RE: Security issues, purchasing a new, pre-loaded, Windows XP computer

From: Ji H. Lee (Ji.Lee@nstnet.com)
Date: 10/07/02


Date: Mon, 7 Oct 2002 11:35:41 -0700
From: "Ji H. Lee" <Ji.Lee@nstnet.com>
To: "De Velopment" <devel@www2.kparker.org>, "Focus-MS" <focus-ms@securityfocus.com>

Microsoft has a free cd that can be ordered at the following link:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/secur
ity/tools/tools/stkintro.asp

The CD is the Microsoft Security Toolkit. It basically has all the
baseline patches that you need to get you PC secure enough to get on the
Internet.

I don't believe it is fool-proof but it is a start.

Ji Lee
Northstar Technologies

-----Original Message-----
From: De Velopment [mailto:devel@www2.kparker.org]
Sent: Monday, October 07, 2002 9:47 AM
To: Focus-MS
Subject: Security issues, purchasing a new, pre-loaded, Windows XP
computer

Hello,

   I asked a casual question on another forum and believe I have
opened a major can of worms.

   The casual question came up when a friend of mine told me that she
purchased a new PC (I think Gateway, but manufacturer not important).
The PC comes pre-loaded with Windows XP Home. Simple enough. There
are probably millions of preloaded Windows XP boxes sold every week.

   The problem is security. Out of the box, Windows XP has some rather
dangerous vulnerabilities, including Universal Plug-n-Play, a number
of Internet Explorer / Outlook Express holes, including incorrectly
labeling an executable file as an audio (sound) file, and just maybe
a version of IIS that can be hit from outside by Code Red and Nimda.

   The question I brought up is what is required to make a PC, just
purchased, with Windows XP, safe on the Internet? One answer I got
was that all downloads, (Service Pack 1, Security Rollup, and
miscellaneous patches) would come up to 105 Megabytes. The problem
is that my friend only has dialup access! How long would it take
to download 105 Megs on a dialup line? How about if the phone line
is dirty? A related question, for those outside the USA, is how much
would it cost to download all of these fixes?

   So, my question to this list: Exactly what should I tell my friend?
How dangerous it it to have an unpatched Windows XP Home system on
the Internet? How many steps does it take to secure it? And, does
anybody have an estimate on how long it takes with Dialup? Can this
upgrade be done at night while she is sleeping? (Or does it take
several reboots and answers to questions (i.e. EULA) along the way?)

   Finally, has Microsoft been approached with the idea of releasing
a bug-fix version of Windows XP that has the patches pre-applied,
at least for the OEM distributers?

   Thanks in advance and best regards,

           Ken Parker



Relevant Pages

  • [NT] Cumulative Security Update for Internet Explorer (MS04-025)
    ... Get your security news from a reliable source. ... * Microsoft Windows NT Workstation 4.0 Service Pack 6a ... Navigation Method Cross-Domain Vulnerability ...
    (Securiteam)
  • SecurityFocus Microsoft Newsletter #120
    ... Strengthening Network Security: FREE Guide Network security is a ... MICROSOFT VULNERABILITY SUMMARY ... Microsoft Windows File Protection Signed File Replacement... ... PlatinumFTPServer Information Disclosure Vulnerability ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #176
    ... MICROSOFT VULNERABILITY SUMMARY ... Microsoft Windows XP HCP URI Handler Arbitrary Command Execu... ... PHPNuke Category Parameter SQL Injection Vulnerability ... Microsoft Baseline Security Analyzer Vulnerability Identific... ...
    (Focus-Microsoft)
  • SecurityFocus Microsoft Newsletter #242
    ... MICROSOFT VULNERABILITY SUMMARY ... PostNuke Blocks Module Directory Traversal Vulnerability ... Groove Networks Groove Virtual Office COM Object Security By... ... The Microsoft Windows IPV6 TCP/IP stack is prone to a "loopback" condition initiated by sending a TCP packet with the "SYN" flag set and the source address and port spoofed to equal the destination source and port. ...
    (Focus-Microsoft)
  • [NT] Vulnerability in HTML Help Allows Code Execution (MS05-001)
    ... The following security advisory is sent to the securiteam mailing list, and can be found at the SecuriTeam web site: http://www.securiteam.com ... Get your security news from a reliable source. ... * Microsoft Windows XP Service Pack 1 and Microsoft Windows XP Service ...
    (Securiteam)