Reference Manual

HOW TO fix Windows ICS and UPnP security problems

Introduction

Several vendors are now including UPnP support in their Internet Connection Sharing products. Microsoft introduced UPnP support in September 2000 with the release of Windows ME, and it is also supported in Windows XP, where it is enabled by default.

Windows 98 users are increasingly installing the Windows XP Internet Connection Sharing Client on their machines, and by so doing are opening up their machines to the same ICS security holes as are present on Windows XP systems.

UPnP Problems

From the outset, UPnP has been plagued by controversy. Several serious UPnP security flaws have been known for some time, and details of those problems were published well before Windows XP was released. Some of them are incredibly simple and readily reproducible, requiring only the use of a Telnet client to wreak havoc on the target system.

Microsoft chose to ignore these problems, stating that XP "sets New Standards for Internet Security", even though the very page making that claim lists several critical XP and IE security alerts.

The first Microsoft confirmation of a major problem with UPnP was published on November 1, 2001. Even though the problem caused a system crash, Microsoft rated its severity as low, but they did at least publish a patch for it. Several updates to that patch followed, culminating in the most recent one, first published on December 20, 2001. The problem was finally acknowledged as serious, and Microsoft is now advising all users of the XP Internet Connection Sharing Client on any supported platform to install the patch as a matter of urgency.

The Problem with Tightly Integrated Software

Software which is too closely integrated with the host OS suffers from the following problem:

The OS can modify the behaviour and settings of any integrated component at any time.

This is demonstrated by the fact that even though the user may have modified XP firewall settings to prevent certain traffic from being accepted from the Internet, the Windows OS may silently override those settings. Microsoft claims that applications cannot modify firewall settings without permission from the user, but the OS itself can, and does, bypass user confirmation dialogs.

Users of third-party software will generally not experience such problems, simply because the OS does not know how to change settings in such software. This mandates that such software use only a minimal subset of available OS functionality.

Conclusions

The following Microsoft software components seem to be most vulnerable to attack:

1. XP Internet Connection Sharing
2. XP Firewall
3. Outlook Email Client
4. Internet Explorer

The prudent user is probably well-advised to choose third-party alternatives for those components.