Blaster/LoveSan Worm and Windows XP
Luckily, we had a few weeks' warning about the MS RPC vulnerability. I had patched my personal computers weeks ago, and deployed the patch to my servers at work just this last Sunday. Coincidentally, the first widespread worm exploiting the vulnerability started making its way around the Internet on Monday. I think we're lucky we had as much time as we did to plan our patching actions. As the complexity of Microsoft's operating systems continues to rise, so do the number of potential security vulnerabilities. It's too bad that home users are being sold an operating system, Windows XP Home Edition, that's more complex than many of them need.
Don't get me wrong - I think WinXP is a very useful operating system. I use it work because I have to, but I use it at home because it works with the software and games my wife and I want to run. However, we're relatively knowledgable when it comes to using computers; I think many of the people buying computers today don't require all the features present by default in WinXP. It's certainly helpful for software compatibility purposes to base multiple products on the same underlying operating system. Microsoft has done this for four product generations now: Windows NT v3.x, Windows NT v4.0, Windows 2000, and currently Windows XP/Windows 2003. The current generation of MS OS's is the first one that features a home OS (WinXP) based on the underpinnings of business OS's (the NT kernel). While this synergy makes for smooth interoperability, it puts undesired features into some products. For example, DirectX, a set of libraries intended for multimedia and gaming applications, is present on the server versions of NT 4.0, Windows 2000 Server, and Windows Server 2003 products not because they're required there, but because it's more convenient for Microsoft and ISVs to not have to worry about large differences in the APIs of a particular generation's products. In the case of DirectX, there's no configurable option to remove it from the operating system. This homogenaity is best illustrated by the fact that the Service Packs and Hotfixes that Microsoft issues for its OS's are the same for all products in a particular generation.
It's this philosophy that causes features like the one exploited by the RPC vulnerability to be installed and active on a home user's operating system for no other purpose than to say "it's there." Most home users wouldn't require RPC (remote procedure call) features since they have no other computers networked at home, and wouldn't want anyone on the Internet to use RPC to run anything on their computer. To MS's credit, the Internet Connection Firewall feature included with WinXP is an option presented to the user when setting up a new network connection. In its default configuration, it blocks RPC (and all other incoming) communications. However, while it's configurable, I don't think many non-technical users understand how to do so. I'm thinking that when a user has trouble communicating with someone or something over the Internet, they are more likely to turn off the ICF rather than try to configure it. And once it's been turned off, it might not get turned back on. It makes more sense to me to have RPC services and other questionable features turned off by default on WinXP Home Edition, or to not include the services in the OS unless the user selects to install them. I think having to install and enable features you know you need is better than having a lot of features already installed that you don't. I'm guessing MS thinks that home users would get frustrated by the learning curve that might present.
Hopefully Microsoft will learn from these exploits that it will better serve its home users by differentiating its products intended for home use more than it has done with Windows XP. With great power comes great responsibility, right? This should apply to power derived from a monopoly, too.
Comments
Posted by: Scotbuff | August 13, 2003 12:49 PM
Posted by: aharden | August 14, 2003 9:49 AM