Microsoft 'frightened' by police XP hack

Microsoft has described the ease with which two officers from the UK's Serious Organised Crime Agency managed to hack into Windows XP as both "enlightening and frightening".

At a Get Safe Online event on Monday aimed at heightening security awareness among small businesses, officers connected a machine running Windows XP Service Pack 1 (SP1) to an unsecured wireless network. The machine was running no antivirus, firewall, or anti-spyware, and contained a sample target file of passwords to be stolen.

The Serious Organised Crime Agency (SOCA) officers, who are e-crime specialists, wished to remain anonymous. A SOCA spokesperson explained that to make covert operations easier "all SOCA officers below a certain level are anonymous, as it is not helpful to have our identities known".

One of the officers, "Mick", remained behind a screen while connecting to the unsecured wireless network and carrying out the hack into the unpatched computer of fellow officer "Andy".

"It's easy to connect to an unsecured wireless network," said Mick. "You could equate Andy with being in his bedroom, while I'm scanning for networks outside in my car. If I ordered or viewed illegal materials, it would come back to Andy."

Mick used a common, open-source exploit-finding tool he had downloaded from the internet. SOCA asked ZDNet.co.uk not to divulge the name of the tool.

"You can download attack tools from the internet, and even script kiddies can use this one," said Mick.

Mick found the IP address of his own computer by using the XP Wireless Network Connection Status dialogue box. He deduced the IP address of Andy's computer by typing different numerically adjacent addresses in that IP range into the attack tool, then scanning the addresses to see if they belonged to a vulnerable machine.

Using a different attack tool, he produced a security report detailing the vulnerabilities found on the system. Mick decided to exploit one of them, CVE-2003-0533. This is a stack-based buffer overflow vulnerability in active directory functions which affects Microsoft Windows NT 4.0 SP6, 2000 SP2 to SP4, XP SP1, Server 2003, and NetMeeting, as well as Windows 98 and Windows Me.

Using the attack tool, Mick built a piece of malware in MS-DOS, giving it a payload which would exploit the flaw within a couple of minutes. SOCA requested ZDNet.co.uk give no more details than this about how the exploit was constructed. Getting onto the unsecured wireless network, pinging possible IP addresses of other computers on the network, finding Andy's unpatched computer, scanning open ports for vulnerabilities, using the attack tool to build an exploit, and using the malware to get into the XP command shell took six minutes.

"If you were in [a cafe with Wi-Fi access], your coffee wouldn't even have cooled down yet," said Sharon Lemon, deputy director of SOCA's e-crime unit.

Mick then went into the My Documents folder and, using a trivial transfer protocol, transferred the document containing passwords to his own computer. The whole process took 11 minutes.

A SOCA spokesperson said that the demonstration was "purely to point out that, if a system hasn't had patches, it's a relatively simple matter to hack into it". While SOCA stopped short of recommending small businesses move to Vista in order to ensure security, a spokesperson for the organisation said that applying SP2 to XP, with all the patches applied, and running a secured wireless network is "a perfectly sensible way to do it".

Nick McGrath, head of platform strategy for Microsoft UK, said that the demonstration had been "frightening".

"In the demonstration we saw, it was both enlightening and frightening to witness the seeming ease of the attack on the [Windows] computer," said McGrath. "But the computer was new, not updated, and not patched."

McGrath said that having anti-spyware installed was not as important as having that software updated. McGrath denied that Microsoft's anti-piracy tool, Windows Genuine Advantage (WGA), which prevents non-critical updates from being downloaded from Windows Update without WGA validation, was a security issue.

"We provide critical [updates] out to the customer," McGrath told ZDNet.co.uk. "We're absolutely determined to treat security as a baseline. For live threats, we will provide updates to genuine customers who have purchased a legal copy of Windows. We need to make sure they are genuine customers, [given] genuine support."

Windows Genuine Advantage for Vista is more stringent than for Windows XP. In addition to frequent notification through pop-up dialogue boxes, and the disabling of non-critical updates, WGA on Vista also disables Windows Aero, Defender, and ReadyBoost. The user is then given a period to validate Vista, after which a good part of the operating system is disabled, and Windows reverts to "reduced functionality mode".

McGrath added that Microsoft works closely with original equipment manufacturers to encourage the pre-loading of antivirus and anti-spyware, on a 30-day trial basis. McGrath also said that SP2 for XP had a firewall, and that Vista was not as "accessible to the average hacker" due to "operating system components".