Thursday, 26 August 2004

Larry Osterman points out what should be obvious, but is largely overlooked or ignored since it makes tasty "news." Recent reports that there is a security "hole" in Windows XP SP2 miss the big picture, he says.

The gist of the reported complaint is this: The new Security Center in SP2 uses WMI to control what information is displayed to the end user regarding what software is in place and it's status. Malicious code can, therefore, potentially use WMI to modify the information displayed by the Security Center, thereby convincing the user of the system that their firewall is on and AV software is running when in fact it's not.

PC Magazine and others ran articles about how they were able to spoof the new Windows XP SP2 Security Center, causing it to display false information about the status of the system. Microsoft later responded and PC Magazine followed up on the response, where they changed their tone somewhat.

From PC Magazine's original article:

"Based on an anonymous tip, we looked into the WMI and the Windows Security Center's use of it, and found that it may not only be a security hole, but a crater in the wrong hands. Due to the nature of WMI, the WSC could potentially allow attackers to spoof the state of security on a user's system while accessing data, infecting the system, or turning the PC into a zombie for spam or other purposes."

While this is technically possible, what is missed is the fact that in order to use WMI to make those changes, a program would have to be downloaded and installed on the machine with "system" level permissions. Any unwelcome code that is allowed/able to get that level of access has already won the race and is able to do much more harm than simply changing the information displayed in the Security Center. Even if the security center was not a part of your system, as soon as you ran the malicious code you'd be equally screwed, and the malware could make changes to pretty much any other apps running on your system. It would not need the Security Center to do its dirty work.

Read Larry's post for more, but remember one thing: The fact that someone claims something is a security hole - or in this case, a "crater" - does not mean they're right. It is, of course, always best to check things out and play the role of the skeptic, but accuracy in reporting is of primary importance, even if it is not as exciting. I'm glad PC Week followed up with their second story.

Their conclusion?

"We see the WMI and WSC as an indirect security risk, or hole, or whatever you want to call it. Maybe we're giving hackers and malware writers too much credit. WMI allows a program to get the security status of a user's system, as well as spoof it to give the user a false sense of security. Maybe it is too subtle. However, it is another tool in the hacker's toolbox. To have easy public access to the security status of a user's machine is like sending a password in plain text to a web site. It may not be used, but then again it might..."

"Do we think that end users should upgrade? Yes, Windows XP Service Pack 2 is a must do, especially for end users. However, we would recommend users not take the WSC as gospel, If you use an antivirus, or 3rd party firewall, look at their status panels as a sanity check. Keep your Antivirus, windows, firewall updates current, and most of all, be very careful of what you run on your system."

I do think the articles serve an important and valid purpose, though: They call to light the importance of securing systems by default and continuing to improve in that area. It's fair to say that in the real world, people will do exactly what you hope they would not do, and that the default configuration of the operating system, which is certainly greatly improved with the new service pack, is still a real concern. They point out that there is still work to be done, and that while things are better, they;re not perfect.  In that sense, I think they're right on.

Crater? No. Worth mentioning and asking about? Absolutely.

Add/Read: Comments [1]
IT Security
Thursday, 26 August 2004 18:59:50 (Pacific Standard Time, UTC-08:00)
#  Trackback

Referred by: [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral] [Referral]

Friday, 27 August 2004 09:59:33 (Pacific Standard Time, UTC-08:00)
yo yo yo -- i heard from my pops that sp2 is hosed yo. leave it to micro-sizoft to put out that whack jive. know what i'm sayin'

fo real
Comments are closed.