It’s been a bang-up year already for Microsoft. Hot on the heels of its WMF disaster, Redmond announced that other vulnerabilities existed in Outlook and Exchange. (The company is working on those.) Then another spat erupted about a supposed wireless flaw in Microsoft’s Windows 2000 and Windows XP OSes. This one’s been going on for a week now, and I’m a mite ticked, not only because it’s not actually a flaw, but also because the flap about it seems to be masking a real flaw: the one in Microsoft’s software release schedule. The company just announced its delay of the Service Pack 3 release until 2007, as much as a year later than expected.
Backing up for a moment: The wireless "flaw" was discovered by someone attending the ding-a-ling-named ShmooCon, a hacker’s convention. At the convention, Unnamed Participant A (I wanted to use a different moniker that was rejected by the kind-hearted editors at InfoWorld) gave his laptop wireless connection the name HackMe and watched as Unnamed Participant B’s computer automatically grabbed the connection, received a compatible IP address, and used this as a bridge to access A's "vulnerable" laptop.
This was recorded as a flaw in Microsoft’s Wi-Fi networking client. B gave accounts of how he used this "attack" to gain access to victims’ PCs on transatlantic flights, and then uttered some nonsense about that not being a crime because he was in international airspace when he did it.
For the record: All Wi-Fi clients behave this way in part. It’s called a peer-to-peer wireless connection, and the address part is due to link-local addressing, which is a standard under TCP/IP, not Windows, and is thusly found across all the popular operating systems, including Linux and Mac OS X. That said, many laptop clients, such as the IBM ThinkPad T42p I’m using right now, have had their Microsoft Wi-Fi client supplanted by something else from the laptop manufacturer; so Wi-Fi client behavior is actually quite diverse even across Windows PCs.
So not only isn't it a Microsoft "flaw," but Windows also protects you from such local attacks as long as you’re using Windows XP with Service Pack 2. See, SP2 has a firewall built in, and that pretty much snuffs this attack in its tracks no matter which Wi-Fi client you’re using. A, in fact, admits he had to shut his desktop firewall down in order to allow the attack to work. Anyone here shut down their firewall when they’re connecting at Starbucks? Anyone? Bueller? Bueller?
Windows 2000 also isn’t natively affected. If you’re on Windows 2000, you don’t have a native OS firewall, but then you don’t have a native OS Wi-Fi client, either, so I’m not too bothered. If you configure third-party Wi-Fi software and hardware, then go connect at public sites without a personal firewall in this day and age, you can’t blame Microsoft for your troubles. As to B’s legal assessment, I’m pretty sure that’s a crock, too.
So it’s a media-inspired flap that’s looking to make a mountain out of thin air. Meanwhile, Microsoft goes and quietly does something that actually does tick me off: The company has delayed Windows XP Service Pack 3 from 2006 all the way to the second half of 2007!
Yeah, that’s right, Microsoft: Wait until someone makes a big deal out of a wireless flap against which you can defend yourself, then try and sneak a release schedule snafu by us while we’re distracted. This right after the world just got done quaking in its boots about the metafile flaw.
I understand that Black Tuesdays are Microsoft’s way of making security fixes a little more manageable, but that doesn’t mean they're any less numerous. In fact, it's just the opposite. Further, in many instances, like the WMF fix, they've remained just as critical. For those of us building and rebuilding desktops from scratch on a regular basis, the security roll-up features presented by every service pack mean consolidation points on our desktop image maps. See, we need them.
If you’re making me keep track of testing and retesting new Black Tuesday releases for an extra year, you are definitely not doing me any favors -- especially if you’re also attempting to hawk a new OS version this year that I’m also supposed to test against. Make managing XP easy and automatic for me and I’m much more inclined to look at a Vista upgrade as an iterative process. Make me work extra hard for every fully functioning XP desktop and I’m obviously going to be less interested in losing all that work to another OS migration.
I think they call that common sense.