Battle rages over Windows XP security

A security expert calls raw sockets used in Windows XP "a seriously dumb idea" that will make it vulnerable to DoS attacks. But Microsoft says it's secure.

A security expert calls raw sockets used in Windows XP "a seriously dumb idea" that will make it vulnerable to DoS attacks. But Microsoft says it's secure.

A row has broken out between a top security expert and Microsoft over whether Windows XP contains a feature that threatens the security of the Internet by making denial of service attacks easier.

Steve Gibson, president of Gibson Research Group, is convinced that Microsoft is making a serious mistake by fully implementing support for what are known as "raw sockets" in its Windows XP operating system, due for release on 25 October. Gibson believes this implementation will make it much easier for malevolent computer users to carry out distributed denial of service attacks (DoS). He is urging Microsoft to remove the feature, which he slams as another "SERIOUSLY DUMB IDEA in the works from Microsoft".


In response, the software giant has accused Gibson of being "off the mark" with his concerns, and denied that raw socket implementation is a security threat.

Hackers carry out DoS attacks by installing code, known as zombie software or Bots, on another user's computer without their permission or knowledge. When run, this zombie code sends data requests across the Internet to a target network selected by the hacker. If the hacker manages to take control of a large number of computers then it is possible to flood the target network with requests, stopping any other Internet traffic reaching the site. Denial of service attacks have been used to bring down many big Web sites, including, Yahoo! and even one of Microsoft's own sites.

A system administrator can try to repel a DDoS attack by identifying the IP address of the computers involved in the attack and block all data requests from those addresses. However, raw socket implementation will allow a computer running Windows XP to generate a "spoof" IP address, meaning there is no way for the target of a DDoS attack to identify the genuine IP address of the machines attacking it.

Raw socket support is also implemented in Windows 2000, Microsoft's latest operating system for business users. Gibson believes the great threat with XP is that it will eventually be installed on PCs of millions of home users, many of whom will be unable to make their systems secure from hackers attempting to install zombie code.

Gibson told Microsoft executives of his concerns, warning them of what he describes as an "impending threat to the operation and security of the global Internet."

War on hostile code
In a response posted on its TechNet site on Wednesday, Microsoft denied that raw socket implementation in XP was a serious blunder. It insists that the key to improved security is to prevent any hostile code running on a user's computer in the first place. "Microsoft has embarked on a campaign known as the "war on hostile code", with the goal of preventing any hostile code from running on users' systems," the company insists. Windows XP options that will protect users from hostile code include, according to Microsoft, "Internet Connection Firewall" that will make an XP users "effectively invisible" on the Web, and measure to prevent applications being launched in Outlook.

Having received similar reassurances from Microsoft, Gibson is not giving up. Labelling Microsoft as "seriously nuts", he intends to continue drawing attention to the raw socket implementation. Gibson plans to issue a point-by-point response to Microsoft's claims imminently.

Gibson, who has been programming for over thirty years, was himself the victim of several DDoS attacks last month -- organised by a teenage hacker. Gibson managed to track down the individual, and is certain that all the zombie code used in the attacks was obtained off the Internet and not written by the attacker. It is the ease by which this dangerous software can be found that concerns many security experts.