Alarming vulnerability with XPSP2 Firewall

Adam Lyttle

I came across an alarming feature in the Windows XP SP2 Firewall:
Programs can systematically add themselves to the firewall exception
list, effectively giving themselves complete access to the internet
without triggering any warnings or prompts, as documented here:
http://msdn.microsoft.com/library/d...ry/en-us/ics/ics/wf_adding_an_application.asp

This is definitely a feature that should never have been released with
the Service Pack. It effectively undermines the entire emphasis that
has been placed on the newer and more "secure" service pack. If a
program can *give itself* privileges to gain unrestricted access to
the internet, then the firewall itself is theoretically useless.
Instead of the rules being managed by the computer owner, they are
being managed by the applications themselves.

With a few lines of code a virus, worm or trojan can give itself full
access to the internet on the user's computer. A worm could distribute
itself in the background without even prompting the firewall, and a
trojan can open ports and wait for incoming connections without firing
off a warning of any sort from the firewall. All of this adds up to
one thing: an insecure firewall.

In my opinion, an insecure firewall can often be more dangerous than
having no firewall installed whatsoever. If the user assumes they
are protected, they may open files with less caution.

It is my honest opinion (in fact, I plead) that this feature be removed
from the Service Pack. I assume that most people running the service
pack are also using the Automatic Update feature. If a patch is
distributed via the Automatic Update feature, this problem can be fixed
before it is used in malicious programs.

Or at least there should be some sort of compromise. Instead of
allowing all programs access to this feature, how about only
letting programs that have been digitally signed and verified
access it?


Adam Lyttle
Software Developer
(e-mail address removed)

Lyttlesoft Studios
PO Box 99
Mitcham SC, 5062
South Australia

+61-422-072-537
 
Kammbo

Whilst I was printing, my computer went into hibernation... the next thing was the screen went bright green and the words 'meltdown imminent'.
Have you any ideas on this? If I can rectify this with manual port allocation, how do I do this?
 
Juergen Heinzl

Adam Lyttle said:
> I came across an alarming feature in the Windows XP SP2 Firewall:
> Programs can systematically add themselves to the firewall exception
> list, effectively giving themselves complete access to the internet
> without triggering any warnings or prompts, as documented here:
> http://msdn.microsoft.com/library/d...ry/en-us/ics/ics/wf_adding_an_application.asp

Try that without administrative rights -- exactly.

> This is definitely a feature that should never have been released with
> the Service Pack. It effectively undermines the entire emphasis that
> has been placed on the newer and more "secure" service pack. If a
> program can *give itself* privileges to gain unrestricted access to
> the internet, then the firewall itself is theoretically useless.
> Instead of the rules being managed by the computer owner, they are
> being managed by the applications themselves.

Administrative rights mean you / an application are supposed to be able
to do practically anything.

> With a few lines of code a virus, worm or trojan can give itself full
> access to the internet on the user's computer. A worm could distribute
> itself in the background without even prompting the firewall, and a
> trojan can open ports and wait for incoming connections without firing
> off a warning of any sort from the firewall. All of this adds up to
> one thing: an insecure firewall.

Not really. With enough rights a worm could even just disable the
firewall, then do what it wants to do and then enable it again, and given
that computers are pretty darn fast nowadays, no-one may ever find out what
was going on.

> In my opinion, an insecure firewall can often be more dangerous than
> having no firewall installed whatsoever. If the user assumes they
> are protected, they may open files with less caution.

Software cannot compensate for people's carelessness, and people who
connect to the Internet and work as Administrator all day long only get what
they deserve IMHO.

> It is my honest opinion (in fact, I plead) that this feature be removed
> from the Service Pack. I assume that most people running the service
> pack are also using the Automatic Update feature. If a patch is
> distributed via the Automatic Update feature, this problem can be fixed
> before it is used in malicious programs.

I do agree though that it is not really a feature the world has been waiting
for.

> Or at least there should be some sort of compromise. Instead of
> allowing all programs access to this feature, how about only
> letting programs that have been digitally signed and verified
> access it?

Digitally signed and verified software may still do things you do not really
want it to do, so I'd prefer either to leave it as it is or to remove any
automatisms completely. In short: as clear and simple as possible and
without any gray areas.

Cheers,
Juergen
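Both concerns raised so far, an exception quietly added to the list (Adam) and the firewall simply switched off for a while (Juergen), can be watched for from the owner's side using the same COM interface the MSDN page documents. This is an added example, not code from anyone in the thread; it assumes a Windows host exposing the HNetCfg.FwMgr object, and the baseline file path is a placeholder.

```powershell
# Added example, not from the thread: audit the XP SP2 Windows Firewall
# exception list from the owner's side. Assumes a Windows host exposing the
# HNetCfg.FwMgr COM object (the API the MSDN page documents) and a
# baseline file path of the operator's choosing (placeholder below).
$BaselinePath = 'C:\fw-baseline.txt'   # placeholder, adjust to taste

function Get-FirewallExceptions {
    $mgr = New-Object -ComObject HNetCfg.FwMgr
    $fwProfile = $mgr.LocalPolicy.CurrentProfile
    foreach ($app in $fwProfile.AuthorizedApplications) {
        [pscustomobject]@{
            Name    = $app.Name
            Image   = $app.ProcessImageFileName.ToLowerInvariant()
            Enabled = $app.Enabled
            Scope   = $app.Scope      # 0 = any address, 1 = local subnet, 2 = custom
            Remote  = $app.RemoteAddresses
        }
    }
}

function Get-FirewallState {
    $fwProfile = (New-Object -ComObject HNetCfg.FwMgr).LocalPolicy.CurrentProfile
    [pscustomobject]@{
        Enabled              = $fwProfile.FirewallEnabled
        ExceptionsNotAllowed = $fwProfile.ExceptionsNotAllowed
    }
}

$current = @(Get-FirewallExceptions)
if (-not (Test-Path $BaselinePath)) {
    # First run: record the exceptions the owner has reviewed and approved.
    $current | ForEach-Object { $_.Image } | Set-Content $BaselinePath
    Write-Output "Baseline written to $BaselinePath ($($current.Count) entries)."
} else {
    $known = @(Get-Content $BaselinePath)
    $new = $current | Where-Object { $known -notcontains $_.Image }
    if ($new) {
        Write-Warning 'Exceptions present that are not in the baseline; find out which program added them:'
        $new | Format-Table Name, Image, Enabled, Scope, Remote -AutoSize
    } else {
        Write-Output 'No new firewall exceptions since the baseline was taken.'
    }
}

# A process with admin rights could also just switch the firewall off for a
# while, so report the profile state on every run as well.
$state = Get-FirewallState
Write-Output "Firewall enabled: $($state.Enabled); exceptions blocked: $($state.ExceptionsNotAllowed)"
```

Run it once to record the approved list, then on a schedule; any entry that appears without the owner having added it is the case Adam describes, and a run that reports the firewall disabled is the case Juergen describes.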
 
Robert Moir

Adam said:
> I came across an alarming feature in the Windows XP SP2 Firewall:
> Programs can systematically add themselves to the firewall exception
> list, effectively giving themselves complete access to the internet
> without triggering any warnings or prompts, as documented here:
> http://msdn.microsoft.com/library/d...ry/en-us/ics/ics/wf_adding_an_application.asp

I discovered an alarming feature in some computer users. It appears some
idiots are running as admin and then blaming everybody but themselves when
programs run in their user context have administrative access to the
machine.
 
Roger Abell [MVP]

Robert Moir said:
> I discovered an alarming feature in some computer users. It appears some
> idiots are running as admin and then blaming everybody but themselves
> when programs run in their user context have administrative access to the
> machine.

And, no doubt, that required extensive research, being more difficult than
counting the percentage of keyboards with post-it notes under them.
 
Roger Abell [MVP]

Writing code to use this feature is probably more difficult than
writing the code to tweak the registry to accomplish the same
or to just shut off the firewall for the needed time.
If the code is running with admin privs there are many ways
to do it, so an added interface is not a big deal.
 
cquirke (MVP Win9x)

> I discovered an alarming feature in some computer users. It appears some
> idiots are running as admin and then blaming everybody but themselves when
> programs run in their user context have administrative access to the machine.

I discovered an alarming feature in some of our newly-built homes. It
appears some idiots are walking around in the house with all doors
between rooms wide open, on the basis that the front door is locked,
instead of cowering in a locked basement while muggers and burglars
cruise around in the rest of the house as per our design.

--------------- ----- ---- --- -- - - -
Never turn your back on an installer program
 
Adam Lyttle

Thank you Roger, your post was pretty much the only response that
actually addressed the issues that I put forth. As I pointed out,
there are pretty much 3 lines of code that are needed. I would rather
see control of the firewall being in the user's hands, not the program's
hands.

To everyone else, ridicule me all you want, but I still believe that
this feature undermines the entire concept of a 'firewall'. I thought
I would bring it to your attention, but I see that people respond with
arrogance rather than posting proper messages. Then again, this is
always the underlying nature of posting in public groups.
 
cquirke (MVP Win9x)

On 5 Sep 2004 09:04:29 -0700, (e-mail address removed) (Adam Lyttle) wrote:
> Thank you Roger, your post was pretty much the only response that
> actually addressed the issues that I put forth. As I pointed out,
> there are pretty much 3 lines of code that are needed. I would rather
> see control of the firewall being in the user's hands, not the program's
> hands.

This is (or should be) the classic difference between Home and Pro:

"Who's the boss: whoever sits at the keyboard, or whoever can
spoof admin rights from any network, including the Internet?"

Home is basically watered-down Pro, and Pro stacks the deck against
home users in favor of a notional remote "administrator". It takes
MCSE-level skills to get that tight enough to trust in big networks,
so three guesses what happens in consumerland?

> To everyone else, ridicule me all you want, but I still believe that
> this feature undermines the entire concept of a 'firewall'.

Yep, it does - or would, if the firewall had any pretensions to
doing post-intrusion/beach-head egress filtering, as is common in
3rd-party firewalls (including freebies).

It's the "defence in shallowness" of trusting the outermost paper
wall, and throwing up your hands and giving up when that's popped (and
usually by doing no more than using the documented functionality
offered to web developers to walk all over consumers' PCs).

The real question is: Do 3rd-party firewalls allow easy registry
changes to add apps to those permitted to egress? That's the minimum
standard to judge against; in fact, as MS's firewall will be the new
monoculture and one loses the mild security-by-obscurity of "which
3rd-party firewall product do we want to attack today?", one would
hope MS would have aimed higher than that standard.


------------ ----- --- -- - - - -
Drugs are usually safe. Inject? (Y/n)
 
