October 31st, 2006

ComputerWorld offers FATAL 'fix' for minor flaw in Windows XP!

Posted by George Ou @ 3:41 am

Categories: Security

ComputerWorld posted a "security" news article about a minor flaw in Windows ICS (Internet Connection Sharing) which doesn't affect the vast majority of users and offered fatal advice as the "fix" for the bug.  After getting the fatal advice from "research engineer" Tyler Reguly of nCircle, Robert McMillan of ComputerWorld posted the fatal advice to a much wider audience than Reguly's blog.

Before I tell you what the problem is, I'm going to run through the "logic" in Reguly's advice and I want you to see if you can spot the problem first.

Problem:
There is a minor denial-of-service flaw in Windows ICS where a specifically crafted DNS packet can cause ICS to shut down.  As a result of ICS shutting down, it takes the Windows XP Firewall with it which puts a user in danger.  So we want something that will prevent the Windows XP Firewall from shutting down.

Reguly's "fix":
1)  Disable Internet Connection Sharing (ICS)
2)  Block UDP port 53 (DNS) …

You don't even need to be a network security guru to see the obvious problem in this "logic".  Look at Mr. Reguly's "fix" and see if you can see the problem.  Just as a hint, look at "fix" #1.  See it?  If you do, great job!  You're now an honorary network security guru for the day.

So to summarize this, we're trying to prevent a bad guy from taking down our Firewall, right?  By Mr. Reguly's "logic", the best way to prevent the bad guy from shutting down our Firewall defenses is to shut it down ourselves first!  So we're to slash our own throats before the bad guy can do it to us.  I'm amazed that this was allowed to be reported on ComputerWorld, where lots of readers might swallow this fatal advice and, worse, other websites might cite this article.

What makes this worse is that this ICS denial-of-service flaw doesn't affect you if you're not using Windows XP as a NAT router to share an Internet connection.  Most people wouldn't do that because dedicated hardware router/firewalls cost $15 to $50.  Even if you did use Windows XP as a NAT router, this particular attack can only come from the inside, which means only the computers you're protecting from the Internet can attack you.  This is not something that can be attacked from the hostile Internet, so it would be crazy to disable ICS yourself (which disables the XP Firewall) because you're afraid an internal PC might attack your XP NAT box.  The bottom line is DON'T DISABLE ICS!

As for ComputerWorld, please do some fact checking before giving this kind of advice.  It also helps to read the Secunia advisory which offers the solution of "Use another way of sharing the Internet connection".  Lastly, PLEASE FIX YOUR ARTICLE!

As for Mr. Reguly, I'm at a loss for words.  More importantly, PLEASE TAKE DOWN YOUR ADVICE!

[UPDATE 7:00 PM:]
Robert McMillan has sent me an update that Tyler Reguly's definition of "disable ICS" doesn't mean disable the ICS service.  What he meant was to disable Internet Sharing, which is already the default setting used by more than 99% of Windows XP users.  I'm not going to get into the semantics of which interpretation of "disable ICS" is right or wrong because it's all a matter of how you interpret the words.  What I can say for sure is that the information given by ComputerWorld and nCircle is vague and worthless at best and dangerous if interpreted the wrong way.

Even if we go with Reguly's updated definition of "disable ICS" and block inbound DNS, I have to ask what does this accomplish for the less than 1% of Windows XP users who are using Windows XP as a NAT/Router/Firewall/Gateway.  If we follow Reguly's advice and turn off Internet Sharing, what have we accomplished?  All that does is kill the default gateway for the entire internal network and no one can access the Internet.  So we have to ask ourselves if this DoS (Denial of Service) flaw is really so bad since only the PCs on the internal LAN can pull off this attack on the ICS service.  If a user can't wait for a Microsoft fix and they don't want to live with this relatively minor risk, they can buy a $20 dedicated router and use that as the default gateway.  But if you did get a dedicated router and used it as the new default gateway for all internal PCs, messing with the ICS settings and blocking DNS on the XP machine serving as the old gateway is MOOT.
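The whole argument above turns on two things "disable ICS" can mean on Windows XP: stopping the SharedAccess service (which, as the post says, hosts the Windows Firewall as well as ICS and so takes the firewall down) versus unticking the Internet Sharing checkbox (the default state, which leaves the service and the firewall running). The following script is an added example, not code from the original post or from ZDNet, ComputerWorld or nCircle; it reports which of those two states a machine is actually in before anyone touches anything. It assumes Windows XP with PowerShell installed and an administrator session. `SharedAccess` is the real XP service name for "Windows Firewall/Internet Connection Sharing (ICS)" and `HNetCfg.HNetShare` is the real COM ProgID of the ICS sharing manager; the function names and the output fields are this example's own.

```powershell
# Added example (not from the original post). Assumes Windows XP, PowerShell,
# and an administrator session. Real names used: the 'SharedAccess' service and
# the 'HNetCfg.HNetShare' COM object. Function and field names are invented here.

function Get-IcsState {
    # Meaning 1 of "disable ICS": the service. On XP this single service hosts
    # both the Windows Firewall and ICS, so stopping or disabling it stops the
    # firewall too. Win32_Service works on PowerShell 1.0/2.0 era systems.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='SharedAccess'"
    if ($null -eq $svc) { throw "SharedAccess service not found (not Windows XP?)" }

    # Meaning 2 of "disable ICS": the sharing feature, i.e. the "Allow other
    # network users to connect through this computer's Internet connection"
    # checkbox. Off by default; turning it off leaves the service (and therefore
    # the firewall) running.
    $mgr = New-Object -ComObject HNetCfg.HNetShare
    $shared = @()
    foreach ($conn in $mgr.EnumEveryConnection) {
        $cfg = $mgr.INetSharingConfigurationForINetConnection($conn)
        if ($cfg.SharingEnabled) {
            $props = $mgr.NetConnectionProps($conn)
            # SharingConnectionType: 0 = public (Internet-facing), 1 = private (LAN side)
            $role = if ($cfg.SharingConnectionType -eq 0) { 'public' } else { 'private' }
            $shared += ("{0} ({1})" -f $props.Name, $role)
        }
    }

    New-Object PSObject -Property @{
        ServiceState      = $svc.State       # 'Running' / 'Stopped'
        ServiceStartMode  = $svc.StartMode   # 'Auto' / 'Manual' / 'Disabled'
        SharingEnabled    = ($shared.Count -gt 0)
        SharedConnections = $shared
    }
}

function Get-IcsAdvice {
    param($state = (Get-IcsState))

    if ($state.ServiceState -ne 'Running' -or $state.ServiceStartMode -eq 'Disabled') {
        # This is the reading of "disable ICS" the post calls fatal: no service,
        # no Windows Firewall.
        return "SharedAccess is stopped or disabled: the Windows Firewall is DOWN on this host."
    }
    if (-not $state.SharingEnabled) {
        # The state of almost every XP desktop: not a NAT gateway, nothing to change.
        return "Firewall service running, Internet sharing off: this host is not an ICS gateway, so the ICS DoS does not apply."
    }
    # Only here is the box really a NAT gateway that internal PCs route through,
    # and only those internal PCs can reach its ICS DNS service.
    return ("Firewall service running, Internet sharing ON via: {0}. " -f ($state.SharedConnections -join ', ')) +
           "Only LAN clients behind this box can reach the ICS DNS service; do not stop SharedAccess to mitigate it."
}

Get-IcsAdvice
```

Run it on the XP box in question; the third message is the only case where the ICS flaw is reachable at all, and even then the mitigation the post argues for is a dedicated router as the new default gateway, not stopping the service that also runs the firewall.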

The bottom line is that the ComputerWorld nCircle advice on the minor ICS Denial of Service flaw is vague, worthless, and possibly dangerous if interpreted the wrong way.

George Ou is Technical Director of ZDNet. See his full profile and disclosure of his industry affiliations.
