PC Magazine article on Win XP SP 2 security hole

Anonymous
August 26, 2004 3:42:05 AM

Archived from groups: microsoft.public.windowsxp.basics

I have no opinion on this but would like to get some reaction from the
experts:

Top Threat: Windows Security Center Spoof

Windows XP Service Pack 2 promises to raise the security bar for the
sometimes beleaguered operating system. Unfortunately, one of the new
features could be spoofed so that it reports misleading information about
system security, or worse, lets a malicious program watch for an opportunity
to do damage without being detected. The feature is the Windows Security
Center (Figure 1), which displays the status of the key elements of your
defenses: Firewall, Updates, and Antivirus. If your firewall has been
disabled, or your antivirus is out of date, that news will display here. The
information is stored in an internal database managed by the Windows
Management Instrumentation (WMI) subsystem built into Windows.

Based on an anonymous tip, we looked into the WMI and the Windows Security
Center's use of it, and found that it may not only be a security hole, but a
crater. Due to the nature of WMI, it could potentially allow attackers to
spoof the state of security on a user's system while accessing data,
infecting the system, or turning the PC into a zombie for spam or other
purposes.

According to Microsoft, WMI is the Microsoft implementation of Web-Based
Enterprise Management (WBEM), an industry standard for accessing management
information on a system. For Windows XP Service Pack 2, Microsoft added new
fields or records to keep track of the Firewall and Antivirus information in
the WMI database. Unfortunately, the WMI database is designed to be
accessible via the WBEM API (application program interface) and is available
to any program that wants to access the WMI. These programs can be desktop
applications written in desktop- or web-based scripting or ActiveX modules.

This open door to the security status of a system can be exploited several
ways. First, a malicious site could download a file (possibly with the drag
and drop exploit discussed in our Windows updates and vulnerabilities
section), which could run and access the WMI, monitoring the status of the
firewall and antivirus protection.

Some existing malicious programs attack the antivirus or firewall directly,
using techniques specific to the security product. These attacks are almost
invariably blocked when security is turned on. The malicious program could
wait until the security products are temporarily disabled, but to do that
currently they would have to monitor the products directly, which again
would trigger alarms. However, a program just casually checking WMI may be
ignored by security programs. When WMI reports that protection is off, the
malicious program could permanently disable the security protection and
remain undetected. Because the WMI database is not set to be a read-only
file, the attacking program could simply change the disabled product's
status to "up-to-date" and "enabled" to avoid suspicion. The WMI database
and subsystem cares less what the actual state of the product is, only that
it was told things are okay.

Beyond that, it is also possible to use WBEM API functions to add a firewall
or antivirus listing that didn't previously exist. In our example, we used a
reasonably simple script to add in fake antivirus and firewall product
listings in the Windows Security Center. In both cases, we told WMI that
they were up to date and enabled (Figure 2).

The WMI and WBEM interface has been well documented both on the Microsoft
Developer's Network, and other places on the web. We were able to find some
references to the namespace and objects that the Windows Security Center
uses on the web, though no references to it being exploited, yet.

However, it's almost like Microsoft has given attackers the path, door and
keys. Windows itself contains a test utility, WBEMTEST.EXE, that allows you
to view, add and edit the values in the WMI. In addition, files associated
with the utility provide the namespace, classes, and data types associated
with the Windows Security Center, all in plain text. The danger in this
utility is not that it can edit the WMI, but it lets a malicious developer
learn the data and fields needed to do the spoof.

While we are not aware of any malware exploiting this, we think it will only
be a matter of time. The one mitigating factor that we found is that to
change the WMI, and spoof the Security Center, the script has to be running
in Administrator mode. If executed in Windows XP's Limited Mode, it will
give an error, and not allow changes. Unfortunately, most home users who
will be at risk, run in the default administrator mode.

When we contacted Microsoft for comment, a spokesperson said that the
company was not aware of this issue, but would investigate. They had not
responded further at press time.
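
The article's point that the Security Center shows whatever the WMI database was told suggests a defender's cross-check: compare the reported listings with state observed independently of that database. The sketch below is an added example, not part of the original post or the PC Magazine article; the record fields, product names and service names are constructed for illustration, and it runs on an inline sample rather than querying WMI.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Listing:
    """One product record as reported by the status database (fields are assumed)."""
    kind: str        # "antivirus" or "firewall"
    name: str
    enabled: bool
    up_to_date: bool

# Constructed inventory: products actually deployed, mapped to the service
# each one must have running. All names here are hypothetical.
EXPECTED = {
    ("antivirus", "ExampleAV"): "exampleav_svc",
    ("firewall", "Windows Firewall"): "fw_svc",
}

def audit(listings, running_services, expected=EXPECTED):
    """Return sorted (severity, message) findings; an empty list means consistent."""
    findings, seen = [], set()
    for item in listings:
        key = (item.kind, item.name)
        seen.add(key)
        service = expected.get(key)
        if service is None:
            # A listing nobody deployed: the "added fake product" case.
            findings.append(("high", f"unexpected {item.kind} listing: {item.name}"))
        elif item.enabled and service not in running_services:
            # Reported state contradicts observed state: the "edited status" case.
            findings.append(("high", f"{item.name} reported enabled but {service} is not running"))
        elif not (item.enabled and item.up_to_date):
            findings.append(("medium", f"{item.name} reported disabled or out of date"))
    for kind, name in sorted(set(expected) - seen):
        findings.append(("medium", f"deployed {kind} missing from report: {name}"))
    return sorted(findings)

# Constructed sample: a report that looks healthy next to the services really running.
REPORTED = [
    Listing("antivirus", "ExampleAV", True, True),
    Listing("firewall", "FakeShield", True, True),
]
RUNNING = {"spooler", "fw_svc"}

if __name__ == "__main__":
    for severity, message in audit(REPORTED, RUNNING):
        print(f"[{severity}] {message}")
```

The ground truth (running services, deployed inventory) has to come from a source other than the status database itself, otherwise the check inherits the same trust problem.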
August 26, 2004 3:42:06 AM

Archived from groups: microsoft.public.windowsxp.basics

That's why when I get the free CD from Microsoft, I am going
to disable that XP Security Center as much as possible.




