Windows XP/UPnP Vulnerability Exposed

In late December, eEye Digital Security reported the first major Windows XP security vulnerability, but the sensational news reports describing the event puzzled me. The questionable reports originated with the Associated Press (AP), which denounced Microsoft for reportedly knowing about the vulnerability for 5 weeks and not providing a fix for its customers. Microsoft, the reports said, was more interested in holiday XP sales than in the security and safety of its customers.

The problem concerns an as-yet little used XP system component called Universal Plug and Play (UPnP) that lets network devices announce themselves to UPnP-enabled systems running XP and Windows Me and provide a URL for automatic configuration information. Even Microsoft describes the flaw as "unprecedented" and "serious," and the company is providing a wide range of fixes through the normal support channels, such as Auto Update, Windows Update, and the Microsoft Web site.

I don't want to downplay the seriousness of this vulnerability, but the press coverage of this event was even more unprecedented and serious than the flaw. Rather than acknowledge that Microsoft's Auto Update technology automatically protected most XP users from this vulnerability, news reports centered on the company's supposed lateness in delivering the fix, and the fact that Microsoft's claims about XP being its "most secure OS ever" were now laughable. According to various reports, even the FBI issued a statement decrying XP's security. Something just didn't seem right, so I started asking questions to discover what really happened.

Two truths emerged. First, Microsoft still doesn't secure its products well enough. Second, the company reacted quite quickly in this case and did the right thing for its customers—a fact the press almost (ahem) universally reported wrong.

My first discussion was with Windows & .NET Magazine's security expert Mark Joseph Edwards, who told me that eEye staff, who discovered the bug, are some of the most proficient at uncovering security vulnerabilities. Edwards believes that Microsoft should hire or contract workers at eEye and similar organizations because Microsoft clearly isn't doing a good job of policing its code for security problems.

"This type of thing has happened repeatedly throughout the years," Edwards told me, "and now we have a serious vulnerability that probably affects half of all Windows users. [The problem] is serious because it also affects less tech-savvy consumers. Microsoft needs to do something about its internal processes. The company should be tearing apart those services now, looking for flaws."

Security expert Steve Gibson described the flaw for me. The vulnerability has three separate exploits: a remote buffer overflow flaw, which can load remote code into an XP system; and Denial of Service (DoS) and Distributed Denial of Service (DDoS) flaws, which can let intruders use zombie XP systems to flood Internet servers with bogus requests. "What's scary is that the DoS and DDoS exploits are not a coding error or a mistake," Gibson told me. "Instead, Microsoft deliberately intended for UPnP to work that way: A device can notify Windows where to get detailed specs for how [the device] works and interoperates using a URL. But that URL can be anywhere on the Internet and XP just executes it."

Microsoft's fix adds administrative oversight to UPnP so that the service pulls URLs from only the local network subnet and not from a remote server. But you can still turn on the old behavior, so Gibson believes that the UPnP service still poses a threat. He's written a tiny application that will shut down the UPnP subsystem in XP and other Windows versions (see URL below). Gibson also concurs with Edwards that Microsoft hasn't learned from past problems. "Microsoft is fighting the truth that security comes at a cost," Gibson said. "The company wants everything to be automatic."

Scott Culp, who manages the Microsoft Security Response Center, provided a crucial timeline for the vulnerability, which shed light on the willingness of the press to take the AP's original speculative report as gospel. "There are some wild conspiracy theories going around regarding handling of this patch," Culp told me. "But we were not sitting on this patch. In fact, we moved heaven and earth to get this patch out as quickly as possible."

The UPnP drama unfolded on October 26, when eEye first reported the DoS exploit to Microsoft. Culp says that the company responded through email within a minute and duplicated the problem within 24 hours. The DoS fix was easy to implement, although it required some hefty architectural changes and testing. On November 7, Microsoft completed a preliminary fix. After testing the fix for a week, eEye reported that a buffer overflow exploit also existed. Microsoft completed the fixes for this exploit and for the DDoS exploit on December 6 and provided them to eEye for testing.

"We spent the next 2 weeks on localizations," Culp said. "People don't realize how much testing needs to go into a patch like this. There are three versions of the patch, each for four different OSes. All of them needed to be localized into more than 20 languages and every version had to be heavily tested. We knew that we were going to go out to every XP machine in the world and ask them to update, and that's tens of millions of machines, all with different configurations, and it has to work right on every single one of them. So we produced more than 300 versions of the patch in less than 2 weeks. That's quite an accomplishment. But our team literally worked around the clock, 24 hours a day, for the final week before it shipped, so that people getting XP on Christmas would be able to get updated immediately."

The other newsworthy aspect of the UPnP vulnerability, that the FBI had reportedly slammed XP security and recommended that XP users disable UPnP, isn't quite true. In the wake of the September 11 disaster, the FBI had set up a department called the National Infrastructure Protection Center (NIPC) to provide computer security information to consumers. The NIPC reported on the UPnP flaw, but the organization later recanted its advice to turn off UPnP because the Microsoft-supplied patch fixes the problem. I had talked to Culp before the NIPC reversed its recommendation, and he told me then that the advice was bogus because "the patch restores operations and secures the system."

Culp summed up this story nicely. "It's definitely an engineering error," he told me, "but that's all. It doesn't reflect a larger problem with XP, which is a very good product. But it was made by human beings, and we're always realistic even as we're improving quality. It's not perfect, but the response process works, and you can see that in action [when you examine these events]."

Resources
Steve Gibson's UnPlug n' Pray utility
Microsoft Security Bulletin MS01-054