Free Republic
News/Activism


1 posted on 01/16/2002 9:20:36 AM PST by AFreeBird


To: tech_index
Ping a ling.
2 posted on 01/16/2002 9:25:09 AM PST by Dominic Harr

To: AFreeBird
Experts say standard security rule ignored

Again.

3 posted on 01/16/2002 9:25:53 AM PST by Dominic Harr

To: AFreeBird
Here's what Bruce Schneier has to say about Microsoft:


CRYPTO-GRAM
January 15, 2002

by Bruce Schneier
Founder and CTO
Counterpane Internet Security, Inc.
schneier@counterpane.com


A free monthly newsletter providing summaries, analyses, insights, and commentaries on computer security and cryptography.
Back issues are available at . To subscribe, visit or send a blank message to crypto-gram-subscribe@chaparraltree.com.
Copyright © 2002 by Counterpane Internet Security, Inc.

** *** ***** ******* *********** *************

In this issue:
Windows UPnP Vulnerability
Crypto-Gram Reprints
News
Counterpane News
Password Safe 2.0
The Doghouse:  AGS Encryptions
Comments from Readers


** *** ***** ******* *********** *************

Windows UPnP Vulnerability
The big news of late December was a security flaw in Microsoft’s Universal Plug and Play system, a feature in a variety of Windows flavors. On the one hand, this is a big deal: the vulnerability can allow anyone to take over a target computer. On the other hand, this is just one of many similar vulnerabilities in all sorts of software—Microsoft and non-Microsoft—and one for which there is no rapidly spreading exploit. There are several lessons from all of this.

One, the amount of press coverage is not indicative of the level of severity, and the press is the only way to get the news out to the public. This thing got Nimda-like press, but there was no exploit. While it is a critical patch to install, it’s not severe enough to trigger the “wake up, drive to work, and install this patch now!” reflex. Unfortunately, the public will have patience for only so many of these stories before their eyes glaze over. The rate of patch installation is decreasing, as people simply stop paying attention.

Two, Microsoft still sacrifices accuracy for public relations value. Here’s a quote from Scott Culp, manager of Microsoft’s security response center: “This is the first network-based, remote compromise that I’m aware of for Windows desktop systems.” I was all set to write a longish rant, calling the statement a lie and listing other network-based remote Windows compromises—Back Orifice, Nimda, etc., etc., etc.—but Richard Forno beat me to it. Read his excellent commentary on Microsoft and security.

To combat this, open and public discussion is important. In the first days of the vulnerability, there was a lot of debate in the press: which systems were vulnerable by default, how best to fix the problem, etc. Even the FBI got into the act, albeit with wrong information they later adjusted. The importance here is a multitude of voices and a multitude of views, something that secrecy won’t provide. As Greg Guerin commented, when there’s a fire in a theater, you want as many audience members as possible to shout “Fire!” rather than sitting around waiting for the theater manager to say it. The theater manager is going to put his own spin on the news, and it’s not likely to be an unbiased one.

Three, bug secrecy hurts us all. According to reports, eEye Digital Security told Microsoft about this vulnerability nearly two months before Microsoft released its patch. What’s with the two-month delay? It’s a simple buffer overflow, and should be patched within days. Delays just increase the likelihood that someone will exploit the vulnerability. (To think, some time ago I criticized eEye for not waiting long enough before releasing a vulnerability. Shows how hard it is to get the balance right.)

Four, Microsoft still pays lip service to security. This vulnerability is a buffer overflow, the easy-to-use low-hanging-fruit automatic-tools-to-fix kind of security vulnerability. It’s not new or subtle; buffer overflows have been causing serious security problems for decades. It’s an obvious, stupid-ass programming mistake that ANY reasonably implemented security program should have caught. Remember Microsoft’s big PR fuss about their Secure Windows Initiative? If it can’t catch this simple stuff, how can it secure software against the complex attacks and vulnerabilities? This is a software quality problem, pure and simple. And the real solution is better software design, implementation, and quality procedures, not more patches and alerts and press releases.

And five, complexity equals insecurity. UPnP is a complex set of protocols to support ad hoc peer-to-peer networking. Even though no one uses it, it’s installed in a bunch of Microsoft OSs. Even though no one needs it turned on, sometimes it’s turned on by default. This kind of “feature feature feature” mentality, without regard to security, means this kind of thing is going to happen again and again. Until software companies are held liable for the code they produce, they will continue to pack their software with needless features and neglect to consider their associated security ramifications.

This vulnerability also illustrates why Microsoft is so keen on bug secrecy. The industry analysts at Gartner issued a warning, urging companies to delay upgrading to Windows XP for “three to six months,” lest more of these kind of vulnerabilities surface. If Microsoft had learned of this vulnerability in secret, and fixed it in secret, Gartner would not make any such statements. No one would be the wiser. (But, of course, if Microsoft learned of this vulnerability in secret, what impetus would they have to fix it quickly? Wouldn’t it be easier on everyone if they just rolled it into the next product update?)

Honestly, security experts don’t pick on Microsoft because we have some fundamental dislike for the company. Indeed, Microsoft’s poor products are one of the reasons we’re in business. We pick on them because they’ve done more to harm Internet security than anyone else, because they repeatedly lie to the public about their products’ security, and because they do everything they can to convince people that the problems lie anywhere but inside Microsoft. Microsoft treats security vulnerabilities as public relations problems. Until that changes, expect more of this kind of nonsense from Microsoft and its products. (Note to Gartner: The vulnerabilities will come, a couple of them a week, for years and years...until people stop looking for them. Waiting six months isn’t going to make this OS safer.)

5 posted on 01/16/2002 9:30:56 AM PST by WriteOn

To: AFreeBird
Microsoft would have so much more credibility if they didn't have so many security problems like these. That said, I just read a report this week about a Solaris security hole.
6 posted on 01/16/2002 9:33:38 AM PST by freedomcrusader

To: AFreeBird
According to Microsoft, Windows XP is the "Most Secure Operating System Ever!". According to certain Freepers, since it is the most popular operating system, it has to be the best!

Nothing to see here, move along.

7 posted on 01/16/2002 9:42:06 AM PST by toupsie

To: AFreeBird
I recently contracted a malignant virus through Microsoft's notoriously crappy "Outlook Express" email application. This revelation doesn't surprise me...Microsoft is not on my good side right now.
9 posted on 01/16/2002 10:43:44 AM PST by Frances_Marion

To: Dixie; Atomic Punk; usconservative; Smartaleck
ping
23 posted on 01/16/2002 7:06:22 PM PST by dixie sass
