Hostile Code, not the Windows XP Socket Implementation, is the Real Security Threat

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Gibson Research Corporation (GRC) recently posted a statement on its web site claiming that the inclusion of a "raw sockets" implementation in Microsoft Windows XP will aid Internet vandals in carrying out distributed denial of service (DDOS) attacks. These claims have been the subject of several press articles, and we have received a number of inquiries from customers about them. The Microsoft Security Response Center has thoroughly investigated the claims and found them to be off the mark. The following provides background information on the issue.

At the root of GRC's claims is a set of functions provided in the Windows XP networking services. These new functions, referred to collectively as a "raw sockets" implementation, let a program construct TCP/IP packets itself, including header fields such as the source address, instead of having the operating system fill them in. GRC claims that these functions will increase the incidence of DDOS attacks, in which a malicious user covertly installs "zombie" software on other people's computers and then directs the zombies to combine forces and flood a target network with data. GRC claims that because a zombie program running on Windows XP could use native operating system functions to disguise the originating point of the data, it will be the operating system of choice for DDOS attacks.

Microsoft agrees that the threat of DDOS attacks is real, and recognizes that zombie software can be written to run on any platform. However, we believe that GRC has missed the real issue. The presence of operating system-level functions for manipulating data packets is not a critical factor in the number of DDOS attacks. If it were, the explosion in DDOS attacks should already have occurred, since raw sockets implementations are already present in Linux, VMS, Unix, Mac OS X, and even previous versions of Windows.

Nor is the absence of such functions a significant impediment to such attacks. Most modern operating systems allow new functions, including networking functions, to be added via installable drivers. An attacker who is able to install zombie software on another user's machine could just as easily install a network driver that provides any functions the zombie needs, including functions to disguise the source address of the attack traffic. (On Windows XP both actions, loading a driver and opening a raw socket, require administrative privileges, so a zombie that can do one can do the other.)

The real issue is whether the attacker can get hostile code to run on another user's computer at all. Like viruses, Trojan horses and other hostile code, a zombie program can only run if an attacker can install it and start it. Microsoft has embarked on a campaign known as the "war on hostile code", with the goal of preventing any hostile code from running on users' systems. Some of the options available to Windows XP users to protect against hostile code include:

  • Internet Connection Firewall in Windows XP, which blocks unsolicited inbound connections, so that services listening on the machine cannot be reached, or even probed, from the Internet. (It filters inbound traffic only; its value is in blocking the initial break-in, not in stopping traffic that an already-installed zombie sends out.)

  • The Outlook Email Security Update, which is included in Outlook 2000 Service Pack 2 and Office XP, and which blocks access to attachment types that can carry executable code so that they cannot be launched from the mail client.

  • Software Restriction Policies in Windows XP, which allow a Windows XP system to be configured so that specific classes of code and script cannot run.

  • Outlook Express 6 in Windows XP, which, like Outlook 2000 Service Pack 2 and Office XP, will include changes that make it significantly more difficult for an attacker to run code via HTML e-mail.
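
As an added illustration of the Software Restriction Policies item above (this is editor-supplied example configuration, not text or code from the original statement), the following batch script writes a default-deny policy directly into the registry keys under which Software Restriction Policies are stored. The key and value names follow the layout written by the Local Security Policy snap-in (secpol.msc), which remains the authoritative way to edit the policy; the two GUIDs are arbitrary names chosen here for the path rules, and the Description strings are assumptions.

```batch
@echo off
rem Added example: default-deny Software Restriction Policy for Windows XP,
rem written with reg.exe. Run from an administrative command prompt.
rem Key layout mirrors what secpol.msc writes; the GUID names are arbitrary.

set SAFER=HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers

rem DefaultLevel: 0x40000 (262144) = Unrestricted, which is the default;
rem 0 = Disallowed. Everything not matched by an Unrestricted rule is refused.
reg add "%SAFER%" /v DefaultLevel /t REG_DWORD /d 0 /f

rem TransparentEnabled: 1 = apply to all software except libraries (DLLs),
rem 2 = apply to libraries as well (noisier, but also covers DLL side-loading).
reg add "%SAFER%" /v TransparentEnabled /t REG_DWORD /d 1 /f

rem PolicyScope: 0 = all users, 1 = all users except local administrators.
reg add "%SAFER%" /v PolicyScope /t REG_DWORD /d 0 /f

rem File types treated as executable by path rules (the snap-in writes the
rem same list when the policy is first created; \0 separates entries).
reg add "%SAFER%" /v ExecutableTypes /t REG_MULTI_SZ /d "ADE\0ADP\0BAS\0BAT\0CHM\0CMD\0COM\0CPL\0CRT\0EXE\0HLP\0HTA\0INF\0INS\0ISP\0LNK\0MDB\0MDE\0MSC\0MSI\0MSP\0MST\0OCX\0PCD\0PIF\0REG\0SCR\0SHS\0URL\0VB\0WSC" /f

rem Unrestricted (262144) path rules for the Windows and Program Files
rem directories. The paths are taken from the registry so the rules survive
rem an unusual install location; %% is the batch escape for a literal %.
set UNRES=%SAFER%\262144\Paths
set RULE1=%UNRES%\{11111111-1111-1111-1111-111111111111}
set RULE2=%UNRES%\{22222222-2222-2222-2222-222222222222}

reg add "%RULE1%" /v ItemData /t REG_EXPAND_SZ /d "%%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SystemRoot%%" /f
reg add "%RULE1%" /v SaferFlags /t REG_DWORD /d 0 /f
reg add "%RULE1%" /v Description /t REG_SZ /d "Allow the Windows directory (assumed description)" /f

reg add "%RULE2%" /v ItemData /t REG_EXPAND_SZ /d "%%HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\ProgramFilesDir%%" /f
reg add "%RULE2%" /v SaferFlags /t REG_DWORD /d 0 /f
reg add "%RULE2%" /v Description /t REG_SZ /d "Allow Program Files (assumed description)" /f

rem With this in place, a program started from the user's profile (a saved
rem attachment, a download in Temporary Internet Files) is refused with the
rem "prevented by a software restriction policy" message.
echo Policy written. Log off and back on, or run gpupdate /force, to apply it.
```

Two caveats worth keeping in mind with this configuration. The check happens when a process is created, so a zombie that was already installed and started before the policy was applied is not stopped by it; and path rules trust a directory, not a file, so an attacker who can write into the Windows or Program Files directories (which on XP means an administrator, or a service with a misconfigured ACL) can place code where the policy allows it. Both points are the statement's own argument in miniature: what matters is whether the hostile code ever gets to run, not which networking functions it finds once it does.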

In sum, it does not matter what networking functions an operating system provides if an attacker's code never gets the opportunity to run on it. Microsoft is taking steps to ensure that Windows XP is the most secure operating system we have ever delivered.