
Testers say 'look what we've found'...
By Joris Evers
Published: 19 August 2005 08:20 BST
Windows Vista beta testers have stumbled upon a networking feature in the operating system that could pose a security risk to them - but they say they're not worried.
After installing the first beta release of the upcoming Windows client, some testers noticed suspicious network traffic to their machines. Concerned about a possible attack, these people last week contacted the SANS Internet Storm Center.
George Bakos, a security expert at the Institute for Security Technology Studies at Dartmouth College who is associated with SANS, said: "There was very curious traffic that did not match anything that they had seen before. The concern was that this may be some new type of attack, or somebody scanning for a vulnerability we were unaware of."
The traffic was coming from computers on the internet that, as far as the testers knew, were not supposed to be communicating with the beta machines. "It was anomalous to everything they were aware was going on," Bakos said.
After investigating the traffic for SANS, Bakos found the culprit: a peer-to-peer networking feature that is turned on by default in Vista Beta 1, released last month. The feature uses a new version of Microsoft's peer name resolution protocol (PNRP) and connects to other beta machines as soon as an internet connection is available, he said.
Having the feature turned on by default could expose the testers' machines to some security risks, Bakos said.
It does go against Microsoft's "secure by design, secure by default and secure in deployment" principle, which the company adopted as part of its broader security initiatives. The principle calls for delivering products in locked-down mode, with features turned off.
The peer-to-peer feature is meant to enable connections between Windows computers without the need for a central server, so that they form a "peer-to-peer cloud". Multiplayer gaming is one application that Microsoft has in mind for the technology, the company has said. Third-party application makers can also take advantage of it through the use of a software development kit.
Turning the feature on by default is risky in a range of ways, Bakos said. The system opens a connection to the internet using a protocol that has not yet been vetted for security issues. Also, the peer-to-peer service functions as a directory of connected computers and could aid attackers in finding targets.
Bakos said: "I recommend people be aware that [the peer-to-peer service] is there and decide if they are willing to accept the additional security risks associated with unnecessary services and protocols being used. A query against the [service] may very well disclose a sizable list of Windows Vista beta users."
Also, someone concerned about privacy might be worried about having an additional identifying value associated with their machines, Bakos said. The peer-to-peer service tags the PC with a new identifier.
Microsoft does not intend to enable the peer-to-peer service by default in the final version of Windows Vista, due out late next year, said Greg Sullivan, a product manager for Windows. That means the only machines likely to be exposed by the problem are those belonging to tech-savvy beta testers, who are more able to deal with it.
Sullivan said the software giant could have been more upfront about the service being enabled but stressed that beta releases are precisely for trying out new features.
"We do things differently in betas in order to gather information that will help us make the product better," Sullivan said. "The fact that we have a service that is turned on by default allows us to properly test it and helps make it much better."
Microsoft has conducted internal security reviews of PNRP. An earlier version of PNRP is also available in Windows XP Service Pack 1 but is not turned on by default. The company is currently in discussions with external security experts for a third-party analysis of the protocol, a Microsoft representative said.
Joris Evers writes for CNET News.com
Copyright ©1995-2008 CNET Networks, Inc. All rights reserved.