Top Threat: Windows Security Center Spoof
Windows XP Service Pack 2 promises to raise the security bar for the sometimes beleaguered operating system. Unfortunately, one of the new features could be spoofed so that it reports misleading information about system security, or worse, lets a malicious program watch for an opportunity to do damage without being detected. The feature is the Windows Security Center (WSC), which displays the status (Figure 1) of the key elements of your defenses: Firewall, Updates, and Antivirus. If your firewall has been disabled, or your antivirus is out of date, that news will display here. The information is stored in an internal database managed by the Windows Management Instrumentation (WMI) subsystem built into Windows.
Based on an anonymous tip, we looked into the WMI and the Windows Security Center's use of it, and found that it may not only be a security hole, but a crater in the wrong hands. Due to the nature of WMI, the WSC could potentially allow attackers to spoof the state of security on a user's system while accessing data, infecting the system, or turning the PC into a zombie for spam or other purposes.
According to Microsoft, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), an industry standard for accessing management information on a system. For Windows XP Service Pack 2, Microsoft added new fields or records to keep track of the Firewall and Antivirus information in the WMI database. Unfortunately, the WMI database is designed to be accessible via the WBEM API (application program interface) and is available to any program that wants to access the WMI. These programs can be desktop applications, scripts (desktop- or web-based), or ActiveX modules.
This open door to the security status of a system can be exploited in several ways. First, a malicious site could download a file (possibly with the drag and drop exploit discussed in our Windows updates and vulnerabilities section), which could run and access the WMI, monitoring the status of the firewall and antivirus protection.
Some existing malicious programs attack the antivirus or firewall directly, using techniques specific to the security product. These attacks are almost invariably blocked when security is turned on. A malicious program could instead wait until the security products are temporarily disabled before acting. Currently, however, to do that it would have to monitor the products directly, which again would trigger alarms. A program just casually checking WMI, on the other hand, may be ignored by security programs. When WMI reports that protection is off, the malicious program could permanently disable the security protection and remain undetected. Because the WMI database is not set to be a read-only file, the attacking program could simply change the disabled product's status to "up-to-date" and "enabled" to avoid suspicion. The WMI database and subsystem do not care what the actual state of the product is, only that they were told things are okay.
Beyond that, it is also possible to use WBEM API functions to add a firewall or antivirus listing that didn't previously exist. In our example, we used a reasonably simple script to add in fake antivirus and firewall product listings in the Windows Security Center. In both cases, we told WMI that they were up to date and enabled (Figure 2).
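A defensive cross-check for the two spoofing cases described above (a changed status and a listing for a product that does not exist), as an added example that is not from the original article: it compares what the status store reports against independently observed state. The product names, record fields and the seven-day signature threshold are constructed assumptions, and gathering the real data from a machine is outside its scope.

```python
from dataclasses import dataclass
from typing import Optional

MAX_SIGNATURE_AGE_DAYS = 7  # assumed policy threshold, not from the article

@dataclass(frozen=True)
class Reported:
    """One listing as the status store presents it (constructed stand-in)."""
    name: str
    kind: str            # "antivirus" or "firewall"
    enabled: bool
    up_to_date: bool

@dataclass(frozen=True)
class Observed:
    """What an independent check found, e.g. installed software and service state."""
    name: str
    kind: str
    service_running: bool
    signature_age_days: Optional[int]  # None where signatures do not apply

def reconcile(reported, observed):
    """Return (product, finding) pairs where the reported status cannot be trusted."""
    by_key = {(o.kind, o.name.lower()): o for o in observed}
    findings = []
    for r in reported:
        o = by_key.get((r.kind, r.name.lower()))
        if o is None:
            # Listed as protection, but nothing by that name is installed.
            findings.append((r.name, "phantom-listing"))
            continue
        if r.enabled and not o.service_running:
            findings.append((r.name, "reported-enabled-but-stopped"))
        stale = (o.signature_age_days is not None
                 and o.signature_age_days > MAX_SIGNATURE_AGE_DAYS)
        if r.up_to_date and stale:
            findings.append((r.name, "reported-current-but-stale"))
    return findings

# Constructed sample data: every listing claims "enabled" and "up to date".
REPORTED = [Reported("ExampleAV", "antivirus", True, True),
            Reported("ExampleFW", "firewall", True, True),
            Reported("GhostShield", "antivirus", True, True)]
OBSERVED = [Observed("ExampleAV", "antivirus", False, 30),
            Observed("ExampleFW", "firewall", True, None)]

if __name__ == "__main__":
    for product, finding in reconcile(REPORTED, OBSERVED):
        print(f"{product}: {finding}")
```
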
The WMI and WBEM interface has been well documented both on the Microsoft Developer's Network, and other places on the web. We were able to find some references to the namespace and objects that the Windows Security Center uses on the web, though no references to it being exploited, yet.
However, it's almost like Microsoft has given attackers the path, door and keys: Windows itself contains a test utility, WBEMTEST.EXE, that allows you to view, add and edit the values in the WMI. In addition, files associated with the utility provide the namespace, classes, and data types associated with the Windows Security Center, all in plain text. The danger in this utility is not that it can edit the WMI, but that it lets a malicious developer learn the data and fields needed to do the spoof.
While we are not aware of any malware exploiting this, we think it will only be a matter of time. The one mitigating factor that we found is that to change the WMI, and spoof the Security Center, the script has to be running in Administrator mode. If executed in Windows XP's Limited Mode, it will give an error, and not allow changes. Unfortunately, most home users who will be at risk run in the default administrator mode.
When we contacted Microsoft for comment, a spokesperson said that the company was not aware of this issue, but would investigate. Read Microsoft Responds to see what they said.