This has *always* been the main weakness of WinXP's built-in firewall:
It doesn't monitor or impede out-bound traffic at all... It's based upon
the rather silly premise that the average computer user knows what he's
doing when he installs an application.
Let's look at the silliness of that premise:
- that it's the user who is initiating the install
- that what the user thinks he's doing, is what's happening
You can create a file called "THIS IS A VIRUS.EXE" and sure enough,
some users will run it. This has been PoC'd.
You can also write malware, even commercial malware, that the system
auto-installs without prompting at all. This too has been PoC'd.
Between these extremes, as well as piled up at both ends of the
spectrum, is a lot of stuff. Sometimes this stuff exploits genuine
mistakes in how the system is coded, such as CoolWebSearch vs. Java,
Lovesan vs. RPC, Sasser vs. LSASS, the latest bots vs. ASN.1
Sometimes this stuff exploits bad software design at the code detail
level, such as raw code within .PIF, MIME-spoofed attachments
exploiting IE's failure to sanity-check this, or Word macros within
file types that should not contain them, such as .RTF
Other times, this stuff simply uses the system as it was designed to
be used. For example, web trash can put up a free-standing dialog
that looks exactly like a "system" dialog box, and which runs the code
as if you pressed OK when you click the top right-hand [X] or the
Cancel button - all without having to "exploit" anything at all.
--------------- ----- ---- --- -- - - -
Never turn your back on an installer program