pointers being overwritten. The following describes one instance of our testing:
NOTIFY * HTTP/1.1
SERVER: EEYE/2001 UPnP/1.0 product/1.1
If a buffer is incremented in the protocol, port, and uri fields of the Location URL and sessions are sent with 10,000 microsecond intervals, access violations will begin to be observed. In one situation, the EAX and ECX registers will contain addresses that are pulled from the memory that was overwritten and the svchost.exe process will access an invalid memory address at a "mov" instruction. It throws an access violation due to the fact that the destination address is an overwritten pointer, but there is nothing interesting at 0x41414141.
During our testing we discovered that there are multiple points of exploitation. We found instances of stack overflows and heap overflows, both of which were exploitable. In the case of the heap overflow we saw pointers being overwritten for both buffers and functions.
The SSDP service also listens on Multicast and Broadcast addresses. Therefore gaining SYSTEM access to an entire network of XP machines is possible with only one anonymous UDP SSDP attack session.
2. The DoS and DDoS
UPNP consists of multiple protocols, one of which being the Simple Service Discovery Protocol (SSDP). When a UPNP enabled device is installed on a network, whether it be a computer, network device, or even a household appliance, the device sends out an advertisement to notify control points of its existence. On a default XP installation, no support is added for device control as it would be the case in an installation of UPNP from "Network Services".
Although Microsoft added default support for an "InternetGatewayDevice", if a sniffer is run on a network with XP, XP can be observed searching for this device as XP is loading. This support was added to aid leading network hardware manufacturers in making UPnP enabled "gateway devices".
By sending a malicious spoofed UDP packet containing an SSDP advertisement, an attacker can force the XP/ME client to connect back to a specified IP address and pass on a specified HTTP/HTTPS request.
An example session:
NOTIFY * HTTP/1.1
NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1
SERVER: EEYE/2001 UPnP/1.0 PASSITON/1.1
The above packet data needs to be sent as a UDP packet to port 1900 of the XP/ME machine.
When the XP machine receives this request, it will interpret the URL following the LOCATION header entity. With no sanitizing of the URL it is passed on to the functions in the Windows Internet Services API. The string is broken down and the new session is created.
A malicious attacker could specify a chargen service on a remote machine causing the XP client to connect and get caught in a tight read/malloc loop. Doing this will throw the machine into an unstable state where CPU utilization is at 100% and memory is being allocated to the point that it is totally consumed. This basically makes the remote XP system completely unusable and requires a physical power-off shutdown.
Attackers could also use this exploit to control other XP machines, forcing such machines to perform Unicode attacks, double decode, or random CGI exploiting. Due to the insecure nature of UDP, an attacker can exploit security holes on a web server using UPNP with almost total anonymity.
One of the bigger problems, and why this can become a DDoS attack, is that this SSDP announcement can be sent to broadcast addresses and multicast. It is therefore possible to send one UDP packet causing all XP machines on the target network to be navigated to the URL of choice, performing an attack of choice.
Also since parts of the UPNP service are implemented as UDP (in our opinion, a bad idea), it makes all of these attacks completely untraceable.
Microsoft has released a patch and security bulletin which is located at: http://www.microsoft.com/technet/security/bulletin/MS01-059.asp
To verify that the patch has been installed on your system, do the following:
Windows 98 and 98SE:
Select Start, then Run, then run the QFECheck utility. If the patch is installed, "Windows 98 Q314941 Update" will be listed among the installed patches. To verify the individual files, use the file manifest provided in Knowledge Base article Q314941.
Windows ME:
Select Start, then Run, then run the QFECheck utility. If the patch is installed, "Windows Millennium Edition Q314757 Update" will be listed among the installed patches. To verify the individual files, use the file manifest provided in Knowledge Base article Q314757.
Windows XP:
Confirm that the following registry key has been created on the machine: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q315000. To verify the individual files, use the date/time and version information provided in the following registry key: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Updates\Windows XP\SP1\Q315000\Filelist.
The Common Vulnerabilities and Exposures (CVE) project has assigned the following two IDs:
The Buffer Overflow: CAN-2001-0876
The Denial of Service: CAN-2001-0877
This is a candidate for inclusion in the CVE list (http://cve.mitre.org) which standardizes names for security problems.
We would strongly suggest denying all UPNP traffic at your internet borders as there is really no need to allow UPNP traffic across the Internet. Also, it would be wise to completely turn off the UPNP services as most users are probably not utilizing them. The less services running on your machine, the safer you will be. The SSDP Discovery Service and Universal Plug and Play Host service should both be set to manual load.
Discovery: Riley Hassell
With extra help from:
Ryan Permeh - for technical advice and exploitation analysis for those difficult reverse engineering situations that Ryan has wet dreams about.
Marc Maiffret - as always with superb technical insight helping to discover and exploit the vulnerabilities in this advisory and once again proving that two heads are better than one.
Neothoth - "The typing machine", for camping out day and night in the eEye lab hammering vulnerabilities in URL handlers. Neo rocks :)
Mr. Patron and his tequila and the Three Wise Men (Jim, Jack and Johnny). Also Abraxas coffeeshop in Amsterdam.
eEye would like to offer thanks to all organizations supporting full disclosure, especially Securityfocus.com and NMRC. Don't let silly politics get in the way of what is right for everyone's security.
Oh yeah, one more thing:
Four score and numerous advisories ago, a security company set off to tell the world about its love of Tequila. However, little did people know, the team was not even legal. Now that the youngins Marc and Riley turned 21 this November we are all officially legal. That means the next time the NSA buys us beer at a SEC conference, they won't be breaking the law.
Copyright (c) 1998-2001 eEye Digital Security
Permission is hereby granted for the redistribution of this alert electronically. It is not to be edited in any way without express consent of eEye. If you wish to reprint the whole or any part of this alert in any other medium excluding electronic medium, please e-mail alert@eEye.com
The information within this paper may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties with regard to this information. In no event shall the author be liable for any damages whatsoever arising out of or in connection with the use or spread of this information. Any use of this information is at the user's own risk.
Please send suggestions, updates, and comments to:
eEye Digital Security
http://www.eEye.com
info@eEye.com
posted on 12/22/2001 7:46:40 AM PST
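Defender-side triage of the SSDP NOTIFY datagrams the eEye advisory above describes, as an added example (not eEye's or Microsoft's code): it parses a UDP/1900 message and flags the two patterns behind the advisory's findings, over-long header values (the overflow, CAN-2001-0876) and a LOCATION URL that would pull the client to an off-subnet host or a service such as chargen (the DoS, CAN-2001-0877). The length threshold, port list and sample datagrams are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

MAX_HEADER_VALUE = 256          # constructed policy: longer values are suspect
SUSPICIOUS_PORTS = {7, 9, 19}   # echo, discard, chargen (the DoS target named above)


def parse_ssdp(datagram: bytes) -> dict:
    """Parse an HTTPU request (NOTIFY / M-SEARCH) into lowercased headers.
    Raises ValueError for anything that is not a well-formed SSDP request."""
    lines = datagram.decode("ascii", errors="replace").split("\r\n")
    method, sep, version = lines[0].partition(" * ")
    if not sep or method not in ("NOTIFY", "M-SEARCH") or not version.startswith("HTTP/1."):
        raise ValueError(f"not an SSDP request line: {lines[0]!r}")
    headers = {}
    for line in lines[1:]:
        if not line:
            break                       # blank line ends the header block
        name, sep, value = line.partition(":")
        if not sep:
            raise ValueError(f"malformed header line: {line[:40]!r}")
        headers[name.strip().lower()] = value.strip()
    return {"method": method, "headers": headers}


def triage(datagram: bytes, local_net: str, sender_ip: str) -> list:
    """Return a list of findings for one datagram; an empty list means clean."""
    try:
        msg = parse_ssdp(datagram)
    except ValueError as exc:
        return [f"unparseable: {exc}"]
    findings = []
    hdrs = msg["headers"]
    for name, value in hdrs.items():
        if len(value) > MAX_HEADER_VALUE:
            findings.append(f"oversized {name.upper()} header ({len(value)} bytes)")
    if msg["method"] != "NOTIFY":
        return findings
    loc = hdrs.get("location")
    if loc is None:
        return findings + ["NOTIFY without LOCATION"]
    url = urlsplit(loc)
    if url.scheme != "http" or not url.hostname:
        return findings + [f"LOCATION is not a plain http URL: {loc[:40]!r}"]
    try:
        host = ipaddress.ip_address(url.hostname)
        if host not in ipaddress.ip_network(local_net):
            findings.append(f"LOCATION host {host} is outside {local_net}")
        if host != ipaddress.ip_address(sender_ip):
            findings.append("LOCATION host differs from UDP source address")
    except ValueError:
        findings.append(f"LOCATION uses a hostname, not an IP: {url.hostname[:40]}")
    try:
        port = url.port or 80
    except ValueError:
        return findings + ["LOCATION port is out of range"]
    if port in SUSPICIOUS_PORTS:
        findings.append(f"LOCATION port {port} is a known DoS target")
    return findings


def _notify(location: str) -> bytes:
    """Build a constructed NOTIFY datagram around the given LOCATION value."""
    return (
        b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
        b"CACHE-CONTROL: max-age=1800\r\nLOCATION: " + location.encode() + b"\r\n"
        b"NT: urn:schemas-upnp-org:device:InternetGatewayDevice:1\r\nNTS: ssdp:alive\r\n"
        b"SERVER: OS/1.0 UPnP/1.0 product/1.1\r\nUSN: uuid:constructed-0001\r\n\r\n"
    )


# Constructed samples: a benign gateway announcement, one pointing at chargen
# on an outside host, and one with a LOCATION far longer than any real URL.
BENIGN = _notify("http://192.168.1.10:2869/gateway.xml")
CHARGEN = _notify("http://203.0.113.5:19/")
OVERLONG = _notify("http://192.168.1.10/" + "A" * 600)

if __name__ == "__main__":
    for label, pkt in (("benign", BENIGN), ("chargen", CHARGEN), ("overlong", OVERLONG)):
        print(label, triage(pkt, "192.168.1.0/24", "192.168.1.10"))
```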
Former federal agent calls XP a threat to national security
Totally Bogus! Lots of people have Norton utilities installed which includes WipeInfo. Besides, if they outlaw wipe programs, only criminals will be able to wipe their files.
"Norton WipeInfo removes all traces of selected files or folders from your hard drive. It can also wipe the free space on your hard disk, insuring that previously deleted information is not left on your hard disk. You can use the Fast Wipe, which writes all zeros or any other character you choose. Alternately, you can use the Government Wipe, which is a 7-pass procedure that conforms to the method specified in DoD document 5220-22-M, National Industrial Security Program Operating Manual.
"He acknowledges that savvy terrorists can use third-party tools, such as Evidence Eraser by Mad Hornet, to stifle forensics work..."
And Evidence Eliminator (my favorite) ;-)
posted on 12/22/2001 7:59:14 AM PST
Microsoft considers disabling the "plug and play" features unnecessary.
Yeah, and Clinton considered impeachment a distraction from "the people's business".
Turning this sort of gaping security hole on by default is idiotic. It should be turned off, and turned on only by people who 1)need it for some defined purpose and 2)know what the hell they're doing.
posted on 12/22/2001 8:00:34 AM PST
--anyone-you are being asked by microsoft and the us government that BOTH the glitch and the patch for it are "accidental", with the former necessitating the latter. Uh huh, yep, sure..
Mostly I gots a prob with that assumption, I don't think this was "accidental". I think if folks are smart they'll trash that system and reformat, super DOD burn their disks, and start from scratch with something else.
And I won't point to it, but I've seen discussions in certain "enthusiast" newsgroups of another buffer overflow (sorta) exploit that is worse than this one, and there isn't any firewall for it. It's got some dudes who handle electronic wealth digits transfers more than a little sweaty last I looked (admittedly a few months ago).
posted on 12/22/2001 8:00:39 AM PST
I can't wait until .NET comes out. We can have problems like this on our phones, pdas, computers, cars, ......
How come whenever Microsoft has a catastrophe like this - you disappear for several days?
I think he tried to download the list of talking points from the MS web site, but some 133^ haquer d00d got into his system....
posted on 12/22/2001 8:05:03 AM PST
To: Brandybux; webster
"You know, I can recall Gibson talking about this months before XP was released. And he was, it turns out, a voice crying in the wilderness. "
I may be wrong, but I think this XP Security flaw and Gibson's warning of denial of service vulnerabilities are two separate issues. I remember Gibson warning how XP enables denial of service attacks on other computers 6 months ago when he got hacked.
It turned out that just a computer savvy 13 yo, not even a real hacker, got a hold of a program that allow the management and distribution of little hidden robot worm programs (bots) that can email copies of themselves to thousands of people and hide in their computer if the recipients are careless enough to open executables. They don't actually hurt the recipient's computer, but they can take commands from the bots author and then all at once turn on a third party's web site, bombarding it with millions of requests per page per second, effectively shutting it down. A good router in the proper place can generally eventually render these things next to harmless, but it takes work to set it up and it may need to be set up for each attack.
Gibson's warning was that XP fully implemented IP Sockets that enable these little bots to mask their IP address and therefore make blocking their attacks much more difficult. Before, someone simply had to configure the router to reject transmissions from the thousands of IPs from which these bots were running. Now with XP socket support, these bots can each hit a web site with thousand of requests per second pretending to be at a different IP address each time. It's then very hard to differentiate between a real page request and the denial of service attack.
posted on 12/22/2001 8:18:09 AM PST
Windows '95......works for me. Foolproof.
About a month ago I was asking my son what type of computer and operating system he has in work. He is rising in a well known company and I figured he had a super duper setup, since his computer at home is state of the art.
When he told me about his modest work computer with Win 95 I was amazed. He explained his company regularly upgrades the computers and the Operating Systems. He has seen plenty of new upgrades to other Win systems that are less reliable. He passes on the upgrades in work and just keeps chugging along on an older computer with Win 95.
The reason his home computer is so far advanced over his work computer is they refused to build the older systems with win 95 for his home use.
So now he has at home, a 2 GHZ 512 super duper Ram -XP operating system with a major security leak. - Tom
"I don't understand why folks don't secure their 'puter boxes (of any OS flavor) with a hardware firewall. It is easy and inexpensive while requiring no attention for monitoring software."
Because most people can't even set the timer on their VCR.
I agree firewalls help, but they are not foolproof. If the user runs an emailed executable, it could still take residence and mask its communication as being from a browser that the firewall will have already been set up to allow penetration.
posted on 12/22/2001 8:25:24 AM PST
Microsoft declined to tell U.S. officials how many consumers downloaded and installed its fix during the first 24 hours it was available.
Microsoft also indicated it would not send e-mail reminders to Windows XP customers to remind them of the importance of installing the patch.
What an arrogant bunch of jerks.
posted on 12/22/2001 8:32:57 AM PST
posted on 12/22/2001 8:36:37 AM PST
What email are you talking about? Billy Gates BS stuff? All others are immune from the crap Gates set up.
posted on 12/22/2001 8:59:47 AM PST
"What email are you talking about? Billy Gates BS stuff? All others are immune from the crap Gates set up."
Did you write this during an epileptic seizure?
posted on 12/22/2001 9:56:50 AM PST
The only problems with security issues are with MS stuff ... to include MS email programs.
Bill Gates has done nothing for the internet but to show his lack of a college degree will crack his windows.
posted on 12/22/2001 10:03:22 AM PST
I'm not going to defend MS's lack of concern for security other than to say that if Linux were the dominant consumer OS, worms and viruses would be written in Linux.
posted on 12/22/2001 10:17:15 AM PST
Actually linux *IS* the internet router and server method. APACHE has withstood hackers for years; it is the predominant method of routing not just because of low cost but because of ease for public use. Keep in mind that preceding the dominance of the public domain of the internet, we created the TCP/IP stack independent of Bill Gates.
posted on 12/22/2001 10:24:59 AM PST
Within the UNIX community, we have few problems about all this hoopla concerning security. It is all built in, if you know a few simple steps to use it. It is available free on the internet, free of charge. Look it up, when you have time.
posted on 12/22/2001 10:29:58 AM PST
Comment #40 Removed by Moderator
"Actually linux *IS* the internet router and server method"
Apparently when I say "dominant consumer OS" you hear "internet router and server methods"
posted on 12/22/2001 11:15:41 AM PST
"Within the UNIX community, we have few problems about all this hoopla concerning security"
I'm sure, but the UNIX community is light years beyond my 83 yo mom who somehow manages to boot up and log into ATT Worldnet once a day. UNIX just is not competitive in that market, and I suspect making it so would introduce vulnerabilities.
posted on 12/22/2001 11:21:13 AM PST
We have fixed this. We have a plethora of flavors about UNIX based upon your capabilities to handle this; scripts have been designed to almost plug&play with linux. It is simple to install and just a mouse click away without spending any money.
Use a search engine and find us. If you can't email me. I will try to help.
posted on 12/22/2001 11:31:23 AM PST
Comment #44 Removed by Moderator
posted on 12/22/2001 6:21:24 PM PST
posted on 12/30/2001 11:17:53 AM PST