Have you heard the latest about Microsoft’s Windows XP? Get this: It has a few security issues. Fairly serious ones in fact. Now, once you’ve recovered from the shock, the next logical step might be to find a fix on the MS site, install it, and relax knowing that all is again right with the world.
Problem is, there is no such patch, and there never will be, because, as Microsoft won’t outright tell you, if you’re a big enough idiot to allow this particular security breach to occur, you pretty much had it coming.
Here’s how it works, as countless technology writers have dutifully described in newspapers, magazines, and online publications. Grab any copy of the Windows 2000 installation disk — it probably doesn’t even have to be an original — and use it to boot up the password-protected XP machine. Then run Recovery Console, a registry troubleshooting program that will allow you to override the password, giving you full access to your unknowing target’s files. Now you may delete their financial records, replace them with gigabytes of foot-fetish porn, alter the difficulty level of Minesweeper, and upload a screensaver featuring a horrific, mocking clown.
Did I mention that for all this to work, you’d need full access to the XP-infected console anyway? This is, therefore, an example of what security experts call a “physical hack.” If the user allows access to a computer without some sort of physical barrier (say, a locked office door or a really big cubicle partition), then it’s akin to leaving your new Porsche in the middle of the Bronx with the keys in the ignition.
These same experts (essentially professional hackers paid to find flaws in other people’s products and for whom discovering a new hole in cyberspace is as laudable as an astronomer’s discovery of a new star) say there are actually several known tricks to get around XP’s login password. For instance, you could use a special Linux boot-floppy to the same effect. Or if you have access to the original XP installation disk, you can simply reload it over the old system and wreak havoc — a “glitch” that’s arguably intended as an essential password- and file-recovery tool for administrators. Besides, it would be a lot quicker and more effective to just crack open the console with a trusty screwdriver, pocket the hard drive, and walk away whistling Madonna’s “Ray of Light,” the XP theme song.
As one Microsoft spokesperson put it, these vulnerabilities are most likely to be exploited by disgruntled employees, although I would argue that 12-year-olds will probably be the most habitual enthusiasts, on their parents’ computers. And so, Microsoft assumes no responsibility. After all, this breach can be prevented by simple administrative tweaks, such as changing the BIOS settings to prevent a CD or floppy boot.
“The best way, in Microsoft’s opinion, is using the encrypted file system that’s built into XP,” says Windows product manager Elliot Katz. “If you have the encrypted file system turned on, and a person doesn’t know your user ID and password, they can’t get access to that information. And that includes when someone takes the hard drive physically out of the machine and puts it into another.”
Still, this latest discovery must be something of an embarrassment to Bill “Richest Man Alive” Gates & Co., who once billed XP, without any irony, as the most secure version of Windows, ever. By its debut on Oct. 25, 2001, Microsoft had already released several megabytes’ worth of patches, corrections and compatibility updates. To their credit, the process of plugging all those security holes became practically effortless with the Web-based Microsoft Personal Security Advisor. This application was launched two months before XP came out, after Code Red and SirCam broke loose and infected even Microsoft’s own systems.
Not long after Sept. 11 got people thinking about security issues of a different scale, the nasty Nimda worm started raising hell, exploiting a known vulnerability in Internet Explorer that allows it to run malicious code when a user merely opens or previews an e-mail in Outlook. Finally an e-mail virus was on the loose that didn’t rely on the gullibility and/or desperation of users thinking an anonymous admirer sent them a file called “truelove.exe.” Then, in December, a critical hole in Windows’ Universal Plug and Play service was discovered, prompting business analysts to recommend putting off installation of XP for a few months.
Like Swiss cheese, another product distinguished by its holes, XP would supposedly improve with age provided it remained packaged. The FBI’s National Infrastructure Protection Center even issued a warning to XP users, urging them to disable the faulty feature.
Not a moment too soon, Gates himself issued a memo to his 47,000 employees in mid-January 2002, calling for an increased focus on security and privacy concerns rather than adding new jazzy features — the so-called “code bloat” that makes MS products an easy target for miscreants. He named it the “Trustworthy Computing Initiative,” and its value has been under debate ever since. One year later, for instance, the “SQL Slammer” worm crashed servers around the world, including Microsoft’s own. Though an existing patch might have prevented it, many users are sick of constantly repairing a product that should have been relatively intact from the start.
Experts in the security business, however, will point out that no new software is without its bugs, from Mozilla to Mac OS X to Opera to the supposedly infallible Linux.
“In my opinion, there are no more flaws in MS software than any other equivalent alternative,” says Russ Cooper, “surgeon general” of TruSecure Corporation and editor of NTBugtraq. “Microsoft has become extremely responsive to security issues and has an excellent track record for swiftly responding to them.”
Given Microsoft’s range of products and roughly 300 million customers, it’s no surprise that problems seem to pop up so frequently.
