Windows XP SP2 Has A Dangerous Hole

[NeonWizard]

Windows XP Service Pack 2 promises to raise the security bar for the sometimes beleaguered operating system. Unfortunately, one of the new features could be spoofed so that it reports misleading information about system security, or worse, lets a malicious program watch for an opportunity to do damage without being detected. The feature is the Windows Security Center ( Figure 1 ), which displays the status of the key elements of your defenses: Firewall, Updates, and Antivirus. If your firewall has been disabled, or your antivirus is out of date, that news will display here. The information is stored in an internal database managed by the Windows Management Instrumentation (WMI) subsystem built into Windows.

Based on an anonymous tip, we looked into the WMI and the Windows Security Center's use of it, and found that it may not only be a security hole, but a crater. Due to the nature of WMI, it could potentially allow attackers to spoof the state of security on a user's system while accessing data, infecting the system, or turning the PC into a zombie for spam or other purposes.

According to Microsoft, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), an industry standard for accessing management information on a system. For Windows XP Service Pack 2, Microsoft added new fields or records to keep track of the Firewall and Antivirus information in the WMI database. Unfortunately, the WMI database is designed to be accessible via the WBEM API (application program interface) and is available to any program that wants to access the WMI. These programs can be desktop applications written in desktop- or web-based scripting or ActiveX modules.

This open door to the security status of a system can be exploited several ways. First, a malicious site could download a file (possibly with the drag and drop exploit discussed in our Windows updates and vulnerabilities section), which could run and access the WMI, monitoring the status of the firewall and antivirus protection.

Read Article

[avdven]

While I agree this could be an issue, I don't think people should be relying on the Windows Security Center in the first place. For instance, the article says that it is possible to tell the WSC that a antivirus and firewall are installed even if they're not. If you don't have an antivirus and/or firewall running and all of a sudden it shows that you do, you'd probably be pretty suspicious about it, right? Plus, realistically, there's not really much use for spoofing the WSC. I mean, if someone doesn't have an antivirus or firewall running, what good would it do to tell them that they do? Or, vice versa, if they do have something running and the WSC say that they aren't, it doesn't make their computer any more susceptible to attack. That's just my thought. I think the "Dangerous Hole" is kinda overrated. A hole, maybe. But even then, they'll argue that making it easily accessible is the whole point to the new Security Center. They'll say it's a feature, not a hole.

AJ

[tonybradley]

My opinion with this flaw or vulnerability, like most flaws and vulnerabilities, is that the issue isn't with the code. The dangerous hole in Windows XP SP2 and with just about every operating system and application is THE USER.

As soon as they figure out how to patch that we'll all be out of a job. Until then the money will keep flowing. :-)

[Vorlin]

Just as tonybradley stated, it's all about the end user, their ultimate responsibility with security, patches, and their machine as a whole, and hence, they're the end reason as to success or failure. Software has its faults, plenty of them, and will never be better than human intervention. The whole "remove human intervention is the best way" is not plausible in a lot of computerized scenarios. To remove it for user error, sure, but not for management or whatever. The security center isn't a replacement for a savvy person who's up to date on their software, patches, AV, firewall rulesets, etc...and never will be, so IMHO, the SC isn't something I view as necessary in SP2 at all. I do appreciate the fact that MS wants it to be easier for the typical user to see at a glance what their machine is at, but outside of that, it could be a lot more improved.

And what's preventing me from saying "Yeah, this AV is installed...it's really just a 0 byte text file that's renamed to 'antivirus.exe' " and the machine thinks I'm protected and some spoof/exploit is trying to circumvent that executable...interesting...

[dynagnosis]

Perhaps I've read the article wrong or misunderstood but I took it as WMI being exploited remotely and devulging critical information about the machine.

...funny that is a huge security concern all of a sudden, anyone ever hear about SNMP? LOL

[pooh sun tzu]

It may just be me, but doesn't the Security Center (I've completely removed that component, can't test) require not only a file name, but an installed program listing as well as the processing running? It doesn't just magically recognize a file and poof... virus scanner found!

[AngelicKnight]

That's what I would've expected, otherwise you could just name a trojan "antivirus.exe" and let the fun begin, right? Surely the security center has a little better identifying capability than that...

Curious Pooh, why'd you remove the component?

[pooh sun tzu]

Curious Pooh, why'd you remove the component?

I remove anything I don't use. The ICF, the Security Center, etc etc etc. Not that I recommend normal home users doing that, but let's face it, most of us on here won't need reminders that we are/are not running a virus scanner/firewall.

[AngelicKnight]

...and thus you streamline your OS as a result. Gotcha.

[avdven]

Microsoft responded to the reports that WSC has a serious hole. Read it here: http://www.neowin.net/comments.php?i...&category=main

"We wanted to alert you to some misguided press reports that may cause Microsoft customers undue concern. Some articles have posted that claim there is a highly critical vulnerability that would allow a malicious user to spoof the Windows Security Center in Windows XP SP2 however this claim is not accurate. we don’t know how closely you have been following this issue, but we wanted to make sure you had the facts from Microsoft.

As you know Windows Security Center, found in the Windows XP Control panel, provides customers the ability to easily check the status of essential security functionalities such as firewalls, automatic updates and antivirus. Windows Security Center will inform users whether key security capabilities are turned on and up to date and will notify users if it appears that updates need to be made or if additional action steps may need to be taken to help them get more secure.

To clarify, there is not a vulnerability in the Windows Security Center. In order for an attacker to spoof the Windows Security Center, he or she would have to have local administrator rights on the computer (ed. XP Homes default user is 'Admin', and many XP Pro users set their account to admin status for a hassle free life). If an attacker were granted access to a user’s system, either by being granted them or attaining them by enticing a user to open a malicious attachment, the criminal actions the attacker could pursue include many that are far more serious than just spoofing the Windows Security Center. In Windows XP SP2, we have added functionality to reduce the likelihood of unknown applications from running on the user’s system including turning Windows Firewall on by default, Data Execution Prevention and Attachment Manager in Outlook Express, to name a few.

All the best,
Windows Community Team"

AJ