
Thread: Pros point to flaws in Windows security update

  1. #1
    AO French Antique News Whore
    Join Date
    Aug 2001
    Posts
    2,126

    Pros point to flaws in Windows security update

    Security researchers say they're starting to find flaws in Microsoft's latest major update for Windows XP.
    Last week, German company Heise Security announced that two flaws could be used to circumvent the new warnings that Windows XP Service Pack 2, or SP2, normally would display about running untrusted programs, potentially giving a leg up to a would-be intruder's attempts to execute code on a victim's PC.

    And more revelations about vulnerabilities are on the way, Thor Larholm, senior security researcher with vulnerability-assessment company PivX Solutions, said Wednesday. Larholm has been looking for holes in the security of SP2 since the update was released and has notified Microsoft about several issues, but he would not discuss the details.

    "I'm positive that we will see critical flaws over the next few weeks, and worms that will circumvent SP2 features over the next few months," he said.

    Larholm has found dozens of flaws in Windows XP and Internet Explorer over the past few years and had previously maintained a Web page of unpatched vulnerabilities in the software giant's browser.

    Microsoft would not discuss whether it had received reports of new vulnerabilities in Windows XP Service Pack 2 but did say that the company's researchers had investigated the Heise issues and found them wanting.

    "The security response center is investigating those reports," said a representative of the company. "This feature is one that is supposed to protect users against executable files from an unknown source or untrusted locations. At this time, (Microsoft's security response center is) not aware of any instance that attackers could specifically bypass the service through e-mail or a browser."

    Security researchers also point out that Microsoft has not solved some well-known issues with a few of the security technologies incorporated into SP2. Though the firewall is improved, it can be circumvented by any locally running program, a problem with most personal firewall programs, said Marc Maiffret, chief hacking officer for security software maker eEye Digital Security. Maiffret and his staff are analyzing the security update as well.

    "We have seen some interesting things, but it is only about a week into it," Maiffret said.

    The flaw reports could cause companies to hesitate even more before installing Microsoft's latest step to secure Windows. Many companies have said they will hold off on the update until it has been thoroughly vetted.

    SP2 is designed to add better security to the operating system's handling of network data, program memory, browsing activity and e-mail messages by changing the system's code and configuration. For example, a revamped firewall is intended to keep attackers out and attempts to prevent malicious applications from connecting to the Internet by requiring that the user give specific permission to each application.

    The major software update, which took almost a year to create, came to life after the MSBlast worm hit the Internet on Aug. 11. Almost 26 days before, Microsoft had issued a patch for the security hole the worm exploited, but many people did not install the fix even though there was widespread expectation that a virus would be created to take advantage of the flaw.

    Microsoft Chair Bill Gates has described SP2 as the most extensive free update to Windows ever, and executives have acknowledged that work on the update has delayed other projects, including Longhorn, the next major version of Windows.

    In addition to making the software available via automatic update, Microsoft will allow information-technology managers to download an upgrade that companies can use to update their machines.

    As for flaws in XP itself, eEye's Maiffret points out that the update is about making Windows XP more secure by adding new protection features and better configuration, not about finding all the vulnerabilities in the operating system.

    "Microsoft never claimed that SP2 would close all the security holes," he said.
    Source : http://zdnet.com.com/2100-1105_2-5315063.html
    -Simon "SDK"

  2. #2
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Is this all just becoming a big game?

    Let M$ release something.... anything... and see how many holes we can poke in it as quickly as possible? Is that the game for 'reporters'?

    Yeah, I can claim that X is a vulnerability.... But is it remotely exploitable granting admin rights... not usually.... Usually it's BS little things that require physical access, often with admin access or at a minimum "power user", (damn I hate that term), access.... they are complaining about the "possibility of untrusted programs"...... That's "NEWS".... right????

    Show us "the beans" Mr. Accuser... (not you SDK), show me how my box is any more vulnerable by installing SP2 than it was before......
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  3. #3
    They call me the Hunted foxyloxley's Avatar
    Join Date
    Nov 2003
    Location
    3rd Rock from Sun
    Posts
    2,534
    That's the thing about 'experts'

    Ex = A has been.
    Spurt = A drip under pressure.

    As for TS and 'show us the beans' I think you nailed it there.

    It has always been open season on MS, and probably always will be.
    Mind you, with billions of $$$ in the bank, I don't see BG losing too much sleep.
    so now I'm in my SIXTIES FFS
    WTAF, how did that happen, so no more alterations to the sig, it will remain as is now

    Beware of Geeks bearing GIF's
    come and waste the day :P at The Taz Zone

  4. #4
    Senior Member nihil's Avatar
    Join Date
    Jul 2003
    Location
    United Kingdom: Bridlington
    Posts
    17,188
    Hmmmmmmmmmmmmmm.................

    I wonder what these self-styled "security researchers" would do for a living if it were not for Micro$oft

    I have yet to hear one of them come up with anything positive?

    reminds me of the saying:

    "Big fleas have little fleas, upon them do grow,
    And little fleas have lesser fleas and do not even know."

    Ack............I am just getting too cynical I suppose.

    Cheers

  5. #5
    The Tao teaches us to not act until others require us to act, and to not learn unless others require us to know.

    The reasoning behind that ideology is that you can plan, predict, expect, and number crunch... but nothing says wisdom like learned experience. I see Microsoft possibly taking this route, which although it makes certain security nuts ("WHY WASN'T THIS FIXED ALREADY!!!111") it also gives them quite the advantage. Not all forms of security are predictable, and I don't just mean 0 day. They bitched and complained when XP allowed raw sockets but Microsoft did it anyway. And through real life experience and user responses (as well as bugtraq lists) they have come to learn how raw sockets can be exploited on their OS, why, and what must be done to patch that hole.

    See what I'm getting at? Rather than blindly apply security features that may have an impact in theory, it still doesn't hold the water or real data results of a actual experience of it. I see Microsoft as not acting unless someone needs them to, not enhancing unless someone needs them to. Similar to a child touching a stove to learn that it is indeed hot and having first hand experience, rather than being told that the stove is hot and thinking that it is always going to be that hot at any given time during the day.

    Because at that point in time it won't be guess work, it will be comments, emails, suggestions, bugs, facts and figures. Just a side thought in response to another security "guru" chewing away at MS, and just my own humble opinion.

  6. #6
    I have your beans...

    What happens in SP2 is, if you download an exe from an attachment, then the exe is appended with a security restriction that equals the security level of the email you opened. Restricted level email = restricted level attachments. If you run that exe, it should warn you that it is untrusted. The flaw: by dragging the file into a command prompt (or something), you don't get a warning. So the vector is an email worm similar to Bagle; it takes user interaction and instruction to run.

    But those beans are fried if you strip attachments like on TS's ninja mailserver. You aren't any more vulnerable than SP1, in fact you are less vulnerable to a .exe attachment. BIG DEAL

    edit:

    And .exe files renamed to .gif will be run as executables in cmd. So same case, you still gotta talk the user into running the file in the cmd prompt. So unless TS's ninja mailserver blocks .gif's as attachments...
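    The point made in the two paragraphs above is that an attachment filter keyed on the file extension stops the .exe case but not the renamed .gif case, while the marking SP2 applies to downloaded attachments (on NTFS this is the Zone.Identifier alternate data stream) only helps when the launch path honours it. The following is an added example, not code from the thread, from heise or from Microsoft: a mail-gateway style check that decides by content (the DOS "MZ" header and the "PE\0\0" signature it points at) before it looks at the declared extension, so a renamed executable is still stripped. The extension list, the sample attachments and the attachment names are constructed for the example.

```python
from __future__ import annotations

import os
import struct

# Extensions Windows treats as directly executable (well-known list, constructed for the example).
EXECUTABLE_EXTENSIONS = {".exe", ".com", ".scr", ".pif", ".bat", ".cmd", ".vbs", ".js"}

MZ_MAGIC = b"MZ"
PE_SIGNATURE = b"PE\0\0"
E_LFANEW_OFFSET = 0x3C  # offset of the 4-byte pointer to the PE header inside the DOS header


def is_pe_executable(data: bytes) -> bool:
    """True if `data` starts with a DOS header whose e_lfanew field points at a PE signature.

    Content only: a renamed .exe is still recognised. Truncated or malformed
    headers are reported as 'not a PE', never raised as an error.
    """
    if len(data) < E_LFANEW_OFFSET + 4 or data[:2] != MZ_MAGIC:
        return False
    (e_lfanew,) = struct.unpack_from("<I", data, E_LFANEW_OFFSET)
    if e_lfanew + len(PE_SIGNATURE) > len(data):
        return False  # pointer runs past the end of the file: truncated or bogus header
    return data[e_lfanew:e_lfanew + len(PE_SIGNATURE)] == PE_SIGNATURE


def classify_attachment(filename: str, data: bytes) -> tuple[str, str]:
    """Return ('block' | 'allow', reason) for one attachment.

    Content is checked first, so executable bytes behind a harmless-looking
    extension are blocked; the declared extension is checked second, so an .exe
    with a damaged header is still blocked.
    """
    ext = os.path.splitext(filename)[1].lower()
    if is_pe_executable(data):
        return "block", f"PE executable content, declared extension {ext or '(none)'}"
    if ext in EXECUTABLE_EXTENSIONS:
        return "block", f"executable extension {ext}"
    return "allow", "no executable indicators"


def blocked_names(attachments: list[tuple[str, bytes]]) -> list[str]:
    """Names of the attachments the filter would strip, in input order."""
    return [name for name, data in attachments if classify_attachment(name, data)[0] == "block"]


# --- Constructed sample inputs (synthetic bytes, not real files) --------------
# A minimal DOS header whose e_lfanew points just past itself at a PE signature.
FAKE_PE = (
    MZ_MAGIC
    + b"\0" * (E_LFANEW_OFFSET - len(MZ_MAGIC))
    + struct.pack("<I", 0x40)
    + PE_SIGNATURE
)
# A GIF header with padding, standing in for a genuine picture.
FAKE_GIF = b"GIF89a" + b"\0" * 58
# 'MZ' followed by almost nothing: too short to carry a PE header.
TRUNCATED = b"MZ\x90\x00"

SAMPLE_ATTACHMENTS = [
    ("invoice.exe", FAKE_PE),          # honest executable: blocked by content
    ("photo.gif", FAKE_PE),            # renamed executable: blocked by content, not extension
    ("holiday.gif", FAKE_GIF),         # real picture: allowed
    ("notes.txt", TRUNCATED),          # MZ prefix but no PE header: allowed
    ("run_me.bat", b"@echo off\r\n"),  # script: blocked by extension
]

if __name__ == "__main__":
    for name, data in SAMPLE_ATTACHMENTS:
        verdict, reason = classify_attachment(name, data)
        print(f"{name:12} {verdict:5} {reason}")
```

    Run as a script it prints one verdict per sample attachment; `photo.gif` is blocked even though its extension is on no deny list, which is the case an extension-only filter misses. The content check is deliberately conservative about malformed input (a pointer past the end of the file is treated as "not a PE"), so the extension check remains as the second line for files whose header has been damaged.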

  7. #7
    Senior Member
    Join Date
    Nov 2001
    Posts
    1,255
    Originally posted here by nihil
    I wonder what these self-styled "security researchers" would do for a living if it were not for Micro$oft

    I have yet to hear one of them come up with anything positive?
    You can drop the "self-styled" along with the quotes around "Security Researchers" in reference to Larholm. Like it or not, he discovers vulnerabilities, many of them. I am unaware of any reason why this is bad. This is leading to better software, isn't that a good thing?
    Chris Shepherd
    The Nelson-Shepherd cutoff: The point at which you realise someone is an idiot while trying to help them.
    \"Well as far as the spelling, I speak fluently both your native languages. Do you even can try spell mine ?\" -- Failed Insult
    Is your whole family retarded, or did they just catch it from you?

  8. #8
    AO Ancient: Team Leader
    Join Date
    Oct 2002
    Posts
    5,197
    Soda:

    The flaw:
    Er.... Isn't the "flaw" the user himself????? I mean c'mon.... If you don't know what the cmd prompt is, what could possibly be so important as to coax a user of this level into following the instructions without suspicion? Or, if you do know what the cmd prompt is, you should know better than to be doing what the instructions say anyway..... Shouldn't you?????

    This is a perfect example of the developers having to try to determine _every_ potential action by the end users and as I was told a long time ago "It doesn't matter how good you think you are at predicting what the idiots will do with your computer and stopping them because they will simply breed better idiots".
    Don't SYN us.... We'll SYN you.....
    "A nation that draws too broad a difference between its scholars and its warriors will have its thinking done by cowards, and its fighting done by fools." - Thucydides

  9. #9
    Everyone is running around trying to find the first SP2 exploit, and what they found was a bug. Yeah, it's exploiting the user, but listen to MS's response
    "We have investigated your report, as we do with all reports, however in this case, we don't see these issues as being in conflict with the design goals of the new protections. We are always seeking improvements to our security protections and this discussion will certainly provide additional input into future security features and improvements, but at this time we do not see these as issues that we would develop patches or workarounds to address."
    Until the next patch, there is a documented way to bypass SP2 security measures against mass mailers. I just don't see why a batch file can't be included in the email instead of asking the user to open the command prompt.

    So yeah, not a big deal. We'll probably see a worm just so someone can claim the first SP2 worm, but it won't be a Blaster or Sasser.
    http://www.heise.de/security/artikel/50051

  10. #10
    Just Another Geek
    Join Date
    Jul 2002
    Location
    Rotterdam, Netherlands
    Posts
    3,401
    I do think MS should have implemented the same security check on the shell aka cmd.exe.

    you still gotta talk the user into running the file in the cmd prompt
    True, but we all know how easy that is. As Jurgen Schmidt pointed out: look at those viruses that send password-protected zip files. People will do anything if asked. Just use a bit of social engineering and away we go....
    Oliver's Law:
    Experience is something you don't get until just after you need it.
