Archived from groups: microsoft.public.windowsxp.basics (More info?)
I have no opinion on this but would like to get some reaction from the
experts:
Top Threat: Windows Security Center Spoof
Windows XP Service Pack 2 promises to raise the security bar for the
sometimes beleaguered operating system. Unfortunately, one of the new
features could be spoofed so that it reports misleading information about
system security, or worse, lets a malicious program watch for an opportunity
to do damage without being detected. The feature is the Windows Security
Center ( Figure 1 ), which displays the status of the key elements of your
defenses: Firewall, Updates, and Antivirus. If your firewall has been
disabled, or your antivirus is out of date, that news will display here. The
information is stored in an internal database managed by the Windows
Management Instrumentation (WMI) subsystem built into Windows.
Based on an anonymous tip, we looked into the WMI and the Windows Security
Center's use of it, and found that it may not only be a security hole, but a
crater. Due to the nature of WMI, it could potentially allow attackers to
spoof the state of security on a user's system while accessing data,
infecting the system, or turning the PC into a zombie for spam or other
purposes.
According to Microsoft, WMI is the Microsoft implementation of Web-Based
Enterprise Management (WBEM), an industry standard for accessing management
information on a system. For Windows XP Service Pack 2, Microsoft added new
fields or records to keep track of the Firewall and Antivirus information in
the WMI database. Unfortunately, the WMI database is designed to be
accessible via the WBEM API (application program interface) and is available
to any program that wants to access the WMI. These programs can be desktop
applications written in desktop- or web-based scripting or ActiveX modules.
This open door to the security status of a system can be exploited several
ways. First, a malicious site could download a file (possibly with the drag
and drop exploit discussed in our Windows updates and vulnerabilities
section), which could run and access the WMI, monitoring the status of the
firewall and antivirus protection.
Some existing malicious programs attack the antivirus or firewall directly,
using techniques specific to the security product. These attacks are almost
invariably blocked when security is turned on. The malicious program could
wait until the security products are temporarily disabled, but do to that
currently they would have to monitor the products directly, which again
would trigger alarms. However, a program just casually checking WMI may be
ignored by security programs. When WMI reports that protection is off, the
malicious program could permanently disable the security protection and
remain undetected. Because the WMI database is not set to be a read-only
file, the attacking program could simply change the disabled product's
status to "up-to-date" and "enabled" to avoid suspicion. The WMI database
and subsystem cares less what the actual state of the product is, only that
it was told things are okay.
Beyond that, it is also possible to use WBEM API functions to add a firewall
or antivirus listing that didn't previously exist. In our example, we used a
reasonably simple script to add in fake antivirus and firewall product
listings in the Windows Security Center. In both cases, we told WMI that
they were up to date and enabled. ( Figure 2 ).
The WMI and WBEM interface has been well documented both on the Microsoft
Developer's Network, and other places on the web. We were able to find some
references to the namespace and objects that the Windows Security Center
uses on the web, though no references to it being exploited, yet.
However, it's almost like Microsoft has given attackers the path, door and
keys, Windows itself contains a test utility, WBEMTEST.EXE, that allows you
to view, add and edit the values in the WMI. In addition, files associated
with the utility provide the namespace, classes, and data types associated
with the Windows Security Center, all in plain text. The danger in this
utility is not that it can edit the WMI, but it lets a malicious developer
learn the data and fields needed to do the spoof.
While we are not aware of any malware exploiting this, we think it will only
be a matter of time. The one mitigating factor that we found is that to
change the WMI, and spoof the Security Center, the script has to be running
in Administrator mode. If executed in Windows XP's Limited Mode, it will
give an error, and not allow changes. Unfortunately, most home users who
will be at risk, run in the default administrator mode.
When we contacted Microsoft for comment, a spokesperson said that the
company was not aware of this issue, but would investigate. They had not
responded further at press time.
I have no opinion on this but would like to get some reaction from the
experts:
Top Threat: Windows Security Center Spoof
Windows XP Service Pack 2 promises to raise the security bar for the
sometimes beleaguered operating system. Unfortunately, one of the new
features could be spoofed so that it reports misleading information about
system security, or worse, lets a malicious program watch for an opportunity
to do damage without being detected. The feature is the Windows Security
Center ( Figure 1 ), which displays the status of the key elements of your
defenses: Firewall, Updates, and Antivirus. If your firewall has been
disabled, or your antivirus is out of date, that news will display here. The
information is stored in an internal database managed by the Windows
Management Instrumentation (WMI) subsystem built into Windows.
Based on an anonymous tip, we looked into the WMI and the Windows Security
Center's use of it, and found that it may not only be a security hole, but a
crater. Due to the nature of WMI, it could potentially allow attackers to
spoof the state of security on a user's system while accessing data,
infecting the system, or turning the PC into a zombie for spam or other
purposes.
According to Microsoft, WMI is the Microsoft implementation of Web-Based
Enterprise Management (WBEM), an industry standard for accessing management
information on a system. For Windows XP Service Pack 2, Microsoft added new
fields or records to keep track of the Firewall and Antivirus information in
the WMI database. Unfortunately, the WMI database is designed to be
accessible via the WBEM API (application program interface) and is available
to any program that wants to access the WMI. These programs can be desktop
applications written in desktop- or web-based scripting or ActiveX modules.
This open door to the security status of a system can be exploited several
ways. First, a malicious site could download a file (possibly with the drag
and drop exploit discussed in our Windows updates and vulnerabilities
section), which could run and access the WMI, monitoring the status of the
firewall and antivirus protection.
Some existing malicious programs attack the antivirus or firewall directly,
using techniques specific to the security product. These attacks are almost
invariably blocked when security is turned on. The malicious program could
wait until the security products are temporarily disabled, but do to that
currently they would have to monitor the products directly, which again
would trigger alarms. However, a program just casually checking WMI may be
ignored by security programs. When WMI reports that protection is off, the
malicious program could permanently disable the security protection and
remain undetected. Because the WMI database is not set to be a read-only
file, the attacking program could simply change the disabled product's
status to "up-to-date" and "enabled" to avoid suspicion. The WMI database
and subsystem cares less what the actual state of the product is, only that
it was told things are okay.
Beyond that, it is also possible to use WBEM API functions to add a firewall
or antivirus listing that didn't previously exist. In our example, we used a
reasonably simple script to add in fake antivirus and firewall product
listings in the Windows Security Center. In both cases, we told WMI that
they were up to date and enabled. ( Figure 2 ).
The WMI and WBEM interface has been well documented both on the Microsoft
Developer's Network, and other places on the web. We were able to find some
references to the namespace and objects that the Windows Security Center
uses on the web, though no references to it being exploited, yet.
However, it's almost like Microsoft has given attackers the path, door and
keys, Windows itself contains a test utility, WBEMTEST.EXE, that allows you
to view, add and edit the values in the WMI. In addition, files associated
with the utility provide the namespace, classes, and data types associated
with the Windows Security Center, all in plain text. The danger in this
utility is not that it can edit the WMI, but it lets a malicious developer
learn the data and fields needed to do the spoof.
While we are not aware of any malware exploiting this, we think it will only
be a matter of time. The one mitigating factor that we found is that to
change the WMI, and spoof the Security Center, the script has to be running
in Administrator mode. If executed in Windows XP's Limited Mode, it will
give an error, and not allow changes. Unfortunately, most home users who
will be at risk, run in the default administrator mode.
When we contacted Microsoft for comment, a spokesperson said that the
company was not aware of this issue, but would investigate. They had not
responded further at press time.
Facebook
Twitter
Instagram