Serious XP flaw: What to do now

Everyone knows how dangerous buffer overflows can be and how to prevent them, yet they keep turning up, like ants at a picnic.
Written by David Raikow, Contributor

People very rarely make genuinely new mistakes--it's much easier just to keep making the same old ones over and over again. Case in point: the buffer overflow. A relatively common flaw that arises from sloppy code-writing practices, the buffer overflow has been a primary source of serious security vulnerabilities for as long as people have recognized the concept of computer security. Everyone knows how dangerous buffer overflows can be and how to prevent them, yet they keep turning up, like ants at a picnic.

"I'm still amazed that we allow [buffer overflows] to occur," announced Microsoft security chief Howard Schmidt last week, according to the Associated Press. This week, Microsoft announced that it had allowed an extraordinarily dangerous buffer overflow to creep into its brand-new Windows XP operating system, which the company claims to be the most secure version of Windows ever created.

The newly discovered vulnerability, which stems from a flaw in the "Universal Plug and Play" (UPnP) service included in Windows XP and ME, is just about as serious as they come. According to an advisory issued by eEye Digital Security, the firm that discovered the flaw, an attacker could gain complete control of an entire network of vulnerable machines with a single anonymous UDP session. An attacker would then have full access to any data or applications stored on compromised machines as well as the capacity to record keystrokes, install new files or applications, and monitor passing network traffic. Moreover, even a single compromised machine could serve as a stepping stone, allowing attackers to completely bypass many network security tools to further infiltrate the target network.

Given the severe risk posed by the UPnP flaw, it is up to system administrators to respond quickly and decisively. The appropriate short-term response in the enterprise environment is straightforward, though not necessarily easy:

1. Immediately check every perimeter firewall to be certain that it is blocking UPnP traffic (UDP ports 1900 and 5000); there is no reason to allow UPnP traffic from the internet.

2. Unless there is absolutely no other option, block UPnP traffic at your wireless access points.

3. Determine whether UPnP is absolutely necessary on your network; if not, shut it down... on every single machine. Take particular care to disable UPnP on remote machines, laptops, and boxes with wireless connections.

4. Download Microsoft's UPnP patch and apply it to every XP and ME machine in your possession. Do so even if you've shut off UPnP; you never know when it might be turned on again, accidentally or otherwise.

5. Determine whether the Internet Connection Sharing client has been installed on any Windows 98 or 98SE machines. If so, apply the patch; if not, take steps to be certain it isn't installed in the future without your knowledge.

6. Configure any intrusion detection software to watch for suspicious UPnP traffic. This hole is likely to become the basis for a wide variety of attacks in the future, so keep an eye out.

The bottom line is that, in this case, Microsoft dropped the ball--a fact that Redmond readily admits. "We're doing everything possible to minimize the number of implementation errors that can lead to problems like this, and with XP, we've done a better job than we've ever done before," said Scott Culp, director of Microsoft's Security Response Team. "In the end, though, we're human, so that number is never going to be zero."
