Vulnerability research is not the No. 1 action item for eEye Digital Security, a California firm that specializes in Windows security products.
"It's one of the few fun things our researchers get to do," said Marc Maiffret, the company's chief hacking officer and co-founder.
Yet, in the past six months, eEye's engineers have discovered some of the biggest holes in Microsoft software, including the Internet Information Services (IIS) Web server software flaw exploited by Code Red.
Its latest find was released Thursday: three significant security holes in Microsoft's Windows XP operating system. The most serious could give an attacker remote system-level access to the machine; the others let an attacker launch denial-of-service attacks. With system-level access, an attacker could run code of their choosing and view or delete files.
"When we got XP, we started updating our security software products so that they were configured correctly with it," Maiffret said. "One of our researchers started playing around with the Universal Plug-and-Play (UPnP) feature and we started seeing weird things happening. That's when we contacted Microsoft."
UPnP, according to a Microsoft security bulletin released Thursday, is a peer-to-peer protocol that allows computers to discover and use network-based devices, like printers, scanners and other computers. It is installed by default in XP and Windows ME. Windows 98 machines can also use the feature if it is installed via the Internet Connection Sharing client that ships with Windows XP.
The vulnerabilities, which eEye discovered almost immediately after XP's release in October, include a buffer overflow in UPnP's Simple Service Discovery Protocol (SSDP), specifically in the code that handles UPnP Notify directives. An attacker could send a malformed Notify directive to a vulnerable machine and, because the UPnP service runs with system privileges, run arbitrary code on it.
There are also denial-of-service and distributed denial-of-service risks in SSDP, according to separate alerts from Microsoft, CERT and Internet Security Systems (ISS). An attacker could flood a vulnerable machine with directives to consume memory and processor time, degrading its performance. By varying the attack, for example by pointing many vulnerable machines at the same target, an attacker could cause similar degradation on a third party.
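The two SSDP problems described above, an oversized Notify directive and a Notify directive that steers victims toward a third party, are both visible on the wire. The following is an added example of detection logic for a network sensor; it is not eEye's, Microsoft's or CERT's code and it does not reproduce the overflow. It assumes a 256-byte header-value threshold and a list of "local" address ranges, both chosen for illustration, and the SSDP datagrams it runs over are constructed here rather than captured. The real overflow's exact trigger is not stated in this article, so the check flags any oversized header rather than a specific one.

```python
from __future__ import annotations

import ipaddress
from urllib.parse import urlsplit

# Assumed threshold: a legitimate SSDP header value is short; anything this
# long is worth alerting on. Not taken from the advisory.
MAX_HEADER_VALUE = 256

# Assumed "on-link" ranges. A NOTIFY whose LOCATION points anywhere else
# would make every listening UPnP host fetch from that address, which is the
# distributed denial-of-service vector the alerts describe.
LOCAL_NETS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]


def parse_ssdp(datagram: bytes) -> tuple[str, dict[str, str]]:
    """Split an SSDP datagram into its start line and upper-cased headers."""
    lines = datagram.decode("latin-1").split("\r\n")
    start = lines[0]
    headers: dict[str, str] = {}
    for line in lines[1:]:
        if not line:            # blank line ends the header block
            break
        if ":" not in line:     # tolerate junk lines instead of crashing
            continue
        name, _, value = line.partition(":")
        headers[name.strip().upper()] = value.strip()
    return start, headers


def assess(datagram: bytes, local_nets=LOCAL_NETS) -> list[str]:
    """Return a list of findings for one datagram; empty means nothing suspicious."""
    findings: list[str] = []
    start, headers = parse_ssdp(datagram)
    method = start.split(" ", 1)[0].upper()
    if method != "NOTIFY":      # only Notify directives are in scope here
        return findings

    for name, value in headers.items():
        if len(value) > MAX_HEADER_VALUE:
            findings.append(f"oversized {name} header ({len(value)} bytes)")

    location = headers.get("LOCATION")
    if location:
        host = urlsplit(location).hostname
        try:
            addr = ipaddress.ip_address(host)
        except (ValueError, TypeError):
            # A hostname instead of an address: the fetch goes wherever DNS says.
            findings.append(f"LOCATION host is not a literal local address: {location}")
        else:
            if not any(addr in net for net in local_nets):
                findings.append(f"LOCATION points off-link: {location}")
    return findings


# Constructed sample datagrams (not captured traffic).
BENIGN = (
    b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
    b"LOCATION: http://192.168.1.5:2869/desc.xml\r\n"
    b"USN: uuid:1234::upnp:rootdevice\r\n\r\n"
)
OVERSIZED = (
    b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
    b"LOCATION: http://192.168.1.5/" + b"A" * 600 + b"\r\n\r\n"
)
REFLECTOR = (
    b"NOTIFY * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    b"NT: upnp:rootdevice\r\nNTS: ssdp:alive\r\n"
    b"LOCATION: http://203.0.113.7/desc.xml\r\n\r\n"
)
MSEARCH = (
    b"M-SEARCH * HTTP/1.1\r\nHOST: 239.255.255.250:1900\r\n"
    b"MAN: \"ssdp:discover\"\r\nMX: 3\r\nST: ssdp:all\r\n\r\n"
)

if __name__ == "__main__":
    for label, dgram in [("benign", BENIGN), ("oversized", OVERSIZED),
                         ("reflector", REFLECTOR), ("m-search", MSEARCH)]:
        print(label, assess(dgram) or "ok")
```

Because SSDP is carried over multicast and broadcast, a sensor has to listen on the local segment; the border firewall rules the alerts recommend never see these packets once they originate inside.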
"When we found the first denial-of-service vulnerability, we contacted Microsoft. Then a few weeks later we found the distributed denial-of-service risk," Maiffret said. "Then we found the buffer overflow."
Maiffret is a full disclosure proponent, but his firm follows the accepted protocol when it comes to reporting vulnerabilities.
"In this case, we did what we always do. We contact the vendor with our findings and work with them as long as we believe is reasonable," Maiffret said. "We work with them as long as they need to get a patch out."
Microsoft security has been a sore spot in the industry this year, to say the least. IIS, especially, was the breeding ground for Code Red, Code Red II and Nimda this summer. Recently, Microsoft absorbed more heat when it announced an initiative to create a standard reporting protocol, one that asked companies reporting vulnerabilities to hold onto the details for 30 days. The initiative touched off claims from the industry that Microsoft was merely trying to protect its image through the requirement of a month-long window.
"A lot of vendors don't know how to react and try to shove things under the carpet or downplay it," Maiffret said. He added that Microsoft's cooperation had not been a problem for his company, though some cases warrant disclosing some or all of a flaw's details in order to spur along a fix.
"A company like Microsoft is going to work on fixing a vulnerability," he said.
Maiffret said no one has exploited the XP vulnerabilities yet, but attackers could have working exploit code within a few weeks.
Microsoft has a patch for the vulnerabilities and urges XP users to download it. CERT, meanwhile, said administrators can block UDP port 1900 and TCP port 5000 at the network border to reduce exposure until the patch is applied, though it cautions that this does nothing against attacks launched from inside the network. Microsoft further cautions that Internet Connection Firewall, which runs by default on XP, does not protect against this kind of attack because it does not filter broadcast or multicast traffic, so an attacker could use a broadcast or multicast address to reach the UPnP service.