PC Magazine article on Win XP SP 2 security hole

Archived from groups: microsoft.public.windowsxp.basics

I have no opinion on this but would like to get some reaction from the
experts:

Top Threat: Windows Security Center Spoof

Windows XP Service Pack 2 promises to raise the security bar for the
sometimes beleaguered operating system. Unfortunately, one of the new
features could be spoofed so that it reports misleading information about
system security, or worse, lets a malicious program watch for an opportunity
to do damage without being detected. The feature is the Windows Security
Center (Figure 1), which displays the status of the key elements of your
defenses: Firewall, Updates, and Antivirus. If your firewall has been
disabled, or your antivirus is out of date, that news will display here. The
information is stored in an internal database managed by the Windows
Management Instrumentation (WMI) subsystem built into Windows.

Based on an anonymous tip, we looked into the WMI and the Windows Security
Center's use of it, and found that it may not only be a security hole, but a
crater. Due to the nature of WMI, it could potentially allow attackers to
spoof the state of security on a user's system while accessing data,
infecting the system, or turning the PC into a zombie for spam or other
purposes.

According to Microsoft, WMI is the Microsoft implementation of Web-Based
Enterprise Management (WBEM), an industry standard for accessing management
information on a system. For Windows XP Service Pack 2, Microsoft added new
fields or records to keep track of the Firewall and Antivirus information in
the WMI database. Unfortunately, the WMI database is designed to be
accessible via the WBEM API (application program interface) and is available
to any program that wants to access the WMI. These programs can be desktop
applications written in desktop- or web-based scripting or ActiveX modules.

This open door to the security status of a system can be exploited several
ways. First, a malicious site could download a file (possibly with the drag
and drop exploit discussed in our Windows updates and vulnerabilities
section), which could run and access the WMI, monitoring the status of the
firewall and antivirus protection.

Some existing malicious programs attack the antivirus or firewall directly,
using techniques specific to the security product. These attacks are almost
invariably blocked when security is turned on. The malicious program could
wait until the security products are temporarily disabled, but to do that
currently they would have to monitor the products directly, which again
would trigger alarms. However, a program just casually checking WMI may be
ignored by security programs. When WMI reports that protection is off, the
malicious program could permanently disable the security protection and
remain undetected. Because the WMI database is not set to be a read-only
file, the attacking program could simply change the disabled product's
status to "up-to-date" and "enabled" to avoid suspicion. The WMI database
and subsystem cares less what the actual state of the product is, only that
it was told things are okay.

Beyond that, it is also possible to use WBEM API functions to add a firewall
or antivirus listing that didn't previously exist. In our example, we used a
reasonably simple script to add in fake antivirus and firewall product
listings in the Windows Security Center. In both cases, we told WMI that
they were up to date and enabled (Figure 2).

The WMI and WBEM interface has been well documented both on the Microsoft
Developer's Network, and other places on the web. We were able to find some
references to the namespace and objects that the Windows Security Center
uses on the web, though no references to it being exploited, yet.

However, it's almost like Microsoft has given attackers the path, door and
keys: Windows itself contains a test utility, WBEMTEST.EXE, that allows you
to view, add and edit the values in the WMI. In addition, files associated
with the utility provide the namespace, classes, and data types associated
with the Windows Security Center, all in plain text. The danger in this
utility is not that it can edit the WMI, but it lets a malicious developer
learn the data and fields needed to do the spoof.

While we are not aware of any malware exploiting this, we think it will only
be a matter of time. The one mitigating factor that we found is that to
change the WMI, and spoof the Security Center, the script has to be running
in Administrator mode. If executed in Windows XP's Limited Mode, it will
give an error, and not allow changes. Unfortunately, most home users, who
will be at risk, run in the default administrator mode.

When we contacted Microsoft for comment, a spokesperson said that the
company was not aware of this issue, but would investigate. They had not
responded further at press time.
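The article's core point is that the Security Center shows stored values, not measurements: whatever a product (or a script) writes into the WMI database is what the user sees. The defender's counter is to cross-check those self-reported records against something the database cannot fake, such as whether the executable a registration points at actually exists and carries a valid signature. The PowerShell script below is an added, read-only example written for this page; it is not code from the PC Magazine article or from either poster. It assumes the XP SP2 / Vista namespace `root\SecurityCenter` with classes `AntiVirusProduct` and `FirewallProduct` and the property names `displayName`, `pathToSignedProductExe`, `onAccessScanningEnabled`, `productUptoDate` and `enabled`, none of which the article names. It also reports whether the session is running as an administrator, since the article's one mitigation is that only an administrator can write to the database.

```powershell
# Added example, not code from the PC Magazine article or the forum post.
# Assumed (not stated on the page): the XP SP2 / Vista namespace root\SecurityCenter,
# its classes AntiVirusProduct and FirewallProduct, and their properties displayName,
# pathToSignedProductExe, onAccessScanningEnabled, productUptoDate and enabled.
# Reading the namespace needs no elevation; writing to it does.

function Get-SecurityCenterAudit {
    param([string]$Namespace = 'root\SecurityCenter')

    $findings = @()
    foreach ($class in 'AntiVirusProduct', 'FirewallProduct') {
        $instances = Get-CimInstance -Namespace $Namespace -ClassName $class -ErrorAction SilentlyContinue
        foreach ($p in $instances) {
            # These fields are exactly what Security Center displays. They are stored
            # values, not measurements, so a registration can claim anything.
            if ($class -eq 'AntiVirusProduct') {
                $claimsOn      = [bool]$p.onAccessScanningEnabled
                $claimsCurrent = [bool]$p.productUptoDate
            } else {
                $claimsOn      = [bool]$p.enabled
                $claimsCurrent = $true   # firewall records carry no "up to date" field here
            }

            # Independent evidence: the executable the registration points at must
            # exist on disk and carry a valid Authenticode signature.
            $exe       = [string]$p.pathToSignedProductExe
            $exeExists = ($exe -ne '') -and (Test-Path -LiteralPath $exe)
            $sigStatus = 'NoFile'
            if ($exeExists) {
                $sigStatus = (Get-AuthenticodeSignature -FilePath $exe).Status.ToString()
            }

            $findings += [pscustomobject]@{
                Class         = $class
                DisplayName   = $p.displayName
                ClaimsOn      = $claimsOn
                ClaimsCurrent = $claimsCurrent
                ExePath       = $exe
                Signature     = $sigStatus
                # A product that claims to be on but has no validly signed binary behind
                # it is either a spoofed registration or a stale or tampered real one.
                Suspicious    = ($claimsOn -and $sigStatus -ne 'Valid')
            }
        }
    }
    return $findings
}

# The article's mitigation in one check: only an administrator can alter the database.
$identity = [Security.Principal.WindowsIdentity]::GetCurrent()
$isAdmin  = ([Security.Principal.WindowsPrincipal]$identity).IsInRole(
                [Security.Principal.WindowsBuiltInRole]::Administrator)
Write-Host "Running as administrator (could write to Security Center WMI): $isAdmin"

Get-SecurityCenterAudit | Format-Table -AutoSize
```

Two caveats on using this. The schema is specific to XP SP2 and Vista; Windows 7 and later moved the provider to `root\SecurityCenter2`, where the status is packed into a `productState` bitmask rather than separate boolean fields, so the property names above would need changing there. And the signature check is evidence, not proof: it establishes that a validly signed binary exists at the registered path, not that the product is actually protecting the machine, and a legitimate product whose binary is unsigned will also be flagged. Treat `Suspicious` as a lead to investigate, and pair it with the product's own logs or process list rather than trusting any single source.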

    That's why when I get the free CD from Microsoft, I am going
    to disable that XP Security Center as much as possible.
