
The true spin about a ‘Windows wireless flaw’

Jan 25, 2006 · 3 mins
Enterprise Applications

* Who's in danger from the recently demonstrated 'Windows wireless flaw'?

A little over a week ago, a story broke on the Washington Post’s Web site that purported to reveal a major security flaw in “laptops powered by Windows XP or Windows 2000 with built-in wireless capabilities.” The writer was given a demonstration of the flaw by Mark Loveless, a security consultant better known by his online identity of “Simple Nomad.”

Let me begin by saying that the vulnerability demonstrated by Loveless is real. What’s not real is the spin that the Post’s story puts on it.

The spin starts with the title: “Windows Wireless Flaw a Danger to Laptops.” It isn’t a “Windows wireless flaw,” but an intentional consequence of the IETF’s Request for Comments (RFC) 3927 (“Dynamic Configuration of IPv4 Link-Local Addresses”), written by three engineers – one from Microsoft, one from Apple and one from Sun. Any computer with an RFC 3927-compliant wireless client – which includes those running the Mac OS, Unix and Linux as well as Windows machines – will exhibit the same behavior.

What is even more interesting, though, is that even in Windows XP this is not the default behavior. As the Washington Post article indicates, “First of all, if you are running any kind of network firewall – including the firewall that comes built in to Windows XP – you won’t have to worry about some stranger connecting to your laptop. In fact, I had to shut down my firewall for both of us to successfully conduct our test.” Read that again: the reporter had to shut down his firewall so that the security breach could occur! I’m waiting for the follow-up story that says strangers can wander into your house if you leave the doors unlocked.

So it’s a flaw that affects most laptops – not just ones running Windows. And you have to go out of your way to enable the exploit to occur. Yet I’ll wager that some of your users will pick up on the story and use it to complain about Microsoft. If some (or even one) of those users control budget or stand between you and the CEO, then you’ll need to keep this newsletter around so that you can slowly, using words of one syllable, explain the Chicken Little nature of the threat.