August 18, 2005 2:38 PM PDT

Vista feature exposes beta machines

Windows Vista beta testers have stumbled upon a networking feature in the operating system that could pose a security risk to them--but they say they're not worried.

After installing the first beta release of the upcoming Windows client, some testers noticed suspicious network traffic to their machines. Concerned about a possible attack, these people last week contacted the SANS Internet Storm Center.

"There was very curious traffic that did not match anything that they had seen before," said George Bakos, a security expert at the Institute for Security Technology Studies at Dartmouth College who is associated with SANS. "The concern was that this may be some new type of attack, or somebody scanning for a vulnerability we were unaware of."

The traffic was coming from computers on the Internet that, as far as the testers knew, were not supposed to be communicating with the beta machines. "It was anomalous to everything they were aware was going on," Bakos said.

After investigating the traffic for SANS, Bakos found the culprit: a peer-to-peer networking feature that is turned on by default in Vista Beta 1, released last month. The feature uses a new version of Microsoft's peer name resolution protocol (PNRP) and connects to other beta machines as soon as an Internet connection is available, he said.

That default turn-on could expose the testers' machines to some security risks, Bakos said.

It does go against Microsoft's "secure by design, secure by default and secure in deployment" principle, which the company adopted as part of its broader security initiatives. The principle calls for delivering products in locked-down mode, with features turned off.

The peer-to-peer feature is meant to enable connections between Windows computers without the need for a central server, so that they form a "peer-to-peer cloud." Multiplayer gaming is one application that Microsoft has in mind for the technology, the company has said. Third-party application makers can also take advantage of it through the use of a software development kit.

Opening in the OS
Turning the feature on by default is risky in a range of ways, Bakos said. The system opens a connection to the Internet using a protocol that has not yet been vetted for security issues. Also, the peer-to-peer service functions as a directory of connected computers and could aid attackers in finding targets.

"I recommend people be aware that (the peer-to-peer service) is there and decide if they are willing to accept the additional security risks associated with unnecessary services and protocols being used," Bakos said. "A query against the (service) may very well disclose a sizable list of Windows Vista beta users."

Also, someone concerned about privacy might be worried about having an additional identifying value associated with their machines, Bakos said. The peer-to-peer service tags the PC with a new identifier.

Microsoft does not intend to enable the peer-to-peer service by default in the final version of Windows Vista, due out late next year, said Greg Sullivan, a product manager for Windows. That means the only machines likely to be exposed by the problem are those belonging to tech-savvy beta testers, who are more able to deal with it.

"Bugs in Beta 1, well that can be expected," said Marco Drioel, a Windows Vista tester in the Netherlands. "Just disable PNRP if you think it is a threat."

Vista, previously known by its Longhorn code name, is the long-awaited successor to Windows XP. The three design goals for the operating system are better security, new ways to organize information, and seamless connectivity to external devices. Key features include a new searching mechanism, new laptop features, parental controls and better home networking.

Two other Vista beta testers said they aren't worried, though they would have liked it if Microsoft had told them about the enabled peer-to-peer feature ahead of time--which it didn't do, they said.

"If you change the default, you need to let us know about it," said Thomas Smith, a Windows Vista beta tester in Houston. Steven Bink, a tester in Amsterdam, agreed. "Notification would not have been a luxury," he said. "But testers in danger? This is a beta, you should only run it in test environments."

Bakos agreed, noting that Vista is only in beta release, and testers shouldn't expect it to be perfect. "If you are a member of a beta program, the onus is upon you to run that system in a test environment and watch it like a hawk, because there are going to be things different from what you are accustomed to," he said.

Microsoft's Sullivan said that the software giant could have been more upfront about the service being enabled, but stressed that beta releases are precisely for trying out new features.

"We do things differently in betas in order to gather information that will help us make the product better," Sullivan said. "The fact that we have a service that is turned on by default allows us to properly test it and helps make it much better."

Microsoft has conducted internal security reviews of PNRP. An earlier version of PNRP is also available in Windows XP Service Pack 1, but is not turned on by default. The company is currently in discussions with external security experts for a third-party analysis of the protocol, a Microsoft representative said.

Even before its release, the security of Vista is being scrutinized. Earlier this month, the release of sample viruses for a new command shell that was originally planned to be in Vista resulted in reports that the first viruses for the operating system had been found. However, the command shell, called Monad, won't be in Vista.

19 comments

great feature
but I wish they would make it work at the LAN level first.
Posted by (58 comments )
Wouldn't this tie in with Microsoft .net thing
Where Microsoft wants to set up their own internet?
Posted by wazzledoozle (288 comments )
For a preview....
You can look at a similar technology....for the person looking for
this on a LAN.
Here: http://www.apple.com/macosx/features/bonjour/
...and I'm not a fan boy... just a fan. ;)
The way Microsoft has implemented this technology... this is a
virus writer's dream.
This will be exploited.
Posted by (96 comments )
Vista New Tools
Always did like Microsoft's new tools they include.
Posted by radcoe (2 comments )
Yikes!
It's a direct link to Bill Gates and his fleet of black helicopters. He
sure is nosey cus.
Posted by cjohn17 (268 comments )
Microsoft should be more responsible...
... to inform their beta testers about services that are turned on by default, especially those services that actually expose the computer to the Internet, worse, exposing it to other computers peer-to-peer style.

Microsoft should not undermine the importance of test environments. These test environments incur costs as well. No one really wants to mess up thousands of dollars in investments just because Microsoft didn't warn they have peer-to-peer turned on by default and that it has not been tested for security.

Tsk, tsk, tsk...
Posted by Mendz (519 comments )
integration?
why do i get the feeling that this is an "integrated feature"? if this is true then we are looking at one HUGE security hole just begging to be exploited. one of the most important security rules is to NOT use p2p software. so what does MS do? they give the user no choice but to have MORE useless bloat on their system that only adds to security threats. even though it is switched off by default in the final version, this is still disturbing. it is entirely possible for someone to write a virus to enable it and BANG! every cracker, script kiddie and their mothers have full rights to fill your computer with useless viruses, trojans, spyware, adware and anything else that catches their fancy. i'm glad to be a linux user. too bad for all those poor MS followers.
Posted by Scott W (419 comments )
Incorrect viewpoint
Many users already download p2p, regardless of the risks. 95% of the spyware I deal with is packaged with p2p stuff, and the user gladly agrees to install it. This will actually give users a much safer option. I think a more useless option, as MS will most likely take some steps to disallow tossing around copyrighted material, but safer.

And please knock off the 'adds to security threats' crap. take a quick read
http://blogs.zdnet.com/Ou/?p=77
and actually look into the numbers.
Now, is Apple adding to security threats by including Apache with OSX even though it is turned off by default? What, is that argument simply reserved for MS?
Posted by catchall (245 comments )
not really
If you download files from people on the internet you don't know then you will get spyware.

If you share files with trusted colleagues then it is unlikely. This is the purpose of this feature.

I think it is going to be very useful and I can see a lot of good applications for it.
Posted by cturkin (59 comments )
windows vista
very good info about windows vista is here http://windows.czweb.org
Posted by (1 comment )
vista latest features
pls check http://vistaspot.blogspot.com
Posted by ajoymehra (2 comments )
very nice
nice
Posted by ajoymehra (2 comments )
 
