XP, the hole story
I wrote last month about the UPnP (Universal Plug and Play) flaws that allow hackers to gain control of Windows XP systems (see "Plug-and-prey fiasco"). The problem is rated "critical" by Microsoft, which "strongly urges all Windows XP customers to apply the patch immediately." Get thee to Microsoft Security Bulletin MS01-059 at www.microsoft.com/technet/security/bulletin/MS01-059.asp.
Microsoft a month earlier had also posted two different patches for a separate UPnP hole in XP (MS01-054). That threat, rated by Microsoft as "low," is described at www.microsoft.com/technet/security/bulletin/MS01-054.asp.
In a follow-up column, I responded to comments that a working exploit of the 059 hole hadn't yet appeared (see "Can we talk about XP?" Feb. 4). I quoted from security expert Steve Gibson's site, www.grc.com/unpnp/unpnp.htm. It mentioned XPloit.c, an example of "exploits for the previous UPnP vulnerability," and said new cases would quickly appear.
The resulting controversy led Microsoft spokesman Casey McGee, from the public relations group Waggener Edstrom, to contact me. "The exploit code you reference, http://packetstorm.widexs.nl/0112-exploits/XPloit.c, has been thoroughly tested by Microsoft and is not effective," he wrote. "This code was also posted to Bugtraq, where it was quickly discredited as well. ... Would you please consider updating your column so that users are not needlessly panicked by this false exploit code?"
Nothing about XPloit shows up at Bugtraq, but one posting describes two related programs, UPnP_udp.c and Chargen.c, by Gabriel Maggiotti and Fernando Oubiña -- the authors of the earlier XPloit code. The programs, at www.securityfocus.com/archive/1/249238, are said to use UPnP to execute a DoS (denial of service) attack on XP.
I asked eEye Digital Security (www.eEye.com), the first company that notified Microsoft of the 059 hole, whether or not a working attack existed. "There was one exploit released for the UPnP flaw," replied chief hacking officer Marc Maiffret. He cited the Maggiotti/Oubiña posting at Bugtraq, saying, "The code was valid and working."
In response, McGee wrote: "Maiffret is correct that exploit code for the DoS discussed in MS01-054 ... [and] MS01-059 was posted on Bugtraq." The key, he says, is that "nobody has posted exploit code for the DDoS (distributed denial of service) or buffer overrun vulnerabilities discussed in MS01-059," two other threats.
Gibson, who has examined XPloit.c, says it clearly presaged the newer code. For my part, the efficacy of any one example is irrelevant. And if you think Windows XP's troubled design won't be prey to other attacks -- well, as Britney says, "I'm not that innocent!"
Send tips to firstname.lastname@example.org. He regrets that he cannot answer individual questions. Go to www.iwsubscribe.com/newsletters to get his Window Manager column and E-Business Secrets e-zine free via e-mail.