"When Windows XP is released, soon all hell will follow. New zombies and nanobots are waiting to exploit vulnerabilities. Be warned . . . " When an Australian hacker identified only as "Z" sent this e-mail message to Computerworld on Aug. 7, he was referring to a controversial paper claiming that hackers will exploit weaknesses in Microsoft Corp.'s new Windows XP operating system to turn PCs into an unwitting army of denial-of-service (DOS) attack zombies.
But closer inspection suggests otherwise, according to users and analysts. So far, those zombie bots in Z's rant are nowhere to be found.
Despite several potential vulnerabilities raised in the past few months by security analysts and privacy advocates, beta testers have been unable to find any serious security threats in Windows XP. To the contrary, "with Windows XP, Microsoft has at least fixed the sins of their past, which is more than I can say for other operating systems," says John Pescatore, senior security analyst at Gartner Inc. in Stamford, Conn.
Not only do analysts and beta testers generally praise Microsoft for repairing past security mistakes that riddled Windows 9x and NT machines, but they also feel that XP's new embedded security features, particularly the ability to set privileges and an embedded firewall, will go far in protecting novice users from themselves and one another. And, in the case of XP Professional, these same security features can be centrally configured to follow corporate security policies by groups and locations.
However, some IT professionals aren't convinced that Microsoft has committed to a more secure operating system. They cite possible vulnerabilities with raw sockets and the Remote Assistance feature, and privacy concerns over built-in support for the Passport personal information management service.
The Raw Deal
Last summer, Steve Gibson, president of Gibson Research Corp., a security and privacy software and Web publisher in Laguna Hills, Calif., published a paper accusing Microsoft of opening a new "back door" into Windows by building raw sockets support into XP.
"Raw sockets means raw access to the Internet. And the problem of malicious agents getting into people's computers and launching DOS attacks with spoofed packets goes up dramatically with use of raw sockets," he says.
Because they skirt traditional TCP/IP protocols, hackers can use raw sockets to generate TCP packets, and it's impossible for receiving networks to determine if those packets are legitimate. There's no way to block them, Gibson explains, because that would mean blocking all TCP packets. That would effectively drop all inbound traffic.
Raw sockets are nothing new. Various flavors of Unix and Linux run raw sockets, as does Windows 2000. "But all operating systems that offer raw sockets deliberately protect the access to those raw sockets by requiring the highest system privileges possible," Gibson says.
Windows XP, however, installs with full administrative permissions turned on, meaning that novice users have access to kernel-level privileges, Gibson says.
True, says Mark Croft, lead product manager at Microsoft's Windows division. XP ships with full administrative privileges for application compatibility reasons. However, Croft and others say it would be hard to launch a DOS attack from an XP machine because the attacker is unlikely to get a malicious program onto the machine in the first place.
That's because XP ships with the embedded firewall, called Internet Connection Firewall, set at the highest security setting to deny executables. And the firewall hides the IP address of the machine. In addition, once XP is installed, users can drop administrative privileges by selecting the "limited account" feature in the Control Panel.
"The big problem with home users running high-bandwidth connections is that everyone can access the hard drive. But [the] WinXP firewall is designed to block people from accessing services running on the machine," says H.D. Moore, senior vulnerability research analyst at Digital Defense Inc., a security consultancy in San Antonio. "The firewall default setting is 'restrict everything,' which is impressive since users don't know that they should filter executables."
Moore is also impressed by XP's elimination of default administrative passwords that wreaked havoc on Windows 9x and NT machines. If implemented correctly, XP's embedded features and password improvements will block the most common ways malicious code gains the control it needs to turn machines into zombies.
XP's firewall is in no way designed as an enterprise tool. It's designed for home users with broadband connections who aren't aware of the need for a firewall, according to Microsoft. It also lacks outbound filtering capability, so if DOS zombie code does somehow get loaded onto an XP machine, an outbound DOS attack couldn't be stopped, says Ken Dunham, a computer consultant in Nampa, Idaho.
"Windows XP will lower the risk of infection against malware but fails miserably once malware penetrates a system," he says. "Trojans that manage to get past XP's new firewall will likely have a heyday exploiting outbound communications."
For additional protection, users should look for outbound filtering firewalls from vendors like Zone Labs Inc. and Symantec Corp., both of which offer home and professional versions.
IT managers also voice concern about the system's new Remote Assistance feature, in which a user can invite a guest to log on to the machine for remote troubleshooting. The feature uses the same code as Microsoft's terminal server, for which there are 251 vulnerability and patch postings on the CERT Coordination Center Web site.
"[Remote Assistance] would send chills down the spine of anybody interested in computer security," says Byron York, a computer security professional at a health insurance company in Michigan.
But there are several checks in Remote Assistance to protect users from themselves, according to Croft. It's the user who must first launch the Remote Assistance program by sending a trouble ticket (the user's encrypted IP address) via e-mail or instant message to the remote assistant. Tickets expire in 24 hours by default (Croft recommends shortening the expiration to an hour or less.). The assistant must then request permission to remotely control the user's machine. The user can accept or decline the request and can terminate the session at any time.
"The user would have to be double dumb to get in trouble with remote assistance," Croft claims.
Microsoft has also recently responded to privacy concerns over its Passport information service. Now, the only feature in XP requiring the use of Passport is the instant messaging program, and it collects only an e-mail address and pass phrase, Croft says.
No one can predict what new types of exploits might crop up in the months and years after XP ships. But for now, Microsoft seems committed to a more secure cyberspace, say users and analysts. Nonetheless, Gartner's Pescatore questions whether Microsoft will remain committed down the line or dump the security focus the next time a newer, sexier technology arises.
"I'm giving Microsoft a 50% chance that they're just as interested in better processing as they are in marketing," he says. "But it all hinges on whether or not they can change the Microsoft culture of putting all the power into the hands of the user."
- Senate hearings on XP delayed, but not abandoned, Oct. 22, 2001
- Activation, anyone?, Oct. 15, 2001
- Corporate users cool to Windows XP, Oct. 8, 2001