Security Watch Special: Windows XP SP2 Security Center Spoofing Threat

Top Threat: Windows Security Center Spoof

Windows XP Service Pack 2 promises to raise the security bar for the sometimes beleaguered operating system. Unfortunately, one of the new features could be spoofed so that it reports misleading information about system security, or worse, lets a malicious program watch for an opportunity to do damage without being detected. The feature is the Windows Security Center (WSC), which displays the status (Figure 1) of the key elements of your defenses: Firewall, Updates, and Antivirus. If your firewall has been disabled, or your antivirus is out of date, that news will display here. The information is stored in an internal database managed by the Windows Management Instrumentation (WMI) subsystem built into Windows.

Figure 1. SP2 Security Center

Based on an anonymous tip, we looked into the WMI and the Windows Security Center's use of it, and found that it may not only be a security hole, but a crater in the wrong hands. Due to the nature of WMI, the WSC could potentially allow attackers to spoof the state of security on a user's system while accessing data, infecting the system, or turning the PC into a zombie for spam or other purposes.

According to Microsoft, WMI is the Microsoft implementation of Web-Based Enterprise Management (WBEM), an industry standard for accessing management information on a system. For Windows XP Service Pack 2, Microsoft added new fields or records to keep track of the Firewall and Antivirus information in the WMI database. Unfortunately, the WMI database is designed to be accessible via the WBEM API (application program interface) and is available to any program that wants to access the WMI. These programs can be desktop applications, desktop- or web-based scripts, or ActiveX modules.

This open door to the security status of a system can be exploited several ways. First, a malicious site could download a file (possibly with the drag and drop exploit discussed in our Windows updates and vulnerabilities section), which could run and access the WMI, monitoring the status of the firewall and antivirus protection.

Some existing malicious programs attack the antivirus or firewall directly, using techniques specific to the security product. These attacks are almost invariably blocked when security is turned on. The malicious program could wait until the security products are temporarily disabled before acting. However, to do that currently, it would have to monitor the products directly, which again would trigger alarms. But a program just casually checking WMI may be ignored by security programs. When WMI reports that protection is off, the malicious program could permanently disable the security protection and remain undetected. Because the WMI database is not set to be a read-only file, the attacking program could simply change the disabled product's status to "up-to-date" and "enabled" to avoid suspicion. The WMI database and subsystem care less about the actual state of the product than about what they have been told: if they were told things are okay, that is what they report.

Beyond that, it is also possible to use WBEM API functions to add a firewall or antivirus listing that didn't previously exist. In our example, we used a reasonably simple script to add fake antivirus and firewall product listings to the Windows Security Center. In both cases, we told WMI that they were up to date and enabled (Figure 2).
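Because the Security Center only repeats what it has been told, a defender's check is to compare its WMI entries against something the entries cannot vouch for, such as the services actually running. The read-only audit script below is an added example, not the script used for the article: it assumes Windows XP SP2 with PowerShell installed, uses the root\SecurityCenter namespace and the AntiVirusProduct / FirewallProduct classes that namespace exposes, and relies on the (labelled) heuristic that a genuine product has a running service whose display name mentions its vendor.

```powershell
# Added audit example (not from the article). Read-only: it never writes to WMI.
# Assumes Windows XP SP2 with PowerShell installed; class and property names are
# those the root\SecurityCenter namespace exposes on XP SP2.
$ns = 'root\SecurityCenter'

# Display names of every running service; used as an independent reference.
function Get-RunningServiceNames {
    Get-Service | Where-Object { $_.Status -eq 'Running' } |
        ForEach-Object { $_.DisplayName }
}
$running = Get-RunningServiceNames

Write-Host '== Antivirus products registered with the Security Center =='
Get-WmiObject -Namespace $ns -Class AntiVirusProduct | ForEach-Object {
    # Heuristic (assumption): a real product normally has a running service
    # whose display name mentions the vendor. An entry with no such service
    # deserves a closer look, since anything running as Administrator can add one.
    $vendor = $_.companyName
    $hasService = $running | Where-Object {
        $vendor -and $_ -match [regex]::Escape($vendor)
    }
    $flag = if ($hasService) { '' } else { '  <-- no running service from this vendor' }
    '{0} ({1}) up-to-date={2} on-access={3}{4}' -f $_.displayName, $vendor,
        $_.productUptoDate, $_.onAccessScanningEnabled, $flag
}

Write-Host '== Firewall products registered with the Security Center =='
Get-WmiObject -Namespace $ns -Class FirewallProduct | ForEach-Object {
    $vendor = $_.companyName
    $hasService = $running | Where-Object {
        $vendor -and $_ -match [regex]::Escape($vendor)
    }
    $flag = if ($hasService) { '' } else { '  <-- no running service from this vendor' }
    '{0} ({1}) enabled={2}{3}' -f $_.displayName, $vendor, $_.enabled, $flag
}

# The built-in Windows Firewall keeps its own state in the Windows Firewall COM
# API, which a spoofed WMI record cannot change; report it alongside the above.
$fwMgr = New-Object -ComObject HNetCfg.FwMgr
$actual = $fwMgr.LocalPolicy.CurrentProfile.FirewallEnabled
"Windows Firewall actually enabled (HNetCfg.FwMgr): $actual"
```

An entry flagged with no matching running service, or a third-party firewall listed as enabled while the built-in firewall is also off, is a signal to verify the product from its own console rather than trusting the Security Center display.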

Figure 2. Faked Security Center entries

The WMI and WBEM interfaces have been well documented both on the Microsoft Developer Network and elsewhere on the web. We were able to find some references on the web to the namespace and objects that the Windows Security Center uses, though no references to it being exploited, yet.

However, it's almost as if Microsoft has given attackers the path, the door and the keys: Windows itself contains a test utility, WBEMTEST.EXE, that lets you view, add and edit the values in the WMI. In addition, files associated with the utility provide the namespace, classes, and data types associated with the Windows Security Center, all in plain text. The danger in this utility is not that it can edit the WMI, but that it lets a malicious developer learn the data and fields needed to do the spoof.

While we are not aware of any malware exploiting this, we think it will only be a matter of time. The one mitigating factor that we found is that to change the WMI, and spoof the Security Center, the script has to be running in Administrator mode. If executed in Windows XP's Limited Mode, it will give an error and not allow changes. Unfortunately, most home users, who are the ones at risk, run in the default Administrator mode.

When we contacted Microsoft for comment, a spokesperson said that the company was not aware of this issue, but would investigate. Read Microsoft Responds to see what they said.
