The problem is rated “critical” by Microsoft, which “strongly urges all Windows XP customers to apply the patch immediately”. Get thee to Microsoft Security Bulletin MS01-059.
Microsoft a month earlier had also posted two different patches for a separate UPnP hole in XP (MS01-054). That threat was rated by Microsoft as “low”.
I responded to comments that a working exploit of the 059 hole hadn’t yet appeared and quoted from security expert Steve Gibson’s site. It mentioned XPloit.c, an example of “exploits for the previous UPnP vulnerability”, and said new cases would quickly appear.
The resulting controversy led Microsoft spokesman Casey McGee, from the public relations group Waggener Edstrom, to contact me.
“The exploit code you reference, http://packetstorm.widexs.nl/0112-exploits/XPloit.c, has been thoroughly tested by Microsoft and is not effective,” he wrote. “This code was also posted to Bugtraq, where it was quickly discredited as well ... Would you please consider updating your column so that users are not needlessly panicked by this false exploit code?”
Nothing about XPloit shows up at Bugtraq, but one posting describes two related programs, UPnP_udp.c and Chargen.c, by Gabriel Maggiotti and Fernando Oubiña — the authors of the earlier XPloit code. The programs are said to use UPnP to execute a DoS (denial of service) attack on XP.
I asked eEye Digital Security, the first company that notified Microsoft of the 059 hole, whether or not a working attack existed. “There was one exploit released for the UPnP flaw,” replied chief hacking officer Marc Maiffret. He cited the Maggiotti/Oubiña posting at Bugtraq, saying, “The code was valid and working.”
McGee replied: “Maiffret is correct that exploit code for the DoS discussed in MS01-054 ... [and] MS01-059 was posted on Bugtraq.” The key, he says, is that “nobody has posted exploit code for the DDoS (distributed denial of service) or buffer overrun vulnerabilities discussed in MS01-059”, two other threats.
Gibson, who’s examined XPloit.c, says it clearly presaged the newer code. For my part, the efficacy of any one example is irrelevant. And if you think Windows XP’s troubled design won’t be prey to other attacks — well, as Britney says, “I’m not that innocent!”
Send tips to firstname.lastname@example.org.