About | Buy Stuff | News | Products | Rants | Search | Security
Home » Resources » Rants

They Ain't Got It

Week of September 26, 2004

I got it! I got it! I got it! I ain't got it!
  - Ron Carey, High Anxiety

There's a famous and recurring scene in the Mel Brooks movie High Anxiety where Brophy the driver, played by Ron Carey, tries to lift an oversized suitcase. He's got it, he's got it, he's got it - he ain't got it, and it drops to the ground. It's hilarious. Brophy doesn't want to give up, but in the end is forced to admit gravity gets him down.

Many people look at the Microsoft Service Pack 2 for Windows XP and heave a sigh of relief - Microsoft finally 'got it'. And certainly even the Microsoft haters would be glad if it were so. And things have been rather quiet on the net of late, haven't they? Have Microsoft in fact, after all these years, finally got it?

Many things speak against such an optimistic view.

As stated many times before on these pages, if Windows ever gets as secure as Unix, it will be because Windows has become Unix. The security model and paradigm used in that latter platform are unbeatable; they address the issues correctly, in the only way they can be addressed. Whilst Microsoft have a nasty reputation of not addressing security issues at all, or sweeping them under the table and pretending they're not there.

Two years and a few months ago Bill Gates made a famous speech and summoned up a new program in Redmond called Trustworthy Computing. Although this was quickly - and according to plan - spun off into an attempt to corner digital rights management, it also meant that Microsofties were finally going to learn how to really 'program'. And the end result of that Sisyphean effort was to be Windows XP Service Pack 2 - with, as Steve Ballmer proclaimed it must be called, 'Advanced Security Technologies'.

We know by now we cannot trust Bill Gates - that he in a word lies all the time. We also know by now that Steve Ballmer is if possible an even bigger liar. But we waited, we bided our time, we looked for the exploits to begin. So far things have been eerily quiet.

Windows XP Service Pack 2 has only rolled out to 3% of all Windows computers. If there's to be an epidemic, they won't be part of it - not yet: they represent too narrow a target.

The worms, trojans, keystroke loggers and zombie generals continue to proliferate as well - it's just that the media aren't writing as much about it. They have more fun regurgitating yesterday's news about Service Pack 2 instead.

But one brave writer - one out of all the so-called experts online - has taken SP2 to task, and published a rather alarming report. Not that the media pick up on this of course - but it's still there, all the same.

In an article published 2 September 2004, SuSE immigrant Thomas C Greene took a step back and investigated his old platform of choice. Thomas has long been interested in the security aspects of Internet use, warning people about the grave dangers long before most people had any general interest in such matters.

The Register and Radsoft conducted an experiment in 'tying down' Windows a few years back - the results were not encouraging, and Thomas moved his entire family to SuSE, whilst the principals of Radsoft moved to OS X.

Now Thomas is back - for a day - performing a very thankless task. And he does it admirably.

What Thomas has worked from is a generic security model, equipped with detailed knowledge of how 'Internet' computers work and should work, and sized up Windows XP with the service pack alongside this.

It's not a pretty sight.

The 'evaluation' was done on a 'clean' test machine with a 'clean' install of XP, with no configuration changes, and with no third party drivers or software. The NTFS file system was chosen, as were all its 'factory defaults'.

Then the system was patched with each and every security update leading up to but not including Service Pack 2.

And although there are certain improvements, the overall impression is that Windows users are being given a 'placebo' - a dangerous gambit in these insecure times.

'SP2 did little to improve our system's practical security, leaving too many services and networking components enabled, bungling permissions, leaving IE and OE vulnerable to malicious scripts, and installing a packet filter that lacks a capacity for egress filtering.

'The Security Center does little beyond warning users that the firewall is disabled, that automatic updating is disabled, or that antivirus software has not been installed. It may look impressive, but the SP2 package fails to provide several of the most important basic modifications required to run Windows safely on a net-connected machine.'

A secure computer should be invisible. Not only should it refuse connection attempts, it should make things look like it isn't even there. The normal 'MO' for getting rid of bogus 'connects' is to send back a 'reset'; this is however dangerous in today's world. A secure computer should send back nothing at all.

Thus 'open ports' - nodes on a computer that will respond, even with so little as a 'service not available' message, are a total no-no. The rest of the world got it, but it looks as if Microsoft still ain't got it.

Here is a list of the open ports on a Windows XP machine after it has been configured and patched with Service Pack 2:

  • Port 135: DCE endpoint resolution. Open.
  • Port 137: NetBIOS name service. Open.
  • Port 138: NetBIOS datagram service. Open.
  • Port 139: NetBIOS Session. Open.
  • Port 445: Microsoft-ds Server Message Block (SMB). Open.

What's worse, most of these ports uniquely identify the target as a 'Microsoft' machine: finding these ports available at all - even if traffic is refused - tells the hackers - or the worms, trojans, zombie masters - all they need to know. They've just 'footprinted' you, the bread is burning.

The next part of the Register's 'evaluation' looked at the system's services. Services can be a wonderful way for malfeasant software to 'hijack' a computer. If certain services are unstable or insecure and mostly never in use, they should not be available, ever. But XP comes with most of the road mines ready to explode.

There are two ways of getting an XP service to run: either they're set to start at boot or login (here called 'automatic') or they will start when invoked by a program that needs them, such as when the Telnet program invokes the Telnet service. These latter services have a so-called 'manual' startup.

Of course services can also be disabled if they're not used and pose a security risk - which is the whole point: the following services should be disabled but are not - 'Microsoft ain't got it'.

  • Distributed COM (DCOM): 'automatic' startup.
  • DCOM Server Process Launcher: 'automatic' startup.
  • DHCP Client: 'automatic' startup.
  • DNS Client: 'automatic' startup.
  • NetMeeting: 'manual' startup.
  • Remote Access Connection Manager: 'manual' startup.
  • Remote Desktop Help Session Manager: 'manual' startup.
  • Remote Procedure Call: 'automatic' startup.
  • Remote Registry: 'automatic' startup.
  • Secondary Logon: 'automatic' startup.
  • SSDP Discovery Service: 'manual' startup.
  • TCP/IP NetBIOS Helper: 'automatic' startup.
  • Telnet: 'manual' startup.
  • Universal Plug and Play Device Host: 'manual' startup.
  • WebClient: 'automatic' startup.

In their never-ending zeal to drown you in unnecessary - and dangerous - gadgets, Microsoft have also left a plethora of hara-kiri networking components alive and kicking. Security gurus who do get it shake their heads at this one, as the only component needed for the Internet is TCP/IP.

But Microsoft most definitely ain't got it, and leave the following wide open:

  • Client for Microsoft Networks. Installed.
  • File and Print Sharing. Installed.
  • QoS Packet Scheduler. Installed.
  • NetBIOS over TCP/IP. Installed.
  • Remote Assistance. Installed.
  • Remote Registry. Installed.

The File and Print Sharing component was found only in the past few days to provide a gaping hole in the service pack's security. Remote Assistance and Remote Registry are just downright dumb and there are no two ways about it. The former allows remote users to take over your machine; the latter allows remote users to edit your Registry - yes yours, and yes, from across the Internet.

The situation quickly compounds itself when it's discovered that even the minimal 'Windows Firewall' is deliberately put out of commission when a remote user attempts to take control of your computer [sic], whilst not being able to monitor - and stop - outgoing traffic can in no way be seen as a 'plus' for that 'half-baked' product.

Or see how this scenario plays: assume you did get a trojan on your machine, and assume further that said trojan installed a keystroke logger, and assume now that said keystroke logger did in fact get your credit card number, your bank account URL and account number, as well as your online password, and that the trojan now wants to send this juicy information back to its creator...

Do you really want that information to leak out?

With the 'placebo security' of 'Windows Firewall' you can't stop it.

Perhaps the greatest crime of all - the most tangible sign that 'Microsoft still ain't got it' - is their insistence on setting up your computer as a single user machine - à la the old 'personal computer' paradigm.

But wait, you say, I'm the only user on this jalopy!

And you very well might be, but it's not a question of how many people have physical access to the computer, but of what rights the very same user - you - has at any one given time.

Windows is set up so that whoever sits at the keyboard is the boss - the superuser, the administrator, the root. It's like having a loaded gun in your lap at all times, or driving without a seat belt: it's not 'secure'.

For what happens when you sit there as root is this: the trojans that get onto your system attach themselves to you and run in your security context - with the ability to change or destroy anything on your machine.

If you weren't such a honcho all the time, malware could do far less damage.

This is the way all 'smart' and 'secure' systems work, but once again it's obvious: 'Microsoft ain't got it'.

[The issues are far deeper of course: Windows is a hodgepodge, not an operating system, and without a cohesive design it's never going to be truly secure; but there are things Microsoft could do to improve matters - it's just that they evidently still do not understand.]

The popup blocking Internet Explorer for Service Pack 2 is still wide open as always - in fact nothing of significance has really changed.

The anathema of the Internet and of basically no cross platform merit, ActiveX controls - the descendants of the impossible OLE2 controls - are basically left on - and to turn your computer into a turkey.

  • 'Safe' ActiveX run and script functions: enabled.
  • Downloading ActiveX controls without user alert: enabled.
  • Binary and script ActiveX functions: enabled.

And the rest of the traditional holes in Internet Explorer remain after the installation of Windows XP Service Pack 2 - meaning that as IE is your basic door onto the Internet, the 'interlopers' are still going to have a 'red carpet welcome':

  • Access data sources across trusted domains: enabled.
  • Meta Refresh: enabled.
  • Scripting of browser controls for trusted sites: enabled.
  • Script initiated windows without coordinate constraints for trusted sites: enabled.
  • Clipboard (drag-drop, copy-paste): enabled.
  • Installation of desktop items without user alert for trusted sites: enabled.
  • Launching programs and files in an IFRAME for trusted sites: enabled.
  • Navigate sub-frames across domains: enabled.
  • Popup blocker for trusted sites: disabled.
  • Navigation from insecure to secure zones: enabled.
  • JavaScript: enabled.
  • Paste operations via script: enabled.
  • Scripting of Java applets: enabled.
  • Control of security certificate revocations: disabled.
  • Do not save encrypted pages: disabled.
  • Empty Temporary Internet Files on exit: disabled.
  • Profile Assistant: enabled.

Outlook Express remains obdurate as well: HTML email is still default on send and cannot be turned off on receive; 'automatically log on to Windows Messenger' is still default; 'notify for each read receipt' is still default; and so on.

Microsoft could have just spent more time 'configuring' their system instead of trying to reprogram it: these settings are things no ordinary user will ever be able to get near to. Unnecessary services should have been disabled. Multiuser computing should have been enforced. More secure access systems and file permissions should have been used. A packet filter capable of stopping egress 'leaks' should have been added. And as the Register point out, the roster of missing security tools such as PGP, SSH, disk wiping et al is immense.

The Register sum it up thusly:

'The idea behind SP2 was to apply the kind of security know-how that users aren't expected to have via a major system update so that people can venture onto the Internet without worry.

'Unfortunately Windows remains a quite dangerous system to connect to the Internet, and users are still very much on their own in terms of security solutions.'

About | Buy | News | Products | Rants | Search | Security
Copyright © Radsoft. All rights reserved.