Windows XP SP2 HAS A MASSIVE SECURITY HOLE IN IT!!!


mastermesh
08-26-2004, 09:20 PM
Based on an anonymous tip, we looked into the WMI and the Windows Security Center's use of it, and found that it may not only be a security hole, but a crater in the wrong hands. Due to the nature of WMI, the WSC could potentially allow attackers to spoof the state of security on a user's system while accessing data, infecting the system, or turning the PC into a zombie for spam or other purposes.

LINK: http://www.pcmag.com/article2/0,1759,1639276,00.asp

Joss
08-26-2004, 09:25 PM
ooooh! Well screw that then!

Not good at all!

FunBucket
08-26-2004, 09:27 PM
I thought the point of SP2 was to fix these things... :rolleyes: Microsoft! Get it together!

zen jehad
08-26-2004, 09:29 PM
Ouch. There's been a couple of exploits for SP2 already, but don't think they're as bad as this one.

On the topic of exploits, here's another one, this time Winamp. Who'd have thunk it.

http://slashdot.org/article.pl?sid=04/08/26/1919249

creative destructions
08-26-2004, 09:30 PM
Going to wait for SP2a or whatever, maybe SP3.

Gein
08-26-2004, 09:35 PM
This stuff is normal to appear. It's a massive update.

If you don't update because of one of these, you probably put yourself at bigger risk, since SP2 really fixes a lot of other ones.

Also, all of these "exploits" that I've been reading require you to open cmd.exe and type something or drag'n'drop a file. How likely is that?
This one talks about possible web scripts, but they didn't use one to test it.

I'll update anyway, as soon as SP2 is available in my language.

alexyork
08-26-2004, 10:15 PM
aye i agree. SP2 = the lesser of two evils.

you either keep the old SP1 and face a wall of common threats daily or you take SP2, negate those old threats and wait for new ones.

like viruses. you only get a fix for a virus once it's spread.

just the lesser of two evils.

Dasleah
08-26-2004, 10:43 PM
What? A Microsoft product that isn't secure? An update that only half closes one door and then opens another? My god. My faith in Microsoft has been shaken forever :rolleyes:

thedaemon
08-26-2004, 10:49 PM
I think the main problem is that SP2 causes some computers to boot up to a BSOD... that is a bigger issue! So back up!

sundialsvc4
08-26-2004, 11:32 PM
The key point is here:

Microsoft brings up the point that the user must be in Administrator mode, and the program running on the local machine to get to the WMI. For the enterprise, users may run at more protected levels. But Windows XP home edition installs in Administrator mode, and most end users never change it. So, having administrator mode as the default is a security risk.

For running locally, that's not too difficult. As much as we tell end users not to execute unfamiliar e-mail attachments, they still do. Then there are the attacks using exploits to download code, though many are patched or detected in SP2. And of course there's the time-tested way - downloading a game demo or utility.

It is a fundamental axiom in the Unix/Linux world that: thou shalt not be 'root' all the time! ("root" is the all-powerful Unix user.) Yet Microsoft sets up the default (and usually "only") user on the new system as an Administrator, which is essentially omnipotent. Apple, too, sets up the default user as an Administrator, although in OS/X that user is one step away from being root. This deficiency is damnably short-sighted. It almost qualifies as sheer laziness on the part of the vendor. It would be no more difficult than setting up one user-ID, to set up two.

The first user-ID is the user's normal login, and this user is like every other user of the system. The second user-ID is used only for administrative purposes. Only this user-ID can update system software or make global settings to the registry (or its equivalent). Changes made by the "ordinary" user are private to itself. Viruses are compelled to execute with the privileges of the user who (unwittingly...) launches them; and so they are physically prevented from being able to do many types of damage. Instead of saying "Okay" to their nefarious requests, the OS now says, "Sorry, no. And oh by the way, you're dead."

All of the systems aforementioned have the built-in ability to make these distinctions, and to enforce these roles, right now. If users "routinely" used them, as Linux/Unix users do, viruses would be much less successful than they are today. Like real bio-organisms, computer viruses can become a plague only when they can encounter a "critical mass" of exploitable hosts through sheer blind luck. And, like real bio-organisms, the best defense might be ... hygiene. Customer education.

What if the next Windows update was delayed long enough to rework the system to change these roles by default? What if Microsoft engaged in a publicity campaign to teach users about "safe computing?" Both of these ideas are quite achievable. The true impact on virus-proliferation (which has ballooned into a multi-billion dollar largely needless problem) would be disproportionately large.

As much fun as it may be to "bash" Microsoft, :) they really don't deserve all that bad-press in this case. Current versions of Windows are securable and in fact boast state-of-the-art security. The trouble is, that security is largely turned-off. A much simpler proposition to fix.
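
The account-separation point made in the post above, as an added example that is not part of the original thread: a PowerShell audit that reports whether a machine is in the "default and only user is an Administrator" state. It assumes a current Windows host with PowerShell 5.1+ and the built-in LocalAccounts cmdlets; the function name `Get-AdminExposure` is hypothetical.

```powershell
# Added example (not from the thread). Audits local accounts for the
# "everyday login is also the administrator" condition.
# Assumes PowerShell 5.1+ with the Microsoft.PowerShell.LocalAccounts module.

function Get-AdminExposure {
    # S-1-5-32-544 is the well-known SID of BUILTIN\Administrators.
    # Using the SID avoids depending on the localized group name.
    $adminSid = 'S-1-5-32-544'

    # Is the current process token actually holding administrator rights?
    # On systems with UAC this is True only for an elevated process.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    $elevated  = $principal.IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)

    # Direct members of the local Administrators group, by SID.
    # Nested domain groups are not expanded here.
    $adminMemberSids = @(Get-LocalGroupMember -SID $adminSid |
        ForEach-Object { $_.SID.Value })

    # Every enabled local account, tagged with whether it is an administrator.
    $accounts = @(Get-LocalUser | Where-Object Enabled | ForEach-Object {
        [pscustomobject]@{
            Name            = $_.Name
            IsAdministrator = $adminMemberSids -contains $_.SID.Value
        }
    })

    $standard = @($accounts | Where-Object { -not $_.IsAdministrator })

    [pscustomobject]@{
        CurrentUser       = $identity.Name
        RunningElevated   = $elevated
        EnabledAccounts   = $accounts
        # True when no enabled local account is a plain (non-admin) user,
        # i.e. whoever logs in does so with administrative rights.
        NoStandardAccount = ($standard.Count -eq 0)
    }
}

$report = Get-AdminExposure
$report | Format-List CurrentUser, RunningElevated, NoStandardAccount
$report.EnabledAccounts | Format-Table -AutoSize

if ($report.NoStandardAccount) {
    Write-Warning 'No enabled standard account: create one for daily use and keep the administrator account for maintenance only.'
}
```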

creative destructions
08-26-2004, 11:52 PM
aye i agree. SP2 = the lesser of two evils.

you either keep the old SP1 and face a wall of common threats daily or you take SP2, negate those old threats and wait for new ones.

like viruses. you only get a fix for a virus once it's spread.

just the lesser of two evils.

Help protect your PC from harmful attachments.
By alerting you to potentially unsafe attachments, Windows XP Service Pack 2 (http://www.microsoft.com/windowsxp/sp2/default.mspx) (SP2) helps guard your computer from viruses that can spread through Internet Explorer, Outlook Express, and Windows Messenger.

Improve your privacy when you’re on the Web.

SP2 helps protect your private information by applying the security settings that guard your PC to the files and content downloaded using Internet Explorer.

Avoid potentially unsafe downloads.

Alternative Solution: Use Firefox, Mozilla, Gmail, ICQ, AIM

Internet Explorer download monitoring and the Internet Explorer Information Bar (http://www.microsoft.com/windowsxp/using/web/sp2_infobar.mspx) warn you about potentially harmful downloads and give you the option to block files that could be malicious.

Reduce annoying pop-ups.

Alternative Solution: Google Bar, Nvidia Pop-up Blocker, Download monitor is a little annoying IMO

Internet Explorer Pop-Up Blocker (http://www.microsoft.com/windowsxp/using/web/sp2_popupblocker.mspx) makes browsing the Internet more enjoyable by helping you reduce the unwanted ads and content that pop up when you’re browsing the Web.

Get firewall protection from startup to shutdown.

Alternative Solution: Google Bar, Nvidia Pop-up Blocker

The powerful, built-in Windows Firewall (http://www.microsoft.com/windowsxp/using/security/internet/sp2_wfintro.mspx) is now turned on by default. This helps protect Windows XP against viruses and worms that can spread over the Internet.

Take control of your security settings.

Alternative Solution: Turn the default firewall on by yourself.


The new Windows Security Center (http://www.microsoft.com/windowsxp/using/security/internet/sp2_wscintro.mspx) allows you to easily view your security status and manage key security settings in one convenient place.

Get the latest updates easily.

Alternative Solution: Update daily, bi-daily.

Enhancements to Windows XP’s Automatic Updates feature make it even easier to access Windows updates. Plus, new technology has been added to help dial-up customers download updates more efficiently.

Help protect your e-mail address.

Alternative Solution: You're forced to update windows update, even if you don't install SP2.

Improvements to Outlook Express (http://www.microsoft.com/windowsxp/using/web/sp2_oe.mspx) help reduce unwanted e-mail by limiting the possibility of your e-mail address being validated by potential spammers.

Take action against crashes caused by browser add-ons.

Alternative Solution: Gmail, Yahoo Mail, Eudora

The new Add-On Manager in Internet Explorer lets you easily view and control add-ons to reduce the potential for crashes and enjoy a more trouble-free browsing experience.

Go wireless without the hassle.

Alternative Solution: SP2 seems to cause BSOD and forces you to reformat.

SP2 improves wireless support and simplifies the process of discovering and connecting to wireless networks in your home or on the road.

Alternative Solution: Not tested.


SP2 has very little benefit for a knowledgeable end user. It breaks any program with assembly calls. Causes Blue Screens and forces users to reformat. Enabling the NX instruction can cause the computer to become slower. The new firewall sucks big time IMO. I hope they have an option to opt that out with SP2a.

SheepFactory
08-27-2004, 01:17 AM
No windows update is complete without a massive security hole!

:D

clockwerkz
08-27-2004, 01:22 AM
Yikes.. and the little Update Windows icon popped up just today when I booted up, suggesting I update to SP2. Good thing I was turned off by the long DL it would have been.


cW

Gein
08-27-2004, 03:41 AM
Help protect your PC from harmful attachments.
By alerting you to potentially unsafe attachments, Windows XP Service Pack 2 (http://www.microsoft.com/windowsxp/sp2/default.mspx) (SP2) helps guard your computer from viruses that can spread through Internet Explorer, Outlook Express, and Windows Messenger.

snip

SP2 has very little benefit for a knowledgeable end user. It breaks any program with assembly calls. Causes Blue Screens and forces users to reformat. Enabling the NX instruction can cause the computer to become slower. The new firewall sucks big time IMO. I hope they have an option to opt that out with SP2a.

What you just posted was a list of features. Security patches and bug fixes are the kind of things that MS does, but avoids talking about in such a bug update. For one, it admits Windows is flawed more than it needs to admit.

But I guess it's really up to you. If you want to skip this one, go for it.

To everyone updating, if you have the time, I recommend slipstreaming a Windows XP CD with SP2 (http://www.msfn.org/comments.php?shownews=9235), and install a new copy with it.

MunCHeR
08-27-2004, 07:09 AM
I would have thought this was a given, .......line up for drenching over here:scream:

MunCH

Para
08-27-2004, 08:04 AM
Uhm. Microsoft patches 840 holes (all listed somewhere, can't remember the URL right now) and says even that this isn't a perfect update and now people flip out because more holes are found?

Sheesh, I wish someone made this kind of posts for open source stuff, ie. Mozilla's 5 years old really severe security exploit (which was finally patched) didn't get this much caps in thread titles anywhere.

JDex
08-27-2004, 08:08 AM
Uhm. Microsoft patches 840 holes (all listed somewhere, can't remember the URL right now) and says even that this isn't a perfect update and now people flip out because more holes are found?

Sheesh, I wish someone made this kind of posts for open source stuff, ie. Mozilla's 5 years old really severe security exploit (which was finally patched) didn't get this much caps in thread titles anywhere.

Aye but if it was Microsoft Mozilla... it would have been in bright orange CAPS!!!

Stone
08-27-2004, 09:22 AM
it's not like all those 800-and-some fixes are new - but rather the sum of all patches released since xp hit the streets in 2001.

what precisely is the _severe_ flaw that has been known in mozilla for 5 years? is a bit weird .. mozilla is hardly even 5 years old.

/stone

Para
08-27-2004, 09:36 AM
what precisely is the _severe_ flaw that has been known in mozilla for 5 years? is a bit weird .. mozilla is hardly even 5 years old.

Here ya go: http://bugzilla.mozilla.org/show_bug.cgi?id=22183

creative destructions
08-27-2004, 10:22 AM
What you just posted was a list of features. Security patches and bug fixes are the kind of things that MS does, but avoids talking about in such a bug update. For one, it admits Windows is flawed more than it needs to admit.

But I guess it's really up to you. If you want to skip this one, go for it.

To everyone updating, if you have the time, I recommend slipstreaming a Windows XP CD with SP2 (http://www.msfn.org/comments.php?shownews=9235), and install a new copy with it.

Skip a massive security hole, a clunky firewall and the possibility of a reformat?

Yes, please.

I'll opt out the possibility of spending another minute of my life reinstalling Windows. Which usually takes an hour anyway. Virus and Trojan makers will always be one step ahead of MS because of a few reasons.

1. They are more computer knowledgeable than the average user.
2. They have Windows and whatever service packs that MS releases. Probably before most people have them. So any NEW Trojans, Worms, and Viruses will be tested to WORK on SP2+ before it's introduced.
3. Anti-virus software, data encryption, data security, are big businesses.

mummey
08-27-2004, 11:15 AM
Skip a massive security hole, a clunky firewall and the possibility of a reformat?

Yes, please.

I'll opt out the possibility of spending another minute of my life reinstalling Windows. Which usually takes an hour anyway. Virus and Trojan makers will always be one step ahead of MS because of a few reasons.

1. They are more computer knowledgeable than the average user.
2. They have Windows and whatever service packs that MS releases. Probably before most people have them. So any NEW Trojans, Worms, and Viruses will be tested to WORK on SP2+ before it's introduced.
3. Anti-virus software, data encryption, data security, are big businesses.

eh, it(SP2) worked for me. :)

... blah blah blah M$ suxZors... blah blah blah...

If you're so worried, install Norton or Zone Alarm, or even better yet:

1. Get an old computer.
2. Put two NICs in it (if it doesn't have two already.)
3. Install OpenBSD on the computer.
4. Configure it to act as your internet gateway.
5. Voilà! Instant Firewall that no hacker would bother trying to get through.

OpenBSD is THE most secure of the Unix™-based operating systems. By default it blocks all ports until you choose to open them. Simply put it is an OS whose only priority is to be secure, so it does a good job at that. :)

creative destructions
08-27-2004, 11:48 AM
eh, it(SP2) worked for me. :)

... blah blah blah M$ suxZors... blah blah blah...

If you're so worried, install Norton or Zone Alarm, or even better yet:

1. Get an old computer.
2. Put two NICs in it (if it doesn't have two already.)
3. Install OpenBSD on the computer.
4. Configure it to act as your internet gateway.
5. Voilà! Instant Firewall that no hacker would bother trying to get through.

OpenBSD is THE most secure of the Unix™-based operating systems. By default it blocks all ports until you choose to open them. Simply put it is an OS whose only priority is to be secure, so it does a good job at that. :)

Typically it's stupid things people exploit. It only takes one double-click to start a program. Think of all the pop-ups that appear. If one of them was for installing a trojan and you accidentally click yes. No firewall will prevent you from installing it. Ultimately it lies on the End User. MS might be able to build an easier, friendlier, more secure computer, but they've failed to improve the person using it. Making solutions that are executed by a double click is stupid in my opinion. Especially when the problem also began with a double click.

Para
08-27-2004, 12:04 PM
Typically it's stupid things people exploit. It only takes one double-click to start a program. Think of all the pop-ups that appear. If one of them was for installing a trojan and you accidentally click yes. No firewall will prevent you from installing it. Ultimately it lies on the End User. MS might be able to build an easier, friendlier, more secure computer, but they've failed to improve the person using it. Making solutions that are executed by a double click is stupid in my opinion. Especially when the problem also began with a double click.

Actually in XPSP2 if you run an .exe from a remote location, IE/Windows will nag you several times, asking whether you are sure you want to do it since it may be a malicious file, defaulting to "No" with bolded text in the button itself.

It's a poor excuse to blame MS for the stupidity of users.

creative destructions
08-27-2004, 12:22 PM
Actually in XPSP2 if you run an .exe from a remote location, IE/Windows will nag you several times, asking whether you are sure you want to do it since it may be a malicious file, defaulting to "No" with bolded text in the button itself.

It's a poor excuse to blame MS for the stupidity of users.

I'm not blaming MS. Just the paradigm MS has. Pop-ups should have never been allowed into a browser. They didn't want to stop the advertising funds, and now they have to make these big alert boxes to distinguish themselves from advertisements and ActiveX objects. What's stopping someone from mimicking the alert boxes as a front end for a trojan?

Blazer
08-27-2004, 01:03 PM
haha... I'm not bashing MS, as I agree it's mostly an end user issue, which is the main reason linux is "more secure" ... more competent users/less attackers = more secure.

That said, after reading creative destructions' comments I had this image in my mind of me working on Longhorn in about 2-3 years, with all these pop-ups flying all over my screen using my Geforce SE 12 with adverts that I can't turn off because some of them look like legit warnings. All I can do is look up to the heavens and yell WWHHHYYYYY?!?!?!?!?!?!?!!?!? :)

richcz3
08-27-2004, 04:26 PM
Computers, despite their increasing necessity in everyday life, are not appliances and most likely never will be. There are virtually hundreds of thousands of combinations of computers ranging over 6 years of hardware design.

Throw into the mix inexperienced users, OS bugs, driver bugs, and malware and you get a full spectrum of results. Any one person even remotely suggesting that one OS can be all things to all people is fooling themselves. Whichever OS reaches mass adoption in 5 years, it will face the same hordes of those wanting to hack/circumvent any Windows security.

Successful OS Requirements: A solid GUI, Ease of use, application support, drivers for a hundred thousand hardware setups and configs, and no asterisks denoting, "What do you expect, this is not Windows." :) Build the Best OS right and they will come.
Make excuses and flame MS at every opportunity and they will stay away. Actions speak louder than flames.



richcz3

creative destructions
08-27-2004, 04:56 PM
Computers, despite their increasing necessity in everyday life, are not appliances and most likely never will be. There are virtually hundreds of thousands of combinations of computers ranging over 6 years of hardware design.

Throw into the mix inexperienced users, OS bugs, driver bugs, and malware and you get a full spectrum of results. Any one person even remotely suggesting that one OS can be all things to all people is fooling themselves. Whichever OS reaches mass adoption in 5 years, it will face the same hordes of those wanting to hack/circumvent any Windows security.

Successful OS Requirements: A solid GUI, Ease of use, application support, drivers for a hundred thousand hardware setups and configs, and no asterisks denoting, "What do you expect, this is not Windows." :) Build the Best OS right and they will come.
Make excuses and flame MS at every opportunity and they will stay away. Actions speak louder than flames.

richcz3

You're missing the whole point. I never said MS sucks or anything in that degree. MS is clearly in the lead in the OS department and there's no debating that. SP2, besides the security holes it covers, shifts the paradigm in a whole new different direction. I myself don't see how productive nag screens can be.

Gein
08-27-2004, 05:19 PM
I myself don't see how productive nag screens can be.

That is not the point, although they do increase productivity if they avoid just one virus attack. Those nag screens are there for inexperienced users (the majority). For everyone else, there's the option to turn them off.

creative destructions
08-27-2004, 05:53 PM
That is not the point, although they do increase productivity if they avoid just one virus attack. Those nag screens are there for inexperienced users (the majority). For everyone else, there's the option to turn them off.

That's the shift in paradigm I'm saying.

"Welcome to Windows XP Professional with SP2, now for the computer illiterate, and inexperienced users."

richcz3
08-27-2004, 06:07 PM
Creative, I wasn't directing my point to anyone in particular, but there is a community of people extolling the virtues of product B over product A without acknowledging the entire market requirements. But I was directing my comment to anyone who promotes the idea that there is an iron clad alternative OS without justifying it with market proof.

Simply put, if and when another OS reaches critical mass, I expect the OS to bloat and experience security breaches. Until that day comes, OS comparisons are an Apples to Oranges slug fest. The masses may be Lemmings, but their basic requirements need to be met first if an alternative is to make it big.


richcz3

creative destructions
08-27-2004, 06:10 PM
Creative, I wasn't directing my point to anyone in particular, but there is a community of people extolling the virtues of product B over product A without acknowledging the entire market requirements. But I was directing my comment to anyone who promotes the idea that there is an iron clad alternative OS without justifying it with market proof.

Simply put, if and when another OS reaches critical mass, I expect the OS to bloat and experience security breaches. Until that day comes, OS comparisons are an Apples to Oranges rally. The masses may be Lemmings, but their basic requirements need to be met first if an alternative is to make it big.


richcz3
Ah, sorry my mistakes then.

CGTalk Moderation
01-19-2006, 01:00 AM
This thread has been automatically closed as it remained inactive for 12 months. If you wish to continue the discussion, please create a new thread in the appropriate forum.