"It suffers from being very complicated," Steven
Gibson says, trying to explain why he thinks a little-known
feature of some operating systems could spell doom for businesses
on the Internet. Gibson runs Gibson Research, a highly regarded
Laguna Hills, California, security research firm. The feature
is something called "raw sockets," and it's in Windows
XP, the newest version of Microsoft's Windows operating system.
Internet businesses could find their access to the world buried
in a flood of nonsense traffic that could exclude nearly everything
Microsoft has yet to find a security hole it doesn't like,
and Windows XP is no exception. In this case, the raw sockets
feature can allow creators of denial of service (DoS) attacks
untold levels of new power in their quest to bring the Internet
to its knees. This is because the raw sockets feature makes
it easy to command any computer running Windows XP to unleash
a flood of packets that will more efficiently tie up the switches
and routers upon which the Internet depends.
Though the Internet is full of operating systems that support
raw sockets, including all versions of Unix and Linux, Windows
is the only operating system that makes them available to any
user with any level of access. Unix and Linux require special
rights to allow this feature to be accessed, so it's less of
a problem (although this feature is regularly exploited with
those operating systems, as well).
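The privilege gate the column describes for Unix and Linux can be observed directly. The script below is an added example, not code from the article, Gibson Research, or Microsoft: it asks the operating system for an IPv4 raw socket and reports whether the kernel handed one over, refused for lack of privilege, or does not offer raw sockets in this environment at all. On Linux the request needs CAP_NET_RAW, which an ordinary user does not have, so an unprivileged run should report "denied" and a root run "permitted". The function names and the "permitted/denied/unsupported" vocabulary are this example's own.

```python
import errno
import os
import socket


def raw_socket_status():
    """Try to open an IPv4 raw socket and report how the OS answered.

    Returns one of:
      "permitted"   - the kernel handed this process a raw socket
      "denied"      - refused for lack of privilege (EPERM / EACCES)
      "unsupported" - raw sockets are not available in this environment
    The socket is closed immediately; nothing is ever sent.
    """
    try:
        sock = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    except PermissionError:
        return "denied"
    except OSError as exc:
        if exc.errno in (errno.EPERM, errno.EACCES):
            return "denied"
        return "unsupported"
    sock.close()
    return "permitted"


def is_privileged():
    """True when running as root on a Unix-like system.

    Windows has no geteuid(); return None there to mean "unknown".
    """
    geteuid = getattr(os, "geteuid", None)
    if geteuid is None:
        return None
    return geteuid() == 0


def privilege_gate_holds(status, privileged):
    """The property the column attributes to Unix and Linux: an unprivileged
    process must not be granted a raw socket.

    Returns False only when an unprivileged process was handed one; an
    unknown privilege level or an unsupported platform counts as holding,
    because nothing contradicts the property.
    """
    if privileged is None or status == "unsupported":
        return True
    return not (status == "permitted" and not privileged)


if __name__ == "__main__":
    status = raw_socket_status()
    priv = is_privileged()
    print(f"raw socket request: {status}; running as root: {priv}")
    print("privilege gate holds:", privilege_gate_holds(status, priv))
```

Run it twice, once as an ordinary user and once under sudo, to see the gate the column refers to; the same request from any account succeeded on the Windows XP release the column discusses. (Microsoft later restricted raw-socket sending in XP Service Pack 2.)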
Now that it's common for users to have their computers attached
to the Internet at all times, it's also easy for DoS attack
software creators to infiltrate computers and implant the software
that will effect the attack. That means that if your employees
are online all the time, which is the case in most companies,
your corporate network could be used as the point of origin
for an attack against a site on the Internet.
Microsoft has a page on its Web site devoted to the issue
of what it calls hostile code, and suggests that the problem
lies there--not with Microsoft's implementation of raw sockets.
Additionally, the company points out that raw sockets are necessary
for some Windows features to work properly. "There are
user-level functions that use raw sockets," says Scott
Culp, manager of Microsoft's Security Response Team. He says
that the fact that it may be slightly easier for "hostile"
code to take over a computer with raw sockets is more than offset
by the need for popular features such as Microsoft's Internet
Connection Sharing and the company's IPSec implementation. Culp
also notes that many of the activities Gibson singles out as
reason to avoid raw sockets can also be accomplished without
them. For example, Culp says that IP spoofing can be done with
little more than a device driver.
So why should you care about this potential security hole?
Because it could be your computers and network that are used
to launch the attack, and it's your company that's responsible if they bring
down the Web presence of another company or a government agency.
It's you who will be explaining to the authorities why you allowed
this, and then explaining to your boss, and maybe to the board--if
you last that long.
But what Microsoft ignores is the fact that all previous Windows
versions kept anyone from using that feature of TCP/IP except
for administrators. Instead, Microsoft suggests that it's hopeless
to try to protect security in the face of such hostile code.
The company doesn't address the idea that the raw socket issue
in Windows XP makes it even easier for this hostile code to
wreak havoc on the Internet--easier than it would be if Microsoft
were using the previous implementation (the one all other operating
systems continue to use).
You can't do much about Windows and its security holes until
Microsoft takes the problem seriously, so it's up to you to
take other steps. For example, make sure you have a tested firewall.
Purveyors of DoS attacks can't load your network up with attack
software if they can't get in.
While you're at it, make sure your firewall also keeps applications
from accessing the Internet without permission. That's how DoS
works, after all. And, of course, think twice about upgrading
anything to Windows XP until you have all the protections in
place and tested. Not only will this keep you from unknowingly
assuming the liability for hosting a DoS attack, it will also
help keep those nasty viruses aimed at Microsoft's other security
hole--Outlook--from causing your company any more trouble than
it already does.
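The firewall advice above is about keeping attack traffic from leaving your network in the first place. One concrete check a border device can make is the one raw sockets defeat on the host: an outbound packet whose source address is not one of your own addresses is forged and should never leave. The script below is an added example, not code from the article or from any firewall product: it audits constructed outbound flow records against the organisation's own address space, drops spoofed-source flows, and flags flows from genuine addresses that are sending at flood rates. The prefixes, flow records, field layout and the 5,000 packets-per-second threshold are all constructed for this example.

```python
import ipaddress

# Address space that legitimately belongs to this organisation.
# Constructed example prefixes (RFC 5737 documentation ranges), not from the column.
OUR_PREFIXES = [
    ipaddress.ip_network("203.0.113.0/24"),
    ipaddress.ip_network("198.51.100.0/25"),
]

# Above this outbound rate a single source is treated as a flood (constructed threshold).
FLOOD_PPS = 5000

# Constructed outbound flow records seen at the border:
# (source IP, destination IP, destination port, packets per second)
SAMPLE_FLOWS = [
    ("203.0.113.10", "192.0.2.5", 80, 12),        # ordinary web traffic
    ("198.51.100.7", "192.0.2.9", 443, 40),       # ordinary HTTPS traffic
    ("10.99.0.3", "192.0.2.5", 80, 9000),         # source is not ours: forged
    ("203.0.113.77", "192.0.2.5", 80, 25000),     # our address, but flood-rate
    ("8.8.8.8", "192.0.2.5", 53, 15000),          # someone else's address: forged
    ("198.51.100.200", "192.0.2.9", 443, 3),      # in the /24 but outside our /25: forged
]


def is_our_address(ip):
    """True if the address lies inside one of the organisation's prefixes."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in OUR_PREFIXES)


def classify_flow(flow):
    """Decide what the border should do with one outbound flow.

    "drop-spoofed": source address is not ours, so it cannot be legitimate
    "alert-flood":  source is ours but the rate points to a compromised host
    "allow":        nothing remarkable
    """
    src, _dst, _dport, pps = flow
    if not is_our_address(src):
        return "drop-spoofed"
    if pps >= FLOOD_PPS:
        return "alert-flood"
    return "allow"


def audit_flows(flows):
    """Return per-verdict counts plus the source addresses worth investigating."""
    report = {"allow": 0, "drop-spoofed": 0, "alert-flood": 0, "suspects": []}
    for flow in flows:
        verdict = classify_flow(flow)
        report[verdict] += 1
        if verdict != "allow":
            report["suspects"].append((flow[0], verdict))
    return report


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(f"{flow[0]:>16} -> {flow[1]}:{flow[2]:<4} {flow[3]:>6} pps  {classify_flow(flow)}")
    print(audit_flows(SAMPLE_FLOWS))
```

The spoofed-source rule is the same idea as ingress/egress filtering at the network edge: a host that has been turned into a DoS launcher can forge any source address it likes through a raw socket, but the border knows which addresses it is entitled to emit. The flood-rate rule catches the other case the column raises, a machine of yours sending with its real address; that one is a compromised host to find and clean, not merely a packet to drop.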
But first, you have to take responsibility for your network,
and for the software that runs on it. Start by protecting what
you have, and then don't let anything--including the marketing
machine from Redmond--convince you otherwise.
Wayne Rash runs a product testing lab near Washington, DC.
He's been involved with secure networking for 20 years and is
the author of four books on networking topics.