Windows XP Safe and Secure?

Microsoft has come under fire lately because of their habit of
releasing software which has serious flaws, most especially
problems with security. Unfortunately the criticism is justified
and verges on the criminal: flaws (implementation bugs as well as
just plain silly design decisions) have resulted in literally
tens of billions of dollars in damage and losses worldwide.

Don't believe me? Think of all of the viruses that have
devastated not hundreds, not thousands, not even millions, but
tens of millions of systems. All of these viruses are allowed to
"breed" (spread) because of one of the silliest, misguided,
downright stupidest decisions ever made by a major corporation.
This was the addition of email scripting - without that
incredibly powerful and almost totally unused (and many would
argue not necessary) feature viruses could not spread in a matter
of days or even hours. Since when does anyone need to script
their email program anyway? I've never heard of a single person
or corporation using this feature legitimately.

On top of this kind of issue (and there are several others),
Microsoft's products tend to have blatant bugs - problems in
programs which should have been caught by adequate design,
testing and quality assurance. The most famous of these is
probably the series of bugs that led to Nimda and Code Red.
Again, millions of systems were damaged and countless millions of
man hours were wasted in efforts to eradicate these issues.

The firestorm that landed on Microsoft as a direct result of
these and other problems and issues was fantastic to behold.
Naturally Microsoft responded, trying desperately to reduce the
impact on their business. They claimed the problems were with
administrators who did not apply patches, with people reporting
problems too early (thus giving hackers information before fixes
were complete) and any number of other problems. It seemed that
everyone except for Microsoft was doing the wrong thing - of
course, the mighty Microsoft could do no wrong.

In spite of what the left side of their face was saying,
Microsoft did introduce some changes. They announced a new
security service to help keep systems locked down and system
administrators happy. Automatic security patch downloads were
added to Windows XP and, I'm sure, dozens of other changes
happened.

With the release of Windows XP, Microsoft was adamant that they
had tested it from top to bottom. The software giant even
claimed it had written a special program to check for the
nastiest kind of software problem - buffer overflows. You see, a
buffer overflow is one of the most common ways for a hacker to
break the security of a system. It does this by writing some code
beyond the end of where it is supposed to write it. The code is
then executed in privileged mode to give the hacker entrance to
the system.

Well, a short time ago Microsoft released a patch to Windows XP
to fix exactly this problem. It seems there is a buffer overflow
problem in the UPnP service. What the heck is UPnP, you ask?
That's a good question.

UPnP is a special plug-and-play service. What is plug-and-play?
Well, when you install a new device on Windows XP it
automatically detects it and configures it for you. Plug-and-play
is a very nice feature, and it works very well in Windows XP.

On the other hand, UPnP is a special kind of plug-and-play. This
looks for printers and other devices added on the network (wired
and wireless). It's actually a pretty cool idea. Now, when
someone adds a printer to the network you must configure it on
each and every workstation. With UPnP the configuration is
totally automatic.

However, UPnP is very, very new and there is almost no real
support for it with any devices. So UPnP is more or less not
used, and it is certainly not needed by home computer users. By
shipping Windows XP with the product Microsoft was solving the
classic "which came first, the chicken or the egg" problem. They
had to send out support for these devices in order to convince
vendors to start providing them.

But Microsoft made one big mistake - when you install Windows XP,
this unused service is turned on! What that means is everyone
who has ever installed Windows XP is running this service.

And the service has a bug - a huge bug, the kind of bug that if
it hit your windshield would smash the car and cause it to
explode in flames, killing all of the passengers and the driver.

The problem is very bad, and Microsoft has released a patch to
fix it. But the story gets even more interesting.

The National Infrastructure Protection Center released an
advisory stating that everyone who is not using this service
should disable it. This is an incredible statement from this
agency. What they are implying is the UPnP service problem
directly puts the United States computer infrastructure at risk
(that's what this agency protects)! That's a big thing for them
to be saying.

What are they afraid of? That hackers and perhaps hostile
governments can use the bug to their advantage. You see, special
programs called Zombies can be installed on Windows XP machines
with this problem, and Zombies can be used to launch distributed
denial of service attacks on computers throughout the world.

In fact, I'll bet you heard about the denial of service attack
performed by the Code Red worm recently against the Whitehouse
(the attack failed, if you remember). That's exactly what this
agency is afraid of and what they are trying to prevent.

So the next time you are thinking about giving all of your credit
card data to a site which uses Microsoft Passport, think about
this article. Do you want to trust all of your confidential data
to a company which cannot keep it secure? Just think about it,
read some more, and make the rational decision.

For more information, check out the following articles.

Microsoft Security Bulletin MS01-059
http://www.microsoft.com echnet reeview/default.asp?url=
echnet/security/bulletin/MS01-059.asp

eEye Digital Security
http://www.eeye.com/html/Research/Advisories/AD20011220.html

NIPC ADVISORY 01-030.2 Universal Plug and Play Vulnerabilities
http://www.nipc.gov/warnings/advisories/2001/01-030-2.htm