ComputerWorld posted a "security" news article about a minor flaw in Windows ICS (Internet Connection Sharing) which doesn't affect the vast majority of users and offered fatal advice as the "fix" for the bug. After getting the fatal advice from "research engineer" Tyler Reguly of nCircle, Robert McMillan of ComputerWorld posted the fatal advice to a much wider audience than Reguly's blog.
Before I tell you what the problem is, I'm going to run through the "logic" in Reguly's advice and I want you to see if you can spot the problem first.
There is a minor denial-of-service flaw in Windows ICS where a specifically crafted DNS packet can cause ICS to shut down. As a result of ICS shutting down, it takes the Windows XP Firewall with it which puts a user in danger. So we want something that will prevent the Windows XP Firewall from shutting down.
1) Disable Internet Connection Sharing (ICS)
2) Block UDP port 53 (DNS) ...
You don't even need to be a network security guru to see the obvious problem in this "logic". Look at Mr. Reguly's "fix" and see if you can see the problem. Just as a hint, look at "fix" #1. See it? If you do, great job! You're now an honorary network security guru for the day.
So to summarize this, we're trying to prevent a bad guy from taking down our Firewall, right? By Mr. Reguly's "logic", the best way to prevent the bad guy from shutting down our Firewall defenses is to shut it down ourselves first! So we slash our own throats before the bad guy can do it to us. I'm amazed that this was allowed to be reported on ComputerWorld where lots of readers might swallow this fatal advice and, worse, other websites might cite this article.
What makes this worse is that this ICS denial-of-service flaw doesn't affect you if you're not using Windows XP as a NAT router to share an Internet connection. Most people wouldn't do that because dedicated hardware router/firewalls cost $15 to $50. Even if you did use Windows XP as a NAT router, this particular attack can only come from the inside, which means only the computers you're protecting from the Internet can attack you. This is not something that can be attacked from the hostile Internet, so it would be crazy to disable ICS yourself (which disables the XP Firewall) because you're afraid an internal PC might attack your XP NAT box. The bottom line is DON'T DISABLE ICS!
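The reason disabling ICS takes the XP Firewall down with it is that on Windows XP SP2 both features live in a single service, SharedAccess (display name "Windows Firewall/Internet Connection Sharing (ICS)"). The following batch script is an added example, not part of the article or of nCircle's advice; it assumes a Windows XP SP2 machine and uses only the stock `sc` and `netsh firewall` commands to let an admin confirm that shared service, check that the firewall is still operational, and list which ports are currently opened, so the effect of any change (like the suggested DNS block) can be verified rather than guessed at.

```batch
@echo off
REM Added example (not from the article): inspect the service that hosts both
REM ICS and the Windows Firewall on Windows XP SP2, then report firewall state.
REM Nothing here changes configuration; it only reads it.

echo === Service hosting both ICS and the Windows Firewall ===
REM "sc qc" prints the service configuration, including its display name,
REM which on XP SP2 reads "Windows Firewall/Internet Connection Sharing (ICS)".
sc qc SharedAccess | findstr /i "SERVICE_NAME DISPLAY_NAME"

REM "sc query" prints the runtime state; if it is not RUNNING, the firewall
REM is down as well, since there is no separate firewall service to fall back on.
sc query SharedAccess | find "RUNNING" >nul
if errorlevel 1 (
    echo WARNING: SharedAccess is NOT running - ICS and the XP Firewall are both off.
) else (
    echo SharedAccess is running - ICS and the XP Firewall are available.
)

echo.
echo === Windows Firewall operational mode ===
REM On XP SP2 the state report contains an "Operational mode = Enable" line
REM when the firewall is actually filtering traffic.
netsh firewall show state | find "Operational mode"

echo.
echo === Ports currently opened through the Windows Firewall ===
REM Use this to check whether UDP 53 is opened at all before worrying about
REM blocking it; on a machine not sharing its connection it normally is not.
netsh firewall show portopening
```

Run it from a command prompt as an administrator on the XP box in question (it reads the service and firewall state, so elevation is needed for the full output). If SharedAccess reports RUNNING and the operational mode line reads Enable, the firewall is in place; the script is meant to be run again after any settings change so you can see whether you just did to yourself what the article warns the DoS packet would do.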
As for ComputerWorld, please do some fact checking before giving this kind of advice. It also helps to read the Secunia advisory which offers the solution of "Use another way of sharing the Internet connection". Lastly, PLEASE FIX YOUR ARTICLE!
As for Mr. Reguly, I'm at a loss for words. More importantly, PLEASE TAKE DOWN YOUR ADVICE!
[UPDATE 7:00 PM:]
Robert McMillan has sent me an update that Tyler Reguly's definition of "disable ICS" doesn't mean disable the ICS service. What he meant was to disable Internet Sharing, which is already the default setting used by more than 99% of Windows XP users. I'm not going to get into the semantics of which interpretation of "disable ICS" is right or wrong because it's all a matter of how you interpret the words. What I can say for sure is that the information given by ComputerWorld and nCircle is vague and worthless at best and dangerous if interpreted the wrong way.
Even if we go with Reguly's updated definition of "disable ICS" and block inbound DNS, I have to ask what does this accomplish for the less than 1% of Windows XP users who are using Windows XP as a NAT/Router/Firewall/Gateway. If we follow Reguly's advice and turn off Internet Sharing, what have we accomplished? All that does is kill the default gateway for the entire internal network and no one can access the Internet. So we have to ask ourselves if this DoS (Denial of Service) flaw is really so bad since only the PCs on the internal LAN can pull off this attack on the ICS service. If a user can't wait for a Microsoft fix and they don't want to live with this relatively minor risk, they can buy a $20 dedicated router and use that as the default gateway. But if you did get a dedicated router and used it as the new default gateway for all internal PCs, messing with the ICS settings and blocking DNS on the XP machine serving as the old gateway is MOOT.
The bottom line is that the ComputerWorld nCircle advice on the minor ICS Denial of Service flaw is vague, worthless, and possibly dangerous if interpreted the wrong way.