WinXP security row: Expert hits back

The US software giant released a statement last week in which it said Steve Gibson, president of Gibson Research Group, was incorrect to claim that the implementation of "raw sockets" in its Windows XP operating system was a serious mistake. According to Microsoft, it will not be possible for a hacker to run malicious software such as Trojan horses on a machine running Windows XP, thanks to the company's "war on hostile code". This means, according to Microsoft, that an XP machine could not take part in a DoS attack.

Microsoft also defended its implementation of raw sockets--which can be manipulated to "spoof" a computer's IP address, allowing an undefeatable DoS attack--by denying that raw sockets are a critical factor in DoS attacks. "If it were, the explosion in DoS attacks should have already occurred, as raw sockets implementations are already present in Linux, VMS, Unix, Mac OS X and even in previous versions of Windows," said Microsoft.

Responding to Microsoft's denial, Gibson, who in 30 years of programming has written many security programs, has now accused Microsoft of lying when it claims that "previous versions of Windows" also supported raw sockets. According to Gibson, Windows 98 and 95 did not, which is why many Trojan horses will not run on Windows machines.

Unlike Windows 2000, where Gibson claims raw sockets were first fully implemented, Windows XP--which ships on October 25 this year--will be run by home PC users who will be less inclined and/or able to maintain the security of their system and keep up with software patches.

"The release of Windows XP, as currently planned, into the mass consumer market represents a crucial mistake and, given that Microsoft is fully aware of this, a shocking example of corporate hubris," Gibson wrote on Monday.

Hackers carry out DoS attacks by installing what is commonly known as "zombie software" on the computers of many unsuspecting users. This software can then be instructed to send masses of data requests to a server of the hacker's choice. These data requests flood the target, making it impossible for genuine Internet traffic to travel between it. The only way that technical staff can repel a DoS attack is by identifying the computers that are sending the rogue data requests and tell their system to ignore all traffic from such computers.

Gibson is also unconvinced by Microsoft's assurance that "raw sockets are not a critical factor in DoS attacks", because "if they were, the explosion of DoS attacks would already have occurred". He points out that, with 4,000 being reported a week, such an explosion is already underway--something Gibson attributes to the number of relatively inexperienced home users running Linux and Unix machines, which allow the host IP address of a data packet to be spoofed.

Gibson predicts there will soon be tens of millions of PCs running Windows XP. Insisting that "it is absolutely impossible to create a secure, consumer, personal computer", he warns that however hard Microsoft tries to make it impossible for hostile code to run on an XP machine, it will fail. This is why Gibson believes that raw socket implementation is such a bad idea.

"The idea that every consumer machine will have such dangerous capabilities that are not needed at all for Internet connectivity strikes me as being so unnecessarily dangerous and ultimately dumb, dumb, dumb," Gibson warns.